Monday, May 3, 2010

Suspicious behavior in Microsoft Office 2010

For my consulting project, I was working on a Word document which required extensive formatting and frequent editing. This document was created using Microsoft Word (on the client's system) and at times I had to update it when I was at home. Unfortunately I don't have a valid license for Microsoft Word on my home laptop (I do have a valid XP license though).

I first tried using Nivio; this site provides a free one-month trial of their web services, which include an installed version of Microsoft Office. My Photon Whiz connection tried really hard to give me a good experience of using Nivio's "always turned on" web services, but better sense prevailed; I accepted the fact that I have to install Microsoft Office on my laptop.

I decided to give Microsoft Office 2010 a try. I logged in as Administrator to allow the installation and, after 24 hours of downloading the installer, I encountered an interesting issue.


Zone Alarm displayed a security alert (Zone Alarm is a free Windows firewall with some interesting add-on features. It is a must-have for Windows users in my opinion).

I got worried on seeing this warning. I had my Huawei Photon (Chinese malware, anyone?) connected to the Internet and my portable hard disk plugged in. Could one of them be the culprit?

I downloaded and ran Process Explorer from Sysinternals and, after searching for "WINWORD.EXE", I got this:



I was using "Click to Run" to install Office 2010. With "Click to Run", Office 2010 applications run locally in a virtual application environment on a virtual drive Q: that is created specifically for this purpose on the system. You can read about it here.

So, when Microsoft Word was starting up from the virtual drive Q:, Zone Alarm detected that it was trying to inject code into Explorer.exe.

Now the question is: why the code injection, and what should I do?

I downloaded the installer from Microsoft's site (this application is valid only for 60 days). So, is this normal activity from the latest Office application?
Access to the Q: drive is denied by XP, so I could not verify whether WINWORD.EXE is infected or not.
As of now, the Zone Alarm prompt is still open and I have not "allowed" or "denied" the code injection. (Suggestions are welcome.)

The net outcome of this issue is that I have to go to work early to work on my document :(

Thursday, March 25, 2010

Ubiq-Freedom UTM - Deep Dive

I will go a little in-depth and talk about the Ubiq-Freedom UTM -

What is a UTM ?
  • UTM, or Unified Threat Management system, is an all-in-one security product with features like firewall, proxy, mail, content filter, IDS, anti-virus etc. It typically sits at your gateway, between your edge router and your network. You can read the Wikipedia article here.
Firmware -
  1. The Ubiq-Freedom UTM firmware is based on Linux From Scratch (LFS), a project which gives detailed instructions on how to build your own customized Linux distribution (read here to learn more about LFS).
  2. The Ubiq-Freedom UTM is available as an ISO image on SourceForge. The downloadable image is smaller than 150 MB. Anyone can download this ISO file and write it to a CD with a tool like CDBurnerXP.
Hardware -
  1. You will need a system with at least an 80 GB hard disk and three network cards.
  2. To use the different features of the Ubiq-Freedom UTM, it is best to have at least 2 GB of RAM.
  3. Note that the existing data on the hard disk will be completely lost: the CD installer formats the hard disk completely.
Installation -
  1. The user can then install the Ubiq-Freedom UTM from the CD on standard hardware.
  2. The CD installer is based on ncurses and has a very simple interface. It lets the user configure the IP address, netmask, hostname, primary DNS server and the root password for the Ubiq-Freedom UTM.
First Steps-
  1. Once the Ubiq-Freedom UTM has been installed successfully, access the web interface at https://<UTM IP address>:40000. If you did not provide an IP address during installation, the default IP address is 192.168.0.1.
  2. Log in with the username "ubiqfreedom" and password "ubiqfreedom". Change this password before the actual deployment of the Ubiq-Freedom UTM.
  3. Follow the steps shown on the page after login. These steps are:
  • Create an account to register on the free-utm portal.
  • Configure the basic setup in the Ubiq-Freedom UTM and then upload that information to the free-utm portal.
  • Configure the rest of the settings (firewall, proxy, mail etc.) in the free-utm portal.
  • Apply the settings in the Ubiq-Freedom UTM.
  • You can now start using the Ubiq-Freedom UTM.

Final Steps
  1. Change the password for the "root" user on the Ubiq-Freedom UTM, if you have not already done so. The default root password is "ubiqfreedom". This is the system password; you can log in to the Ubiq-Freedom UTM with it from a keyboard on the console or over an SSH connection.
  2. Change the password for the user "ubiqfreedom" on the Ubiq-Freedom UTM, if you have not already done so. The default password for this user is also "ubiqfreedom". This is the password used to access the web interface. Until both defaults are changed, anyone who can reach the console, SSH or port 40000 can log in with the shipped credentials.
  3. Take a complete backup of your settings and of the changes you have made on the Ubiq-Freedom UTM.
  4. Drop us an email with any comments. Your suggestions and feedback are always welcome.
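The final steps above (change both shipped passwords, take a backup) can be scripted and run on the appliance from the console or over SSH. The script below is an added example, not part of the Ubiq-Freedom UTM or its documentation. It assumes the firmware keeps Webmin under /usr/share/webmin with its configuration in /etc/webmin (adjust the two variables if the paths differ), that chpasswd from the shadow package is available, and that the web interface listens on port 40000 as stated above.

```shell
#!/bin/sh
# Added example for the Ubiq-Freedom UTM "Final Steps"; not the appliance's own tooling.
# Run as root on the UTM:  ./utm-harden.sh --apply '<new root password>' '<new web password>'
# Assumptions (adjust to the firmware's layout): Webmin root and config directories below.
WEBMIN_ROOT=${WEBMIN_ROOT:-/usr/share/webmin}
WEBMIN_CONF=${WEBMIN_CONF:-/etc/webmin}
BACKUP_DIR=${BACKUP_DIR:-/root/utm-backups}
DEFAULT_PASS=ubiqfreedom        # shipped password for both root and the web user
ADMIN_PORT=40000                # web interface port documented on this page

# A new password must differ from the shipped default and be at least 12 characters.
acceptable_password() {
  [ "$1" != "$DEFAULT_PASS" ] && [ "${#1}" -ge 12 ]
}

# Change the system root password non-interactively (chpasswd reads "user:password").
set_root_password() {
  acceptable_password "$1" || { echo "refusing weak or default root password" >&2; return 1; }
  printf 'root:%s\n' "$1" | chpasswd
}

# Change the web login "ubiqfreedom" with Webmin's own changepass.pl
# (usage: changepass.pl <config-dir> <user> <new-password>).
set_webmin_password() {
  acceptable_password "$1" || { echo "refusing weak or default web password" >&2; return 1; }
  perl "$WEBMIN_ROOT/changepass.pl" "$WEBMIN_CONF" ubiqfreedom "$1"
}

# Snapshot the configuration so the deployment can be restored (Final Steps, item 3).
# Archives the directories/files given as arguments and prints the archive path.
backup_config() {
  mkdir -p "$BACKUP_DIR"
  archive="$BACKUP_DIR/utm-config-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" "$@"
  echo "$archive"
}

# Report every address the web interface listens on; it should be reachable only from the LAN.
admin_port_listeners() {
  (netstat -tln 2>/dev/null || ss -tln 2>/dev/null) |
    awk -v p=":$ADMIN_PORT" '$4 ~ p"$" {print $4}'
}

harden() {
  [ $# -eq 2 ] || { echo "usage: $0 --apply <root-password> <web-password>" >&2; return 1; }
  set_root_password "$1"
  set_webmin_password "$2"
  echo "backup written to: $(backup_config /etc "$WEBMIN_CONF")"
  echo "web interface listening on: $(admin_port_listeners | tr '\n' ' ')"
}

case "${1:-}" in
  --apply) shift; harden "$@" ;;
  *) echo "usage: $0 --apply <root-password> <web-password>" ;;
esac
```

Both password changes are refused if the new value is still "ubiqfreedom" or shorter than 12 characters; the backup is taken after the change so the archive holds the new hashes, and the listener report tells you whether port 40000 is bound to 0.0.0.0 (reachable from every interface) or only to the LAN address.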
Contact Us
Thank you for reading such a long post :)

Deploying the Ubiq-Freedom UTM

Let me talk about a few normal (and run of the mill) deployment scenarios of the Ubiq-Freedom UTM:
  1. The Ubiq-Freedom UTM will usually be deployed between your Edge Router and the LAN.

  2. It can also be deployed between the head office network and a branch network. This should be done right where the branch network terminates in the LAN of the head office. This concept can be extended when connecting multiple branches.

  3. The Ubiq-Freedom UTM can be deployed in front of your Mail Server as an Anti-Spam and Anti-Virus solution.

  4. Some additional scenarios are documented in this document.

Now some unusual (and not run of the mill) deployment scenarios:
  1. You are organizing a seminar, a talk or even a conference and you want to provide Internet connectivity to the delegates. The Ubiq-Freedom UTM can be deployed here to segregate this new network from your main network. You can implement a proxy server with authentication and a content filter, or even host a mail domain.

  2. You have set up a lab and you are running different security tools. It is also possible that you are infecting VM systems with viruses or malware and conducting research. The Ubiq-Freedom UTM can be deployed here to protect the devices which are critical to your lab environment.

  3. You want to increase the visibility you have into your network infrastructure. By adding tools for network monitoring, security monitoring and log analysis on the UTM, you can use the Ubiq-Freedom UTM to give you a bigger picture of your network.

  4. You have created a new Intrusion Detection / Prevention tool (IDS / IPS), but now you have to set up a Firewall and different Network Services like DHCP Server, DNS Server, Proxy Server, VPN Server and a Mail Server just to test your tool properly. In this scenario, you can deploy the Ubiq-Freedom UTM and test your tool against it.

  5. You are a Security enthusiast. You want to do research on topics like Honeypot, Security Monitoring, Log Analysis, Intrusion Detection etc. You can deploy the Ubiq-Freedom UTM in your lab to log the traffic that is going through the Firewall. You can transparently intercept Web Traffic and Mail Traffic and redirect it through the Proxy Server and the Mail Server. The logs generated and the data captured will be valuable to your research.
There could be many other ways to deploy the Ubiq-Freedom UTM. In the coming days, I will keep updating this list.
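The gateway placement in scenarios 1 and 3 above and the transparent interception in scenario 5 come down to a packet-filter and NAT configuration across the UTM's three interfaces. As an added illustration, not the Ubiq-Freedom UTM's own ruleset (its firewall is configured through the free-utm portal), here is a minimal iptables script for that layout. The interface names eth0/eth1/eth2, the 192.168.0.0/24 and 192.168.1.0/24 subnets, the mail server address and the proxy port 3128 are assumptions; the management port 40000 is the one documented on this page.

```shell
#!/bin/sh
# Added example (not part of the Ubiq-Freedom UTM firmware): iptables rules for a three-NIC
# gateway -- WAN towards the edge router, LAN, and a DMZ holding the mail server.
# Interfaces, subnets, mail server address and proxy port are assumptions for illustration.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
LAN_NET=${LAN_NET:-192.168.0.0/24}
DMZ_NET=${DMZ_NET:-192.168.1.0/24}
MAIL_SERVER=${MAIL_SERVER:-192.168.1.25}   # internal mail server the UTM relays to
PROXY_PORT=${PROXY_PORT:-3128}             # transparent HTTP proxy on the UTM (Squid default)
ADMIN_PORT=40000                           # web interface port documented on this page

# Print the ruleset rather than executing it, so it can be reviewed before it is applied.
utm_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management (SSH and the web interface) only from the LAN; nothing on the WAN side
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport $ADMIN_PORT -j ACCEPT
# LAN services the UTM provides: DNS and DHCP (DHCP DISCOVER comes from 0.0.0.0, so no -s match)
iptables -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
# Transparent web proxy: LAN port-80 connections are redirected to the local proxy
iptables -t nat -A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
# Transparent mail interception: all outbound SMTP from the LAN (including mail addressed to the
# DMZ server) terminates on the UTM's own MTA, which filters it and relays it on
iptables -t nat -A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 25 -j REDIRECT --to-ports 25
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 25 -j ACCEPT
# Inbound Internet mail is accepted by the UTM's MTA (anti-spam / anti-virus) and relayed to
# $MAIL_SERVER; the MTA is the only WAN-facing service
iptables -A INPUT -i $WAN -p tcp --dport 25 -j ACCEPT
# Everything else from LAN and DMZ may go out, NATed behind the WAN address
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# LAN may reach the DMZ, but the DMZ may not initiate connections into the LAN
iptables -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT
# Log what the DROP policies are about to discard (scenario 5: firewall logs as research data)
iptables -A INPUT -j LOG --log-prefix "UTM-INPUT-DROP: "
iptables -A FORWARD -j LOG --log-prefix "UTM-FWD-DROP: "
EOF
}

case "${1:-}" in
  --apply) utm_rules | sh ;;   # apply on the UTM as root
  *) utm_rules ;;              # dry run: print the rules for review
esac
```

Run without arguments to review the generated commands, then with `--apply` as root on the UTM. Because both REDIRECT rules match only traffic arriving on the LAN interface, the proxy's and the MTA's own outbound connections (which leave through OUTPUT) are not looped back into them.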



Launch of Ubiq-Freedom UTM

I am very pleased to announce that the Ubiq-Freedom UTM has finally been launched.

Get it now -
Feature list -
  • The complete features available in Ubiq-Freedom UTM can be read here.
Do you require assistance?
Configuration
  • The Ubiq-Freedom UTM is configured through the web-based interface (on port 40000) running on the UTM.
  • The Ubiq-Freedom UTM connects to a central configuration portal to perform the configuration.
Additional Information
  • Since the Ubiq-Freedom UTM runs a Linux kernel and uses well-known open source components, it can be configured by most people familiar with Linux and the server applications that run on it.
  • The web-based interface running on the Ubiq-Freedom UTM is Webmin, a well-known web-based configuration tool.

Thursday, February 25, 2010

My first disclosure !

I published my first disclosure today. Read it here. Technically, the issue was found earlier by Vidhya Shankar, who posted it here.