Sunday, May 1, 2016

Badware is short for Blocked Adware

Last week an article that I collaborated on was published. So far this has been the crowning achievement of my short time with Cisco, a short but amazing time. Malware analysis is my absolute passion and being able to turn software analysis into globally deployed protection in days is the best.

When I was presented with a strange piece of software I knew it would be another excellent chance to tear into the inner workings of a tool. I didn't know yet it would be the basis of an article to a professional Threat Intelligence blog. I really didn't know the splash it would make across digital media.

In no particular order I will list all of the references that I can find to that article (these links are not endorsement, nor disparagement, of the linked article!):

Non-English:
I was most touched by the brief shout out on the blog of Mary Ellen, @icanhaspii. Media is great, but recognition from a practitioner means far more to me than a big pile of media comment.

This being a personal blog nothing contained in this article should be construed as anything except my personal opinions. I do not speak for, nor represent, Cisco.

Updated Links:

A Post that sat as a draft for a very long time

A vulnerability that I have interacted with in the wild and have had to intentionally avoid myself is the venerable SQL injection. In a sentence, SQL injections are vulnerabilities where input is improperly combined with commands in a way where the input can be interpreted as SQL statements (Vacca, 2009). The obvious exploit for passing arbitrary commands to a database is to read additional data, which is available to attackers targeting a SQL injection. Additionally, if the running account has write access, it can also be used to corrupt the integrity of the database, even going so far as to erase data, as was captured in the classic XKCD comic about Little Bobby Tables (Munroe, 2007).
The danger from exposing a SQL injection goes far beyond letting users read extra data or destroy some, though. Halfond, Viegas, and Orso enumerate a whole set of possible attacker intentions that can be realized through SQL injections: database finger-printing, learning the database schema, extracting data, changing or inserting data, causing denial of service, avoiding detection, skipping traditional authentication, elevating privileges, and command execution (2006). Some of these can be really easy, such as finger-printing the database in use: when first stumbling on the injection an error may be dumped to output containing the database version, query ran, software name, operating system, and more. (Halfond et al., 2006)
In a Black Hat Briefing, Guimarães describes some of the really nasty and unexpected things that attackers can accomplish through SQL queries. MySQL can use the LOAD_FILE function to read an arbitrary file on disk, allowing the extraction of sensitive data that isn’t even in the targeted database (Guimarães, 2009). MS SQL Server and PostgresSQL also have commands that can be used to extract arbitrary files. MySQL allows for the INTO DUMPFILE clause to write to arbitrary files, as can the PostgresSQL lo_export() function (Guimarães, 2009).
Even though arbitrary read/write to the remote system is nearly enough to fully own the target, SQL injections can provide even more access. MS SQL Server allows the importing of user defined functions from DLLs with CREATE ASSEMBLY (Patel, 2010). Being able to load an executable into the remote database process, combined with the previously mentioned ability to write the desired executable to the system, is total access to the level of the database account. It literally allows you to run anything you can write. Finally taking the cake, MS SQL Server even provides an xp_cmdshell() stored procedure to provide raw shell command execution (Guimarães, 2009). Game over.

Guimarães, B. D. A. (2009). Advanced SQL injection to operating system full control. Black Hat Europe, white paper.
Halfond, W. G., Viegas, J., & Orso, A. (2006, March). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13-15). IEEE.
Munroe, R. (2007, October 10). Exploits of a Mom. XKCD. Retrieved from https://xkcd.com/327/
Patel, V. (2010, September 27). Creating User-Defined Functions in Microsoft SQL Server . Database Journal. Retrieved from http://www.databasejournal.com/features/mssql/article.php/3904491/Creating-User-Defined-Functions-in-Microsoft-SQL-Server.htm
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufman