Archive | January, 2008

New Rootkits Infecting the MBR

Ah, I remember some of the nastiest viruses back in the day attaching themselves to the MBR (Master Boot Record), rendering most anti-virus software useless (as it sits on top of the OS).

Now it seems MBR infection is back in fashion for a new age of rootkits.

Security mavens have uncovered a new class of attacks that attach malware to the bowels of a hard drive, making it extremely hard to detect and even harder to remove.

The rootkit modifies a PC’s master boot record (MBR), which is the first sector of a storage device and is used to help a PC locate an operating system to boot after it is turned on. The result: the rootkit is running even before Windows loads. There have been more than 5,000 infections in less than a month, researchers say.

“Master boot record rootkits are able to subvert the Windows kernel before it loads, which gives it a distinct stealth advantage over rootkits that load while Windows is running,” said Matthew Richard, director of the rapid response team for iDefense, a security provider owned by VeriSign. “It gives it a great stealth mechanism that allows it to persist even after removal.” Such rootkits can even survive reinstallation of the operating system, he said.

Pretty stealthy and extremely sticky, time to be a little more wary. MBR infectors are extremely nasty and the majority of people won’t even know they are infected. Plus, as they can subvert the Windows kernel before it even loads, they have a huge stealth advantage.
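Because the boot code in sector 0 has to be rewritten for this kind of infection, the practical check is to baseline the MBR once and diff it later: a bootkit must leave the partition table intact (otherwise the OS no longer boots), so rewritten boot code over an unchanged partition table is the pattern to alert on. The following is an added example written for this page, not code from the article, from iDefense or from any rootkit sample; the sample sectors are constructed, and the "infected" boot code is a hypothetical placeholder, not a signature of the rootkit discussed above.

```python
"""Added example: parse the first sector of a disk and diff it against a known-good copy."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446      # bytes 0..445: the boot code the BIOS jumps to
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511: end-of-MBR signature


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition-table hash and entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Diff a fresh read of sector 0 against the baseline taken at install time."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    boot_changed = base["bootstrap_sha256"] != cur["bootstrap_sha256"]
    table_changed = base["table_sha256"] != cur["table_sha256"]
    if boot_changed and not table_changed:
        # Boot code rewritten while the partition table is untouched: bootkit pattern.
        verdict = "ALERT"
    elif boot_changed or table_changed:
        verdict = "CHANGED"   # partitioning tool or OS reinstall? re-baseline only if explained
    else:
        verdict = "OK"
    return {"bootstrap_changed": boot_changed, "table_changed": table_changed,
            "signature_ok": cur["signature_ok"], "verdict": verdict}


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a block device such as /dev/sda (needs root; not used below)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable NTFS partition, signature."""
    code = boot_code.ljust(BOOTSTRAP_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIG


# Constructed inputs: a "clean" sector and one whose boot code was swapped out.
CLEAN_MBR = build_sample_mbr(bytes.fromhex("33c08ed0bc007c"))   # xor ax,ax; mov ss,ax; mov sp,0x7c00
INFECTED_MBR = build_sample_mbr(bytes.fromhex("ea00000000"))    # hypothetical far jump, not a real sample

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(compare_mbr(CLEAN_MBR, INFECTED_MBR)["verdict"])   # ALERT
```

Take the baseline with `read_mbr("/dev/sda")` right after installation and store it off-box; a check that reads sector 0 through the running OS can itself be lied to by a rootkit that filters disk reads, so for a suspect machine read the sector from a boot CD and compare there.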

The new rootkit is part of the arms race between security vendors and malware writers, he said. “We’re definitely making it harder and harder for the bad guys to do stuff to the operating system,” he said. They respond by attacking new parts of a PC.

Every version of Windows, including Vista, is vulnerable to the rootkit.

About 30,000 websites, mostly located in Europe, are actively trying to install the rootkit by exploiting users who have failed to install Windows updates, Richard says. There were 5,000 infections from December 12 to January 7. The rootkit is being spread by the same group responsible for distributing the Torpig banking Trojans, which are used to steal online banking credentials.

(Info from Securiteam)

A timeline is available from SANS here.

Source: The Register


Posted in: General Hacking, Malware


w3af Fifth BETA for Download – Automated Web Auditing and Exploitation Framework

As you all seem to be pretty interested in Inguma, here’s something else similar called w3af; the fifth BETA was released a while back and the team are now working on the sixth.

w3af is a Web application attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and

We did mention when it was first released – w3af – Web Application Attack and Audit Framework.

There are a lot of small changes, but the basic and bigger ones are:

  • Virtual daemon, a way to use Metasploit framework payloads/shellcodes while exploiting web applications.
  • w3afAgent, a reverse VPN that allows you to route packets through the compromised server.
  • Good samaritan, a module that allows you to exploit blind SQL injections much faster.
  • 20+ new plugins.
  • A lot of bug fixes.
  • A much more stable core.

A full plugin list is here:

w3af – Plugins

The users guide can be found here:

w3afUsersGuide.pdf

The author has also uploaded the presentation material he made for the T2 conference in Finland – this can serve as a good introduction.

w3af-T2.pdf

You can download w3af here:

w3af BETA5

Or read more here.


Posted in: Database Hacking, Hacking Tools, Web Hacking


The First Reported Facebook Worm/Malware Pops Up – Secret Crush

So Facebook has finally fallen victim: after the recent Orkut worm, we now have a malware infection spreading through a Facebook application called Secret Crush. The application was renamed My Admirer, but that seems to be gone now too.

The first spyware spreading via a Facebook application has been discovered. Security company Fortinet reports that an application called Secret Crush is installing Zango (aka AdWare.Win32.180Solution) through an Iframe, technically from ZangoCash.com.

It seems like Social Networks are a big target for infections now as the sheer mass of users there means that if the bad guys get a good piece of self-propagating code mixed up with a dose of social engineering they will achieve a massive infection.

The text included in the request entry is “One of Your Friends Might Have a Crush on You!”. Additionally, the buttons are ‘Find Out Who!’ and the typical ‘Ignore’. It appears that Secret Crush is no longer included in the Facebook Application Directory (no log-in needed). Reportedly the FortiGuard Team has informed Facebook and the application has probably been disabled already.

Although the application has been disabled (Good work Facebook) it shows what can happen, and it will happen again that’s a guarantee. This is just the beginning.

Source: Securiteam


Posted in: Malware, Privacy, Web Hacking


VoIP Hopper – VLAN Hopping Tool

VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments.

In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID).

This allows the tool to create a new Ethernet interface on the PC whose frames carry an 802.1Q VLAN tag with that VVID. After VoIP Hopper has created the new Ethernet device, it sends a DHCP client request on it.

In Avaya IP Phone environments, it sends a DHCP request whose Option 55 parameter request list asks for Option 176. When the DHCP server returns Option 176, it decodes the L2QVLAN field of the reply to get the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request on it.
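Both discovery paths above come down to pulling a VLAN number out of a protocol the switch or DHCP server volunteers to anything that looks like a phone: the CDP VoIP VLAN Reply TLV (type 0x000e, a one-byte data field followed by the 16-bit VVID) on Cisco ports, and the comma-separated Avaya option 176 string (`...,L2Q=1,L2QVLAN=200,...`). The parsers below are an added example for this page, not VoIP Hopper’s own code; the CDP frame and the option 176 string are constructed inline rather than captured, the switch hostname and MACs are made up, and the Linux iproute2 commands in the last helper are what a tester would type by hand to do the hop the tool automates.

```python
"""Added example: recover the Voice VLAN ID from a CDP frame (Cisco) or DHCP option 176 (Avaya)."""
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")                 # CDP destination MAC
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")        # LLC AA/AA/03 + SNAP OUI 00000c, PID 0x2000
CDP_TLV_DEVICE_ID = 0x0001
CDP_TLV_VOIP_VLAN_REPLY = 0x000E


def cdp_tlvs(frame: bytes):
    """Yield (type, value) for each TLV in an 802.3/LLC/SNAP-encapsulated CDP frame."""
    if frame[:6] != CDP_MCAST or frame[14:22] != SNAP_CDP:
        return                                  # not CDP: nothing to yield
    off = 22 + 4                                # skip CDP version(1), TTL(1), checksum(2)
    while off + 4 <= len(frame):
        ttype, tlen = struct.unpack_from(">HH", frame, off)
        if tlen < 4 or off + tlen > len(frame):
            break                               # malformed TLV: stop instead of reading past the frame
        yield ttype, frame[off + 4: off + tlen]
        off += tlen


def cisco_voice_vlan(frame: bytes):
    """Return the VVID advertised in a CDP VoIP VLAN Reply TLV, or None if absent."""
    for ttype, value in cdp_tlvs(frame):
        if ttype == CDP_TLV_VOIP_VLAN_REPLY and len(value) >= 3:
            return struct.unpack_from(">H", value, 1)[0]   # 1 data byte, then 16-bit VLAN id
    return None


def avaya_voice_vlan(option176: bytes):
    """Parse L2QVLAN out of an Avaya DHCP option 176 value ('KEY=VAL,KEY=VAL,...')."""
    for field in option176.decode("ascii", "replace").split(","):
        key, _, val = field.partition("=")
        if key.strip().upper() == "L2QVLAN" and val.strip().isdigit():
            return int(val)
    return None


def build_cdp_frame(hostname: bytes, vvid: int) -> bytes:
    """Constructed CDP frame (not a capture) carrying a Device ID and a VoIP VLAN Reply TLV."""
    tlvs = struct.pack(">HH", CDP_TLV_DEVICE_ID, 4 + len(hostname)) + hostname
    tlvs += struct.pack(">HHBH", CDP_TLV_VOIP_VLAN_REPLY, 7, 0x01, vvid)
    cdp = bytes([0x02, 0xB4]) + b"\x00\x00" + tlvs    # version 2, TTL 180, checksum left zero
    payload = SNAP_CDP + cdp
    src_mac = bytes.fromhex("001122334455")            # made-up switch MAC
    return CDP_MCAST + src_mac + struct.pack(">H", len(payload)) + payload


def vlan_subinterface_commands(parent: str, vvid: int) -> list:
    """iproute2/dhclient commands that do the hop by hand on Linux once the VVID is known."""
    sub = f"{parent}.{vvid}"
    return [f"ip link add link {parent} name {sub} type vlan id {vvid}",
            f"ip link set {sub} up",
            f"dhclient {sub}"]


# Constructed inputs for both paths.
SAMPLE_CDP_FRAME = build_cdp_frame(b"sw-floor3", 200)
SAMPLE_OPTION_176 = b"MCIPADD=10.10.1.5,MCPORT=1719,L2Q=1,L2QVLAN=300,VLANTEST=60"

if __name__ == "__main__":
    print("Cisco VVID:", cisco_voice_vlan(SAMPLE_CDP_FRAME))      # 200
    print("Avaya VVID:", avaya_voice_vlan(SAMPLE_OPTION_176))     # 300
    print("\n".join(vlan_subinterface_commands("eth0", 200)))
```

The defensive takeaway is the mirror image: if a plain workstation port hands out the VVID over CDP, or the DHCP scope on the data VLAN answers option 176 to any client that asks, then the voice VLAN is one tagged sub-interface away for anyone with a cable.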

Why?

VoIP Hopper was written with the specific aim of improving security in VoIP environments by validating Layer 2 protection controls. It is a VLAN test tool that can be used to validate controls in VoIP environments but also anywhere else VLANs are used (basically everywhere).

You can download VoIP Hopper here:

VoIP Hopper 0.9.7

Or read more here.


Posted in: Hacking Tools, Network Hacking


UK Government Set to Make ‘Hacking Tools’ Illegal

This is sad news: it seems the UK is considering following the lead of the Germans and their recently implemented hacking law, §202c StGB, regarding making ‘hacking tools‘ illegal.

It’s almost like making baseball bats illegal because you can hit someone with one; it doesn’t matter that it’s made for playing sport and that’s what most people use it for.

The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called “hacking tools”.

The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, are still not in force and probably won’t be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.

Sounds pretty ominous to me, even distributing said hacking tools can get you in trouble – that’s bad news for people like me that believe in sharing information, knowledge and hard to find tools.

I agree a revamp of the Computer Misuse Act is needed, but making tools like Nmap illegal to create or distribute is just plain stupid.

Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about “dual-use” tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that’s subsequently abused by hackers.

The Crown Prosecution Service guidance, published after a long delay on Monday, also asks prosecutors to consider if an article is “available on a wide scale commercial basis and sold through legitimate channels”. Critics argue this test fails to factor in the widespread use of open source tools or rapid product innovation.

It’s pretty messy – it could help malicious hackers be prosecuted effectively and gives a bit more ammo to law. But it also means over zealous lawyers could prosecute security consultants for actions they don’t really understand – which is the scary part for me.

I hope it gets distilled into something useful and fair for both sides.

Source: The Register


Posted in: General News, Legal Issues


Unicornscan v0.4.7 Released for Download – Fast Port Scanner

Unicornscan has always been a favourite of mine, especially for UDP scanning and scanning large networks (and getting it done fast).

Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.

In some ways the implementation is better than Nmap – in some ways worse. Both are great tools and for me they work well hand in hand, both have certain advantages over the other in different situations.

I did get half way to writing an article about Nmap vs Unicornscan for large network scanning.

Benefits of Unicornscan

Unicornscan is an attempt at a User-land Distributed TCP/IP stack. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Although it currently has hundreds of individual features, a main set of abilities include:

  • Asynchronous stateless TCP scanning with all variations of TCP Flags.
  • Asynchronous stateless TCP banner grabbing
  • Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response).
  • Active and Passive remote OS, application, and component identification by analyzing responses.
  • PCAP file logging and filtering
  • Relational database output
  • Custom module support
  • Customized data-set views
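The first item in that list is what lets a scanner like this cover large networks fast: a stateless scanner keeps no record of the probes it sent. Instead it encodes a keyed cookie in the SYN’s sequence number and, when a reply arrives, recomputes the cookie from the reply’s own addresses and ports; a SYN-ACK whose acknowledgement number is cookie + 1 belongs to this scan, anything else is dropped. The code below is an added example of that correlation step written for this page, not Unicornscan’s source (its actual cookie construction is not described here); the HMAC-SHA256 cookie, the addresses and the reply segments are all assumptions constructed for the demo, and the raw-socket send/receive around it is left out.

```python
"""Added example: stateless SYN-scan correlation with a keyed cookie in the sequence number."""
import hashlib
import hmac
import ipaddress
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def probe_cookie(secret: bytes, scanner_ip: str, target_ip: str, sport: int, dport: int) -> int:
    """32-bit cookie for one probe, derived from the 4-tuple and a per-scan secret.
    It is sent as the SYN's sequence number, so nothing per probe has to be stored."""
    msg = (ipaddress.ip_address(scanner_ip).packed + ipaddress.ip_address(target_ip).packed
           + struct.pack(">HH", sport, dport))
    return struct.unpack(">I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def expected_ack(secret: bytes, scanner_ip: str, target_ip: str, sport: int, dport: int) -> int:
    """A genuine reply acknowledges our sequence number + 1 (mod 2^32)."""
    return (probe_cookie(secret, scanner_ip, target_ip, sport, dport) + 1) & 0xFFFFFFFF


def classify(secret: bytes, scanner_ip: str, reply: dict) -> tuple:
    """Map one received TCP segment (parsed header fields) to (target_port, state).
    The reply's source is the target, so the tuple is reversed before recomputing."""
    port = reply["src_port"]
    want = expected_ack(secret, scanner_ip, reply["src_ip"], reply["dst_port"], port)
    if reply["dst_ip"] != scanner_ip or reply["ack"] != want:
        return port, "ignore"                   # stale, forged, or not from this scan
    flags = reply["flags"]
    if flags & TCP_SYN and flags & TCP_ACK:
        return port, "open"
    if flags & TCP_RST:
        return port, "closed"
    return port, "ignore"


def correlate(secret: bytes, scanner_ip: str, replies: list) -> dict:
    """Fold a stream of replies into {port: state}; anything failing the cookie check is dropped."""
    results = {}
    for reply in replies:
        port, state = classify(secret, scanner_ip, reply)
        if state != "ignore":
            results[port] = state
    return results


# Constructed replies as they would arrive from 10.0.0.9 after SYNs from 10.0.0.2:40000.
SECRET = b"per-scan-secret-rotated-each-run"
SCANNER, TARGET, SPORT = "10.0.0.2", "10.0.0.9", 40000


def _reply(port: int, flags: int, ack: int) -> dict:
    return {"src_ip": TARGET, "dst_ip": SCANNER, "src_port": port, "dst_port": SPORT,
            "flags": flags, "ack": ack}


SAMPLE_REPLIES = [
    _reply(22, TCP_SYN | TCP_ACK, expected_ack(SECRET, SCANNER, TARGET, SPORT, 22)),   # open
    _reply(23, TCP_RST | TCP_ACK, expected_ack(SECRET, SCANNER, TARGET, SPORT, 23)),   # closed
    _reply(80, TCP_SYN | TCP_ACK, 0x12345678),          # forged: ack does not match the cookie
]

if __name__ == "__main__":
    print(correlate(SECRET, SCANNER, SAMPLE_REPLIES))   # {22: 'open', 23: 'closed'}
```

The secret is what makes the cookie worth anything: without it a target that notices the scan could spray SYN-ACKs with guessable acknowledgement numbers and fill the results with phantom open ports. Rotating it per run also means replies from an earlier scan can never be mistaken for this one.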

Anyway, on to the news: Unicornscan has finally been updated and v0.4.7 is available for download.

Unicornscan has also been awarded 2nd place in the security category of this year’s Les Trophées du Libre 2007 (http://www.tropheesdulibre.org).

You can download Unicornscan here:

Source Code: unicornscan-0.4.7-2.tar.bz2
Fedora Core 8 RPM: unicornscan-0.4.7-4.fc8.i386.rpm

Or read more here.

Documentation is available here: Unicornscan-Getting_Started.pdf


Posted in: Hacking Tools, Network Hacking


GFI Survey – 4 in 10 US Companies are NOT Secure!

GFI has recently conducted a survey concerning corporate security in the US for small and medium sized enterprises (SMEs).

Despite the best efforts of many small and medium sized companies, a recent US survey shows that four in 10 companies believe that their networks are not secure. Thirty-two percent of the companies also reported that they had suffered a breach in the past 12 months alone citing virus attacks and Internet downloads as the leading cause of the security breach.

The survey, conducted by eMediaUSA on behalf of GFI Software, an international network security software developer, was given to 455 IT executives from U.S. based small and medium sized businesses (SMBs).


Commenting on the results, Andre Muscat, GFI’s Director of Engineering, said: “Email viruses top the ‘greatest threat to network security’ list and this does not come as a surprise. It is one of the easier attack routes and this is confirmed by those respondents who reported a breach. While companies are aware of, and are focused on, tackling viruses and malware, they appear to be giving sparse attention to other equally dangerous threats such as data theft and leakage from endpoints such as connected USB sticks, iPods and PDAs on the network.”

Further results on the survey can be found in the full survey here:

smbsurvey.pdf

Source: GFI


Posted in: Advertorial, General News



Uber Spammer Alan Ralsky Back In The News

Ah so Mr Alan Ralsky one of the biggest spammers of all-time is back in the news after his indictment with 10 others for running a large scale spam operation intended to inflate stocks artificially.

At one time it was thought Mr Ralsky and his friends were responsible for the majority of the spam sent. He’s certainly one of the most prolific: there are around 150 spammers in the world responsible for about 90% of the spam received.

Infamous spam king Alan M. Ralsky is on the run following the Jan. 3 indictment of Ralsky and 10 others for operating a sophisticated spam scam involving pump-and-dump Chinese stocks.

The 41-count indictment, unsealed in a Detroit federal court, claims Ralsky, 52, and his fellow defendants operated a wide-ranging international fraud scheme involving millions of illegal e-mails touting thinly-traded Chinese penny stocks. Ralsky profited by selling the stock at artificially inflated prices.

Only two of the defendants appeared in court Jan. 3 for arraignment. Ralsky is reportedly at large in Europe.

It looks like he wants to skip out on this one. It is a pretty serious case though: international stock fraud.

According to the indictment, Ralsky and his group earned approximately $3 million on the scheme during the summer of 2005. Ralsky faces charges including conspiracy, fraud in connection with electronic mail, computer fraud, mail fraud, wire fraud and money laundering.

The illegal e-mail practices cited in the indictment include evading spam-blocking devices, falsifying headers and domain names, using proxy computers to distribute the spam and misrepresenting the advertising content in the actual e-mail.

Ralsky seems to have made a good living from spamming; back when his palatial, 8,000-square-foot mansion in suburban Detroit was raided, he was clearly living well.

He has admitted that spam had made him a millionaire.

Source: eWeek


Posted in: Spammers & Scammers


December Commenter of the Month Competition Winner!

Competition time again!

As you know we started the Darknet Commenter of the Month Competition on June 1st and it ran for the whole of June and July. We have just finished the seventh month of the competition in December and are now in the eighth, which started a few days ago on January 1st – Sponsored by GFI.

We are offering some pretty cool prizes like iPods and PSPs, along with cool GFI merchandise like shirts, keyrings and mugs.

And now the winner will also get a copy of the Ethical Hacker Kit.

GFI Goodies

Keep up the great comments and high quality interaction, we really enjoy reading your discussions and feedback.

Just to remind you of the added perks, by being one of the top 5 commenters you also have your name and chosen link displayed on the sidebar of every page of Darknet, with a high PR5 (close to 6) on most pages (4000+ spidered by Google).

So announcing the winner for December…it’s Sir Henry! Sir Henry is a relative newcomer in commenting here, but he’s very active!

Special mentions also go to Goodpeople (the predicted winner for December before Sir Henry turned up!) and Pantagruel for their active and interesting comments.

Commenter December

December has been an extremely active month for comments with some interesting discussions happening, I’d like to thank you all for your participation!

Thanks to everyone else who commented and thanks for your links and mentions around the blogosphere!

Feel free to share Darknet with everyone you know :)

Keep commenting guys, and stand to win a prize for the month of January.

We are still waiting for pictures from backbone, Sandeep and TRDQ, dirty and dre of themselves with their prizes!

Winner for June 2007 was Daniel with 35 comments.
Winner for July 2007 was backbone with 46 comments.
Winner for August 2007 was TheRealDonQuixote with 53 comments.
Winner for September 2007 was Sandeep Nain with 32 comments.
Winner for October 2007 was dre with 19 comments.
Winner for November 2007 was dirty with 38 comments.


Posted in: Site News
