TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... Frost and Sullivan announced in their Feb. 2007 report, "Analysis of Vulnerability Discovery and Disclosure", that TippingPoint was the fastest growing discoverer of new vulnerabilities and the leader in the discovery of both high-severity and Microsoft vulnerabilities.

Pwn2Own Pre-Game

In case you weren't aware, Aaron Portnoy and I launched our training last year at REcon in Montreal. We had a great time and got some awesome feedback and suggestions. Since then we have revamped some of the material and added a new target (new bugs).


2011: The Year in Review

As the calendar year draws to a close we want to take the opportunity to disseminate some of the data that the Zero Day Initiative (ZDI) has acquired through the vulnerability purchasing program, reflect upon the state of (coordinated) disclosure and highlight some of the upcoming endeavors the team will be involved in. 2011 has been another record-breaking year for the program, with 350 researcher advisories and 14 internal advisories published thus far. 2012 promises to be another busy year for ZDI, as the team already has more than 160 upcoming advisories in the queue.


Using Pastebin for Malicious Sample Collection

Services like Malware Domain List, Virus Watch and MalC0de are great for finding URLs of malicious content that may be interesting to collect, and they provide us with a great deal of information that we use for further analysis. There are times when I am looking for specific samples and these services can't be used; that's when I turn to ...


Shellcode Detection Using Python

DVLabs has been collecting a large number of documents and files that are flagged as malicious, and we're trying to reduce the number that require a full manual analysis. One of the methods we're using to aid in this is shellcode detection. If shellcode is detected inside the document we can reduce the amount of data we have to look at inside the file to find the attack. The majority of our code is in Python, so shellcode detection using a Python module is preferable. ...
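The post above only states the goal (find shellcode so the analyst can jump straight to the interesting bytes); it does not say which Python module DVLabs used. The following is an added example, not the DVLabs code, showing the simplest form of the idea: scan a file for a handful of well-known x86 shellcode idioms (call/pop and fnstenv GetPC stubs, a PEB lookup via fs:[0x30], a NOP sled) and report the offsets where several of them cluster. The regexes, the window size and the sample buffer are all this example's own choices; the sample is constructed, not taken from a real document.

```python
"""Heuristic x86 shellcode locator for triaging suspicious files (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Byte idioms commonly found in x86 position-independent shellcode. These are
# heuristics for triage: a hit marks a region worth a closer look, it does not
# prove the buffer is shellcode (random binary data will occasionally match).
IDIOMS: Dict[str, "re.Pattern[bytes]"] = {
    # call $+5 ; pop r32                    -> classic GetPC sequence
    "getpc_call_pop": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),
    # fldz ; fnstenv [esp-0xc] ; pop r32    -> FPU-based GetPC used by many decoders
    "getpc_fnstenv": re.compile(rb"\xd9\xee\xd9\x74\x24\xf4[\x58-\x5f]"),
    # mov eax, fs:[0x30] / mov r32, fs:[0x30] -> PEB lookup to locate kernel32
    "peb_lookup": re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"),
    # 16 or more consecutive NOPs           -> sled
    "nop_sled": re.compile(rb"\x90{16,}"),
}


def find_idioms(data: bytes) -> List[Tuple[int, int, str]]:
    """Return (start, end, idiom_name) for every idiom match, sorted by offset."""
    hits = []
    for name, pattern in IDIOMS.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), m.end(), name))
    return sorted(hits)


def suspicious_regions(data: bytes, window: int = 512,
                       min_idioms: int = 2) -> List[Tuple[int, int, Set[str]]]:
    """Cluster idiom hits that lie within `window` bytes of each other and return
    (start, end, idiom_names) for clusters with at least `min_idioms` distinct
    idioms. Requiring more than one idiom per region removes most of the false
    positives a lone NOP run or a stray E8 00 00 00 00 would otherwise produce.
    The returned ranges are what an analyst would open first in a hex editor."""
    regions: List[List] = []
    for start, end, name in find_idioms(data):
        if regions and start - regions[-1][1] <= window:
            regions[-1][1] = max(regions[-1][1], end)
            regions[-1][2].add(name)
        else:
            regions.append([start, end, {name}])
    return [(s, e, names) for s, e, names in regions if len(names) >= min_idioms]


# Constructed sample (not a real document): benign text, then a NOP sled, a
# call/pop GetPC stub, a PEB lookup and the first step of the Ldr walk.
SAMPLE = (
    b"%PDF-1.4 ... benign stream content ..." * 8
    + b"\x90" * 32
    + b"\xe8\x00\x00\x00\x00\x5b"   # call $+5 ; pop ebx
    + b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[0x30]
    + b"\x8b\x40\x0c"               # mov eax, [eax+0xc]  (PEB->Ldr)
    + b"A" * 64
)

# Constructed control buffer: every byte value, but no shellcode idioms.
BENIGN = bytes(range(256)) * 4


if __name__ == "__main__":
    for start, end, names in suspicious_regions(SAMPLE):
        print(f"candidate shellcode at 0x{start:x}-0x{end:x}: {sorted(names)}")
    print("benign regions:", suspicious_regions(BENIGN))
```

In practice you would run `suspicious_regions` over every decoded stream of a document rather than the raw file, since exploit authors routinely hide the payload behind FlateDecode or a JavaScript string that is only assembled at run time; the idiom table is also 32-bit x86 only and would need separate entries for x64 or ARM payloads.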


Malicious Content Harvesting with Python, WebKit, and Scapy

Harvesting malicious files and websites isn’t a difficult task these days when you have sites like MalwareDomainList, jsunpack.jeek.org, etc. that allow pulling a list of URLs that have been reported as malicious or suspicious. What is more difficult, and most important to us, is obtaining a complete picture of the actions that a malicious site is trying to perform. Tools like cURL, wget, etc. only retrieve an unrendered version of the page ...


Honeypotting the Cloud

What’s the cloud good for? One of the challenges facing DVLabs today is obtaining complete network data from attacking and compromised hosts on non-customer networks. To solve this problem, a honeypot infrastructure with instances running in various cloud infrastructures was created, allowing passive collection of information about suspicious hosts and comparison of attacks across geographic regions in a wide-open netw ...


Ekoparty - Texas BBQ vs Argentine Asado

It all started in 2010 at an asado at Core's headquarters in Buenos Aires. Logan, a native Texan, made the offhand comment: "It's cute y'all like to play with BBQ". Now, if you're not familiar, asado is a huge part of the culture in Argentina. This alcohol-induced comment wasn't taken lightly, and thus a challenge was born. Flash forward to 2011 and the Texas BBQ vs Argen ...


MindshaRE: Hooking ReadFile and MapViewOfFile for Vulnerability Analysis

The Problem: As Aaron mentioned in another MindshaRE, here at ZDI we often get submissions containing only a fuzzed file without any analysis. When analysing those cases it is often useful to know exactly when our vulnerable program reads the bytes that have been changed in the file. This can be done using the hooking technique Aaron described earlier. The Solution: Most read functions available in Windows will ...


MindshaRE: Debugging via Code Injection with Python

Update: Peter was kind enough to whip up some legit web 2.0-ish graphing with some IDAPython to visualize the read() function referenced in this blog post. Check it out here (it's draggable, and stuff). Quite often at the ZDI we receive submissions that go something like this: "When ...


REcon 2011 Training: Bug Hunting and Analysis 0x65

As Recon 2011 in Montreal (July 8-10) is fast approaching we wanted to let ZDI researchers know there is a training being offered by two of the ZDI team members: Bug Hunting and Analysis 0x65. Some of the case studies offered on day 2 of the training will be submissions that were patched and disclosed through the ZDI.


MindshaRE: Extending IDA with Custom Viewers

Anyone who utilizes IDA Pro is very likely familiar with the concept of subviews, the window panes that give a reverser the ability to view and query many characteristics of a binary stored in IDA's database. The default views available in IDA are great for displaying generic characteristics of any disassembled object. However, as is quite often the case, one may wish to collect data about an application (or otherwise) that may be more specifically targeted. For example, we often find ou ...


BlackHole Exploit Kit

BlackHole exploit kit is yet another in an ongoing wave of attack toolkits flooding the underground market. The kit first appeared on the crimeware market in September of 2010 and ever since then has quickly been gaining market share over its vast number of competitors. In fact, many antivirus vendors now claim that this is one of the most prevalent exploit kits used in the wild. Even Malware Domain List is showing quite a few domains infected with the BlackHole exploit kit. So what is it that makes this attack toolkit stand out above the rest?


Cloud Security: Amazon's EC2 serves up 'certified pre-owned' server images

Cloud computing has quickly evolved from a hot industry buzzword into a multi-billion dollar emerging market, with all the big names striving to grab a piece of the pie. Amazon, with its Amazon Elastic Compute Cloud (EC2), is arguably the dominant leader of the cloud services market. Even the video streaming giant Netflix moved its operations into Amazon's EC2, opting out of building out its own data centers. With such a high growth technology sector ...


Hammer of the Botgods: A New Variant of the ZeuS Botnet May Be Upon Us

Professionalism in the Underground: It’s no secret to those who study illicit (shadow) economies that things change rapidly in order to meet supply and demand. Profit (regardless of how you define it) remains supreme; loss the enemy. This is true in all markets, legal or illegal, with cybercriminal markets being no exception. Take botnets for example. ...


Has Sapphire ‘Slammed’ Itself Out of Existence?

Word on the Street: The Worm Is Dead. So the word on the street is that the worm is dead. Not any old worm mind you, but the worm, the Sapphi ...


DoS and DDoS Yesterday and Today

Over the course of the last six months we at HP DVLabs have received numerous requests for advice, consultation and protection against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It should come as no surprise to anyone watching the current events of the day that DoS and DDoS attacks are seen ...


Obfuscated Attacks: What You Can't See Will Hurt You

Introduction: Obfuscation is the new ‘sexy’ in all things having to do with security these days. Thank God for that, as I thought people would never stop talking about PCI ...


Network Forensics: A New Era of Visibility

Historic Justification for Forensics: Forensics is not a new science, nor is it a new discipline within the information security continuum. Though it is not new, we are experiencing an exciting renaissance related to this science that is long overdue. Forensics as a science has its roots in Rome (like so many amazing things including the author of this blog ...


Slaying The Dragon: An Analysis of the 'Night Dragon' Attack

Introduction: It should come as no surprise for those keeping a watchful eye on the media, the Internet Threat Landscape and certain social media outlets such as Twitter that McAfee, Inc. release ...


ZDI Public Disclosure: EMC

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010. ZDI-CAN-614 Title: EMC Replication Manager Client irccd.exe Remote Code Execution Vulnerability Advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the EMC Replication Manager Cli ...


ZDI Public Disclosure: Novell

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010. ZDI-CAN-445 Title: Novell eDirectory Malformed NCP Request Denial of Service Vulnerability Advisory: This vulnerability allows attackers to deny services on vulnerable installations of Novell eDirectory. Authentication is not required in ...


ZDI Public Disclosure: CA

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010. ZDI-CAN-342 Title: CA ETrust Secure Content Manager Common Services Transport Remote Code Execution Vulnerability Advisory: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Computer Associates ...


ZDI Public Disclosure: SCO

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010. ZDI-CAN-407 Title: SCO Openserver IMAP Daemon Long Verb Parsing Remote Code Execution Vulnerability Advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the SCO OpenServer IMAP dae ...


ZDI Public Disclosure: HP

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010. ZDI-CAN-418 Title: Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Remote Code Execution Vulnerability Advisory: This vulnerability allows an attacker to execute remote code on vulnerable installations of the Hewlett-Packar ...


ZDI Public Disclosure: IBM

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010. ZDI-CAN-374 Title: IBM Lotus Domino IMAP/POP3 Non-Printable Character Expansion Remote Code Execution Vulnerability Advisory: This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations o ...


ZDI Public Disclosure: Microsoft

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010. ZDI-CAN-811 Title: Microsoft Office Excel 2003 Invalid Object Type Remote Code Execution Vulnerability Advisory: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. ...


Announcing Pwn2Own 2011

It's that time of year again and the Zero Day Initiative (ZDI) team here at HP TippingPoint is proud to announce the 5th annual Pwn2Own competition is back. We have some exciting additions this year including the first ever vendor sponsorship, new attack surfaces, and even more prizes for competitors. If you're unfamiliar with the contest you can take a look at the archived blog posts from ...


Year in Review: 2010

2010 was a record year for the DVLabs team here at TippingPoint. The Zero Day Initiative hit an all-time personal and industry record of 300 vulnerabilities fixed through the program (triple the number for 2009). Affected products and severity are our primary concerns when acquiring vulnerabilities through the ZDI and the high-profile list of vendors and CVSS scores on the ZDI published advisory page attests to that. Over t ...