Darknet – The Darkside

Now this is quite a fascinating story, especially if you know anything about Malware and have interests in that area.

It seems the latest development is the accidental development of new super-malware strains created by viruses infecting executable files of worms. Worms are generally executable files and well, viruses infect executables – so you can imagine what happens.

Now the franken-worm has both the characteristics of the original worm and it also carries the virus – so when it spreads, the virus also spreads.

Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties.

The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers.

A study by antivirus outfit BitDefender found 40,000 such “Frankenmalware samples” in a study of 10 million infected files in early January, or 0.4 per cent of malware strains sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the Romanian antivirus firm warns.

“If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus,” said Loredana Botezatu, the BitDefender analyst who carried out the study. “The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict.”

BitDefender doesn’t have historical data to go on. Even so it posits that frankenmalware is likely to grow at the same rate as regular computer viruses, or about 17 per cent year on year.

There’s really unlimited possibilities with this, and the great thing (to me anyway) is that it occurred by complete accident. I guess the next step up would be virus authors purposely hunting down worm files and infecting them with additional capabilities.

There’s always been cases of malware in the past that hunt down other malware and remove them from the host machine.

All of the malware hybrids analysed by BitDefender so far have been created accidentally. However, the risk posed by these combos could increase dramatically as crooks latch onto the idea of deliberately splicing malware strains together to see what sticks. This is on top of efforts by blackhat coders to add extra features to others’ viruses and unleash the updated builds onto the unsuspecting public.

BitDefender carried out its study after finding a sample of the Rimecud worm that was infected by the Virtob file infector. Rimecud is designed to steal online passwords for e-banking or e-mail accounts, among other functions. Virtob creates a hacker-controlled backdoor on infected systems.

“Imagine these two pieces of malware working together – willingly or not – on the same compromised system,” Botezatu explains. “That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds.”

I wonder what will happen in the future with this and if the bad guys will really jump on this already sailing ship and use it to their advantage.

If you are interested you can read more on BitDefender’s Malware city blog here:

Virus infects worm by mistake

Source: The Register

Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.

Installation

As root, type:

python setup.py install

Usage

Run mobius_bin.py.

You can download Mobius 0.5.10 here:

mobiusft-0.5.10.tar.gz
mobiusft-0.5.10.zip

Or read more here.

Oh look, another aspect of security and privacy to consider as Google pushes its’ mobile payment solution ‘Wallet’ onto two new NFC capable phones – the Galaxy Nexus & LG Viper.

If you haven’t heard of the service you can find out more here – Google Wallet (Wikipedia).

The main concern here (security wise) is that this relies on a secure storage on the phone of your cryptographic keys that allow you to carry out transactions.

Sprint’s two newly announced 4G handsets both support Google Wallet, bringing an important boost to Google’s aspirations, but they also hammer the death nail into WiMAX in the USA.

Sprint’s last 4G handset, the “Sprint Nexus S 4G”, was a WiMAX device, but Sprint has admitted backing the wrong 4G horse and is now transitioning to LTE across its network. So the operator will now be selling Google’s Galaxy Nexus and LG’s Viper handsets, both with support for Google Wallet for those wanting pay-by-bonk functionality.

Supporting the ability to make payments by tapping the phone against a reader isn’t just a matter of supporting Near Field Communications (NFC), you also need a secure element in which to store the cryptographic keys, which will be under the control of a mutually-trusted party, and then an application with which to make the payments.

Both the Galaxy Nexus and the Viper have a module built into the phone, under the control of Google – which is trusted by Mastercard and Visa. So far only Google itself and Citibank have created applications with which a user can make payments, and despite offering to pay for users’ groceries, Google Wallet is proving something of a slow burner at best.

I’d imagine the wallet system will have functionality to auto-reload from your credit card too, so if someone can manage to grab those cryptographic keys from the ‘secure’ area on your phone – you might be in for a surprise when you get your next credit card statement.

The plus side is, the adoption rate so far seems to be super low – so it’s not much of a risk right now.

It has not been helped by Verizon asking to have the functionality disabled in its spin of the Galaxy Nexus. The operator claims the decision was down to integration issues, but it is widely believed to have made the call in order to hold back a competitor until the US-operator-consortium wallet, ISIS, comes online.

ISIS uses a secure element held in the SIM – and thus under the operators’ control – and should work with any handset supporting the SWP (Single Wire Protocol) standard for NFC/SIM communications.

So once ISIS is available then the operators will start pushing it out to everyone with an SWP-supporting handset, including the Google Galaxy Nexus and LG Viper. Google needs to move fast and grab some market share before the operators shut it out, which is why these new handsets are so important to the Chocolate Factory as well as to Sprint.

There’s a whole lot of politics going on too with a new mobile payment system set to come online soon – ISIS – founded by…wait for it…AT&T, T-Mobile and Verizon. Yah, screw whoever tries to mess with ISIS – because they are gonna be in big trouble – the only major US operator missing is Sprint.

I’m guessing that’s why they are going with Google Wallet, there’s a very short article on Wikipedia about ISIS here.

Source: The Register

Arachni is a high-performance (Open Source) Web Application Security Scanner Framework written in Ruby.

This version includes lots of goodies, including:

• A new light-weight RPC implementation (No more XMLRPC)
• High Performance Grid (HPG) — Combines the resources of multiple nodes for lightning-fast scans
• Updated WebUI to provide access to HPG features and context-sensitive help
• Accuracy improvements and bugfixes for the XSS, SQL Injection and Path Traversal modules
• New report formats (JSON, Marshal, YAML)
• Cygwin package for Windows

New plugins

• ReScan — It uses the AFR report of a previous scan to extract the sitemap in order to avoid a redundant crawl.
• BeepNotify — Beeps when the scan finishes.
• LibNotify — Uses the libnotify library to send notifications for each discovered issue and a summary at the end of the scan.
• EmailNotify — Sends a notification (and optionally a report) over SMTP at the end of the scan.
• Manual verification — Flags issues that require manual verification as untrusted in order to reduce the signal-to-noise ratio.
• Resolver — Resolves vulnerable hostnames to IP addresses.

IF you want a slightly more detailed description of what’s changed you can check here, or view the ChangeLog.

You can download Arachni v0.4 here:

Windows – arachni-v0.4.0.2-cygwin.exe
Linux – arachni-v0.4.0.2-cde.tar.gz

Or read more here.

Oh look, another Facebook worm – this one seems pretty nasty and as usual it’s going for Facebook access details and then diving into banking credentials if it can find them.

It’s mostly targeted at the UK though, worms of these type usually are geographically limited as they are targeting bank information – it’s better to go after a certain niche of users.

45,000 isn’t a huge number though considering the latest stats say there are over 30 millions Facebook users from the UK alone.

A bank account-raiding worm has started spreading on Facebook, stealing login credentials as it creeps across the site, security researchers have revealed.

Evidence recovered from a command-and-control server used to coordinate the evolving Ramnit worm confirms that the malware has already stolen 45,000 Facebook passwords and associated email addresses. Experts from Seculert, who found the controller node, have supplied Facebook with a list of all the stolen credentials found on the server. Most of the victims are from either the UK or France.

Ramnit differs from other worms, such as Koobface, that have used Facebook to spread because it relies on multiple infection techniques and has only recently extended onto social networks. Koobface, by contrast, only uses Facebook or Twitter to spread.

“Ramnit started as a file infector worm which steals FTP credentials and browser cookies, then added some financial-stealing capabilities, and now recently added Facebook worm capabilities,” Aviv Raff, CTO at Seculert, told El Reg.

“We suspect that they use the Facebook logins to post on a victim’s friends’ wall links to malicious websites which download Ramnit,” he added.

There was indeed Koobface some time back, but that was purely on Facebook – the danger with worms like Ramnit is that Facebook is only 1 of the vectors they are using to spread.

It’s a good job researchers got hold of one the command and control nodes – or this could have gotten a whole lot messier. Facebook has been pretty good lately blocking malicious strings and clamping down on worms as soon as they show up.

Ramnit first appeared in April 2010. By last July variants of the malware accounted for 17.3 per cent of all new malicious software infections, according to Symantec. A month later Trusteer reported that flavours of Ramnit were packing sophisticated banking login credential snaffling capabilities – technologies culled from the leak of the source code of the notorious ZeuS cybercrime toolkit at around the same time.

The new Ramnit configuration was able to bypass two-factor authentication and transaction-signing systems used by financial institutions to protect online banking sessions. The same technology might also be used to bypass two-factor authentication mechanisms in order to gain remote access to corporate networks, Seculert warns.

The move onto Facebook by the miscreants behind Ramnit seems designed primarily to expand the malware’s distribution network and infect more victims.

“We suspect that the attackers behind Ramnit are using the stolen credentials to expand the malware’s reach,” Seculert concludes, adding that capturing the login credentials of Facebook accounts creates a means to attack more sensitive accounts that happen to use the same email address and password combination.

“The cyber-criminals are also taking advantage of the fact that people usually use the same passwords for different web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks,” it said.

The Ramnit outbreak on Facebook follows the November outbreak of an earlier worm that tried to infect victims with a variant of ZeuS.

The scary part is that the latest version of Ramnit can bypass two factor authentication! I’m not exactly sure how it does that, but it seems to have snagged a lot of features from the source code leak of ZeuS.

I would agree with the article though, people do tend to re-use passwords, they trust things shared on Facebook and it’s a good platform to spread malware rapidly.

Source: The Register

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. Basically the author got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like because:

• They either do not work or are not reliable (false negatives several times in the past)
• They are slow (not multi-threaded or not testing multiple passwords within the same TCP connection)
• They lack very useful features that are easy to code in python (eg. interactive runtime)

Basically you should give Patator a try once you get disappointed by Medusa, Hydra or other brute-force tools and are about to code your own small script because Patator will allow you to:

• Not write the same code over and over
• Run multi-threaded
• Benefit for useful features such as the interactive runtime commands, response logging, etc.

Currently it supports the following modules:

• ftp_login : Brute-force FTP
• ssh_login : Brute-force SSH
• telnet_login : Brute-force Telnet
• smtp_login : Brute-force SMTP
• smtp_vrfy : Enumerate valid users using the SMTP VRFY command
• smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
• http_fuzz : Brute-force HTTP/HTTPS
• pop_passd : Brute-force poppassd (not POP3)
• ldap_login : Brute-force LDAP
• smb_login : Brute-force SMB
• mssql_login : Brute-force MSSQL
• oracle_login : Brute-force Oracle
• mysql_login : Brute-force MySQL
• pgsql_login : Brute-force PostgreSQL
• vnc_login : Brute-force VNC
• dns_forward : Forward lookup subdomains
• dns_reverse : Reverse lookup subnets
• snmp_login : Brute-force SNMPv1/2 and SNMPv3
• unzip_pass : Brute-force the password of encrypted ZIP files
• keystore_pass : Brute-force the password of Java keystore files

The name “Patator” comes from this tv interview clip – patator

Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting/complaining/asking me how to use this tool..

You can download Patator v0.3 here:

patator_v0.3.py

Or read more here.

Honestly there hasn’t been much news over the holiday period, well maybe there was but no one bothered reporting it. There was the Stratfor case of course, which Anonymous is saying wasn’t anything to do with them.

The scale of this incident somehow reminds me of the whole TJ MAXX fiasco a few years back.

Anyway, this whole scheme sounds like a case of people installed VNC with weak passwords and someone finding it by accident – it doesn’t even seem to have been a targeted hack.

For thousands of customers of Subway restaurants around the US over the past few years, paying for their $5 footlong sub was a ticket to having their credit card data stolen. In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

In an indictment unsealed in the US District Court of New Hampshire on December 8, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims.

“This is the crime of the future,” said Dave Marcus, director of security research and communications at McAfee Labs in an interview with Ars. Instead of coming in with guns and robbing the till, he said, criminals can target small businesses, “root them from across the planet, and steal digitally.”

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.

While the scale of this particular ring may be significant, the methods used by the attackers were hardly sophisticated. According to the indictment, the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems. The PCI Security Standards Council, which governs credit card and debit card payment systems security, requires two-factor authentication for remote access to POS systems—something the applications used by these retailers clearly didn’t have.

It seems like there’s a pretty large ring behind this operation, just due to the sheer number of locations compromised and the amount of time it must have taken to install all the malware and logging software.

Plus the network infrastructure that was build to receive the logs via FTP upload, the criminals were pretty smart too – they even ‘backed up’ their stolen data to sendspace just in case their hosting got taken down.

Once they were in, the hackers then deployed a collection of hacking tools to the POS systems, including logging software that recorded all the input into the systems—including credit card scans. They also installed a trojan, xp.exe, onto the systems to provide a back door to reconnect to the systems to allow the installation of additional malware, and prevent any security software updates.

Collected data from the loggers was posted by the malware to FTP “dump” sites on a number of Web servers in the US created with domains they registered through GoDaddy.com using stolen credit card data. In addition to using the stolen data to register their own domains and pay for hosting service, the hackers periodically rounded up the dumped transaction data and moved it to sendspace.com, a file transfer site. Richard James of sendspace.com says that his company cooperated with the FBI in the investigation of the hack. ” Sendspace [is] a file hosting and transfer site used by millions every single day,” he said in an email to Ars Technica,”and as such can indeed be used for activities which are against our TOS and that we do not condone.”

Some of the data was used to print counterfeit credit cards using blank plastic cards and embossing machines. One of the alleged hackers, Cezar Iulian Butu, was generating counterfeit cards with an embossing machine out of a house in Belgium in October of 2010, and working with a group, used the cards “among other uses [to] place bets at local French ‘tobacco’ shops,” the Justice Department said in its filing. The rest of the stolen data was sold in blocks to other criminals from the Sendspace server.

According to a report by Schuman, Subway’s corporate IT and a credit card company discovered the data breach “almost simultaneously.” Subway Corporate Press Relations Manager Kevin Kane told Ars that “the tech guys who dealt with this moved and put steps in place [to block the theft of data] as soon as they discovered it.” He said the company wouldn’t discuss the measures taken, as “we don’t want to give away the blueprint” to other potential attackers. And Kane added that Subway had been asked by the Justice Department not to comment on other details of the case, as it is part of an ongoing investigation.

It’ll be a pretty interesting case to watch either way, we’ll have to see what else gets discovered (and more importantly released to the public).

Subway corporate IT has taken some measures against this, but as it was franchisee stores that got owned – I don’t honestly see how much they can do. Unless they implement a complete new POS system (which is secure and preferably doesn’t run Windows and connect to the Internet).

POS in this case should well stand for Piece of Shit.

Source: Ars Technica

Social engineering has been around for tens of thousands of years so it is time we approach the topic in a professional manner. The Social Engineering Vulnerability Evaluation and Recommendation (SEVER) Project is one way to help penetration testers become more consistent. It is also intended to be the best way to teach novices about social engineering concepts.

By distilling thousands of pages of theory into a simple form the SEVER project hopes to:

1. Provide the fastest means of training novices about complex social engineering concepts.
2. Provide penetration testers with a methodology that minimizes their effort while increasing their chance of success.

You will begin by defining requirements, then brainstorm solutions, and then refine your solutions through multiple phases. Each phase increases in detail, allowing you to identify ‘show stoppers’ as soon as possible. This will help you avoid wasting time working on a plan that is not going to succeed. If an idea makes it through the entire process and you still feel good about it then you should have a very high chance of success.

The best format for this content would be an electronic form with a lot of context-sensitive notes. But since there is currently no effective, portable way of accomplishing that I decided to split the content into two PDF files – the SEVER Worksheet and the SEVER Instructions. Go through these instructions while you fill out the form until you have a thorough understanding of how the form works. If you cheat and try to do one before the other (or skip the instructions altogether) you will miss things which will make failure far more likely.

You can download both papers here:

- SEVER_Instructions_Final.pdf
- SEVER_Worksheet_Final.pdf

Or read more here.

There have been a few stories about this in the past, I recall China Facing Problems With Android Handsets & Pre-installed Trojans that were draining people’s batteries and phone credit by sending messages to premium-rate numbers.

The latest news is of a more technical nature, but it outlines ways in which cybercrooks may well be able to send out premium-rate SMS messages without the handset owner knowing due to weaknesses in the actual standard.

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.

The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.

SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user’s inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that’s likely to happen.

The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender’s number or to the operator’s message centre. This creates two possible attack scenarios.

It seems to be a theoretical attack right now, but seen as though it’s a flaw with the way the standard works (and it’s implemented this way on literally millions of phones) it could become a major issue.

I would imagine it’s something vendors can fix on future handsets they sell, or on previous handsets via a firmware update – but that wouldn’t cover everyone.

In all likelihood however, I see the most likely ath would be it stats as a purely theoretical attack.

In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.

Attackers can’t control the content of the automatic error responses, a potential stumbling block when it comes to signing up people up for these services simply because they’ve sent a message, but it’s easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing up people to its services only in response to properly formatted requests rather than an any old message.

In the second case, an SIM Toolkit error message is sent to the operator’s message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message: creating an error loop that prevents the delivery of legitimate SMS messages to a user’s handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.

Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.

Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of an SIM Toolkit response. However the the option “Confirm SIM Service Actions” is usually disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers that are allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports

The SIM DoS attack is fairly interesting as it could prevent a user from receiving legitimate SMS responses almost indefinitely. There are various ways to mitigate against the attack and it seems like Nokia has the most secure handset as of now – even though the option to prevent these attacks is turned off by default – at least they have the option.

The other way is to get the service providers to filter out the messages and use a whitelist for legitimate SIM Toolkit messages – I don’t think that’s very likely though.

Source: The Register

MysqlPasswordAuditor is the FREE Mysql password recovery and auditing software. Mysql is one of the popular and powerful database software used by most of the web based and server side applications.

If you have ever lost or forgotten your Mysql database password then MysqlPasswordAuditor can help in recovering it easily. It can also help you to audit Mysql database server setup in an corporate environment by discovering the weak password configurations. This makes it one of the must have tool for IT administrators & Penetration Testers.

MysqlPasswordAuditor is very easy to use with the simple dictionary based password recovery method. By default it includes small password list file, however you can find more password dictionary files at OpenWall collection. You can also use tools like Crunch, Cupp to generate custom password list files on your own and then use it with MysqlPasswordAuditor.

MysqlPasswordAuditor works on wide range of platforms starting from Windows XP to latest operating system Windows 7.

Features

• Free and Simple software to Recover/Audit Mysql Password.
• Very useful for IT administrators & Penetration Testers
• Dictionary based Password Recovery method
• Detailed statistics such as tested passwords, elapsed time, progress bar is displayed during Audit operation.
• Simple, easy to use GUI interface
• Integrated Installer for local Installation & Uninstallation.

You can download MysqlPasswordAuditor here:

MysqlPasswordAuditor.zip

Or read more here.