Updates of www.CERT.at

(Services/Services) - Services

CERT.at — Thu, 10 Sep 2009 11:31:12 GMT

Services

Besides the warnings - which are only published in German language - and miscellaneous downloads there are still some more services CERT.at offers via this website.

(Services/Feeds) - Feeds

CERT.at — Thu, 15 Oct 2009 14:58:32 GMT

Feeds

If you want to receive CERT.at's latest site-activities in your RSS/Atom Feed Reader please choose:

Updates of www.CERT.at

This feed serves all updates of www.CERT.at.

RSS 2.0 http://www.cert.at/all_en.rss_2.0.xml
ATOM 1.0 http://www.cert.at/all_en.atom_1.0.xml

CERT.at Downloads

All CERT.at downloads as a feed.

RSS 2.0 http://www.cert.at/all.downloads_en.rss_2.0.xml
ATOM 1.0 http://www.cert.at/all.downloads_en.atom_1.0.xml

(Services/Incident Report Form) - Incident report form

CERT.at — Wed, 09 Sep 2009 14:57:09 GMT

Incident report form

We propose that you use the following form to guide you through the process of writing a helpful incident report.

(Services/Links) - Links

CERT.at — Thu, 24 Sep 2009 10:17:44 GMT

Links

	BSI advisories regarding miscellaneous vulnerabilities (german)
	US-CERT advisories regarding miscellaneous vulnerabilities (english)

	IT-Security advisories with marks for alerts (german)
	Advisories regarding miscellaneous vulnerabilities with priority-tags (german)
	Advisories regarding miscellaneous vulnerabilities and SANS interpretation of the actual level of global security (english)
	Advisories regarding miscellaneous actual vulnerabilities (english)

	Advisories regarding miscellaneous actual vulnerabilities in Microsoft products (english)
	Advisories regarding miscellaneous actual vulnerabilities in Apple products (german)
	Advisories regarding miscellaneous actual vulnerabilities in software relating to Debian GNU/Linux (english)
	Advisories regarding miscellaneous actual vulnerabilities in software relating to Red Hat (english)
	Advisories regarding miscellaneous actual vulnerabilities in software relating to SUSE Linux Enterprise (english)

(Downloads/Summary) - Downloads

CERT.at — Thu, 24 Sep 2009 10:13:22 GMT

Downloads

In this area of our homepage we offer you material for free download. Please read the related licence agreements.

Downloads which are only available in German language will be shortly mentioned in the English area as well, but the full description and the download-link itself will only be found in the German area.

These are the available categories for downloads:

Data

Here you'll find files that contain information for the purpose of being read by machines (i.e.: configuration files).

Papers

This area contains all papers that have been published by CERT.at so far.

Press

This is the place for all material that are of typical use for the public press (i.e.: CERT.at's logo).

Software

"Open" software with its root in CERT.at's daily work will be found here, including descriptions.

(Downloads/Papers) - An Analysis of the Skype IMBot Logic and Functionality

CERT.at — Mon, 08 Mar 2010 13:12:20 GMT

An Analysis of the Skype IMBot Logic and Functionality

2010/03/08

An Analysis of the Skype IMBot Logic and Functionality.

Download

Publication Date

March, 08th 2010

Author

Christian Wojner, L. Aaron Kaplan

Language

English

History

You can download the full document in pdf format here.

Content

The following report analyzes the Skype Instant Messenger Bot ("Skype IMBot", a variation of the W32.Nytemare trojan) and reports our reverse engineering efforts. One peculiar aspect of Skype IMBot was the way it controlled Skype (and other Instant Messengers) - simulating user input and user keystrokes. This reminded us of a limited Turing Test: did the malware or a true user send the URL? The report covers the reverse engineering of the Skype IMbot, network logic and recommendations to CERTs, users and Skype. It closed with an outlook on further instant messenger bots.

(Downloads/Papers) - Mass Malware Analysis: A Do-It-Yourself Kit

CERT.at — Wed, 14 Oct 2009 15:29:37 GMT

Mass Malware Analysis: A Do-It-Yourself Kit

2009/10/14

Theory, practice and a construction manual for an automated analysis station for malware using trivial and free instruments.

Download

Publication Date

October, 14th 2009

Author

Christian Wojner

Language

English

History

You can download the full document in pdf format here.

Content

This paper outlines the relevant steps to build up a customizable automated malware analysis station by using only freely available components with the exception of the target OS (Windows XP) itself. Further a special focus lies in handling a huge amount of malware samples and the actual implementation at CERT.at. As primary goal the reader of this paper should be able to build up her own specific installation and configuration while being free in her decision which components to use.

The first part of this document will cover all the theoretical, strategic and methodological aspects. The second part is focusing on the practical aspects by diving into CERT.at's automated malware analysis station closing with an easy to follow step-by-step tutorial, how to build up CERT.at's implementation for your own use. So feel free to skip parts.

(Downloads/Papers) - Detecting Conficker in your Network

CERT.at — Thu, 17 Sep 2009 13:18:01 GMT

Detecting Conficker in your Network

2009/02/11

Description of a method to detect earlystate Conficker worm infections through blocklists fitting the needs of small and medium enterprises.

Download

Publication Date

2009/02/11

Author

Adi Kriegisch

Language

English

Download

You can download the full document in pdf format here.

Content

Conficker is a computer worm spreading on Windows operating system by mainly using a buffer overflow or the Windows Autorun feature. The worm itself does not contain malware functions but contains a routine to load such code after infection. The purpose of this article is to sketch a way to detect such a worm in a small to medium business network as early as possible so that the effects of the worm can be minimized.

(Downloads/Papers) - Patching Nameservers: Austria reacts to VU#800113

CERT.at — Thu, 24 Sep 2009 10:04:43 GMT

Patching Nameservers: Austria reacts to VU#800113

2008/07/24

A report on the patch-rate of Austrian nameservers following announcement of the DNS cache poisoning vulnerabilty.

Download Original

Download Update

Publication Date

July, 24th 2008

Authors

Otmar Lendl and L. Aaron Kaplan

Language

English

History

You can download the full document in pdf format here.

We also published a short update on July 28th.

Content

This paper analyses the impact of the coordinated efforts to patch Austria's recursive DNS server infrastructure following the revealings of Dan Kaminsky (US-CERT VU#800113) which showed that almost all DNS servers on the Internet are vulnerable to DNS cache poisoning. CERT.at -- being run by nic.at, the Austrian domain registry -- is in a special position to be able to assess the reaction of the Austrian nameserver operators to the discovered DNS vulnerability. We analyzed the rate at which DNS servers were patched from an insecure to more secure state. The paper discusses a methodology to measure the patch level "score" of a recursive DNS server. We believe that this score methodology can be applied to cleanly discern patched from unpatched DNS servers.

We describe a methodology how a TLD operator can use his query logs to check which operators have patched their DNS resolvers according to the published advisories.

The conclusions are rather grim so far -- more than two thirds of the Austrian Internet's recursive DNS servers are unpatched while at the same time the upgrade adoption rate seems rather slow. Our findings are matched by the observations of Alexander Klink of Cynops GmbH who analyzed the results of the online vulnerability test on Dan Kaminsky's doxpara site.

We hereby present the information to the concerned public in the hope that DNS -- a central and crucial part of the Internet -- remains secure.

Our recommendation to IT system administrators is to update their recursive DNS servers immediately and check that their upgrades were successful.

(Downloads/Software) - Bytehist

CERT.at — Mon, 12 Oct 2009 10:22:43 GMT

Bytehist

A tool for generating byte-usage-histograms for all types of files with a special focus on binary executables in PE-format (Windows).

Download latest Windows version

Download latest Linux version

Author

Christian Wojner

Language

English

License

ISCL

Releases	Changes
1.0 beta 1	-			x

Features

Makes byte-usage-histograms of any file of any size
Histograms are generated as sorted and unsorted diagrams
Sub-histograms for each section of binary executables (PE)
Quick overview with GUI navigation in case of sub-histograms
Percentage for the share in the total filesize for sub-histograms
Sourcerelated names for sub-histograms (= section-names in case of PEs)
Results can be saved as .jpg, .bmp and .png files
Works as GUI and also as commandline tool (for scripting purposes)

Syntax

bytehist [options file]

Executing bytehist without any parameters activates full GUI-mode.

options:	-nogui	... don't bring up any GUI
	-save file	... save histogram to given file (bmp, png or jpg)
	-h	... show a short help

Description

Statistics can be a very good method if you want to detect encrypted or packed data. Data that has been manipulated in such a way usually comes up with a very even distribution of bytes being used. In contrast normal data typically has some bytes that are used constantly, which is caused by any kind of structures. So the byte-distribution of unencrypted and unpacked clear text, database-files, ... and even executable binaries differ massevily from the encrypted and/or packed ones. By putting this "phenomenon" into a picture this difference can be easily visualized by histograms.

Examples:

The first example shows an unpacked file. In fact the source of this histogram was a log-file - so that's human readable information.
The second example roots in an usual ZIP-archive.
So as formerly said, to see the difference between them is an easy one.

Let's take a closer look at these examples. Both of them have a green and a red section. In the green section every pixel-column complies to it's positional matching bytecode and visualizes the number of occurrences in a vertical bar. In other words, a tall green bar on the most left side tells us that the byte-code 0h had lots of occurrences. And on the most right side you'll find byte-code FFh.
The red section has the same roots like the green section but this time we got all the possible byte-codes in a descending order regarding their occurrences. This makes it much easier to see the evenness.
Besides that two sections you'll also find the filename being shown on the top right corner and a percentage.

To get an understanding for what this percentage is trying to tell, let's take a look at what more bytehist can do for us. bytehist can split up histograms in sub-histograms. At the moment the most senseful situation of providing sub-histograms is when you have to deal with binary executables. Binary executables are usually internally split up in a number of sections. There are sections for containing data, code, and so on. It is a common approach that executables are being packed or/and even encrypted before they get publicly rolled out. Especially in the malware-sector encryption and packing is massively used as a kind of hurdle to hinder deep analysis through reversing (i.e.). So, in the case of a binary executable in PE format - that's the one Microsoft Windows uses - bytehist will come up with an overall-histogram as well as providing one histogram per section it found and even one for possible rest behind the last section. Regarding the percentage the overall-histogram will still say "100%" but all the others will tell the percentage of their specific share in the total filesize.

Examples:

Both of the examples have a scrollarea on the right side showing thumbs of the relating (sub-)histogram. By clicking them with the left mouse-button they can be zoomed. Once again we have firstly an unpacked and secondly a packed file, but this time, binary executables.

This feature gives a reverser the possibility to instantly find out the section that's containing (if so) packed/encrypted data.

Full examples ...

Packed data behind sections:

An UPX packed executable:

bytehist itself - unpacked:

(Downloads/Software) - Minibis

CERT.at — Tue, 17 Aug 2010 21:02:30 GMT

Minibis

Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper "Mass Malware Analysis: A Do-It-Yourself Kit".

Download latest version

Author

Christian Wojner

Language

English

License

ISCL

Releases	Changes	Download
2.0 (29/29)	Release 2.0
2.0 beta (28/29)	Forceable quit / Recovers from crashes
2.0 beta (27/29)	Check Internet connectivity / Exit only if analysis paused
2.0 beta (25/29)	-

Stay Informed!

If you are interested in the actual state and the progress of upcoming features you might want to take a look at Minibis' Twitter channel: https://twitter.com/CERTat_Minibis.

Background
Installation Guide
Configuration Guide
One Loop-Cycle
Scripting of Common Tools and Tasks
Screenshots

Background

For detailed information on the underlying concept we recommend you read our paper "Mass Malware Analysis: A Do-It-Yourself Kit".

Installation Guide

As a Minibis installations includes commercial software it is not possible for us to provide a complete installation-package. The following step-by-step guide will lead you through the configuration of a typical Minibis environment.

Select the (physical) machine you like to be the home of your Minibis environment.
Install the latest version of Ubuntu (32 bit) on it.
Install proftpd (via "apt-get install proftpd").
Install zip (via "apt-get install zip").
Create a user "minibis" and do not forget to give it a password.
Give your own user (the one you will start "minibis-cpr" from) full permissions to the home of "minibis" and verify that you can write to it.
Download Minibis and extract it to your desired folder.
Install SUN's VirtualBox (via "apt-get install virtualbox").
Create a new virtual machine (VM) in it using Windows XP as operating-system. All default settings for the machine and the OS are fine. Decline Autoupdate features when you get asked.
Add "minibis" as entry to Windows' hosts-file resolving it to your FTP-server's IP address.
Disconnect any (virtual) volumes from the VM (this is necessary to prevent eventual popups like autoplay, new hardware found etc.).
Transfer "minibis-cpp.exe" to the VM's Windows desktop.
Download your desired monitoring-tools to Linux. (Note: Download the ones that need "real" installation - so do not just copy - directly to Windows and install them.)
Disconnect from the network, i.e. by unplugging the network cable!
Check out if you can connect to the host ftp-daemon by using the Windows ftp-client.
Execute "minibis-cpp.exe" in the VM and answer the firewall question to NOT BLOCK this application.
You will be now asked to enter a password. This is the one of the user "minibis".
Create a VM-snapshot of this state.
Close the VM, using the option to revert to the last taken snapshot.
Bring your samples into Linux's filesystem (i.e. by mounting a CD-Rom).
Set "minibis-cpr" as executable (chmod +x minibis-cpr) and execute and configure it.

Configuration Guide

The download package includes an example configuration. To use this copy it to Minibis' folder and rename it to "minibis.pref". Note: Do never alter this file in an editor use Minibis for that. Just click on the "Config"-button in the lower left corner in the main-window.

Buttons behind fields

As usual a click on such a button brings up a tiny wizard that provides support in finding the proper value.

The "check"-button

By clicking this button the actual configuration is going to be checked for consistency. Note that in case of multiple errors each click will always come up with just one error. So make sure to re-check if you solved a problem.

Area "Samples"

By using the directory- or the file-entry you can configure a run for multiple samples or just one sample. In case of directory-mode sub-directories are included as well.

Area "General"

"FTP-Directory" is the path where the log-files will be transferred to. "Samplename" is the name that will be used for the sample at the proband. Some malware reacts to specific names, so this is the place where you can change it. Regarding "Virtual Machine" you can switch between the actually supported solutions (currently only VirtualBox) and choose the right virtual machine instance.

Area "Timeouts"

These are the timeouts from the underlying concept. The extra field for cpp, which holds "10" (seconds) by default specifies some additional time to wait before quitting monitoring if the sample exited on its own. This enables continuation of monitoring i.e. if the sample injects itself in another process before doing something evil.

Area "Solutions for VBox bugs"

These are settings that help to prevent processes of VirtualBox from getting stuck. If you already have other (VBox) virtual machines running you might want to uncheck those. The first checkbox addresses stopping and the second reverting the VM.

Area "VM Management"

Here you can specify the commands that will be used for the corresponding VM activities. The id of the VM is addressed by the replacement token %vmid%. Besides that, any of them has a timeout for hangup-prevention.

Tab "Researcher Scripting"

To let you customize the researcher side there are three events (therefore three editor-fields) that can be scripted using shell-scripting (Linux). Use the replacement token %md5% to specify the actual sample.

For further details when those events exactly happen, see "One Loop-Cycle".
You'll find tutorials and examples regarding scripting under "Scripting of Common Tools and Tasks".

Tab "Proband Scripting"

To let you customize the Proband's side there are two events (the two lower editor-fields) that can be scripted using batch-scripting (Windows).
The actions scripted for these two events are tied to the two editor-fields above called "Tools to transfer" and "Results to transfer ([...] to ZIP)". The first ("Tools...") is used to define (name) the tools (files) that will be copied to the Proband for use in later activities. The second ("Results...") is used to define (name) the files that will be transferred back from the Proband. If the filename is enclosed in square brackets "[...]" the file will get ZIPped into an archive after it arrives on Researcher.

For further details when those events exactly happen and how the "Tools..." and the "Results..." are handled see "One Loop-Cycle".
More Tutorials and examples regarding scripting can be found under "Scripting of Common Tools and Tasks".

One Loop-Cycle

Assuming that the sample can be executed, this is a chronological list of all actions that can (some of them are optional) happen. It is important to understand that in this list the two components of Minibis - CPR and CPP - are described as what they really are: one logical entity. The tags (R) and (P) specify the location ((R)esearcher or (P)roband) of the action:

(R) Copy sample to FTP-path (config) as samplename (config) with the apropriate suffix according to the result of Linux' "file"-command.
(R) Execute the actions tied to event "Actions BEFORE Proband gets started" (config).
(R) Execute the command declared under "VM Management Start" (config) and wait until the triggerfile "%md5%_start.rdy" exists or the timeout for "VM Management Start" occurs. In case of the latter do the steps 14, 15, 17, 19 and return to step 3.
(P) Fetch the preference file "minibis.pref" via FTP.
(P) Fetch all tools (files) according to "Tools to transfer" (config) via FTP.
(P) Transfer back the triggerfile "%md5%_start.rdy" via FTP.
(R) Wait until a triggerfile "%md5%_ready.rdy" exists or the timeout for "CPR" (config) occurs.
Meanwhile (optionally) execute the actions tied to event "Actions WHILE Proband runs" and optionally repeat this every N seconds (see config field "every").
If the timeout occurred then continue with step 14.
(P) Execute the actions tied to event "Actions BEFORE sample gets executed" (config).
(P) Execute the sample and wait until it exits or the timeout for "CPP" (config) occurs. If the sample exited wait until the timeout for "CPP +" occurs.
(P) Execute the actions tied to event "Actions AFTER sample exited or time's up" (config).
(P) Transfer back all files according to "Results to transfer ([...] to ZIP)" (config) via FTP.
(P) Transfer back the triggerfile "%md5%_ready.rdy" via FTP.
(P) Exit.
(R) Execute the command declared under "VM Management Stop" (config) and wait until it exits or the timeout for "VM Management Stop" occurs.
(R) Optionally execute "Solutions for VBox bugs" column 1 (config).
(R) Execute the actions tied to event "Actions AFTER Proband got stopped" (config).
(R) Execute the command declared under "VM Management Revert" (config) and wait until it exits or the timeout for "VM Management Revert" occurs.
(R) ZIP all files surrounded with [...] according to "Results to transfer ([...] to ZIP)" (config) into the archive "%md5%.zip".
(R) Optionally execute "Solutions for VBox bugs" column 2 (config).
(R) Delete "minibis.pref" and the sample from FTP-folder.

Scripting of Common Tools and Tasks

This section gives you example configurations for the integration of widely used monitoring tools into Minibis.

Sysinternals Process Monitor

You can download the latest version of Process Monitor from here.
Extract the ZIP-file and copy "Procmon.exe" to Minibis' FTP-folder (config).

Proband Scripting

Tools to transfer:

Procmon.exe
Results to transfer ([...] to ZIP):

[procmon.pml]
procmon.csv
Actions BEFORE sample gets executed:

start Procmon.exe /AcceptEula /quiet /minimized /Backingfile procmon.pml
Procmon.exe /AcceptEula /WaitForIdle
Actions AFTER sample exited or time's up:

Procmon.exe /AcceptEula /terminate
Procmon.exe /AcceptEula /saveas procmon.csv /openlog procmon.pml

WinDump: tcpdump for Windows

You can download the latest version of WinDump from here.
You also need to install WinPcap in the Proband for WinDump to work properly. You can download the latest version of WinDump from here.
Copy "WinDump.exe" to Minibis' FTP-folder (config).
Copy "sleep.exe" (a tool of the Minibis download-package) to Minibis' FTP-folder (config).

Proband Scripting

Tools to transfer:

WinDump.exe sleep.exe
Results to transfer ([...] to ZIP):

[windump.pcap]
windump.txt
Actions BEFORE sample gets executed:

start WinDump.exe -i 1 -w windump.pcap -U -s 0
sleep.exe 1
Actions AFTER sample exited or time's up:

taskkill /f /im WinDump.exe
WinDump.exe -n -p -r windump.pcap > windump.txt

Creating a Screenshot

Copy "screenshot.exe" (a tool of the Minibis download-package) to Minibis' FTP-folder (config).

Proband Scripting

Tools to transfer:

screenshot.exe
Results to transfer ([...] to ZIP):

screenshot.png
Actions AFTER sample exited or time's up:

screenshot.exe screenshot.png

Screenshots

(Downloads/Data) - Conficker Worm

CERT.at — Mon, 12 Oct 2009 10:19:30 GMT

Conficker Worm

2009/02/09

Various files regarding the worm "Conficker".

all domains	... suitable for block lists (in proxies etc)
DNS named.conf file	... Bind named.conf file with all conficker domain names
sample bind zone file	... suitable for the named.conf file above.

(Downloads/Press material) - CERT.at Logo

CERT.at — Mon, 12 Oct 2009 10:17:23 GMT

CERT.at Logo

CERT.at-logo in various formats and sizes.

CERT.at-logo as 16x8 PNG-file (0.5 KB)

CERT.at-logo as 32x17 PNG-file (1.1 KB)

CERT.at-logo as 64x34 PNG-file (2.7 KB)

CERT.at-logo as 100x53 PNG-file (4.6 KB)

CERT.at-logo as 128x67 PNG-file (5.6 KB)

CERT.at-logo as 150x79 PNG-file (6.6 KB)

CERT.at-logo as 200x105 PNG-file (8.8 KB)

CERT.at-logo as 256x135 PNG-file (11.4 KB)

CERT.at-logo as 320x168 PNG-file (14.4 KB)

CERT.at-logo as 640x336 PNG-file (29.3 KB)

CERT.at-logo as 800x420 PNG-file (37.8 KB)

CERT.at-logo as 1024x538 PNG-file (49.2 KB)

CERT.at-logo as 1280x673 PNG-file (63.8 KB)

CERT.at-logo as 1600x841 PNG-file (82.2 KB)

CERT.at-logo as vectorized format Inkscape-SVG (17.1 KB)

CERT.at-logo as vektorized format Plain-SVG (14.6 KB)

all CERT.at-logos as ZIP-archive (311.6 KB)

(Downloads/Press material) - HiRes Teamphotos

CERT.at — Mon, 12 Oct 2009 10:21:10 GMT

HiRes Teamphotos

High resolution photographs of the CERT.at teammembers.

(About us/Overview) - Overview

CERT.at — Thu, 24 Sep 2009 10:18:58 GMT

Overview

CERT.at is the Austrian national CERT.

CERT.at is the primary contact point for IT-security in a national context. CERT.at will coordinate other CERTs operating in the area of critical infrastructure or communication infrastructure. We will also provide basic IT-security information (warnings, alerts, advise) for SMEs.

In the case of significant online attacks against Austrian infrastructure, CERT.at will coordinate the reponse by the targeted operators and local security teams.

The full description of CERT.at can be found in RFC 2350 format.

Why?

Security needs an holistic approach! IT-systems are increasingly interconnected and thus interdependent. In order to protect the national infrastructure, the response to an attack needs to be coordinated between all stakeholders and operators.

(About us/Charter) - Charter

CERT.at — Thu, 07 Jan 2010 15:14:35 GMT

Charter

The purpose of CERT.at is to coordinate security efforts and incident response for IT-security problems on a national level in Austria.

Constituency

The constituency are IT-security teams and local CERTs in Austria.

Pro-active and educational material will be provided for SMEs and the general public as well.

As part of a cooperation agreement with the Austrian Government CERT, CERT.at provices resources for incident response in government and crititical infrastructure networks.

Sponsorship and/or Affiliation

CERT.at is an initiative of nic.at, the Austrian domain registry.

Funding is provided by nic.at

Authority

CERT.at's main purpose in incident handling is the coordination of incident response. As such, we only advise local CERTs and have no authority to demand certain actions. We have indirect authority over AS35492 and are in very close contact with the ACONet CERT.

(About us/Policies) - Policies

CERT.at — Thu, 24 Sep 2009 10:20:30 GMT

Policies

Types of Incidents and Level of Support

CERT.at is authorized to address all types of computer security incidents which occur, or threaten to occur, in our constituency and which require cross-organizational coordination.

The level of support given by CERT.at will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and CERT.at's resources at the time. Special attention will be give to issues affecting critical infrastructure.

Note that no direct support will be given to end users; they are expected to contact their system administrator, network administrator, or department head for assistance. CERT.at will support the latter people.

CERT.at is committed to keeping its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

Co-operation, Interaction and Disclosure of Information

CERT.at will cooperate with other Organisations in the Field of Computer Security. This Cooperation also includes and often requires the exchange of vital information regarding security incidents and vulnerabilities. Nevertheless CERT.at will protect the privacy of their customers, and therefore (under normal circumstances) pass on information in an anonymized way only unless other contractual agreements apply.

CERT.at operates under the restrictions imposed by Austrian law. This involves careful handling of personal data as required by Austrian Data Protection law, but it is also possible that - according to Austrian law - CERT.at may be forced to disclose information due to a Court's order.

Communication and Authentication

For normal communication not containing sensitive information CERT.at will use conventional methods like unencrypted e-mail or fax.

For secure communication PGP-Encrypted e-mail or telephone will be used. If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. FIRST, TI, …) or by other methods like call-back, mail-back or even face-to-face meeting if necessary.

(About us/Contact) - Contact

CERT.at — Thu, 24 Sep 2009 10:21:13 GMT

Contact

CERT.at:	Computer Emergency Response Team Austria
Address:	nic.at Karlsplatz 1/2/9 A-1010 Vienna Austria
Telephone:	+43 1 5056416 78
Fax:	+43 1 5056416 79

eMail

Please report security incidents to reports@cert.at.

General inquiries and communication not related to a specific incident should be addressed to cert@cert.at.

CERT.at is not a public IT helpdesk and will thus refer questions like "is my PC infected" to public web ressources or commercial helpdesks.

PGP Setup

We will sign official communications with the following key:

      pub   1024D/5C384328 2008-02-13
            Key fingerprint = 740C 68EC B6B6 2060 48A5  D49A 02FB C1EF 5C38 4328
	    uid                  reports@cert.at (general communication key. For incident reports) 
	    sub   4096g/D7071014 2008-02-13

You can also use this key to encrypt mail addressed to us.

A keyring of all our keys is located at http://www.cert.at/static/pgpkeys.asc.

(About us/Team) - Team

CERT.at — Thu, 24 Sep 2009 10:21:49 GMT

Team

Name	PGP ID	Fingerprint
Leon Aaron Kaplan	CDAE4DB6	BC3E 553E 102F 214F C59A 4A0C 2D7A 997A CDAE 4DB6
Team leader: Otmar Lendl	835E0B34	BE4E 1E48 E0F6 6987 181B 0D27 754E 9F02 835E 0B34
Robert Schischka	A2FD9DBC	9C27 EB2A 901F 95AD 5C3E 3F6A 537D F15D A2FD 9DBC
Robert Waldner	C33A2BC0	401B 4257 4D23 3DFD 8E09 C1B5 B327 48AD C33A 2BC0
Christian Wojner	770B4617	EFB8 1496 3DAA F632 7A89 0F20 6635 B222 770B 4617

(About us/Partners) - Partners

CERT.at — Thu, 07 Jan 2010 15:13:10 GMT

Partners

	CERT.at is cooperation partner of the Austrian Government Computer Emergency Response Teams.
	CERT.at is approved by CERT-CC - which is the original CERT of Carnegie Mellon University - as a legitimate Computer Emergency Response Team and therefore being granted the usage of the trademark "CERT".
	CERT.at is accredited member of Trusted Introducer.
	CERT.at is member of FIRST.

(About us/RFC 2350) - RFC 2350

CERT.at — Fri, 18 Sep 2009 14:31:10 GMT

RFC 2350

1. Document Information

This document contains a description of CERT.at according to RFC 2350. It provides basic information about the CERT, the ways it can be contacted, describes its responsibilities and the services offered. 1.1 Date of Last Update

This is version 0.6 as of 2008/06/23.

1.2 Distribution List for Notifications

There is no distribution list for notifications as of 2008/02.

1.3 Locations where this Document May Be Found

The current version of this document can always be found at http://www.cert.at/about/rfc2350/. For validation purposes, a GPG signed ASCII version of this document is located at http://www.cert.at/static/rfc2350.txt. The key used for signing is the CERT.at key as listed under 2.8.

2. Contact Information

2.1 Name of the Team

CERT.at

2.2 Address

CERT Team nic.at Karlsplatz 1/2/9 1010 Wien Austria

2.3 Time Zone

We are located in the central European timezone (CET) which is GMT+0100 (+0200 during day-light saving time).

2.4 Telephone Number

+43 1 5056416 78

2.5 Facsimile Number

+43 1 5056416 79

2.6 Other Telecommunication

None.

2.7 Electronic Mail Address

Please send incident reports to reports@cert.at.

Non-incident related mail should be addressed to team@cert.at.

2.8 Public Keys and Encryption Information

CERT.at uses a master signing key to sign all keys used for operational purposes. This trust anchor is:

pub   1024D/242EFA2F 2008-02-12 [expires: 2013-02-10]
      Key fingerprint = 0F71 E5DB 5A23 22AE D6A3  5706 A5A2 AC28 242E FA2F
uid                  cert.at master key <cert@cert.at>
sub   4096g/BA63C2F4 2008-02-12 [expires: 2013-02-10]

and can be found on most key-servers. Please do not use this key for communications with us.

All official communication by CERT.at will be signed by the current operations key, which is as of 2008/02:

pub   1024D/5C384328 2008-02-13
      Key fingerprint = 740C 68EC B6B6 2060 48A5  D49A 02FB C1EF 5C38 4328
uid                  reports@cert.at (general communication key. For incident reports) <reports@cert.at>
sub   4096g/D7071014 2008-02-13

Encrypted communications with CERT.at should use this operational key.

All keys (including the keys of individual team members) can be found http://www.cert.at/static/pgpkeys.asc

2.9 Team Members

The CERT team leader is Otmar Lendl. Other team members, along with their areas of expertise and contact information, are listed in the CERT.at web pages, at Team.

Management, liaison and supervision are provided by Robert Schischka, Technical Manger of nic.at.

2.10 Other Information

2.11 Points of Customer Contact

The preferred method for contacting CERT.at is via e-mail. For incident reports and related issues please use reports@cert.at. This will create a ticket in our tracking system and alert the human on duty.

For general inquiries please send e-mail to team@cert.at.

If it is not possible (or advisable due to security reasons) to use e-mail, you can reach us via telephone at +43 1 5056416 700.

CERT.at's hours of operation are generally restricted to regular business hours.

Please use our incident reporting form (or if you prefer there is also a german one).

3. Charter

3.1 Mission Statement

The purpose of CERT.at is to coordinate security efforts and incident response for IT-security problems on a national level in Austria.

3.2 Constituency

The constituency are IT-security teams and local CERTs in Austria.

Pro-active and educational material will be provided for SMEs and the general public as well.

3.3 Sponsorship and/or Affiliation

CERT.at is an initiative of nic.at, the Austrian domain registry.

Funding is provided by nic.at

3.4 Authority

4. Policies

4.1 Types of Incidents and Level of Support

CERT.at is authorized to address all types of computer security incidents which occur, or threaten to occur, in our Constituency (see 3.2) and which require cross-organizational coordination.

CERT.at is committed to keeping its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

4.3 Communication and Authentication

For normal communication not containing sensitive information CERT.at will use conventional methods like unencrypted e-mail or fax.

5. Services

5.1 Incident Response

CERT.at will assist IT-security team in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1. Incident Triage

Determining whether an incident is authentic.
Assessing and prioritizing the incident.

5.1.2. Incident Coordination

Determine the involved organizations.
Contact the involved organizations to investigate the incident and take the appropriate steps.
Facilitate contact to other parties which can help resolve the incident.
Send reports to other CERTs

5.1.3. Incident Resolution

Advise local security teams on appropriate actions.
Follow up on the progress of the concerned local security teams.
Ask for reports.
Report back.

CERT.at will also collect statistics about incidents within its constituency.

5.2 Proactive Activities

CERT.at tries to raise security awareness in its constituency.
Collect contact information of local security teams.
Publish announcements concerning serious security threats.
Observer current trends in technology and distribute relevant knowledge to the constituency.
Provide fora for community building and information exchange within the constituency.

6. Incident Reporting Forms

There are no local forms available yet. If possible, please make use of the Incident Reporting Form of the CERT Coordination Center. The current version is available from: http://www.cert.org/reporting/incident_form.txt.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT.at assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.

Updates of www.CERT.at

(Services/Services) - Services

Services

(Services/Feeds) - Feeds

Feeds

Updates of www.CERT.at

CERT.at Downloads

(Services/Incident Report Form) - Incident report form

Incident report form

(Services/Links) - Links

Links

(Downloads/Summary) - Downloads

Downloads

Data

Papers

Press

Software

(Downloads/Papers) - An Analysis of the Skype IMBot Logic and Functionality

An Analysis of the Skype IMBot Logic and Functionality

Publication Date

Author

Language

History

Content

(Downloads/Papers) - Mass Malware Analysis: A Do-It-Yourself Kit

Mass Malware Analysis: A Do-It-Yourself Kit

Publication Date

Author

Language

History

Content

(Downloads/Papers) - Detecting Conficker in your Network

Detecting Conficker in your Network

Publication Date

Author

Language

Download

Content

(Downloads/Papers) - Patching Nameservers: Austria reacts to VU#800113

Patching Nameservers: Austria reacts to VU#800113

Publication Date

Authors

Language

History

Content

(Downloads/Software) - Bytehist

Bytehist

Author

Language

License

Releases

Changes

Features

Syntax

Description

(Downloads/Software) - Minibis

Minibis

Author

Language

License

Releases

Changes

Download

Stay Informed!

Table of Contents

Background

Installation Guide

Configuration Guide

Buttons behind fields

The "check"-button

Area "Samples"

Area "General"

Area "Timeouts"

Area "Solutions for VBox bugs"

Area "VM Management"

Tab "Researcher Scripting"

Tab "Proband Scripting"

One Loop-Cycle

Scripting of Common Tools and Tasks

Sysinternals Process Monitor