[SecurityRatty] tag: static

Serializable XmlDocument

Mon, 18 Aug 2008 22:58:00 +0000

It's surprising that XmlDocument isn't marked [Serializable], because it's very natural to serialize one into a stream. I wanted to put an object into ASP.NET ViewState the other day, and quickly ran into this roadblock, because part of the object included an XmlDocument, which is not serializable. A quick search revealed that most people deal with this problem by storing a string instead. Indeed, that was where I started, but I quickly realized that there are multiple places in my code where I want to do this sort of thing, and I don't want to have to mess with it in each data structure that contains an XmlDocument.

So I put together a simple class that holds an XmlDocument and implements ISerializable and called it SerializableXmlDocument. I'm sharing the source code here in the hopes that

a) somebody will find it useful, and

b) somebody smarter than I am will point out how I screwed it up and help me make it better.

SerializableXmlDocument includes implicit conversion operators to make it easy to convert to/from an XmlDocument. It holds the actual document in a property called Value. This "isomorph" pattern is one that I picked up from Craig.

While writing this code, I also wrote a helpful extension method for getting a byte array out of a MemoryStream that is exactly the length of the data written to the stream so far (CopyUpToSeekPointer). So don't go looking in the docs for MemoryStream for this method :) This is obviously not the most efficient way to consume bytes written to a MemoryStream since it copies the data into a new byte array, but it's very convenient in many scenarios.

Here is SerializableXmlDocument.cs:

using System;
using System.Runtime.Serialization;
using System.Xml;
using System.IO;

namespace Pluralsight.Samples
{
    [Serializable]
    public class SerializableXmlDocument : ISerializable
    {
        public SerializableXmlDocument() { }
        public SerializableXmlDocument(XmlDocument value)
        {
            this.Value = value;
        }

        public XmlDocument Value { get; set; }

        #region ISerializable implementation
        public SerializableXmlDocument(SerializationInfo info,
                                       StreamingContext context)
        {
            byte[] serializedData = (byte[])info.GetValue("doc",
                typeof(byte[]));
            if (null != serializedData)
                this.Value = Deserialize(serializedData);
        }

        public void GetObjectData(SerializationInfo info,
                                  StreamingContext context)
        {
            byte[] serializedData = null;
            if (null != Value)
                serializedData = Serialize(Value);
            info.AddValue("doc", serializedData);
        }
        #endregion

        #region implicit conversion to/from XmlDocument
        public static implicit operator SerializableXmlDocument(
            XmlDocument doc)
        {
            return new SerializableXmlDocument(doc);
        }
        public static implicit operator XmlDocument(
            SerializableXmlDocument sdoc)
        {
            return sdoc.Value;
        }
        #endregion

        #region Xml serialization helper methods
        private static byte[] Serialize(XmlDocument doc)
        {
            MemoryStream stream = new MemoryStream();
            doc.Save(stream);
            return stream.CopyUpToSeekPointer();
        }
        private static XmlDocument Deserialize(byte[] serializedData)
        {
            XmlDocument doc = new XmlDocument();
            doc.Load(new MemoryStream(serializedData, false));
            return doc;
        }
        #endregion
    }
}

...and here's the CopyUpToSeekPointer extension method for MemoryStream:

using System;
using System.IO;

namespace Pluralsight.Samples
{
    public static class MemoryStreamExtensionMethods
    {
        public static byte[] CopyUpToSeekPointer(
            this MemoryStream stream)
        {
            // copy only the part of the buffer
            // that contains the serialized document
            long length = stream.Position;
            byte[] buffer = stream.GetBuffer();
            byte[] result = new byte[length];
            for (int i = 0; i < length; ++i)
                result[i] = buffer[i];
            return result;
        }
    }
}

...and here's a sample object that uses SerializableXmlDocument:

using System;

namespace Pluralsight.Samples
{
    [Serializable]
    public class Item
    {
        public string Name { get; set; }
        public SerializableXmlDocument Data { get; set; }

        public void Print()
        {
            Console.WriteLine("Name: {0}", Name);
            Console.WriteLine(Data.Value.OuterXml);
        }
    }
}

...and here's a sample program that creates an instance of Item, serializes it, then deserializes it, printing diagnostics along the way to show that it's working properly.

using System;
using System.Xml;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using Pluralsight.Samples;

class DemoProgram
{
    static void Main(string[] args)
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml("text");

        Item item = new Item
        {
            Name = "Testing 123",
            Data = doc,
        };

        // print object before serialization
        item.Print();

        BinaryFormatter formatter = new BinaryFormatter();
        MemoryStream stream = new MemoryStream();
        formatter.Serialize(stream, item);

        byte[] serializedItem = stream.CopyUpToSeekPointer();

        Console.WriteLine("Serialized data (base64): {0}",
            Convert.ToBase64String(serializedItem));

        item = (Item)formatter.Deserialize(
            new MemoryStream(serializedItem, false));

        // print object after deserialization
        item.Print();
    }
}

Here's the output of the previous sample program:

Flame away!

Two-way formatted data binding in ASP.NET

Fri, 15 Aug 2008 16:22:37 +0000

Two way data binding in ASP.NET is easy, just use the Bind expression and data will flow between your web controls and your data source flawlessly. Until that is, you try to use a format string:

Bind("AmountCharged", "{0:C}")

While this displays just as you'd expect (e.g., $200), it doesn't do so well when you submit an edit that includes the same value ($200):

Input string was not in a correct format.

I searched around and didn't find much in the way of a clean solution, but I did solve the problem with just a few lines of code. The trick is to handle the data-bound control's Updating event. Since I was working with a GridView, my solution looked a bit like this:

<asp:GridView DataSourceID='myDataSource'
              OnRowUpdating='FixFormatting'
              AutoGenerateColumns='false'
              CellPadding="3" ...>

Notice the OnRowUpdating handler that I've installed in my grid view. That code looks like this:

protected void FixFormatting(object sender, GridViewUpdateEventArgs args)
{
    decimal amountPaid = ParseDecimal((string)args.NewValues["AmountPaid"]);
    args.NewValues["AmountPaid"] = amountPaid;
}

When you handle this event, you're given a dictionary of old and new values, which appear to come directly from the controls (in my case, a TextBox was used to gather the updated data AmountPaid, so the type of object that I found in NewValues["AmountPaid"] was a string. I wrote a little helper method called ParseDecimal that parses a string into a decimal value, allowing currency characters, decimal points, and thousands separators. I also allowed a blank value to indicate zero:

public static decimal ParseDecimal(string value)
{
    if (string.IsNullOrEmpty(value))
        return 0;
    return Decimal.Parse(value,
        NumberStyles.AllowThousands |
        NumberStyles.AllowDecimalPoint |
        NumberStyles.AllowCurrencySymbol,
        CultureInfo.InstalledUICulture);
}

This solved the problem quite nicely. Now two-way binding works with formatted data.

The Russia vs Georgia Cyber Attack

Mon, 11 Aug 2008 15:35:55 +0000

Last month's lone gunman DDoS attack against Georgia President's web site seemed like a signal shot for the cyber siege to come a week later. Here's the complete coverage of the coordination phrase, the execution and the actual impact of the cyber attack so far - "Coordinated Russia vs Georgia cyber attack in progress" :

"Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations), and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth. With the attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak of DDoS attack and the actual defacements started taking place as of Friday."

Some of the tactics used :
distributing a static list of targets, eliminate centralized coordination of the attack, engaging the average internet users, empower them with DoS tools; distributing lists of remotely SQL injectable Georgian sites; abusing public lists of email addresses of Georgian politicians for spamming and targeted attacks; destroy the adversary’s ability to communicate using the usual channels -- Georgia's most popular hacking portal is under DDoS attack from Russian hackers.

Some of the parked domains acting as command and control servers for one of the botnets at 79.135.167.22 :
emultrix .org
yandexshit .com
ad.yandexshit .com
a-nahui-vse-zaebalo-v-pizdu .com
killgay .com
ns1.guagaga .net
ns2.guagaga .net
ohueli .net
pizdos .net
googlecomaolcomyahoocomaboutcom.net

Actual command and control locations :
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/
prosto.pizdos .net/_lol/

Consider going through the complete coverage of what's been happening during the weeked. Considering the combination of tactics used, unless the conflict gets solved, more attacks will definitely take place during the week.

Compromised Web Servers Serving Fake Flash Players

Tue, 05 Aug 2008 10:50:04 +0000

The tactic of abusing web servers whose vulnerable web applications allow a malicious attacker to locally host a malicious campaign is nothing new. In fact, malicious attackers have been building so much confidence in this risk-forwarding process of hosting their campaigns, that they would start actively spamming the links residing within low-profile legitimate sites across the web.

This campaign serving fake flash players is getting so prevalent these days due to the multiple spamming approaches used, that it's hard not to notice it - and expose it. From a strategic perspective, having a legitimate low-profile site -- of course with the obvious exceptions being on purposely registered for malicious purposes within the participating sites -- hosting your malicious campaign is pretty creative in terms of forwarding the responsibility, and the eventual blocking of a legitimate site to the its owner. As far as the owner's are concerned, it appears that some of them are already seeing the malware page popping-up on the top of their daily traffic stats, and have taken measures to remove it.

Moreover, Adobe's Product Security Incident Response Team (PSIRT) issued a warning notice about the attack yesterday, which could come handy if the attackers weren't taking advantage of client-side vulnerabilities, putting the unware end user is a situation where he wouldn't even receive a download dialog :

"We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."

The structure of the malware campaign is pretty static, with several exceptions where they also take advange of client-side vulnerabilities (Real player exploit) attempting to automatically deliver the fake flash update or player depending on the campaign. On each and every site, there are dnd.js and master.js scripts shich serve the rogue download window, and another .html file, where an IFRAME attempts to access the traffic management command and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list of participating URLs, most of which are still active and running :

joseantoniobaltanas .com

automoviliaria .es/hotnews.html
risasnc .it/fresh.html
carpe-diem .com.mx/fresh.html
kotilogullari .com.tr/hotnews.html
ferrariclubpesaro .it/hotnews.html
imobiliariacom .com.br/default.html
misoares .com
osniehus .de/fresh.html
mydirecttube .com/1/5098/
madosma .com/default.html
tutotic .com/checkit.html
veit-team .si/default.html
antigewaltkurse .de/stream.html
kwhgs .ca/topnews.html
vorgo .com/stream.html
ankaraspor .com.tr/default.html
xxxdnn0314 .locaweb.com.br/watchit.html
ossuzio .com/watchit.html
cit-inc .net/default.html
negocioindependiente .biz/default.html
ambermarketing .com/topnews.html
web27 .login-7.loginserver.ch/stream.html
moretewebdesign .br-web.com/stream.html
omdconsulting .es/topnews.html
parapendiolestreghe .it/hotnews.html
campodifiori .it/topnews.html
212.50.55.81 /stream.html
logisigns .net/fresh.html
intimaescorts .com/default.html
ghioautotre .it/live.html
geckert .de/stream.html
yuricardinali .com/watchit.html
retder .com/fresh.html
valdaran .es/default.html
getadultaccess .com/movie/?aff=5274
bauelemente-giering .de/stream.html
newyork-hebergement .com/watchit.html
allevatoritrotto .it/live.html
exoss2 .com/hotnews.html
soundandlightkaraoke .com/stream.html
land-kan .com/stream.html
grimaldi.nexenservices .com/watchit.html
inconstancia .com.br/watchit.html
gretelstudio .com/stream.html
sumacyl .com/watchit.html
mysna .net/fresh.html
gimnasioyx .com.ar/watchit.html
lagalbana .com/watchit.html
bielizna.tgory .pl/topnews.html
bcs92.imingo .net/stream.html
lapiramidecoslada .es/topnews.html
raulortega .com/stream.html
go-art-morelli .de/hotnews.html
wowhard.baewha .ac.kr/watchit.html
dianagraf .es/default.html
komma10-thueringen .de/hotnews.html
miavassilev .com/stream.html
swampgiants .com/watchit.html
compagniedephalsbourg .com/fresh.html
arla-rc .net/hotnews.html
salacopernico .es/watchit.html
drfinster .de/checkit.html
healthylifehypnotherapy .com/stream.html
ecotrike-bg .com/fresh.html
paoepalavra .org/watchit.html
jureplaninc-sp .com/topnews.html
fichte-lintfort .de/default.html
hergert-band .de/checkit.html
izliyorum .org/topnews.html
lideka .com/stream.html
athena-digitaldesign .com.tw/hotnews.html
e-paso .pl/stream.html
colombeblanche .org/stream.html
teatromalasa .es/watchit.html
mesporte.digiweb.com .br/stream.html
bistrodavila.com .br/watchit.html
hausfeld-solar .de/topnews.html
nakedinbed.co .uk/topnews.html
csr.imb .br/stream.html
herion-architekten .de/default.html
jbhumet .com/default.html
gruppouni .com/hotnews.html
francex .net/fresh.html
galvatoledo .com/topnews.html
cmeedilizia .eu/topnews.html
kroenert .name/default.html
textilhogarnovadecor .com/topnews.html
keithcrook .com/stream.html
elpatiodejesusmaria .com/checkit.html
neticon .pl/hotnews.html
malerbetrieb-pelzer .de/hotnews.html
easterstreet .de/fresh.html
piogiovannini .com.ar/watchit.html
ser-all .com/topnews.html
petzold-dieter .de/checkit.html
beatmung-brandenburg .de/checkit.html
ossuzio .com/watchit.html
teatromalasa .es/watchit.html
vuelosultimahora .com/topnews.html
zelenaratolest .cz/pornotube/index1.htm
ambulatoriovirtuale .it/topnews.html
10a3 .ru/index1.php
izliyorum .org/topnews.html
collectedthoughts .co.uk/index12.html
afg .es/topnews.html
albertruiz .net/topnews.html
bielizna.tgory .pl/topnews.html
blueseven.com .br/topnews.html
bollettinogiuridicosanitario .it/topnews.html
caprilchamonix.com .br/topnews.html
carlolongarini .it/topnews.html
champimousse .com/topnews.html
cheviot.org .nz/topnews.html
contrapie .com/topnews.html
gruppouni .com/topnews.html
hausfeld-solar .de/topnews.html
herbatele .com/topnews.html
houseincostaricaforsale .com/topnews.html
alim.co .il/topnews.html
allevatoritrotto .it/topnews.html
amafe .org/topnews.html
ambulatoriovirtuale .it/topnews.html
atelier-de-loulou .fr/topnews.html
automoviliaria .es/topnews.html
autoreserve .fr/topnews.html
izliyorum .org/topnews.html
jureplaninc-sp .com/topnews.html
kwhgs .ca/topnews.html
lapiramidecoslada .es/topnews.html
last-minute-reisen-4u .de/topnews.html
marcadina .fr/topnews.html
maremax .it/topnews.html
corradiproject .info/topnews.html
dantealighieriasturias .es/topnews.html
deliriuslaspalmas .com/topnews.html
ecchoppers .co.za/topnews.html
elianacaminada .net/topnews.html
fonavistas .com/topnews.html
fraemma .com/topnews.html
fundmyira .com/topnews.html
galvatoledo .com/topnews.html
grafisch-ontwerpburo .nl/topnews.html
markmaverick .com/topnews.html
micela .info/topnews.html
motoclubnosvamos .com/topnews.html
nebottorrella .com/topnews.html
negozistore .it/topnews.html
neticon .pl/topnews.html
norbert-leifheit.gmxhome .de/topnews.html
segelclub-honau .de/topnews.html
snmobilya .com/topnews.html
splashcor .com.br/topnews.html
stephanmager .gmxhome.de/topnews.html
svcanvas .com/topnews.html
tautau.web .simplesnet.pt/topnews.html
textilhogarnovadecor .com/topnews.html
theflorist4u .com/topnews.html
thewindsorhotel .it/topnews.html
vuelosultimahora .com/topnews.html
aliarzani .de/topnews.html
ambermarketing .com/topnews.html
arnold82.gmxhome .de/topnews.html
ocoartefatos.com .br/topnews.html
omdconsulting .es/topnews.html
parapendiolestreghe .it/topnews.html
positive-begegnungen .de/topnews.html
projetsoft .net/topnews.html
rbc.gmxhome .de/topnews.html
beatmung-sachsen .eu/topnews.html
campodifiori .it/topnews.html
clickjava .net/topnews.html
cmeedilizia .eu/topnews.html
dammer .info/topnews.html
embedded-silicon .de/topnews.html
ferrariclubpesaro .it/topnews.html
fgwiese .de/topnews.html
fswash.site .br.com/topnews.html
fytema .es/topnews.html
gildas-saliou. com/topnews.html
go-art-morelli .de/topnews.html
go-siegmund .de/topnews.html
guerrero-tuning .com/topnews.html
gut-barbarastein .de/topnews.html
japansec .com/topnews.html
komma10-thueringen .de/topnews.html
koon-design .de/topnews.html
lanz-volldiesel .de/topnews.html
lauscher-staat .de/topnews.html
losnaranjos.com .es/topnews.html
medical-service-krause .de/topnews.html
nakedinbed.co .uk/topnews.html
nepi.si/topnews .html
radieschenhein. de/topnews.html
residenceflora .it/topnews.html
sabuha .de/topnews.html
ser-all .com/topnews.html
siemieniewicz .de/topnews.html
viajesk .es/topnews.html
allevatoritrotto .it/live.html
bollettinogiuridicosanitario .it/live.html
carlolongarini .it/topnews.html
maremax .it/topnews.html
negozistore .it/topnews.html
parapendiolestreghe .it/live.html
www.donlisander .it/stream.html
aerogenesis .net/watchit.html
allevatoritrotto .it/live.html
atelier-de-loulou .fr/topnews.html
bistrodavila.com .br/watchit.html
bollettinogiuridicosanitario .it/live.html
caprilchamonix.com .br/topnews.html
cheviot.org .nz/live.html
condorautocenter .com.br/watchit.html
dantealighieriasturias .es/live.html
ecchoppers .co.za/topnews.html
elianacaminada .net/live.html
fonavistas .com/topnews.html
fundmyira .com/topnews.html
g6esporte .com.br/stream.html
grafisch-ontwerpburo .nl/topnews.html
gretelstudio .com/stream.html
gutierrezymoralo .com/watchit.html
healthylifehypnotherapy .com/stream.html
herbatele .com/live.html
jureplaninc-sp .com/topnews.html
lacomercialsrl .com.ar/stream.html
lagalbana .com/watchit.html
lapuertaestrecha .com.es/watchit.html
marcadina .fr/topnews.html
maremax .it/topnews.html
myadultcube .com/flash//aff=5176
myadultcube .com/flash//aff=5810
myadultcube .com/movie//aff=5155
newyork-hebergement .com/watchit.html
norbert-leifheit.gmxhome .de/topnews.html
omdconsulting .es/topnews.html
oyakatakent46537 .com/stream.html
parapendiolestreghe .it/live.html
regesh. co.il/watchit.html
rikkeroenneberg .dk/watchit.html
s215847279 .onlinehome.fr/stream.html
salacopernico .es/watchit.html
seekzones .com/watchit.html
seicomsl .es/watchit.html
sigma-lux .ro/watchit.html
soundandlightkaraoke .com/stream.html
stephanmager.gmxhome .de/topnews.html
tartuinstituut .ca/watchit.html
teatromalasa .es/watchit.html
vuelosultimahora .com/topnews.html
wowhard.baewha .ac.kr/watchit.html
aliarzani .de/topnews.html
ambermarketing. com/live.html
bilbondo .com/watchit.html
bollettinogiuridicosanitario .it/live.html
colombeblanche .org/stream.html
donlisander .it/stream.html
fgwiese .de/topnews.html
geckert .de/stream.html
helene-taucher .de/watchit.html
lanz-volldiesel .de/topnews.html
mairie-margnylescompiegne .fr/watchit.html
medical-service-krause .de/topnews.html
nakedinbed.co .uk/topnews.html
ossuzio .com/watchit.html
piogiovannini .com.ar/watchit.html
sabuha .de/topnews.html
sumacyl .com/watchit.html
swampgiants .com/watchit.html
xn--glland-3ya .de/stream.html
yuricardinali .com/watchit.html
nepi .si/topnews.html
dammer .info/topnews.html
atelier-de-loulou .fr/topnews.html
galvatoledo .com/topnews.html
allevatoritrotto .it/topnews.html
hausfeld-solar .de/topnews.html
micela .info/topnews.html
bistrodavila .com.br/watchit.html
hausfeld-solar .de/topnews.html
csr.imb .br/stream.html
herion-architekten .de/default.html
gruppouni .com/hotnews.html
galvatoledo .com/topnews.html
kroenert .name/default.html
keithcrook .com/stream.html
elpatiodejesusmaria .com/checkit.html
malerbetrieb-pelzer .de/hotnews.html
dantealighieriasturias .es/topnews.html
oyakatakent46537 .com/stream.html
89.19.29 .13/stream.html
slobodandjakovic .com/fresh.html
cqcs.com .br/stream.html
seekzones .com/watchit.html
pascosa .it/stream.html
caprilchamonix .com.br/topnews.html
positive-begegnungen .de/topnews.html
ferien-urlaub-lastminute .de/default.html
mueggelpark .info/watchit.html
hillner-online .de/fresh.html
guiasaojose .net/default.html
deliriuslaspalmas .com/topnews.html
fraemma .com/topnews.html
morsbaby .net/default.html
vickywhite .com/fresh.html
micela .info/topnews.html
corradiproject .info/topnews.html
liguehavraise .com/live.html
capacitacaoemlideranca .com.br/fresh.html
materialesyacabados .com.mx/stream.html
208.112.7.68 /checkit.html
152.10.1.37 /1.html
carlolongarini .it/topnews.html
splashcor.com .br/topnews.html
lobpreisstrasse .org/1.html
motoclubnosvamos .com/hotnews.html
hk-rc.com /1.html
taaf.re /stream.html
dulceysalao .com/default.html
amafe .org/topnews.html

Sample detection rate : flashupdate.exe
Scanners Result: 35/36 (97.23%)
Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4

The downloader then "phones back home" at 72.9.98.234 port 443 which is responding to the rogue security software AntiSpy Spider (antispyspider.net) :

"AntiSpy Spider is a cutting-edge anti-spyware solution.This revolutionary anti-spyware program was created by the industry's top spyware experts in order to protect your computer and your privacy.html, while ensuring optimal system performance.With the ability to locate, eliminate and prevent the widest range of spyware threats, AntispyStorm is able to offer its users a safe, spyware-free computing experience; and with it's convenient automatic update feature, AntispyStorm ensures continuous up-to-date protection."

Sample detection rate : antispyspider.msi
Scanners Result: 11/35 (31.43%)
FraudTool.Win32.AntiSpySpider.b;
File size: 1851904 bytes
MD5...: 2f1389e445f65e8a9c1a648b42a23827
SHA1..: e32aa6aa791e98fe6fdef451bd3b8a45bad0acd8

The bottom line - over a thousand domains are participating, with many other apparently joining the party proportionally with the web site owner's actions to get rid of the malware campaign hosted on their servers.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

Better exception reporting in ASP.NET part 2

Mon, 04 Aug 2008 10:11:14 +0000

This is the third post in a series.

The first post described the problem: ASP.NET wasn't reporting inner exception stack traces.

The second post described my solution.

This post shows the code I used to solve the problem: a custom email provider for the Health Monitoring system in ASP.NET. Enjoy!

Here's the provider. Note that I opted *not* to build a buffering provider to keep things simple:

public class MyMailWebEventProvider : WebEventProvider
{
    string to;
    string from;
    string subjectPrefix;

    public override void Initialize(string name,
        NameValueCollection config)
    {
        base.Initialize(name, config);

        to = GetAndRemoveStringAttribute(config, "to", true);
        from = GetAndRemoveStringAttribute(config, "from", true);
        subjectPrefix = GetAndRemoveStringAttribute(config,
            "subjectPrefix", false);
    }
    public override void ProcessEvent(WebBaseEvent raisedEvent)
    {
        SendMail(raisedEvent);
    }

    private void SendMail(WebBaseEvent raisedEvent)
    {
        string subject = ComputeEmailSubject(raisedEvent);
        string body = ComputeEmailBody(raisedEvent);

        MailMessage msg = new MailMessage(from, to, subject, body);
        new SmtpClient().Send(msg);
    }

    private string ComputeEmailBody(WebBaseEvent raisedEvent)
    {
        WebRequestErrorEvent errorEvent =
            raisedEvent as WebRequestErrorEvent;
        if (null != errorEvent)
            return ErrorEventFormattingHelper.FormatRequestErrorEvent(errorEvent);
        else return raisedEvent.ToString();
    }

    private string ComputeEmailSubject(WebBaseEvent raisedEvent)
    {
        StringBuilder subjectBuilder = new StringBuilder();

        // surface some details in subject about error events
        WebBaseErrorEvent errorEvent = raisedEvent as WebBaseErrorEvent;
        if (null != errorEvent)
        {
            Exception unhandledException = errorEvent.ErrorException;

            // drill through reflection exceptions to show the root cause
            TargetInvocationException invocationException =
                unhandledException as TargetInvocationException;
            if (null != invocationException)
            {
                Exception innerException =
                    DrillIntoTargetInvocationException(invocationException);
                subjectBuilder.AppendFormat("{0}",
                    (innerException ?? invocationException).GetType().Name);
                if (null != innerException)
                    subjectBuilder.Append(" (via reflection)");
            }
            else subjectBuilder.Append(unhandledException.GetType().Name);
        }

        // if we've not got anything better
        // just show the event type in the subject
        if (0 == subjectBuilder.Length)
            subjectBuilder.AppendFormat("Event type: {0}",
                raisedEvent.GetType().Name);

        if (!string.IsNullOrEmpty(subjectPrefix)) {
            subjectBuilder.Insert(0, ' ');
            subjectBuilder.Insert(0, subjectPrefix);
        }
        return subjectBuilder.ToString();
    }

    /// 
    /// Reflection often hides exception details, so we try to drill down
    /// through the plumbing exceptions to find a likely cause
    /// 
    private Exception DrillIntoTargetInvocationException(
        TargetInvocationException outerException)
    {
        Exception innerException = outerException.InnerException;
        TargetInvocationException innerInvocationException =
            innerException as TargetInvocationException;
        if (null != innerInvocationException)
            return DrillIntoTargetInvocationException(innerInvocationException);
        else if (null != innerException)
            return innerException;
        else return null;
    }

    private static string GetAndRemoveStringAttribute(NameValueCollection config,
        string attributeName, bool required)
    {
        string value = config.Get(attributeName);
        if (required && string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException(string.Format(
                "Expected attribute {0}, which is missing or empty.",
                attributeName));
        config.Remove(attributeName);
        return value;
    }

    public override void Flush()
    {
        // nothing to do - this is not a buffering provider
    }

    public override void Shutdown()
    {
        // nothing to do here either
    }
}

Here's a helper class that formats the error messages the way I want to see them. Note that I've omitted some fields that I personally didn't care about, and I've reordered things a bit, so you might want to tweak this if you're going to use it in your own system.

internal static class ErrorEventFormattingHelper
{
    internal static string FormatRequestErrorEvent(
        WebRequestErrorEvent errorEvent)
    {
        CustomEventFormatter formatter = 
            new CustomEventFormatter();

        formatter.AppendLine(string.Format(
            "Unhandled Exception in {0}:",
            WebBaseEvent.ApplicationInformation
            .ApplicationVirtualPath));
        formatter.Indent();
        EmitExceptionAtAGlance(formatter, 
            errorEvent.ErrorException);
        formatter.RevertIndent();

        formatter.AppendLine();
        formatter.AppendLine("Exception stack trace(s):");
        EmitExceptionStackTrace(formatter, 
            errorEvent.ErrorException);

        formatter.AppendLine();
        formatter.AppendLine("Event information:");
        formatter.Indent();
        EmitEventInfo(formatter, errorEvent);
        formatter.RevertIndent();

        formatter.AppendLine();
        formatter.AppendLine("Application information:");
        formatter.Indent();
        EmitApplicationInfo(formatter, 
            WebBaseEvent.ApplicationInformation);
        formatter.RevertIndent();

        formatter.AppendLine();
        formatter.AppendLine("Process/thread information:");
        formatter.Indent();
        EmitProcessInfo(formatter, 
            errorEvent.ProcessInformation);
        formatter.RevertIndent();

        formatter.AppendLine();
        formatter.AppendLine("Request information:");
        formatter.Indent();
        EmitRequestInfo(formatter, 
            errorEvent.RequestInformation);
        formatter.RevertIndent();

        return formatter.ToString();
    }

    private static void EmitEventInfo(
        CustomEventFormatter formatter,
        WebBaseEvent theEvent)
    {
        formatter.AppendLine(string.Format(
            "Event code: {0}",
            theEvent.EventCode.ToString(
            CultureInfo.InvariantCulture)));
        formatter.AppendLine(string.Format(
            "Event message: {0}", 
            theEvent.Message));
        formatter.AppendLine(string.Format(
            "Event time: {0}", 
            theEvent.EventTime.ToString(
            CultureInfo.InvariantCulture)));
        formatter.AppendLine(string.Format(
            "Event ID: {0}", 
            theEvent.EventID.ToString("N", 
            CultureInfo.InvariantCulture)));
    }

    private static void EmitApplicationInfo(
        CustomEventFormatter formatter, 
        WebApplicationInformation appInfo)
    {
        formatter.AppendLine(string.Format(
            "Application domain: {0}", 
            appInfo.ApplicationDomain));
        formatter.AppendLine(string.Format(
            "Application Virtual Path: {0}", 
            appInfo.ApplicationVirtualPath));
        formatter.AppendLine(string.Format(
            "Application Physical Path: {0}", 
            appInfo.ApplicationPath));
    }

    private static void EmitProcessInfo(
        CustomEventFormatter formatter, 
        WebProcessInformation webProcessInfo)
    {
        formatter.AppendLine(string.Format(
            "Process ID: {0}", 
            webProcessInfo.ProcessID.ToString(
            CultureInfo.InvariantCulture)));
        formatter.AppendLine(string.Format(
            "Process name: {0}", 
            webProcessInfo.ProcessName));
        formatter.AppendLine(string.Format(
            "Account name: {0}", 
            webProcessInfo.AccountName));
    }

    private static void EmitRequestInfo(
        CustomEventFormatter formatter, 
        WebRequestInformation webRequestInfo)
    {
        string name = null;
        if (webRequestInfo.Principal != null)
            name = webRequestInfo.Principal.Identity.Name;

        formatter.AppendLine(string.Format(
            "Request URL: {0}", 
            webRequestInfo.RequestUrl));
        formatter.AppendLine(string.Format(
            "Request path: {0}", 
            webRequestInfo.RequestPath));
        formatter.AppendLine(string.Format(
            "User name: {0}", 
            name ?? "[ANONYMOUS]"));
        formatter.AppendLine(string.Format(
            "User host address: {0}", 
            webRequestInfo.UserHostAddress));
    }

    private static void EmitExceptionAtAGlance(
        CustomEventFormatter formatter, 
        Exception exception)
    {
        formatter.AppendLine(string.Format(
            "Type: {0}", 
            exception.GetType().Name));
        formatter.AppendLine(string.Format(
            "Message: {0}", 
            exception.Message));
        if (null != exception.InnerException)
        {
            formatter.Indent();
            formatter.AppendLine("-->Inner Exception");
            EmitExceptionAtAGlance(formatter, 
                exception.InnerException);
            formatter.RevertIndent();
        }
    }

    private static void EmitExceptionStackTrace(
        CustomEventFormatter formatter, Exception exception)
    {
        formatter.AppendLine(exception.StackTrace);

        if (null != exception.InnerException)
        {
            // no point indenting
            // since stack traces typically wrap like crazy
            formatter.AppendLine();
            formatter.AppendLine("-->Inner exception stack trace:");
            EmitExceptionStackTrace(formatter, exception.InnerException);
        }
    }
}

And finally, here's a helper class that manages indentation levels for the output email message:

public class CustomEventFormatter
{
    const int TabSpaces = 4;

    StringBuilder sb = new StringBuilder();
    private int indentLevel;
    private bool startingNewLine = true;

    public void Indent()
    {
        ++indentLevel;
    }

    public void RevertIndent()
    {
        if (indentLevel > 0)
            --indentLevel;
    }

    public void Append(string text)
    {
        if (startingNewLine)
            EmitIndent();
        sb.Append(text);
        startingNewLine = false;
    }

    public void AppendLine(string lineOfText)
    {
        if (startingNewLine)
            EmitIndent();
        EmitIndent();
        sb.AppendLine(lineOfText);
        startingNewLine = true;
    }

    private void EmitIndent()
    {
        sb.Append(' ', TabSpaces * indentLevel);
    }

    public void AppendLine()
    {
        AppendLine(string.Empty);
    }

    public override string ToString()
    {
        return sb.ToString();
    }
}

Build this into a library application and reference it in your config file. Here's an example:

<healthMonitoring>
  <providers>
    <add name="mailWebEventProvider"
         type="MyMailWebEventProvider"
         to="web-fault@fabrikam.com"
         from="website@fabrikam.com"
         buffer="false"
         subjectPrefix="[WEB-ERROR]"
       />
  providers>
  <rules>
    <add name="All Errors Email"
         eventName="All Errors"
         provider="mailWebEventProvider"
         profile="Default"
         minInstances="1"
         maxLimit="Infinite"
         minInterval="00:01:00"
         custom=""/>
  rules>
healthMonitoring>

SANS Webcast: Security for Web Services and SOA

Mon, 04 Aug 2008 07:29:54 +0000

Last week I did a SANS webcast with Jacob West from Fortify on Web Services and SOA Security issues. I also did another SANS Webcast on Web services security way back in 2005. I went back and looked at the 2005 slides and its really scary how the issues are still there. Again we see developers making hellacious progress and security treading water (in a moving stream). From 2005:

Many (most?) classic Information Security mechanisms are not as relevant in securing Web Services:

Firewalls:SSL

SSL

Session based access control

Policies & mechanism domains are blurred by integration and decoupling

Lack of end to end visibility

I realize that security is a system level issue and it takes a long time to change things at that level, but what's more concerning to me is that the typical infosec mindset remains the same. Should we be surprised by rampant phishing and fraud? I am frankly surprised the numbers are so low given the opportunities that the attackers have via the glacial pace of security improvements. Its been three years since that list and I could write the same exact one today for SOAP, REST, SOA, Web 2.0 whatever. Maybe the main reason, beyond failure of imagination, why infosec is so far behind developers is that infosec lacks tools. Developers automate everything possible. Security doesn't. The most promising thing about static analysis is not the ability to find everything, its the ability to find many important things in an automated way. Infosec needs to stop giving people fish and teaching people to fish. Look at Fortify's vulncat site which has a Taxonomy of Coding Errors. Fortify's Seven (plus one) pernicious kingdoms are:

Input Validation and Representation
API Abuse
Security Features
Time and State
Errors
Code Quality
Encapsulation
*. Environment

These vulns are then integrated to find security bugs in a variety of frameworks - Axis, Axis2, Websphere and .Net. The tools give security people a richer understanding about the actual state of security in their web services, the ability to communicate and debate design improvement tradeoffs with developers, and cogent advice on how to address the issues.

It would be fantastic if the list of security issues in 2011 is different from the one 2005 that we are still stuck with.

Simulating Email in .NET

Fri, 01 Aug 2008 09:59:01 +0000

I use email as a notification mechanism a lot, and often in class I'll demo sending email via a technique that I use frequently when developing code. It allows you to simulate sending an email message.

The trick to doing this is not to hardcode things like host, port, etc. for your SMTP server when you use System.Net.Mail to send mail. Instead, use the default ctor for SmtpClient as I've done in the code below.

static void Main(string[] args)
{
    // note the use of the MailAddress class
    // this allows me to specify display names as well as email addresses
    MailAddress from = new MailAddress("admin@fabrikam.com", "Fabrikam Website");
    MailAddress to = new MailAddress("mari@fabrikam.com", "Mari Joyce");

    MailMessage msg = new MailMessage(from, to);
    msg.Subject  = "Testing 123";
    msg.Body = "This is only a test!";

    // note use of default ctor
    // this looks in config to figure out how to send mail
    new SmtpClient().Send(msg);
}

.csharpcode, .csharpcode pre { font-size: small; color: black; font-family: consolas, "Courier New", courier, monospace; background-color: #ffffff; /*white-space: pre;*/ } .csharpcode pre { margin: 0em; } .csharpcode .rem { color: #008000; } .csharpcode .kwrd { color: #0000ff; } .csharpcode .str { color: #006080; } .csharpcode .op { color: #0000c0; } .csharpcode .preproc { color: #cc6633; } .csharpcode .asp { background-color: #ffff00; } .csharpcode .html { color: #800000; } .csharpcode .attr { color: #ff0000; } .csharpcode .alt { background-color: #f4f4f4; width: 100%; margin: 0em; } .csharpcode .lnum { color: #606060; }

What you're telling .NET by using the default ctor for SmtpClient is, "please use my config file to figure out how to send mail". Now you can use the system.net/mailSettings/smtp section in config to specify the details of your mail server, and all of the code in your app that is written to use the default SmtpClient ctor will inherit these settings. Here's an example of what the config on a production server might look like (if you put passwords in your config files, be sure to encrypt those sections):

<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network">
        <network host="mail.fabrikam.com"
                 port="25"
                 userName="WebsiteMailAccount"
                 password="whatever"/>
      smtp>
    mailSettings>
  system.net>
configuration>

During development, I use different settings because I don't usually want to deal with the hassle of installing an SMTP server on my development box. Instead, I want email messages delivered as individual files in a directory on my hard drive (I always have a c:\mail directory on my development box for just this purpose):

<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="SpecifiedPickupDirectory">
        <specifiedPickupDirectory pickupDirectoryLocation="c:\mail"/>
      smtp>
    mailSettings>
  system.net>
configuration>

Now when I run the program above, I get a .EML file in my c:\mail directory:

Outlook Express is normally registered as the viewer for .EML files, so double-click the file to view it:

If you've never seen this method of simulating email before, I hope you find it as useful as I have. Happy coding!

Silver Bullet Talks with Adam Shostack

Thu, 31 Jul 2008 09:30:21 +0000

Gary McGraw interviews Adam Shostack. Shostack is a member of Microsoft's Secure Development Lifecycle Team. He's worked for Zero Knowledge as Most Evil Genius and Reflective where, as CTO, he focused on static analysis for software security. Shostack recently coauthored The New School of Information Security with Andrew Stewart.

"Walking" with the SDL - Part 1

Fri, 18 Jul 2008 12:55:00 +0000

Jeremy Dallman here. Back in March I wrote a post about “Crawling” Toward SDL. I used the imagery of learning to “crawl, walk and run” as a way to provide some basic starting points that would move your organization toward implementing a version of Microsoft’s Security Development Lifecycle (SDL).

In this series I am going to talk about “Walking” with the SDL. Walking is the point where your security development practices become a lifecycle – a repeatable, mostly reusable process that makes security a part of your development culture. To relate the analogy to SDL a bit more closely, think of crawling as the “SD” in SDL. For this post, we’ll talk about walking – or adding the “L” in SDL.

I will be covering quite a bit on this topic, so I intend to split it up in to a multi-part series over a few days. I’ll condense it all into one big doc at the end. In Part One, I will review “crawling” and the foundation you need to have in place as well as discuss getting management approval. In Part Two we’ll cover the topic of expanding your security training. In the additional posts, we’ll discuss formalizing requirements, reusing threat modeling and attack surface review data, the importance of final security reviews, and managing post-release documentation. All of these are components to “walking” with the SDL.

Before I jump into detailing what you can do to “walk” with the SDL, let’s look back at a snapshot of what you should already have in place from learning to “crawl.” At a high level, crawling involved three components. Each of these components requires specific activities or tools that your team must implement to begin developing secure code:

1. Detailed awareness of your architecture and its attack surface.

a. Threat Modeling

2. Tools that will perform security analysis on your application.

a. Strengthen compiler defenses

b. Use code analysis or static analysis tools such as PREfast, FxCop, AppVerif

c. Build a strong fuzz testing capability

3. Results that show how the analysis resulted in improved security

a. Response planning and response process in place

b. Use bugs to gather evidence and show that your work improved security

Think of these pieces as the “gross motor skills” you need to start walking. You should already be using these components and have reached a conscious decision to start building a lifecycle around your secure development practices. As you start figuring out how to “walk”, I want to point out that each of the concepts I discuss in this post is a critical component of the Microsoft Security Development Lifecycle. Adopting the SDL in your company involves a combination of integrating the existing SDL principles and the creating of unique requirements and components specific to your environment to build your own Security Development Lifecycle.

With that in place, let’s start talking about what it means to “Walk with SDL.”

Obtain Management Approval/Endorsement

Creating a Security Development Lifecycle will cost time and money. In addition, it will likely require some process changes. In most organizations, this change will not happen unless you obtain the management approval and endorsement necessary to compel the organization to act.

The key to successfully pitching SDL to your management can be found in the data you have been accumulating during the “crawl” phase. As you may recall from my crawling post, the simplest way to create evidence that clearly illustrates improved application security is to “mine” the data from your bug database. Connecting those bugs to known security vulnerabilities or to what would have been bad security issues that were avoided by fixing them in development is a powerful story. Of course your pitch should include other necessary components like anticipated costs, new software acquisition, possible vendor and consulting contracts and anticipated return on investment.

However, the heart of your argument will be the story you tell. The story is quite simply “If we hadn’t done this basic work in security, here is what we would have missed and how much it would have hurt…” followed by “if we continue to expand our security practices and make them a part of our process, we can better predict measurable security improvements that reduce the likelihood of future risks.”

The new SDL website [http://www.microsoft.com/sdl] provides some valuable reference material on the Business Case for SDL. I would recommend that looking through that information for some good supporting material. In Part Two, I will discuss expanding your security training as another component of “walking” with SDL.

I’d like to hear if anyone is using the concept of “crawling” and “walking” to implement SDL in your company.

? What unique challenges are you facing as you try to push for SDL adoption?

? What have you used to successfully communicate the importance of security to your management?

Are Stolen Credit Card Details Getting Cheaper?

Tue, 15 Jul 2008 11:36:12 +0000

What is shaping the prices of stolen credit card details? The investments the cybercriminals or real life scammers ( through credit card cloning or ATM skimming) put into the process of obtaining the details, or can we even talk about investments being made where an experienced scammer has just purchased 1GB of raw credit cards data from a novice botnet master who isn't really aware of the actual value of his "botnet output"?

Depends on which economic theory you believe in, or whether or not you'll take the "bottom-up approach" or the "top-down" one. And since I'm not aware of the existence of "the invisible hand of the underground market" and centralized power to increase the supply or decrease it to boost prices for the stolen credit card details, also indicating the existence of underground cartels putting everyone in a "price taker" position.

The basics of demand and supply for anything underground will always apply unless of course, The more they want, the cheaper it gets, the less they want, the higher the price on per credit card basis gets, since the investment on behalf of the malicious party that originally stolen them is virtually the same, and he can theoretically break-even in every single case since the credit card details were obtained efficiently. It's up to the seller to follow or entirely ignore economic behavior, and do what they feel like doing with this good which must on the other hand reach its market liquidity as soon as possible, else it becomes obsolete. The current market model can be further explained as a good example of competitive equilibrium :

"Competitive market equilibrium is the traditional concept of economic equilibrium, appropriate for the analysis of commodity markets with flexible prices and many traders, and serving as the benchmark of efficiency in economic analysis. It relies crucially on the assumption of a competitive environment where each trader decides upon a quantity that is so small compared to the total quantity traded in the market that their individual transactions have no influence on the prices."

This can be easily explained in a single sentence - it's a mess and every participant is doing whatever they want to, so generalizing on the prices charged for stolen credit card numbers would be unrealistic, since it's the price a single seller with no real impact on the "average" market price for the same good. As for the average market price itself, it would be hard to measure it depending on the quality of the sample you want to rely on, since this is a type of market where sellers don't have to report price changes in their goods for the purpose of statistical research.

A recently released report by Finjan, with whom I've been on the same page of several high profile incidents so far, touches this very same topic :

"Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says. Researchers for Finjan, a Web security firm, said the high volumes traded had led to bank and credit card information becoming "commoditized" - account details with PIN codes that once fetched $100 or more each might now go for $10 or $20. In its latest quarterly survey of Web trends, the California-based company said cybercrime had evolved into "a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world."

Excluding the presence of price discrimination for a while, as well as open topic offers in the lines of "how much for X amount of Y?" answered as "how much are you willing to pay?", it's all a matter of the seller in a particular situation.

Furthermore, in real-life market there's always the scarcity problem, however, in the underground market there's no shortage of resources despite the ever growing wants of the buyers. Generalizing even more, take for instance the butterfly effect of a price change in petrol, and result of which is inevitable increase of prices in every single aspect of your life, but in the underground market mostly due to the malicious economies of scale achieved, a price increase in renting a botnet would have no effect in the prices charged for the stolen credit card details obtained through the infected hosts. How come? Basically, the price and resources for malware infection are prone to decrease, if we take a malware infected host as a static foundation for the basis of any upcoming cybercrime activities using it.

Perhaps the most disturbing part is that the market for stolen credit card details is so mature, and its entry barriers so low these days, that the confidential data that cannot be efficiently obtained through real-life means like credit card cloning or ATM skimming on a large scale, is now purchased online for the purpose of abusing it in real-life by embedding the valid information into plastic cards.