Professional Documents
Culture Documents
XMCO
C ON TEN TS
S t u x n et : c om p l e te two-p a rt ar t icle o n T HE vir us o f 2010 K ey b o ard L ayo u t : a n a l ysi s of t he MS10-073 vulner abilit y used by St ux ne t C u r re n t n e w s : Top 10 ha c king t echniques, z ero -day IE, Gsdays 2 0 1 0 , P ro FTP D. .. B l o g s , s o f t wares an d o u r fav orite Twe e ts...
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[1]
David Helan
ACTU SCU 27
A re y o u c o n c e r n e d b y I T s e c u ri t y i n y o u r c o m p a n y ? XMCO Partners is a consultancy whose business is IT security audits. Services: Intrusion tests Our experts in intrusion can test your networks, systems and web applications Use of OWASP, OSSTMM and CCWAPSS technologies
Security audit Technical and organizational audit of the security of your Information System
Best Practices ISO 27001, PCI DSS, Sarbanes-Oxley
PCI DSS support Consulting and auditing for environments requiring PCI DSS Level 1 and 2 certication.
CERT-XMCO: Vulnerability monitoring Personalized monitoring of vulnerabilities and the xes affecting your Information System
CERT-XMCO: Response to intrusion Detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy
About XMCO Partners: Founded in 2002 by experts in security and managed by its founders, we work in the form of xed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our rm is developing. At the same time, we work with senior management on assignments providing support to heads of informationsystems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[2]
WWW.XMCO.FR
FEB. 2011
EDITORIAL
certainly be implementation errors that may be exploited by pirates, especially as these are particularly ingenious concerning hacking means of payment. We hope that you nd this issue interesting and we look forward to seeing you at Black Hat Barcelona, for which XMCO is a partner.
Frdric Charpentier Chief Technology Ofcer
2 UMBER N
ACTUSECU
Editor in chief: Adrien GUINAULT Contributors: Charles DAGOUAT Florent HOCHWELKER Stphane JIN Franois LEGUE Frdric CHARPENTIER Yannick HAMON
CONTACT XMCO
What will 2011 bring us in terms of attacks and security? Without wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be the year of m-payment: contactless mobile payments (by NFC or GSM). Although these technologies are, a priori, new, they are based on existing and proven frameworks. There will PCI DSS QSA TRAINING 7 and 8 March in London BLACKHAT EUROPE 16 and 17 March in Barcelona actu_secu@xmco.fr info@xmco.fr
BLACK HAT
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[3]
STUXNET PART I
P. 5 P. 52 P. 13
CONTENTS
STUXNET...
...PART II
Stuxnet Part I: analysis, myths and realities..5 An examination of THE virus of 2010
Stuxnet Part II: technical analysis.................13 Propagation, infection and attacks on industrial systems.
KEYBOARD LAYOUT
P. 29
Current news..................................................38 Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD...
Blogs, software and extensions...................52 IMA, VMware compliance checker, Twitter and the rn_101 blog.
CURRENT NEWS
P. 38
XMCO 2011
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[4]
ACTU SCU 27
ACTU SCU 27
It would have been inconceivable not to devote an article to THE malware of the year 2010. Although nearly everything has already been said on this subject, we could not resist wanting to write an article on Stuxnet several months after the media buzz has subsided. Much is still obscure concerning this malware, its origins and its developers. However, we will try to give a summary, also taking an objective view in relation to various papers covering the subject.
Karsten Kneese
If there is one thing to remember about 2010, it is surely the case of Stuxnet. This is because this malware, specically produced to carry out the second highlypublicized targeted attack of 2010 (after Aurora) caused comment for more than six months! This article is intended as a summary of this long period, which was punctuated by many new developments. It covers the development of the discoveries and announcements that took place during this period and tries to analyze all the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and false realities, this article will appraise the situation as completely as possible.
To quickly reach its target, the malware also uses a password dened by default within certain SCADA (Supervisory Control And Data Acquisition) systems. This is based on the Siemens SIMATIC WinCC software.
constructed from many items, intended to sabotage the normal functioning of certain critical systems.
Thanks to all the work performed by various researchers with an interest in malware, the role of Stuxnet has been claried. The malicious code acts in several stages: rstly, a removable item of storage media is used to compromise a system on a local network. Once present on a network, the malware replicates, moving towards the discovery of a point of access to its target: a system on which WinCC is installed. Secondly, when such a target is discovered, the behavior of the various items controlling the target architecture is modied in order to physically impair the integrity of the industrial production system. In the case of Stuxnet, this concerns modifying the normal function of certain critical systems by manipulating their controllers.
Preliminary reminders
Stuxnet is a complex piece of malware constructed from many items, intended to sabotage the normal functioning of certain critical systems. In contrast to the somewhat indiscreet approach which is used to access these sensitive systems, this sabotage is intended to be very discreet. To approach its target, Stuxnet exploits at least four zero-day vulnerabilities (currently all corrected by Microsoft) targeting different versions of Windows, as well as the famous MS08-067 vulnerability that was corrected several years ago.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[5]
WWW.XMCO.FR
ACTU SCU 27
the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the security vulnerability through WebDAV sharing. This code allowed a pirate simply to encourage an Internet user to visit a web page with Internet Explorer to take control of the underlying system. The same day Symantec renamed W32. Temphid to W32.Stuxnet, and Siemens reported that the company was in the process of studying reports referring to the compromise of several SCADA systems linked to WinCC. On 20 July, Symantec announced that it had discovered how the malware communicated with its command and control (C&C) servers, and the meaning of the exchanged messages. On 21 July, MITRE assigned reference CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Siemens. A password had been hard-coded and could be used to access certain components of Siemens applications with elevated privileges. Two days afterwards, on 23 July, VeriSign revoked the certicate belonging to JMicron Technology Corp.
On
17 July, Symantec renamed "W32.Temphid" as "W32.Stuxnet" and Siemens reported that the company was in the process of studying reports referring to the compromise of several SCADA systems linked to WinCC
Then several days passed, during which the researchers and specialists involved in this study certainly did not stop working. On 2 August, outside its "Patch Tuesday" cycle, Microsoft published its security bulletin MS10-046 proposing several patches for the LNK vulnerability. On 6 August, Symantec presented the method used by Stuxnet to inject and hide code on a PLC (Programmable Logic Controller). On 14 September, Microsoft published a new security bulletin (MS10-061) and offered a patch for the security vulnerability present within the print spooler that was discovered by Symantec in August. The same day, MITRE assigned reference CVE-2010-3338 to the "elevation of privileges" vulnerability that was identied within the task scheduler. Just several days afterwards, on 17 September, Joshua J. Drake (jduck1337) published exploitation code within the Metasploit framework. This allowed control to be taken of a system via the security
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![6] strictly prohibited.
ACTU SCU 27
knowledge that was necessary, the human and material resources necessary and lastly, the cost of such an organization make certain countries ideal suspects. Among the list chosen by the researcher were Israel, the United States, Germany and Russia.
Trey Ratcliff
At the end of November, the former psychologist announced that Iran and Venezuela had concluded an agreement in 2008. This alliance allowed Iran to install ballistic missiles on Venezuelan territory in exchange for
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![7] strictly prohibited.
WWW.XMCO.FR
On 15 November, Langner presented a technical solution allowing the malicious code 315 to destroy gas centrifuges. He was then supported by the nuclear specialist from ISIS (Institute for Science and International Security), David Albright. On the same day, a second announcement gave the details of the attack performed by the code 417. In the days that followed, numerous details of this second attack were presented and a hypothesis concerning the targets was given: according to the researcher, the code 315 targeted the IR-1 centrifuges present in the Natanz enrichment centre, while module 417 targeted the steam turbines in the electrical power station at Bushehr. A single weapon, malware, which contained two payloads: the code modules 315 and 417, targeting different PLCs.
ACTU SCU 27
agreement, one month before the end of his term of ofce in January 2009, to the establishment of a secret program aiming to sabotage the electrical and computer systems at the main uranium enrichment centre at Natanz. From the beginning of his term of ofce, Barack Obama, who had been informed of this before taking ofce, accelerated this program on the advice of those knowledgeable concerning the case of Iran.
single weapon, malware, which contained two payloads: the code modules 315 and 417, targeting different PLCs ...
At the beginning of January, the researcher presented a new hypothesis on the role of blocks 315 and 417. According to him, their main objective was not the destruction of the centrifuges, but rather to make these production systems massively inefcient. By analyzing the data embedded in the code, and theoretical calculations on the yield of uranium production, the researcher discovered that the operations performed by the two blocks of code would drastically reduce the yield of the centrifuges. To summarize, over the course of these few months, Langner was probably the researcher who communicated most concerning Stuxnet. The "New York Times" theory For the rst time since the beginning of this scenario, an article published by the New York Times on 16 January described a plausible scenario. Even though this scenario is based more on a correlation between events and facts, rather than on tangible proof, these authors have the distinction of being among the rst to ofcially name the various protagonists. It should therefore be taken with caution and is the responsibility only of the journalists who wrote the New York Times article. In this scenario, the United States set up a plan to hinder Iran in its quest to produce nuclear weapons. According to the journalists, President Bush gave his Still according to the New York Times journalists, this program was based on work performed at the Idaho National Laboratory (INL) in partnership with the Department of Homeland Security (DHS) and Siemens. During 2008, they claim that Siemens requested the INL to test the security of its Step7 software used to control a set of industrial systems (tools, probes, etc), using controllers such as PCS7 (Process Control System 7). The results obtained, including numerous security vulnerabilities, were presented in July at a conference that was held in Chicago. Several months later, American diplomacy succeeded in establishing an embargo on certain components necessary to the correct functioning of a uranium enrichment centre. According to a diplomatic cable
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![8] strictly prohibited.
WWW.XMCO.FR
Trey Ratcliff
ACTU SCU 27
Israel of having ordered these assassinations. After this second suspect event, the Iranians took the decision to "hide" Mohsen Fakrizadeh, the third (and last?) nuclear specialist.
Ludo Benoit
Forbes's counter theory Another article published by journalists at Forbes the following day strongly criticized this analysis. According to them, this was based on no tangible proof. Only gestures made by certain diplomats at press conferences and the content of several diplomatic cables revealed by Wikileaks gave any support to the journalists' article. The journalists took advantage of trashing this theory to push their own analysis that was published in December. According to them, the "real" powers behind Stuxnet were Finland and China. The reasoning behind this was that Vacon, the Finnish manufacturer of frequency converters (variable frequency drives) had a manufacturing plant in China. This would mean that China would know precisely which PLCs to target. Furthermore, China is suspected to have access to part of the source code of Windows, which could explain the discovery and use of four zero-day vulnerabilities.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![9] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
and rescue, was controlled by a SCADA system based on Siemens S7-400 and SIMATIC WinCC PLCs. This announcement occurred during a complex period in Indo-Chinese relationships, because both countries are ercely competing with each other in the aerospace sector to be the rst Asian country to put a man on the moon. Although Symantec and other publishers of anti-virus software named Iran as the main victim of Stuxnet, it was not before mid-October that the subject of Stuxnet was publicly mentioned by Iran. During this rst speech, the Iranian president simply denied the damage that the worm was supposed to have caused to national infrastructure. A month later, in November, the country recognized for the rst time that it had suffered "slight" problems leading to the postponement of the launch of the Bushehr plant. In reaction to this attack, the government arrested some Russian service contractors suspected of being spies. These were subsequently released Since the beginning of 2011, numerous other events were added to this story. Symantec, by recovering samples obtained from various publishers of antivirus software in the market, was able to make a statistical study of the attacks.
Lastly, very many international experts criticized the quality of the code in the malware. Several commentators criticized the amateurism of certain functionalities of Stuxnet: the very basic component that communicates with the C&C servers (for example, no communications encryption, the lack of robustness of the control servers, etc), the absence of additional protection (polymorphism, anti-debug and robust encryption), and nally an indiscreet means of proliferation that is unworthy of an attack carried out discreetly by the military, etc. According to these commentators, just these observations are evidence that no government is hiding behind Stuxnet.
The other factors to be remembered On 9 July, the Indian satellite INSAT-4B was declared inoperable. This satellite, which was used for transmitting telecommunications, television broadcasting, meteorology and for individual search
From these samples Symantec was able to produce graphs representing the proliferation of the malware. For this, the researchers used the information recorded (date and time, for example) by the malware when it
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![10] strictly prohibited.
WWW.XMCO.FR
So, thanks to the 3,280 samples recovered from ESET, F-Secure, Kaspersky, Microsoft, McAfee and Trend Micro, Symantec was able to draw the following conclusions: - exactly ve organizations were targeted; these ve organizations are all present in Iran; - most of the 12,000 infections corresponding to the 3,280 samples can be traced to these various organizations; - among the victims used as vectors for propagation, three were attacked once, one was targeted twice and the third was attacked three times; - these attacks took place at very precise dates: in June 2009, one month later in July 2009, then at three further stages in March, April and May 2010; - lastly, three variants of the malware corresponding to the attacks that took place in June 2009, April 2010 and May 2010 were observed. The existence of a fourth variant is assumed but has not been observed among the samples obtained. According to Symantec, these ve companies are suppliers with links to the Natanz enrichment centre.
Ludo Benoit
ACTU SCU 27
In
April 2009, the researcher Carsten Kohler published an article in the magazine Hackin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned.
The day after this announcement, several media echoed another announcement that was particularly surprising. During a video shown at a party given in honor of the retirement of general Gabi Ashkenazi, and published by the conservative newspaper Haaretz, it was claimed that the newly-retired general had supervised the creation of Stuxnet. Nevertheless, as no ofcial Israeli source has corroborated this announcement, it must be taken with caution. Lastly, it was in March 2010 that the rst malware in the Stuxnet family appeared which exploited the LNK vulnerability.
The warning signs The Stuxnet affair began well before 2010. Thus, Symantec was able to nd traces of the malware going back to 2008. On 20 November 2008, Symantec observed the exploitation of the LNK vulnerability for the rst time. This had not been analyzed at the time and we had to wait until the appearance of Stuxnet to discover that pirates had known about this vulnerability for more than two years. The virus in question was then identied as "Trojan.Zlob" and does not appear to be related to Stuxnet. In April 2009, the researcher Carsten Kohler published an article in the magazine Hackin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned! Several months later, in June 2009, Symantec detected a new malware that is now identied as the rst version of Stuxnet. This was very simple and did not carry all of the payloads that we know today. According to Symantec, it was in January 2010 that the rst malware in the Stuxnet family appeared using the certicate from Realtek Semiconductor Corp. to sign one of the components of the malware.
Conclusion
Stuxnet has caused a lot of comment and been highly publicized. The various theories, analyses and hypotheses made until now do not allow any conclusions to be drawn with certainty, either concerning those ordering the attacks or the targets. However, according to the various discoveries made by several researchers and journalists (Symantec, Langner and the New York Times), Iran seems to have been targeted, especially the nuclear enrichment centre at Natanz. Concerning those ordering the attack, and bearing in mind its complexity, the resources used and the different information revealed by the journalists,
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![11] strictly prohibited.
WWW.XMCO.FR
Israel and the USA appear to have played a role in this affair. We must also bear in mind that all of the
ACTU SCU 27
F-Secure (FAQ) h t t p : / / w w w. f - s e c u r e . c o m / w e b l o g / a r c h i v e s / 00002040.html h t t p : / / w w w. f - s e c u r e . c o m / w e b l o g / a r c h i v e s / 00002066.html " Timeline http://www.infracritical.com/papers/stuxnet-timeline.txt " CERT-IST h t t p : / / w w w. c e r t - i s t . c o m / f r a / r e s s o u r c e s / Publications_ArticlesBulletins/VersVirusetAntivirus/ stuxnet/ " " New York Times http://www.nytimes.com/2011/01/16/world/middleeast/ 16stuxnet.html?pagewanted=all http://www.nytimes.com/2010/11/30/world/middleeast/ 30tehran.html?pagewanted=print http://www.nytimes.com/2010/01/13/world/middleeast/ 13iran.html?_r=1&pagewanted=print " Forbes http://blogs.forbes.com/jeffreycarr/2011/01/17/the-newyork-times-fails-to-deliver-stuxnets-creators/? boxes=Homepagechannels http://blogs.forbes.com/rewall/2010/12/14/stuxnetsnnish-chinese-connection/
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![12] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
After having looked at the history of Stuxnet and the theories and assumptions behind it, let us now look at its technical analysis. Some very good white papers (Symantec and ESET) have given a detailed presentation of the complexity of this malware. We will try to summarize everything to give an understanding of the propagation modes used, the relationships with industrial systems and the consequences that Stuxnet may cause.
Bjoern Schwarz
Charles Dagouat
General functioning
Stuxnet is a complex piece of malware. Its functioning mode revolves around two main "functions": the propagation of the virus, which is based upon the vulnerabilities inherent in the Windows platform, and the attack on SCADA systems, which is focused on WinCC and PCS7. This second function corresponds to the payload transported by the malware. It is based on the software component WinCC. WinCC is a very widespread tool for remote monitoring and data acquisition developed by Siemens. Installed on a Windows system, it is used to control an automatic system such as a Programmable Logic Controller (PLC). This type of architecture is particularly adapted to critical infrastructure such as can be found in industry. To fulll its task, Stuxnet's functioning is governed by a very specic scenario. The architecture of the malware is built around several main functionalities that correspond to the different stages in the attack process. The rst stage is not characteristic of Stuxnet, but corresponds to the majority of worms: it is the propagation phase. During this phase, the malware seeks to spread within a given area. the local network.
The second phase corresponds to the attack itself: this is the search for a target.
Stuxnet is a complex piece of malware. Its functioning mode revolves around two main "functions": the propagation of the virus, which is based upon the vulnerabilities inherent in the Windows platform, and the attack on SCADA systems, which is focused on WinCC and PCS...
In the case of Stuxnet, the target is a Siemens WinCC control and monitoring system linked to certain PLCs. If such a system is detected, its behavior is then discreetly impaired. Lastly, the nal phase corresponds to the material consequence of this modication. The undetectable effect discreetly acts on the system in order to slowly destroy it.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[13]
WWW.XMCO.FR
ACTU SCU 27
Exploitation of this vulnerability simply requires a user to open a malicious directory. Exploitation code has already been published within the Metasploit framework. Using this, a pirate only needs to get an Internet user to access an Internet address with Internet Explorer to take control of the remote system. In this proof of concept, the server forces the client to open a shared le using the WebDAV protocol.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![14] strictly prohibited.
WWW.XMCO.FR
After having ofcially acknowledged the security vulnerability by publishing the security alert referenced KB2286198 on 16 July, Microsoft quickly reacted by publishing its bulletin MS 10-046 and the associated patches on 2 August, outside its "Patch Tuesday", which was planned for eight days later, the following 10 August.
ACTU SCU 27
installed on a Windows system, the malware has several functionalities that allow it to work as part of a network. Among these, the malware installs an RPC server that allows it to communicate various items of information with other infected systems present on the LAN.
INFO
Provision of free tools for getting rid of malware, including Stuxnet.
BitDefender and Microsoft have just made free tools available for getting rid of the most currently-fashionable malware. After publishing a tool last month for getting rid of Zeus (see CXA-2010-1211), BitDefender has just published another tool for deleting the Stuxnet malware. As a reminder, the malware was detected for the first time by a company based in Belarus (see CXA-2010-0893), following the discovery of the zero-day LNK security vulnerability affecting all versions of Windows (see CXA-2010-0906). Microsoft has just updated its "malicious software removal tool", which can now deal with the most virulent botnet that is currently known: Zeus/ ZBot. Zeus is malware that is constantly being developed, and which mainly aims to steal banking information. The two tools can be downloaded via the following links: Sutxnet: http://www.malwarecity.com/community/ index.php?app=downloads&showfile=12
Server service Lastly, Stuxnet exploits the old MS08-067 security vulnerability in the server service. This vulnerability, which at the time was massively exploited by Conkerl Downadup, is used here to deposit a le in shared directories of the C$ or Admin$ type. The execution of this le is planned the day following compromise, using the task scheduler. It appears that the shell code used by the malware to carry out these two actions is relatively advanced, in contrast to that which was used by Conker. This security vulnerability was corrected by Microsoft when it published bulletin MS08-067. " " " The exploitation of these various security vulnerabilities allows malware to distribute itself both on a local network and, more widely, on all systems on which users can connect removable storage media. Once
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![15] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
Stuxnet therefore adds a task which calculates the associated CRC32 hash, "manually" changes the le to raise the privileges associated with it, adds a comment eld and lls it with random data to provoke a collision. The task is then executed with the highest privileges. This security vulnerability was corrected by Microsoft when it published bulletin MS10-092, which changed the hash function used. The CRC-32 hash function was replaced by SHA-256. This algorithm is considered secure against collision attacks. There remains an unknown factor. According to Microsoft, these two security vulnerabilities respectively targeted Windows XP and 2000 for the keyboard management, and Windows Vista, 7 and 2008 for the task scheduler. It would appear that the technique used by Stuxnet to install itself on Windows Server 2003 is unknown, or that the malware has excluded this platform from its targets.
Ludo Benoit
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![16] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
proliferation have been added to it by its designers. Among these are functionalities allowing it to spread, hide itself and lastly to update itself. These correspond, overall, to the various functions (21) exported by Stuxnet's main module: Function 1: infect removable media and launch the RPC server; Function 2: intercept the calls to certain functions in order to infect .S7P and .MCP les corresponding to Step7 projects; Function 4: initiate the Stuxnet uninstallation procedure; Function 5: check that the rootkit (the kernel driver MrxCls.sys) is correctly installed; Functions 6 and 7: return the version of Stuxnet installed; Functions 9, 10 and 31 (13?): update the malware from Step7 les Function 14: infect Step7 les; Function 15: point of entry for the system-infection routine; Function 16: infect the system (installation of drivers, DLLs, resources, code injection, etc.); Function 17: replace a Step 7 DLL so as to be able to intercept the calls to certain functions; Function 18: complete uninstallation of the malware; Function 19: infect a USB drive; Function 22: infect remote systems via the local network; Function 24: check the Internet connection; Function 27: RPC server; Function 28: dialogue with the command and control (C&C) server; Function 29: dialogue with the C&C server and execute the code returned; Function 32: RPC server used by the service server to respond to certain RPC calls; Several network functionalities are implemented within the malware. Among these are the RPC client and server. P2P communications and the use of a C&C are mainly used to keep the malware up to date and to recover information. Nevertheless, these could be used to download and install other malware or to exltrate sensitive information stolen from the compromised system.
exakta
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![17] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
#decrypt function on python def decrypt(key, counter, sym): v0 = key * counter v1 = v0 >> 0xb v1 = (v1 ^ v0) * 0x4e35 v2 = v1 & 0xffff v3 = v2 * v2 v4 = v3 >> 0xd v5 = v3 >> 0x17 xorbyte = ((v5 & 0xff) + (v4 & 0xff)) & 0xff xorbyte = xorbyte ^ ((v2 >> 8) & 0xff) xorbyte = xorbyte ^ (v2 & 0xff) return xorbyte ^ sym
This le contains several items of information, such as the list of servers used to check the Internet connection ("www.windowsupdate.com", "www.msn.com"), the list of C&C servers ("www.mypremierfutbol.com", "www.todaysfutbol.com"), the dates and times of activation and deactivation of the worm, after which the worm installs itself automatically using the previouslymentioned functions, the version of the malware, the minimum number of les that a USB drive must contain to be able to be infected using malicious LNK les, and lastly, other ancillary information used for the correct functioning of the worm and its propagation.
Concerning the functioning mode of the C&C servers, an instance of Stuxnet does not exchange plaintext messages with the two previously-mentioned servers. Each of the messages sent over the Internet to the servers is encrypted using a very simple algorithm. This is a simple XOR with the following 31-byte key:
// Encryption char Key[31] = { 0x67, 0xA9, 0x28, 0x90, 0x0D, 0x58, 0xD6, 0xA4, 0x5D, 0xE2, 0x66, 0xC0, 0x4A, 0x57, 0x88, 0x5A, 0xB0, 0x6E, 0x45, 0x56, 0x1A, 0xBD, 0x7C, 0x71, 0x42, 0xE4, 0xC1 };
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![18] strictly prohibited.
WWW.XMCO.FR
// Encryption procedure void EncryptData(char *Buffer, int BufferSize, char *Key) { for (int i = 0 ; i < BufferSize ; i ++) Buffer[i] ^= Key[i % 31]; return; }
ACTU SCU 27
Stuxnet's block of conguration data. Lastly, a speciallydesigned DLL is placed in the multiple sub-directories of the directory "hOmSave7". The infection mechanism is relatively simple. When the project is opened using WinCC Simatic Manager, the DLL placed in the sub-directories of the directory "hOmSave7" is automatically sought. When this is loaded, the library decrypts the protected data and loads the malware's main component into memory to complete the process of infection.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![19] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
1: The pirate manages to infect a USB drive used by a person working on a computer connected to the target information system. 2: The person uses their USB drive within the target information system's LAN. 3: After having infected a Windows workstation, Stuxnet seeks to spread across the LAN. 4: Sutxnet contacts its C&C server. 5: An employee whose USB drive has been contaminated connects to a workstation equipped with WinCC software and belonging to an industrial network. 6: When this contaminated workstation connects to a PLC, Stuxnet deposits the malicious code corresponding to PLC 0 7: The malicious code sends specic orders to the variable frequency drives. 7 bis: The person responsible for supervising the equipment cannot identify the presence of Stuxnet.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![20] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
keyboard layout (Keyboard Layout) (MS10-073) The following exports were observed by Symantec in the older versions of Stuxnet, but have disappeared in the "latest" conversions: Resource 207: Information related to the exploitation of a vulnerability using Autorun.inf. Resource 231: Resource used to check whether the system is connected to the Internet or not.
INFO
Definitions
PLC: Programmable Logic Controller Large-scale remote-control system for the real-time processing of a large number of remote measurements and for remotely controlling technical facilities. It is an industrial technology in the field of instrumentation. A programmable controller is a programmable electronic device for controlling industrial processes by sequential processing. It sends orders towards the preactuators (operative section or operative section on the actuator side) from input data (sensors) (control section or control section on the sensor side), instructions and a computer program.
ensure the persistence of the functionalities previously installed, Stuxnet nevertheless has to profoundly modify the system. This is because it is not possible to inject code into arbitrary processes or to sustainably hide files in the user area without profound modifications to the system ...
To
Data et
Large-scale remote-control system for the real-time processing of a large number of remote measurements and for remotely controlling technical facilities. It is an industrial technology in the field of instrumentation.
Resource 241: "-WTR4141.TMP", DLL used for loading the executable corresponding to resource 221 "WTR4132. TMP" responsible for installing malware (dropper) Resource 242: Driver "Mrxnet.sys" (Rootkit) used to mask the presence of certain les Resource 250: Malicious code used to exploit the security vulnerability present in the management of the
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![21] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
The 16 functions whose behavior is altered correspond to the methods for reading ("s7blk_read"), writing ("s7blk_write"), enumeration ("s7blk_ndrst" and "s7blk_ndnext") and deletion ("s7blk_delete") of the blocks of code present on the PLC. It is by modifying certain key functions of this library that the attackers ensure the sustainability and discretion of their attack. To avoid detection when an operator rst connects to a compromised PLC, the "read" and "enumeration" functions hide certain blocks of code from the operator and only return the original "healthy" code. But not all PLCs are targeted. Stuxnet, using two threads launched by the malicious library, searches for precisely two types of appliance with the references Siemens 6ES7-315-2 and 6ES7-417. The main difference between these two models of controller is the quantity of embedded memory. 256 KB for the series S7-315 against 30 MB for the series S7-417. Module 315 Secondly, in the conguration targeted by the malware, the PLCs of series 300 (6ES7-315-2) must use between one and six Probus CP 342-5 modules to communicate with the systems under their control. Once again, only certain identication numbers are sought. In the case of Stuxnet, these are the Probus identication numbers "7050h" and "9500h". These numbers uniquely identify the models of these items of equipment, which are known as "frequency converter drives" or "variable frequency drives". The corresponding products are the "KFC750V3" manufactured by Fararo Paya based in Teheran in Iran, and the "Vacon NX" from Vacon based in Finland.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![22] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
Subsequently, the system goes into a state machine clearly described by Symantec. The transition between each state is governed by timers, tests or by the end of other tasks. Approximately, the system collects data for a period of between 13 days and three months, before sending falsied data on the communication bus for about 50 min, then returning to the initial state. According to Symantec's study, the system uses DP_RECV to inspect the messages sent by the variable frequency drives, which contains specic information corresponding to the current operating frequency. Lastly, this attack allows a pirate who has successfully injected their malicious code to withdraw the control that the legitimate blocks of code had on the data transmitted during the phase nicknamed "deadfoot" ("DEADF007" in the code). This phase corresponds to 50 min during which the PLC sends semi-arbitrary information to the various variable frequency drives through the Probus modules. The messages sent correspond to frequencies that must be converted into rotation speeds by the variable frequency drives. Furthermore, execution of the legitimate code is prevented using a call to the command BEC (Conditional Block End) instead of letting the execution of the program continue. Without
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![23] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
the pre-recorded data is transmitted to the original logic, while the real data is processed by the malicious code. At the same time, the pirates control the output towards which they send the signals that they wish to send.
Module 417 Another sequence of the malicious code is dedicated to PLCs referenced 6ES7-417. The code composing this sequence is more complex than that which targets PLCs of series 300. This module 417 is broken down into nearly 12,000 lines of STL code, accompanied by 10 blocks of data, partly loaded by the malicious DLL and partly generated dynamically. In the same way as for sequence 315, an injection of code into block OB1 ensures that the added malicious functions are called. Ralph Langner's analysis provides understanding of the role and functioning of this second sequence of code. According to him, the code added by the attackers to the PLC allows an attack that is much more complex than for module 315. This is because the code in question is used to carry out an attack of the "man-inthe-middle" type on the controller itself. In contrast to the previous sequence, for which the principle was based on modifying the results returned using a conditional jump (BEC) to prevent the execution of the original code, the purpose of this code sequence is to intercept the input/output signals to/from the PLC and to supply falsied pre-recorded values to the code in charge of the logic. This trick also allowed falsifying the signals returned upon output to avoid attracting the attention of an operator who may observe dubious signals. As the researcher emphasized, this attack is worthy of a Hollywood scenario in which the spies repeatedly send images to the control room corresponding to what the surveillance cameras should be seeing. In the same way as for code 315, a state machine could follow the progress of attack 417. During a rst phase, the role of the malicious code is to record the values to be subsequently replayed. Several other intermediate states correspond to the offensive phase, during which
intercept the signals going to and from the PLC and to supply pre-recorded falsified values to the code in charge of the logic. This trick can also falsify the signals returned upon output to avoid attracting the attention of an operator who may observe dubious signals.
Nevertheless, the presence of this code is particularly surprising, given that, according to the study by Symantec, it is not functional. This is because the library in charge of copying the malicious code on the PLC does not copy all of the code to allow the attack to function properly. Among other things, the block OB1, which, as previously, corresponds to the main function that is continuously called by the PLC, is not modied to trigger the call to the malicious functions. Furthermore, still according to Symantec, in contrast to the code in attack 315, the STL code in module 417 contains numerous comments and debugging functions that are characteristic of unnished work. However, Langner qualied this assumption. This particularly-large block of code (about 12,000 lines) could not have been designed for nothing (extremely complex code, which would have required signicant resources in time, personnel and technology). Furthermore, certain interactions related to this code were also highlighted in his laboratory. The researcher therefore concluded that, based on the study of the code embedded by Stuxnet, it is difcult to know whether or not it was operational in the attack carried out against Natanz, but that it had been deliberately designed like that. In all cases, module 417 of Stuxnet, just like module 315, seeks a SCADA architecture that meets certain very precise restrictions. These are six assemblies each containing 164 centrifuges. This condition was deduced by Langner from function FC 6069. This is used to store 984 (6 * 164) entries in data block DB 8063.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![24] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
For its part, module 417 does not directly or indirectly target the steam turbines at the plant at Busherh, as Langner originally thought, but targets the system in charge of part of the safety system for the enrichment centre. Among other things, this system would be in charge of emptying a defective centrifuge to avoid an accident leading to its premature destruction. This highlevel security system allows gas to be passed from one centrifuge to another, avoiding accidents and minimizing disruption, while maintaining the production yield. Module 417 is therefore responsible for an assembly of 6 cascades of 164 centrifuges, namely 984.
By manipulating these two controllers in this way, Stuxnet would be capable of simultaneously causing the destruction of IR-1 centrifuges through premature wear and reducing their yield by modifying the theoretical organization and conguration of each of the cascades.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![25] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
Why is Stuxnet considered to be so complex? It uses multiple vulnerabilities and drops its own driver to the system. How can it install its own driver? Stuxnet driver was signed with a certicate stolen from Realtek Semiconductor Corp. Has the stolen certicate been revoked? Yes. VeriSign revoked it on July 16th. A modied variant signed with a certicate stolen from JMicron Technology Corp was found on July 17th. What's the relation between Realtek and Jmicron? Nothing. But these companies have their HQs in the same ofce park in Taiwan which is weird. Did the Stuxnet creators nd their own 0-day vulnerabilities or did they buy them from the black market? We don't know. How expensive would such vulnerabilities be? This varies. A single remote code execution zero-day in a popular version of Windows could go for anything between $50,000 to $500,000. Why was it so slow to analyze Stuxnet in detail? It's unusually complex and unusually big. Stuxnet is over 1.5MB in size. When did Stuxnet start spreading? In June 2009, or maybe even earlier. One of the components has a compile date in January 2009. How long did it take to create Stuxnet? We estimate that it took over 10 man-years to develop Stuxnet. Who could have written Stuxnet? Looking at the nancial and R&D investment required and combining this with the fact that there's no obvious money-making mechanism within Stuxnet, that leaves only two possibilities: a terror group or a nation-state. And we don't believe any terror group would have this kind of resources.
Was it Israel? Egypt? Saudi Arabia? USA? We don't know. Was the target Iran? We don't know.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![26] strictly prohibited.
WWW.XMCO.FR
So was Stuxnet written by a government? That's what it would look like, yes.
ACTU SCU 27
For example, by breaking into a home of an employee, nding his USB sticks and infecting it. Then wait for the employee to take the sticks to work and infect his work computer. What does it do then? It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.
How could the attackers get a trojan like this into a secure facility?
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![27] strictly prohibited.
WWW.XMCO.FR
But Siemens has announced that only 15 factories have been infected. They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and ofce computers that are not connected to SCADA systems.
ACTU SCU 27
Hackin9 (Printer spooler article) http://newsoft.dyndns.org/tech/PrintYourShell.pdf Symantec (Report plus blog) http://www.symantec.com/content/en/us/enterprise/ media/security_response/whitepapers/ w32_stuxnet_dossier.pdf h t t p : / / w w w. s y m a n t e c . c o m / c o n n e c t / b l o g - t a g s / w32stuxnet " OSVDB Microsoft Windows Shell LNK File Parsing Arbitrary Command Execution http://osvdb.org/show/osvdb/66387 Siemens SIMATIC WinCC Default Password http://osvdb.org/show/osvdb/66441 ESET(Report plus blog) h t t p : / / w w w. e s e t . c o m / r e s o u r c e s / w h i t e - p a p e r s / Stuxnet_Under_the_Microscope.pdf http://blog.eset.com/2010/09/23/eset-stuxnet-paper Microsoft Windows on 32-bit win32k.sys Keyboard Layout Loading Local Privilege Escalation http://osvdb.org/show/osvdb/68517 Microsoft Windows Print Spooler Service RPC Impersonation StartDocPrinter Procedure Remote Code Execution http://osvdb.org/show/osvdb/67988 " Microsoft http://www.microsoft.com/technet/security/bulletin/ MS08-067.mspx http://www.microsoft.com/technet/security/bulletin/ MS10-046.mspx http://www.microsoft.com/technet/security/bulletin/ MS10-061.mspx http://www.microsoft.com/technet/security/bulletin/ MS10-073.mspx http://www.microsoft.com/technet/security/bulletin/ MS10-092.mspx " Microsoft Windows on 32-bit Task Scheduler Crafted Application Local Privilege Escalation http://osvdb.org/show/osvdb/68518
"
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![28] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
KEYBOARD LAYOUT
Keyboard Layout and MS10-073: a look at one of the vulnerabilities exploited by Stuxnet
2010 was notable for several Windows vulnerabilities allowing a user to elevate their privileges (Scheduler, KeyboardLayout, NtGdiEnableEUDC and Windows Class). Several exploitation codes were made public. In this article, we are going to study the KeyboardLayout (CVE-2010-2743 MS10-073) vulnerability used by the Stuxnet worm to elevate its privileges under Windows 2000 and XP, and learn how to develop an associated proof of concept.
Jon (xlibber)
Reminder
User permissions under Windows Under Windows, from version NT 3.51, it has been possible to create user accounts with restricted privileges, as well as administrator accounts. These ordinary users have limited permissions. For example, they cannot change certain system parameters, access directories belonging to other users or write into certain directories, such as the sensitive Windows directories. From Windows 1.0 to Windows 98, Microsoft's operating system did not really offer separation between the various users. This was partly due to the fact that Windows was still based on MS-DOS. The version NT 4.0 of Windows, which came out in 1996, was the rst Microsoft operating system to include permissions management on les and directories (ACL) using the NTFS le system. Using these mechanisms, a virus that succeeds in infecting a machine but which executes with the permissions of an ordinary user would have a great deal of difculty in entirely infecting a machine and hiding its presence within the system. Differences between "user-land" and "kernelland" Before going into explanations of the vulnerability, let us remember the difference between the kernel area (kernel-land) and the user area (user-land).
When a processor of the x86 family functions in protected mode, it is capable of isolating the various processes that it executes using a ring mechanism. There are 4 different rings: Rings 0, 1, 2 and 3. Under Windows, only ring 0 and ring 3 are used. The kernel, which is executed in ring 0, has all privileges. It can therefore access any memory space.
* However, a user with administrator permissions can install a driver executing in ring 0, or, using certain APIs, modify the kernel memory zone. For example, under XP, the function NtSystemDebugControl() is used by the debugger Microsoft WinDbg.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[29]
WWW.XMCO.FR
ACTU SCU 27
The kernel provides a large number of system calls for performing numerous different actions. It is generally not advisable to call them directly.
When a program has to carry out certain tasks, it generally uses the APIs supplied by the Windows operating system. Let us take the example of the CreateFile API function, which can create or open a le on the disk.
Table of system calls For example, the Windows CreateFile function will use the system call NtCreateFile. The program therefore passes control to the kernel to create the requested le.
g: continues the execution of the program kn: displays the call stack It is then possible, as an ordinary user, to send data that will be processed in ring 0. So, in order to take control in kernel-land mode (ring 0), a vulnerability must be found within a kernel function or in a driver (hardware drivers are also in ring 0) which allows control to be taken of ring 0 to access this protected memory area, to which access is normally prohibited. The various processes under Windows have a system of tokens corresponding to identities which specify the permissions assigned to each of them. Once ring 0 is controlled, it is possible to modify the token for our application and replace it with a system token (NT/
The program in the user area (ring 3) , will call the CreateFile function that is available in the kernel32.dll library. This library is also present in the user area. This function will perform several processes to check the parameters passed and then, through a system call, will pass control to the kernel.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![30] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
INFO
Keyboard Layout: what is it ?
The Keyboard Layout is a binary file describing the layout of the keys on the keyboard. There is therefore one file per keyboard layout. These files are in the form of libraries (DLL files) and are available in the directory "Windows/ system32/". For example, the French keyboard corresponds to file "kbdfr.dll".
The vulnerability comes from an overow in the table of pointers used in the function xxxKENLSProcs contained in the library win32k.sys. win32k is a library of functions loaded into kernel-land (ring 0) and accessible via system calls, which, among other things, manages various graphical rendering tasks.
Vulnerable code within the function xxxKENLSProcs We can see that the code calls a pointer on the function call _aNLSVKFProc[ecx*4] taking, as a parameter, a value of a byte located at address [eax-83h]. This value corresponds to a table index, which originally contains only 3 entries representing 3 functions (indexed from 0 to 2). Before Microsoft published bulletin MS10-073, no check on its length was made. Consequently, it was then possible to overrun the table
Content of table aNLSVKFProc dds: displays the data in the table and the associated symbols
Keyboard Layout and Stuxnet The vulnerability that we are going to present was exploited by the Stuxnet virus. As a reminder, Stuxnet implemented two zero-day vulnerabilities allowing elevation of privileges on all versions of the Windows operating system (from 2000 to Seven). The KeyboardLayout vulnerability is used by the virus to elevate its privileges under Windows 2000 and XP.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![31] strictly prohibited.
WWW.XMCO.FR
For example, by specifying an index of 5, we can redirect the call to the address Ox60636261 located in the user area, where we may have previously placed our malevolent code (payload). As a reminder, the userland area contains addresses between OxOOOOOOOO and Ox7FFFFFFF. We can therefore allocate memory at the address Ox60636261 and write whatever we want to it. It is important to note that this
ACTU SCU 27
It is normally impossible to load a Keyboard Layout, other than that of the system, as an ordinary user. By looking more closely at this function, we notice that it uses a system call "win32k! NtUserLoadKeyboardLayoutEx" (present in win32k.sys). The prototype for this function is available in the documentation on ReactOS *. The call takes 7 parameters, the rst of which corresponds to a HANDLE.
This value (HANDLE) corresponds to one of the Keyboard Layout les. We can use the Windows API "CreateFile()" function to open our specially-designed Keyboard Layout and recover a valid HANDLE corresponding to our le. In order to check which parameters must be passed to this function, we are going to study how it is called using a Windows debugger. For this, we are going to put breakpoint on the system call "win32k! NtUserLoadKeyboardLayoutEx".
Wade Kelly
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![32] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
1er paramtre
dernier paramtre
g: continue execution of the program dps: display the content of the stack !handle: display the information on the specied handle We can see that the 1st parameter is indeed our HANDLE. The 2nd parameter corresponds to offsets. It is formed of two groups of two bytes, here OxOOOO and Ox1768. The 3rd parameter is a pointer towards a UNICODE_STRING structure representing the name of the Keyboard Layout. We can put an arbitrary value into it. The 4th parameter also represents a HANDLE, but one that is more specic. This is because it represents the keyboard Layout that is currently used. The 5th parameter is again a pointer to a UNICODE_STRING structure representing the ID of the layout. The 6th parameter is a value representing a Keyboard Layout identier. Lastly, the 7th parameter is a ag. Ox82 represents the ags Ox2 (KLF _SU8STITUTE_OK) and Ox8 (KLF _NOTELLSHELL). The system call is not accessible directly. Consequently, we have to use assembler code to make the call. Under
Windows XP, it is possible to pass control to the kernel using the instruction "sysenter". The APIs available in user32.dll and ntdll.dll all use the same method to make this system call under Windows XP. [0] mov eax, XXXh [1] mov edx, 7FFE0300h [2] call dword ptr [edx] [3] retn 1Ch Code for making the syscall [0] eax is used to specify the number of the system call used. The list of system calls is available on the Internet. That of "NtUserLoadKeyboardLayoutEx" is Ox11 C6. [1] We place the address Ox7FFE0300 in the register EDX. At this address, which is xed under Windows XP, is a pointer towards the following assembler instructions for moving to ring 0. mov edx,esp sysenter
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![33] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
the input language associated with the keyboard using the shortcut alt+shift, a new icon with question marks (?) appears as well as the icons "FR" and "EN" corresponding to the two keyboard layouts loaded on our system.
SHIFT+ALT
dd: ok u: disassemble from the given address [2] The call to assembler instructions located at the address referenced by edx (Ox7FFE0300) allows entry into ring 0. [3] Finally, this last assembler instruction resumes execution of the program in ring 3. To be sure that we have a valid Keyboard Layout, we simply copy kbdfr.dll and we attempt to load it. In our exploitation code, we use a function of the "naked" type so as not to be bothered by the assembler prolog (push ebp; mov ebp, esp). Our Keyboard layout is therefore correctly applied. It corresponds exactly to the layout of the French keyboard that was previously loaded. The vulnerability is based on the fact that the 2nd argument passed to NtUserLoadKeyboardLayoutEx represents two offsets, each stored over two bytes. When loading a French keyboard, the default value is Ox1768.
The code corresponding to the _asm block corresponds to the system call used. We are going to use the values recovered from the breakpoint to stay as close as possible to valid values.
Here, hFile is a HANDLE corresponding to our copy of kbdfr.dll. The 2nd argument is an offset pointing to a structure contained in kbdfr.dll. We use the value observed with the debugger, to be sure of having a correct value.
Once the code is executed, it appears that nothing has happened. However, we may notice that when changing
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![34] strictly prohibited.
WWW.XMCO.FR
emdot
ACTU SCU 27
Content of the modied library (DLL) We write both structures directly into our copy of the le kbdfr.dll. Here, we choose to modify a text zone for greater simplicity. It should be noted that it is not necessary for loaded le to be a valid PE binary For example, Stuxnet used a text le containing these two structures and not a full valid Keyboard Layout le. In the 2nd parameter, we pass the offset where the KBONLSTABLES structure is located.
When the keyboard is loaded and the user presses a button, the function xxxKENLSProcs is called. A check is made on a global variable gpKbdNlsTbl. This value represents our offset passed as the 2nd argument when loading the Keyboard layout.
order to be able to reach the vulnerable code xxxKENLSProcs, we are going to modify this value to point towards the structure KBONLSTABLES (see below) added within our malicious kbdfr.dll file.
Here are the two structures to be added to our malicious DLL. These structures are constituted as follows:
In
INFO
Analyse diffrentielle du correctif MS10-073
Microsoft a corrig cette vulnrabilit avec le correctif MS10-073. Pour cela, quelques lignes de codes ont t ajoutes (en rouge) afin de contrler que la valeur de lindex soit infrieure 3.
In order to execute the code present at the address Ox60636261 located at index 5 of table win32k! aNLSVKFProc, the variable NLSFEProcType of the structure VK_F needs to be set to 5. The code corresponding to the Virtual Key (variable Vk) is an arbitrary value that we must reuse later on. We will leave this value at 0 (like stuxnet) for greater simplicity.
All the other variables can be set to 0. pVkToF is a relative virtual address (RVA). Which gives us:
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![35] strictly prohibited.
WWW.XMCO.FR
The variable pVkToF of the structure KBONLSTABLES must point to the structure VK_F. Given that we need a structure VK_F to trigger the vulnerability, we are going to set NumOfVkToF to 1.
ACTU SCU 27
6. Program halt (crash) at address Ox60636261. The exploitation of the vulnerability is successful.
Technical solution for changing the permissions of the current process from the kernel area. Lastly, the nal stage consists of elevating our privileges by using our own payload (shell code) located at the address Ox60636261. For this, it is necessary to allocate memory using the VirtualAlloc() API function, then to place our payload within it. As the address Ox60636261 is located within the user area, this is no problem.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![36] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
The payload will then be executed in the same context as the kernel, namely the 0 ring.
References!
Vupen's analysis h t t p : / / w w w . v u p e n . c o m / b l o g / 20101018.Stuxnet_Win32k_Windows_Kernel_zeroday_Exploit_CVE-2010-2743.php
Our payload must be able to execute the following actions: 1) Browse the processes open on the system. 2) Find a SYSTEM process. 3) Copy the token for this process. 4) Copy this token into our own process.
Our elevation of privileges is now nished. Our process is now running with SYSTEM privileges.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![37] strictly prohibited.
WWW.XMCO.FR
Current news...
What has been happening over the last few weeks within the small world of IT security?
As at the end of each year, Jeremiah Grossman presented the top 10 hacking techniques. Some zero-
CURRENT NEWS
day vulnerabilities discovered within Internet Explorer spoiled Microsoft's Christmas holidays. Lastly, we will return to a
particularly-successful attack on servers hosting the ProFTPD project and we will assess the second edition of GS Days.
Adrien GUINAULT
Sharon Pruitt
Penetration test/attacks: Top 10 techniques of the year 2010 Zero-day vulnerability: Microsoft Internet Explorer import CSS Conference: The GS Days 2010 Attack/Cyber criminality: Zero-day attack on servers hosting the ProFTPD project
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[38]
WWW.XMCO.FR
ACTU SCU 27
Each year since 2006, Jeremiah Grossman has put together the "top 10" new web attacks of the previous year. The process of selection, which applies to the 69 new techniques that were on the list in 2010, has been reviewed. To establish the top 15, Internet users initially voted for their favorite new techniques. Then, a panel of security experts classied this top 15 to obtain the top 10 new web attacks of 2010. Here is a quick summary of the attacks which have marked the year 2010.
http://samy.pl/ Each technique is very interesting, such as the creation of a PNG image from a cookie.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[39]
WWW.XMCO.FR
The codes and the description of the techniques used are available at the following address:
AlaskaTeacher
ACTU SCU 27
Attacking HTTPS with Cache Injection (Elie Bursztein, Baptiste Gourdin, Dan Boneh)
The HTTPS Cache injection attack consists of injecting a JavaScript library within a browser, in order to intercept the data exchanged between the victim and a website based on the HTTPS protocol. According to the author, 43% of the top 10,000 sites use external JavaScript libraries. Consequently, if a pirate compromises a site hosting one of these libraries, it may affect the condentiality of the sites that use this code.
Through some ingenious JavaScript code, Jeremiah showed that this information could easily be disclosed. Different code is offered for the four main browsers, either to write within the cache or to read information. The most interesting of these four proofs of concept concerns Internet Explorer 6 and 7. The JavaScript code that is offered allows the use of the "down" button when a user is on an entry eld. This will automatically show the various proposals contained within the browser. This code will then go into the history and auto-submit the content to a third-party domain controlled by the pirate.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![40] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
The code checks that the token submitted by the user is valid before updating the e-mail address. A legitimate request sent from the HTML form would be as follows:
However, if the victim visits a website which uses an iFrame as follows: < i f r a m e s r c = " h t t p : / / w w w. e x a m p l e . c o m / updateEmail.jsp?email=evil@attackermail.com"> The victim will, without their knowledge, send a POST request as follows:
Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution (Lavakumar Kuppan, Manish Saindane)
ClickJacking attacks already caused considerable comment some time ago. With proof of concept and presentations at Black Hat, the subject has been examined in depth. Lavakumar Kuppan and Manish Saindane presented a technique for bypassing the CSRF protection in place on JSP and ASP.NET applications. An example will illustrate this better than any explanations. Imagine an application which, once authenticated, allows its e-mail address to be updated. To protect itself against CSRF attacks, the developers add a unique token in a hidden eld when the update form is accessed. Consequently, the JSP code will have to process two email elds: one coming from the URL and the other coming from the arguments of the POST request. This dual use is an attack technique called HTTP parameter pollution, which can trap the JSP code that processes the eld received in the URL rst. Therefore, a pirate can use this method to force a connected user to change their e-mail address without their knowledge, while bypassing the anti-CSRF code.
In this case, the page that will process the received data is a JSP page named updateEmail.jsp:
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![41] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
scenario in which a pirate makes a webpage available containing a Java applet capable of carrying out such an attack. The malicious software would be provided to Internet users in the form of a game to attract them and cause them to execute the software. Finally, such an attack would be very difcult to trace, because of the disappearance of the traces. This is because as soon as a user closes the browser or empties the cache, the attack would stop from one of the zombies and no traces would remain on the workstation. Also, the more that this game is used by Internet users, the more the attack would be effective. A full presentation of this attack was given at the OWASP conference. http://www.hybridsec.com/papers/OWASP-UniversalHTTP-DoS.ppt
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![42] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
JavaSnoop http://www.aspectsecurity.com/tools/javasnoop/
References
CERT-XMCO references CXA-2010-1178, CXA-2010-0916, CXA-2010-0502, CXA-2010-1621 http://jeremiahgrossman.blogspot.com/2011/01/top-tenweb-hacking-techniques-of-2010.html
CSS History Hack In Firefox Without JavaScript for Intranet Portscanning http://ha.ckers.org/blog/20100125/css-history-hack-inrefox-without-javascript-for-intranet-portscanning/
Evercookie http://samy.pl/evercookie/
Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution http://blog.andlabs.org/2010/03/bypassing-csrfprotections-with.html Universal XSS in IE8
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![43] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
Daniel Horacio
Microsoft and IE
Microsoft alerted its clients (KB2488013) then, in February, corrected this vulnerability with bulletin MS11-003.
The
INFO
Exploiting an IE vulnerability via an alternative browser.
Billy Rios, the famous security researcher, has just published an article presenting an attack vector that is interesting for exploiting the latest zero-day vulnerability in Internet Explorer. Using an alternative browser and Adobe Reader, it is possible to exploit this vulnerability. The PDF language allows the use of an API method called "app.launchURL ()". This function takes a URL that will be opened by the default browser. Consequently, a malicious PDF opened with an alternative browser such as Firefox would cause a predefined URL to be opened with the default browser (Internet Explorer). The users of this browser are therefore exposed to the exploitation of a vulnerability affecting Internet Explorer.
A proof of concept was put online on the researcher's blog: http://xs-sniper.com/sniperscope/Adobe/ BounceToIE.pdf
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[44]
WWW.XMCO.FR
ACTU SCU 27
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![45] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
Last 30 November, the second edition of GS days took place in the Espace Saint Martin in the very heart of Paris. This conference is a meeting place for two communities that are usually separate: researchers and other technicians on one side and decision-makers on the other. Sixteen conferences took place, covering technical, legal and organizational subjects. They allowed the 260 French-speaking participants to (re)discover numerous aspects related to security. Although all of these conferences were enticing, we had to make a selection. After a breakfast that brought together all participants around the stands belonging to the various partners of the event, Marc Brahmi quickly introduced the event This speech was the occasion to announce, to participants, the date of the third edition of GS Days. This will take place on 10 May 2011, in the Espace Saint Martin.
From legal to technical: putting one finger up to hacking (Diane Mullenex, Legal Practitioner Paul Such, SeRT Philippe Humeau, NBS System)
SCRT and NBS were respectively represented by Paul Suchs and Philippe Humeau. They were accompanied by Diane Mullenex, who is a legal practitioner. They began the day with an opening keynote address entitled "from legal to technical: putting one nger up to hacking!". Unfortunately, this introduction had to be cut short due to lack of time. This plenary session presented several points such as post-incident analysis (the context, the aim, prior questions, submission of a disk before a court and analysis of the memory), and that of catching someone in the act. The speakers, from technical and legal backgrounds, presented the main stages in preparing a legallyadmissible technical case, and the main errors that are easy to make. Even so, the conclusion was given that few cases get as far as trial: currently, most of them are concluded by a privately-negotiated arrangement.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[46]
WWW.XMCO.FR
ACTU SCU 27
malicious code into an NX zone, transform this nonexecutable zone into an executable zone and lastly, to execute the code.
INFO
GS DAYS returns
After the success of the first two editions, GS DAYS will very soon return on 10 May 2011, from 08:30 to 18:00 at the Espace Saint Martin. This third edition following subjects: The security and systems of will address the
industrial
networks
The efficient use of connection data Dualistic use of workstations The call for launched. papers has already been
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![47] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
Internet. Lastly, he ended his conclusion by presenting a "hand-made" circuit for simulating a specic autonomous RFID system, using a roll of toilet paper as an antenna support. The researcher concluded his presentation by stating that speaking of the security of an RFID system could mean anything or nothing. It is important to know what a given system allows to be done, so as not to have a false impression of security.
Telecommuting: the frontier between private and public life (Catherine Duval and Yann Fareau Devoteam)
The following conference was led by Catherine Duval and Yann Fareau. It was entitled "Telecommuting: the frontier between private and public life". Between social, legal and environmental developments, this long appraisal of telecommuting in France gave a complete presentation of the major issues associated with this new way of working. The various components (managerial, legal and practical) were reviewed.
Nicolas will return to the SSTIC with the same subject, doubtless with more material and we hope for some demonstrations!
Saad Irfan
XSSF: demonstrating the danger of XSS (Ludovic Courgnaud and Imad Abounasr - Conix)
The nal technical conference, called "XSSF: demonstrating the danger of XSS" caused quite a reaction in the audience. Firstly, the two consultants from Conix, Ludovic Courgnaud and Imad Abounasr, presented the risks associated with exploitation of vulnerabilities of the XSS type, and the low importance that is still associated with them. Then they spoke of XSSF, a tool specially developed for this. This framework is based on Metasploit. Just like BeeF, it allows control to be taken of systems by exploiting vulnerabilities present in the operating system (e.g.: hcp, LNK), in the web browser, or in its plug-ins, simply by using JavaScript to force a browser to execute certain actions. This stage can control a set of bots that can be used subsequently. For example, pirates could use it as a relay for carrying out attacks. The two consultants showed how easy it was to go from an XSS on the site belonging to Norton/Symantec to the construction of a genuine botnet. The presentation ended by a discussion between consultants and decision-makers on the legality of a French company making the code for a "hacking" tool available.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![48] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
Conclusion
This second edition of GS DAYS was particularly interesting. The conferences were of an excellent level and the days were very well organized. The GS DAYS compare well in relation to other international conferences.
References
Website and information http://www.gsdays.fr/
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![49] strictly prohibited.
WWW.XMCO.FR
ACTU SCU 27
Jeff Keyzer
ATTAQUE PROFTPD
Just giving the FTP command "HELP ACIDBITCHEZ" then allows a pirate to directly obtain a shell and take control of the server.
pirates took advantage of this intrusion to replace the source code of ProFTPd version 1.3.3c, placing a stolen port ...
The rst hypothesis would be the exploitation of a zeroday vulnerability. However, a question remains unanswered, which is why would the pirates have used this vulnerability on the software publishers' servers, with the risk that administrators would discover the vulnerability used, when they could have used it massively on all ProFTPD servers discovered on the Internet?
The
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[50]
WWW.XMCO.FR
ACTU SCU 27
References
CERT-XMCO references CXA-2010-1692, CXA-2010-1680, CXA-2010-1673 http://www.phrack.org/issues.html? issue=67&id=7#article http://xorl.wordpress.com/2010/12/02/news-proftpdowned-and-backdoored/
Neither of these two hypotheses was conrmed and the developers did not wish to reveal more.
Consequences...
Consequently, all versions downloaded between 28 November and 2 December contained malicious code. No gure was communicated on the number of downloads of this version, which was available for 5 days.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![51] strictly prohibited.
WWW.XMCO.FR
Si vous avez un doute, nous vous conseillons fortement If you have any doubts, we strongly advise you to search for the character string ACIDBITCHEZ within the binary for ProFTPD and if necessary download the latest published version (1.3.3d or 1.3rc1 ).
ACTU SCU 27
With
each we
in and
this our
section, Firefox
free
tools,
favorite websites.
For this edition, we have chosen to present two the auditing that are program useful IMA, tools
Wade Kelly
for PCI DSS audits, a blog and our top Twitter profiles.
Adrien GUINAULT
On the agenda for this edition: IMA: Identity Management Auditor, an auditing tool developed by Yannick Hamon, consultant at XMCO. VMware compliance checker: tool for testing VMware environments for PCI DSS certication. The blog m_101: security blog specialized in the presentation of vulnerabilities and solutions to challenges. Top Twitter: a selection of Twitter accounts followed by CERT-XMCO.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[52]
WWW.XMCO.FR
ACTU SCU 27
IMA
Auditing permissions for systems and databases
Description
IMA is a program developed by Yannick Hamon, a consultant at XMCO. It can perform permissions audits on MSSQL, Oracle, Active Directory and Lotus Domino. This tool can quickly identify user proles (administrators, DBA, etc,) and test the robustness of passwords for all accounts.
How many times have you manually connected with Osql to an MSSQL database to extract the hashes, then passed them to John the Ripper? With IMA, one click is sufcient. Whether it is through local authentication or domain authentication, IMA recovers, audits, then reports the results in a directly-usable format (Excel, graph). It has several very useful functions: imports .pot les (John the ripper, export in different formats), Pass-The-Hash, password generators and SQL clients. Let's hope that IMA becomes the reference for security auditors!
Screenshot
http://www.xmco.fr/ima.html IMA has become an essential tool for our security audits. It becomes essential when it is necessary to audit dozens of Oracle and MSSQL databases or to check permissions on an instance of Active Directory. As the tool is developed and maintained in the author's free time, the author apologizes in advance for any potential bugs. Do not hesitate to report them or suggest new functionalities. For us, it is the best freeware of its kind;-)
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[53]
WWW.XMCO.FR
ACTU SCU 27
Vmware Compliance Checker is a very useful tool for auditing Windows systems for PCI DSS audits. It reports the essential security points of a Windows system for reaching the requirements imposed by the PCI DSS 1.2 standard: presence of a personal rewall, unnecessary services, permissions, logs, password policy, etc.
Screenshot
Address
http://www.vmware.com/products/compliance-checker/
XMCO opinion
Combined with a tool such as MBSA for security patches, this tool checks that a Windows system complies with basic security principles.
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[54]
WWW.XMCO.FR
ACTU SCU 27
m_101
Technical blog specialized in the exploitation of vulnerabilities
Description
Let's remain within the spirit of our rather technical article on the exploitation of Windows and Linux security vulnerabilities, with the blog m_101. This blog, written by a student with a keen interest in security, lets you follow and understand the resolution of challenges and the exploitation of vulnerabilities.
Screenshot
Address
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[55]
WWW.XMCO.FR
XMCO opinion
This blog will let you perfect your technical knowledge in highly varied elds, from the exploitation of Windows vulnerabilities to partial solution of challenges.
ACTU SCU 27
Twitter
Selection of Twitter accounts followed by CERT-XMCO
URL Type
Regvulture
http://twitter.com/regvulture
General info
honlinenews
http://twitter.com/honlinenews
Security info
helpnet
http://twitter.com/helpnetsecurity
Security info
hdmoore
http://twitter.com/hdmoore
Metasploit
xanda
http://twitter.com/xanda
Technical
CERT_Polska_en
http://twitter.com/CERT_Polska_en
Security info
schneierblog
http://twitter.com/schneierblog
Security info
taviso
http://twitter.com/taviso
Technical
ivanlef0u
http://twitter.com/ivanlef0u
Technical
msftsecresponse
http://twitter.com/msftsecresponse/
Security info
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[56]
WWW.XMCO.FR
ACTU SCU 27
Acknowledgement s...
Vanessa Lynn
http://www.ickr.com/photos/judeanpeoplesfront/ * Sharon Pruitt (pinksherbet): http://www.ickr.com/photos/pinksherbet/ * Daniel Horacio (dhammza) http://www.ickr.com/photos/dhammza * Saad Irfan (saadirfan) http://www.ickr.com/photos/saadirfan/ * Jeff Keyzer (mightyohm): http://www.ickr.com/photos/mightyohm/ * Vanessa Lynn (vanessa_lynn): http://www.ickr.com/photos/vanessa_lynn/ * BlackburnMike_1 / Mike Blackburn: http://www.ickr.com/photos/mikeblackburn/: * Nick Fisher (cobrasick): http://www.ickr.com/photos/cobrasick/ * The Consumerist: http://www.ickr.com/photos/consumerist// * Shorts and Longs | The Both And (48424574@N07/) http://www.ickr.com/photos/48424574@N07 *AlaskaTeacher (alstonfamily): http://www.ickr.com/photos/alstonfamily/ * Exakta: http://www.ickr.com/photos/exakta/ * Seth Anderson (swanksalot): http://www.ickr.com/photos/swanksalot/3820698076/ sizes/z/in/photostream/ http://www.b12partners.net/wp/
Photos of articles
* Karsten Kneese (karstenkneese): http://www.ickr.com/photos/karstenkneese/ * Trey Ratcliff (stuckincustoms) http://www.ickr.com/photos/stuckincustoms/ * Ludo Benoit (pics_troy): http://www.ickr.com/photos/pics_troy/ * Bjoern Schwarz (bagalute): http://www.ickr.com/people/bagalute/ * Shelly Munkberg (zingersb): http://www.ickr.com/photos/zingersb/ * Stfan Le D (st3f4n): http://www.ickr.com/photos/st3f4n/ * Jon (xlibber): http://www.ickr.com/photos/xlibber/ * Wade Kelly (wader): http://www.ickr.com/photos/wader/ * emdot http://www.ickr.com/photos/emdot/ * Michael LaCalameto (stopthegears): http://www.ickr.com/photos/stopthegears/ * Rob Shenk (rcsj): http://www.ickr.com/photos/rcsj/ * -JvL- (-jlv-): http://www.ickr.com/people/-jvl-/ * Gordon (judeanpeoplesfront):
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[57]
WWW.XMCO.FR
ACTU SCU 27
About ActuScu ActuScu is a digital magazine written and published by the consultants of the XMCO Partners consultancy. Its purpose is to give clear and detailed presentations on IT security in complete independence. All editions of ActuScu can be downloaded from the following address (french and english versions): http://www.xmco.fr/actualite-securite-vulnerabilite-fr.html
About XMCO Partners Founded in 2002 by experts in security and managed by its founders, we work in the form of xed-fee projects with a commitment to achieve results. Intrusion tests, PCI DSS security audits and vulnerability monitoring (CERT-XMCO) are the major areas in which our rm is developing. At the same time, we work with senior management on assignments providing support to heads of information-systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.
Contact XMCO Partners To contact XMCO Partners and obtain information about our business: +33 (0)01 47 34 68 61.
http://www.xmco.fr http://cert.xmco.fr
This document is the property of XMCO Partners. Any reproduction is !!!!!!!!!!!!!!!!! strictly prohibited.
[58]
WWW.XMCO.FR