Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 31 May 2012

Sysnative.com: Need help with BSOD's?

At one time or another, most people who use the Windows operating system have experienced the dreaded "Blue Screen of Death" (BSOD) -- until Windows 8, a strange blue screen filled with numbers and codes, completely incomprehensible to most everyone.

Granted, there are occasions where a shutdown/restart or evoking "Last Known Good Configuration" appear to have resolved whatever issue caused the BSOD. More times than not, however, help is needed to trace the source of the problem. This is where Sysnative.com comes in to play.

Sysnative.com is the result of a vision of Microsoft MVP, John Griffith. John, known in forum communities as jcgriff2, specializes in Blue Screen of Death (BSOD) Kernel dump analysis. John also enjoys a reputation as an expert Windows forensic troubleshooter, typically sought by Windows Vista and Windows 7 owners after all else has failed.

John developed an application for use by analysts who assist computer users track down the source of the BSODs plaguing their computers. The contributions by many talented people who are involved in analyzing the data compiled by John's application have made the "jcgriff2 BSOD File Collection app" the tool of choice for kernel dump analysis.


Hat tip to Corrine for the heads up;

http://securitygarden.blogspot.co.uk/2012/05/sysnative-what-is-it.html

You can find sysnative.com here;

sysnative.com

For those unfamiliar, sysnative is also a lesser known folder present on x64 systems. Details from Microsoft at;

TechNet: File System Redirector http://technet.microsoft.com/en-us/subscriptions/aa384187(v=vs.85).aspx

Programming Guide for 64-bit Windows http://msdn.microsoft.com/en-us/library/bb427430(v=vs.85)

Best Practices for WOW64 (MS Word document) http://download.microsoft.com/download/A/F/7/AF7777E5-7DCD-4800-8A0A-B18336565F5B/wow64_bestprac.docx

A 32-bit application cannot access the system32 folder on a computer that is running a 64-bit version of Windows Server 2003 or of Windows XP http://support.microsoft.com/kb/942589

Wednesday, 23 May 2012

File hosts + Malware

Over the years, we've seen file hosting being abused to house malicious payloads that are either downloaded by a "dropper", or are used in the likes of drive-by attacks.

One of the most common ones abused today, is of course, dropbox.com. However, over the past 24 months, I formed a fantastic relationship with them that has proven extremely effective in getting the malware removed extremely quickly. One of the methods criminals such as those at hackforums.net, are using to get past this, is by setting up their own dedicated file hosts. Just some off the top of my head include;

filehold.net
litetb.com
dlandexe.com
exehost.net
wss-coding.com
zalil.ru
botz.in
rghost.net
dox.abv.bg
ge.tt
downloadexecute.com

I've been successful in getting a few suspended, and others not so successful (yet), thanks in part, to lack of co-operation from the likes of eNom, NameCheap and CloudFlare etc. Some that have been suspended, such as filehold.net, have re-appeared elsewhere and re-suspended, and as of 24-48 hours ago, re-appeared yet again.

The latest to be suspended, is dlandexe.com, which kept allowing and encouraging, malicious files to be uploaded (not surprising, the owner of the site is an active member of a blackhat forum).

The blackhat scanners these use to check if their file is detected, includes;

chk4me.com
elementscanner.net
my-avscan.net
metascan.org
scan4you.net

If you've not already got a block on the above file hosts, I'd strongly recommend you do so. Other sites they're using, aside from dropbox.com, include;

sharesend.com
kiwi6.com
zippyshare.com
drop.st
filetolink.com
freewayhost.net
largedocument.com
mediafire.com
jumbofiles.com

Tuesday, 22 May 2012

Paragon Hard Disk Manager Professional v12

How do you take a break from work, whilst still getting things ticked off of your to-do list? Well, if you’re like me – you quite simply, don’t take a break. I’ve been awake for almost 36 hours, working flat out, with the exception of the 2 hours I had to take earlier, and decided I needed a break. One of the things on my to-do list, was a review of Paragon’ Hard Disk Manager Professional.

One of the benefits of the WiFi not working all of the time, on my journey down to the other end of the country, earlier this month, was the fact I could get things done that didn’t require one – things such as this. Though I’m now re-writing this yet again. One of the benefits of being an MVP (I’m going somewhere with this, bear with me – if you’ve made it this far), is the fact you not only get access to Microsoft’ software, but you also get free licenses for certain third party software. Some such third parties, require a review, some request it, others don’t, they give you the licence regardless. I mention this, because had I not, it would’ve left this review open to scrutiny due to non-disclosure – so consider it mentioned – the reason I was able to use this at all, was due to Paragon giving me a license.

Now, before you all decide where this is going, as mentioned, bear with me. I’ve been using various programs from Paragon for a while now, some great, others not so great. For example, one program I couldn’t get used to, due to its only allowing backups to a USB drive, and not for example, a remote or UNC location, was System Backup 2010 (what was to become System Backup 11). System Backup 2010 a great program for the average user that has their machine constantly plugged in to an external backup drive (dedicated to backups only), but not for those of us that require something that allows additional backup locations to be specified, which is where Paragon’ other products come in.

HDM however, lies somewhere in between. It is a great piece of software if you like things quick, simple and without the usual options normally required by those of us a little more picky.

One of the features of this program, and by far its best feature, is the addition of a BartPE CD/DVD/USB, that comes with it. This however, is to be lost, due to changes in Windows licensing (see my blog). However, I am very happy to report, that the option to create a bootable media (CD/DVD/USB), is very much here to stay, and can be found within the program. This uses Linux, rather than BartPE.

This option, you will find under Tools > Recovery Media Builder.



To go through all of the features available, would take far more than the time I’ve got here, so I’ll keep it to the best features – those you’ll be most likely to need and use.

The recovery option speaks for itself, things do tend to go wrong occasionally, it’s a fact of well, everything – but if you’re doing things properly, then you should already have backups (and this is a bear minimum.);
  1. Locally stored
  2. Remotely stored
Ideally, you should have two locally stored, but I realise not everyone has an endless supply of available storage, especially for things such as this, given the amount of space they typically require.

Take a typical disk backup, if your hard drive is 500GB, then you need two other 500GB drives (one local, one remote), for a disk backup, in case the drive itself fails. This quite obviously, needs to be kept up to date. To do this with HDM, all you do is select Wizards > Schedule Hard Disk Copy.

You also however, ideally need a “clean state” backup. This compromises an image of either your system partition, or an image of the drive. For this, you can either select Wizards > Smart Backup, or right click the drive/partition you wish to image, and select Backup Hard Disk or Backup Partition. From here, you have the benefit of both backup worlds – you can select to store it locally, or on your network (i.e. a NAS), or on a remote server.



One thing to bear in mind, of storing backups on remote servers – the backup isn’t done on the local machine then transferred – it’s backed up remotely – on the fly. As such, unless you’re on a fast connection, you’ll likely want to backup to a NAS/backup machine, a second drive, or a separate spare partition, and then zip and transfer the image to your remote location.

When storing locally, simply select your desired backup location (ideally a dedicated backup partition), select your compression options, and away you go. I personally like to make sure it is using Paragon Hot Processing over Volume Shadow Copy, as it seems faster and more reliable, and of course, assigning a password to the backup is a given.



Which brings me to one of the downsides of the program. Even when un-ticking “Split image up to”, you’ll find you have multiple files for the image, which is contrary to most other imaging programs I’ve used (e.g. for those of us that prefer the single ISO or VHD option). Unless you’re as fickle as I am however, this isn’t too important, as they’re only for a backup, they’re not going to be used for virtual disks.

I’ll delve further into the program in future parts, for now, I must get back to work. In the meantime, if you'd like to take a look at the software yourself, you'll find it here;

http://www.paragon-software.com/home/hdm-professional/

Disclosure: Whilst there's no affiliate links or rubbish like that, I must disclose that I got the license for free.

Monday, 7 May 2012

Toolsmith: Buster Sandbox Anayzer

Introduction On April 10th, 2012 a new version of Sandboxie was released, and on April 16th so too was a new version of the Buster Sandbox Analyzer which uses Sandboxie at its core. Voila! Instant toolsmith fodder. It’s been a few months since we’ve covered a malware analysis-specific tool so the timing was excellent. Buster Sandbox Analyzer is intended for use in analysis of process behavior and system changes (file system, registry, ports) during runtime for evaluation as suspicious. You’ll find it listed among the Sandbox Tools for Malware Analysis on one of my favorite Internet resources, Grand Stream Dreams. As always, I pinged the developer and Pedro Lopez (pseudonym) provided me with a number of insightful details. He releases new versions of Buster Sandbox Analyzer on a fairly regular basis, version 1.59 is current as I write this. There’s an update mechanism built right into BSA; just click Updates then Check for Updates. Pedro has recently improved static analysis and he’s always trying to improve dynamic analysis as he considers it the most important aspect of the tool. For future releases the TO-DO list is short given over two years of constant development. The following features are planned for: • A feature to analyze URLs in automatic mode. • Utilizing the information stored in the SQL database, a feature to generate statistics including used compressors, detected samples, and others.

Read more
http://holisticinfosec.blogspot.co.uk/2012/05/toolsmith-buster-sandbox-anayzer.html
Buster Sandbox Analyzer
http://bsa.isoftware.nl/
Sandboxie
http://www.sandboxie.com/

Thursday, 3 May 2012

Mapping Cybercrime by Country


All cybercrime is hosted and served from somewhere. A simple enough truism and yet little research, or even initiatives, emerge from this area. A new interactive web-based tool aims to provide deeper insights into this domain in search of solutions to a global problem. How much cybercrime is served by the hosting providers registered to, or routing through, an individual country? An interesting question that can now begin to be quantifiably answered thanks to a collaborative association between HostExploit, Russian Group-IB1 and CSIS2 in Denmark. The Global Security Map displays global hot spots for cybercriminal activities based on geographic location. It was first presented at the Anti-Phishing Work Group (APWG) meeting in Prague on April 25 by leading community researcher Jart Armin, editor of HostExploit, and is now on general release along with the accompanying Global Security Report.

Read more
http://hostexploit.com/blog/14-reports/3538-mapping-cybercrime-by-country.html

Global security report
http://hostexploit.com/downloads/viewdownload/7-public-reports/39-global-security-report-april-2012.html