TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... Frost and Sullivan announced in their Feb. 2007 report, "Analysis of Vulnerability Discovery and Disclosure", that TippingPoint was the fastest growing discoverer of new vulnerabilities and the leader in the discovery of both high-severity and Microsoft vulnerabilities.

Three Letter Acronyms and the Imminent Death of the Net

Years ago, I was much more heavily involved in the network engineering side of the network world. Don't get me wrong, there's still plenty of groveling through packet captures here at TippingPoint's orbiting HQ, but I used to actually design networks and configure routers and do all of the nuts-and-bolts stuff that makes networks run. As a result of this, I know a reasonable amount about various low-level network protocols, including the wonderful, critical, byzantine, and obscure ...


ThreatLinQ: A Brave New World: Legitimate Script Obfuscation

As a filter writer, there is a blurred line between blocking real attacks and Internet annoyances. For example, today's Internet advertisements often use the same obfuscation tactics as attackers in order to avoid scrubbing by content filtering systems. I have been doing some research on Peer-To-Peer (P2P) filters and came across something that illustrates this point very nicely. I came across the following trace that was sent to a server that is on one of my IP watch lists: 0000 ...


MindshaRE: The IDA Pro Book

IDA can be a very intimidating program to use. When starting out, not only are you trying to get comfortable with assembly, but you also must navigate a program with a steep learning curve. IDA's lack of documentation, aside from ida.hlp, compounds this problem, leaving you somewhat insecure in your endeavor. Not anymore. A new book has been published by No Starch Press titled " ...


ThreatLinQ: A tale of two attackers

After my previous blog post last week about MS-SQL brute force attackers, I asked myself the question "who /are/ these guys?" I mean, there are a lot of different attacks out there, why choose this one? So, today I spent a couple of hours trying to answer this question. Specifically, I decided to take the top 25 attackers from filter 463 'Bad MS-SQL SA Login', portscan them with OS detection and some other probes, and then compare them with the top 25 attackers from our 'PHP File in ...


ThreatLinQ: Using Filter Groups - Guilty By Association

This post shows how the "Filter Group" section of the website can be used to find some very interesting events. Let's start by looking at the "Metasploit Shellcode" group, which is more often than not a very good starting point for finding malicious attackers. Not surprisingly, in analyzing ThreatLinQ data we have noticed that shellcode filters fire in tandem with many severe attacks. This makes sens ...


Line Noise

It's that awesome time, unscheduled by conventional schedules, for the blog that everyone loves to power Fridays with. Line Noise! First up, Ali found a paper on someone implementing a sublanguage within Haskell in order to enforce data flow control, for security reasons. Cool in concept, especially if you're a fan of functional programming. Here's a set of new ...


Where are the Apples of Yesteryear?

There was a time, not so long ago, when Apple was the plucky upstart. They weren't the second-largest music retailer in the United States. They didn't hold a virtual monopoly on portable music players, and they didn't capture nearly half of the high-end laptop market. Apple was, instead, a geek's company. They were open and friendly, flexible and more than a little quirky. Sure, the fact that large portions of their code are open source is great, and certainly something of which ...


MindshaRE: Fixing Functions

IDA's function identification has always frustrated me. I could never understand why seemingly undefined functions weren't discovered during analysis. Recently, while attending RECon, I got my answer. While Ilfak, the creator of IDA, was giving a talk he explained why. He always errs on the side of caution, meaning that unless he is 100% positive about a function he will leave it up to the user to fix. This isn't such a bad philosophy, unless you are dealing with hundred-megabyte binaries. Regardle ...


Blackmail, Extortion or same old game?

My heart skipped at least two beats today when I opened a Google Alert and read the headline "Researcher Blackmails Sun, Nokia", followed by a very brief description including not much more than a reference to the Zero Day Initiative. In a panic I read the ZDNet article and then checked out the Security Explorations website, carefully poring over their FAQs ...


ThreatLinQ: Spotlight on Filter 1401 (MS-SQL: Login Failure)

One of the cool things about the new ThreatLinQ tool is that we get to see TippingPoint filters which have been shipping for years still protecting customers. Today, I'd like to point out one of those filters in particular: Filter 1401 - MS-SQL: Login Failure. This filter does not ship enabled by default (generally speaking, login failures are entirely non-malicious), but if configured properly, this filter can be very useful for blocking brute force attacks. To illustrat ...


MindshaRE: Arithmetic in Assembly

In a previous MindshaRE we looked at loops in assembly. I feel writing chunks of code in C and then disassembling them is an important bridge between higher level languages and assembly when you first start reversing. This allows you to quickly recognize patterns and translate those back into their higher level representation. Doing this is imperative to understanding a binary when reversing. So today we will do a short followup, and look at arithmetic in assembly. ...


ThreatLinQ: Movers and Shakers

Here we are looking at a filter that recently made the ThreatLinQ "Movers and Shakers" list, namely filter 1401 "MS-SQL: Login Failure." We began watching this filter around 7-20-08 and it seems that it was just in time. On 7-21-08 we saw a sharp increase in filter hits, and the majority of these hits are unique destination IP addresses, which is denoted by the blue bar. This pattern is often indicative of brut ...
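The two posts above about filter 1401 (Spotlight on Filter 1401 and Movers and Shakers) describe the same idea from two angles: a single login failure is benign, but many failures from one source in a short window is brute forcing, and a source whose hits spread across many distinct destination IPs is scanning rather than attacking one server. The following is an added example, not TippingPoint code or ThreatLinQ logic: it runs that threshold-and-spread check over a handful of constructed event lines. The log format (timestamp, filter ID, source, destination), the threshold and the window are assumptions chosen for the illustration.

```python
"""Threshold detection for MS-SQL login-failure events (filter 1401).

Added example, not TippingPoint's code. The IPS filter fires once per failed
login; the brute-force signal is how many of those fire per source within a
time window, and how many distinct destinations that source touches.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_FILTER = "1401"  # MS-SQL: Login Failure (filter number from the post)

# Constructed sample events: "<ISO timestamp> <filter-id> <src-ip> <dst-ip>".
# 10.0.0.5 fails six logins in five seconds against six hosts (a scanner),
# 10.0.0.7 fails five logins spread over eight minutes against one host,
# 10.0.0.9 fails twice, minutes apart (a typo'd password).
SAMPLE_EVENTS = """\
2008-07-21T10:00:01 1401 10.0.0.5 192.0.2.10
2008-07-21T10:00:02 1401 10.0.0.5 192.0.2.11
2008-07-21T10:00:03 1401 10.0.0.5 192.0.2.12
2008-07-21T10:00:04 1401 10.0.0.5 192.0.2.13
2008-07-21T10:00:05 1401 10.0.0.5 192.0.2.14
2008-07-21T10:00:06 1401 10.0.0.5 192.0.2.15
2008-07-21T10:00:00 1401 10.0.0.7 192.0.2.20
2008-07-21T10:02:00 1401 10.0.0.7 192.0.2.20
2008-07-21T10:04:00 1401 10.0.0.7 192.0.2.20
2008-07-21T10:06:00 1401 10.0.0.7 192.0.2.20
2008-07-21T10:08:00 1401 10.0.0.7 192.0.2.20
2008-07-21T10:00:10 1401 10.0.0.9 192.0.2.10
2008-07-21T10:05:00 1401 10.0.0.9 192.0.2.10
2008-07-21T10:00:07 463 10.0.0.5 192.0.2.15
"""


def parse_events(text):
    """Parse event lines into (timestamp, filter_id, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, fid, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), fid, src, dst))
    return events


def find_brute_forcers(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: (peak_failures_in_window, unique_destinations)} for every
    source whose filter-1401 hits reach `threshold` inside any `window`.

    A flagged source with unique_destinations > 1 is sweeping many servers
    (the "mostly unique destination IPs" pattern from the post); one with a
    single destination is hammering one server.
    """
    hits_by_src = defaultdict(list)
    for ts, fid, src, dst in events:
        if fid == FAILURE_FILTER:  # other filters (e.g. 463) are not counted here
            hits_by_src[src].append((ts, dst))

    flagged = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        times = [t for t, _ in hits]
        peak, start = 0, 0
        # Sliding window: advance `start` until the window fits, then measure.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = (peak, len({d for _, d in hits}))
    return flagged


if __name__ == "__main__":
    for src, (peak, dsts) in find_brute_forcers(parse_events(SAMPLE_EVENTS)).items():
        kind = "scanner" if dsts > 1 else "single-target brute force"
        print(f"{src}: {peak} failures in window, {dsts} destination(s) -> {kind}")
```

With the default one-minute window only 10.0.0.5 is flagged; widening the window to ten minutes also catches the slow 10.0.0.7, which is exactly the trade-off the post alludes to when it says the filter is only useful for blocking "if configured properly": the threshold and window decide whether a mistyped password gets a host blocked.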


ThreatLinQ: Javascript Bad Juju

The game of obfuscating code, especially JavaScript, has been going on for a while. The attackers are coming up with simple and ingenious ways to evade "string"-based detection. One of our sensors caught this clever technique for evading string-based detection of ActiveX CLSIDs. With hundreds of ActiveX vulnerabilities out there, it is very common to see massive exploitation of them. Here is a cool trick we saw in action:<script>start();function z_sa(o,p, ...


ThreatLinQ: Bad to the Bone

If you've gone to any security conference over the last year, you surely have heard that threats on the Internet are moving from general purpose, noisy attacks to highly targeted attacks designed to only attack YOU...personally. Now that the ThreatLinQ program is up and running, it is satisfying to notice that many attackers are not only performing their attacks on multiple hosts, they commonly use many different attack vectors and payloads. Take this IP address for instance: 89.156 ...


ThreatLinQ: ThreatLinQ Launch By DVLabs

TippingPoint DVLabs announced the availability of the "ThreatLinQ" Beta portal to all our customers today. The ThreatLinQ portal provides TippingPoint customers with the latest information on the global attack landscape. The information is an excellent source of background information, as well as actionable data for consideration in configuration of the IPS. We will also be posting summaries of our findings and analysis regularly via this blog. W ...


MindshaRE: Anti-Reversing Techniques

Anti-reversing tricks have been around for a long time. They most commonly occur in malware or spyware applications. However, in recent times more applications are incorporating them into their code. This might be to thwart reversing of intellectual property, or perhaps modification of the binary at run time. So today we take a quick look at some of the most common categories anti-reversing techniques fall into, and a few examples from each type. MindshaRE is o ...