Archive | November, 2012

Noted Chinese Hacker Wicked Rose Heading Antivirus Company Anvisoft


The latest scandal on the block: it seems a noted Chinese hacker known as Wicked Rose or Withered Rose is involved with the antivirus startup Anvisoft. The hacker’s real name is Tan Dailin and he was previously involved in hacking some US defence contractors.

Anvisoft even posted a simple response to the original article on their official Facebook group: “Yes it’s true”.

Antivirus startup Anvisoft was founded by an infamous Chinese hacker who allegedly cut his teeth exploiting Microsoft Office security holes to hack US defence contractors, it has emerged.

Investigative journalist Brian Krebs uncovered evidence – largely based on historic domain records for Anvisoft and reports compiled by VeriSign on Chinese hacking activities – to allege that black-hat Tan Dailin established the antivirus startup.

In response to inquiries from The Reg, Anvisoft confirmed via a message from its official Facebook account that the report is accurate. “Yes, it is true,” it simply stated.

Dailin, AKA Wicked Rose or sometimes Withered Rose, allegedly led a state-sponsored four-man crew called NCPH – Network Crack Program Hacker. According to VeriSign’s iDefense, NCPH developed a rootkit [PDF] that was used to infiltrate the US defence establishment in 2006. The group is accused of launching Microsoft Office-based attacks for two years before it disbanded in 2008.

Krebs followed various online clues to piece together his tentative conclusion that Dailin, a 28-year-old graduate of Sichuan University of Science and Engineering in Zigong, registered Anvisoft’s domain in 2011, and may still be a key player at the startup.

One of Dailin’s cohorts in NCPH, a hacker nicknamed Rodag, wrote a blog post describing Anvisoft’s Smart Defender as a “security aid from abroad” and praised the technology, Krebs noted.

From Krebs’s research it seems it could have been Dailin who actually registered the domain for Anvisoft, which would indicate he is a key player in the operation and perhaps even the founder or co-founder.

Even so, the evidence that has been turned up so far is far from conclusive and, as we all know, just because this chap was mixed up in some dubious activity a few years back – doesn’t mean he isn’t ethically sound now. Some of the best ‘whitehat’ security folks have some distinctly grey stains on their hats.


Trademark registration records pinpoint Anvisoft’s genesis in the Chinese city of Chengdu although the company states it is based in Toronto, Canada.

Krebs’s digital detective work, though persuasive, was far from conclusive, which he admits. There is no suggestion of any wrongdoing by Anvisoft.

“Anvisoft may in fact be a legitimate company, with a legitimate product; and for all I know, it is. But until it starts to answer some basic questions about who’s running the company, this firm is going to have a tough time gaining any kind of credibility or market share,” Krebs noted.

Anvisoft’s technology has not been widely reviewed, but that’s not to say it is ineffective or untrustworthy. Against this, Trend Micro, alone among mainstream antivirus software, flags up Anvisoft’s Anvi Smart Defender Free setup utility as malign, according to results from VirusTotal.

Western antivirus firms, at least, generally have a policy of not employing former malware writers. Aside from presenting a negative image to potential customers, and sustaining the myth that antivirus firms employ an underground army of virus programmers to ramp up demand for their products, VXers are thought to be ill-suited to life in an antivirus firm.

Not only have they shown themselves to have dubious morals but from a purely practical view the skills required to write a decent antivirus program are not the same as those necessary to construct modern malware.

You can read more by Brian Krebs here:

Infamous Hacker Heading Chinese Antivirus Firm?

Most Western Antivirus companies and providers have a standing ban on hiring people that have been mixed up in blackhat activities or malware creation, more from Sophos here:

Did anti-virus company hire convicted Chinese malware author?

Source: The Register


Posted in: Countermeasures, Legal Issues, Malware, Security Software



HoneyDrive – Honeypots In A Box


HoneyDrive is a pre-configured honeypot system shipped as a virtual hard disk drive (VMDK format) with Ubuntu Server 11.10 32-bit edition installed. It currently contains the Kippo SSH honeypot. Additionally it includes useful scripts and utilities to analyze and visualize the data it captures. Lastly, other helpful tools like tshark (command-line Wireshark), pdftools, etc. are also present.

In the future more software will be added, such as the Dionaea malware honeypot and Honeyd.

You can get the latest version (0.1) of HoneyDrive, which contains the Kippo SSH honeypot and related scripts (kippo-graph, kippo-stats, kippo-sessions, etc.). Everything is pre-configured to work.

After downloading the file, you must uncompress it and then simply create a new virtual machine (suggested software: Oracle VM VirtualBox) and select the VMDK drive as its hard disk.
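The bundled kippo-stats and kippo-graph scripts summarise what Kippo records, and a quick look at the raw log is the first thing most people do once the VM is up. As an added illustration of that kind of analysis (not HoneyDrive’s or Kippo’s own code), the script below parses constructed lines shaped like Kippo’s `kippo.log` “login attempt” records, counts attempts per source IP and per credential pair, pulls out successful logins and flags sources that look like brute-force scanners. The sample lines and the documentation-range IPs are constructed, and the exact log format is an assumption to adjust against your own `kippo.log`.

```python
"""Summarise Kippo SSH honeypot login attempts from its text log.

Added example; the record layout assumed below mirrors Kippo's
'login attempt' lines but should be checked against a real kippo.log.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample excerpt (not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2012-11-20 10:15:30+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:54321 (10.0.2.15:2222) [session: 1]
2012-11-20 10:15:32+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2012-11-20 10:15:34+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/password] failed
2012-11-20 10:15:36+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2012-11-20 10:16:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:40022 (10.0.2.15:2222) [session: 2]
2012-11-20 10:16:03+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2012-11-20 10:16:05+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/123456] succeeded
"""

# Username cannot contain '/', so split on the first slash; the password
# is matched greedily because it may legitimately contain ']' or '/'.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<src>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>failed|succeeded)$"
)


class LoginAttempt(NamedTuple):
    timestamp: str
    session: int
    src_ip: str
    username: str
    password: str
    succeeded: bool


def parse_login_attempt(line: str) -> Optional[LoginAttempt]:
    """Return a LoginAttempt for a matching line, None for any other record."""
    m = LOGIN_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return LoginAttempt(
        timestamp=m["ts"],
        session=int(m["session"]),
        src_ip=m["src"],
        username=m["user"],
        password=m["password"],
        succeeded=(m["result"] == "succeeded"),
    )


def parse_log(text: str) -> List[LoginAttempt]:
    """Keep only the login-attempt records; connection/other lines are skipped."""
    return [a for a in map(parse_login_attempt, text.splitlines()) if a is not None]


def attempts_by_ip(attempts: List[LoginAttempt]) -> Dict[str, int]:
    return dict(Counter(a.src_ip for a in attempts))


def top_credentials(attempts: List[LoginAttempt], n: int = 3) -> List[Tuple[Tuple[str, str], int]]:
    """Most frequently tried (username, password) pairs, highest count first."""
    return Counter((a.username, a.password) for a in attempts).most_common(n)


def successful_logins(attempts: List[LoginAttempt]) -> List[LoginAttempt]:
    """Sessions that got past authentication are the ones worth replaying."""
    return [a for a in attempts if a.succeeded]


def brute_force_sources(attempts: List[LoginAttempt], threshold: int = 3) -> List[str]:
    """Source IPs with at least `threshold` failed attempts, sorted by count."""
    failed = Counter(a.src_ip for a in attempts if not a.succeeded)
    return [ip for ip, count in failed.most_common() if count >= threshold]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("attempts per source IP:", attempts_by_ip(found))
    print("top credentials:", top_credentials(found))
    print("successful logins:", [(a.src_ip, a.username, a.password) for a in successful_logins(found)])
    print("likely brute-force sources:", brute_force_sources(found))
```

Point the script at a real file with `parse_log(open("kippo.log").read())`; anything that does not match the login-attempt pattern is dropped, so a format difference shows up as an empty result rather than a crash.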

You can download HoneyDrive here:

HoneyBox.7z

Or read more here.


Posted in: Countermeasures, Network Hacking



Hack.me – Build, Host & Share Vulnerable Web Application Code


Hack.me is a FREE, community-based project powered by eLearnSecurity. The platform allows you to build, host and share vulnerable web application code for educational and research purposes.

It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMSs online. The platform is available without any restriction to any party interested in Web Application Security: students, universities, researchers, penetration testers and web developers.

Features

  • Upload your own code
  • Online IDE for PHP & MySQL
  • Your code hosted in the cloud
  • FREE!!
  • Practice webapp security
  • Isolated environment
  • Online: nothing to download!

Safety

Every time you run a new Hackme the site will initiate a new sandbox for you. You will get isolated access to it so that you will always know that the application is safe for you to use. No other students can add malware or exploits in your sandbox. This ensures 99% safety.

What about the 1%? While the team makes the best effort to moderate each and every new web app uploaded on Hack.me, chances are that something can and will slip through. If you are not 100% comfortable trusting us or the Hackme developer, please just run new Hackmes from a virtual machine or from a non-production OS.

We have written about a variety of web apps where you can practice your hack-fu such as:

So head over to hack.me and see what you think:

https://hack.me/


Posted in: Advertorial, Exploits/Vulnerabilities, Programming, Web Hacking



VMWare ESX Source Code Leaked On The Internet


Another big source code leak, this time VMWare ESX, software which I’m sure most of the readers here have used at some point (I know I have).

There was a time back in 2006 when VMWare Rootkits seemed like they might be the next big thing, but nothing much ever came out of it.

VMware is playing it down, but I think this is a fairly serious leak – we all know what happens when the bad guys get access to source code – they find lovely new 0day bugs to play with.

VMware has confirmed that the source code for old versions of its ESX technology was leaked by hackers over the weekend – but played down the significance of the spill.

The virtualisation giant said on Sunday that the exposed portions of its hypervisor date back to 2004, and the leak follows the disclosure of VMware source code in April.

“It is possible that more related files will be posted in the future,” Iain Mulholland, VMware’s director of platform security, explained. “We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.”

Mulholland said customers who apply the latest product updates and patches, in addition to following system hardening guidelines, ought to be protected against attacks developed in the wake of the code leak.

“By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected,” he said.

A 2MB compressed archive of the software blueprints was uploaded into file-sharing networks and promoted by various tweeters on Sunday. Some of these tweets, posted with the hashtags #Anonymous #AntiSec and #SourcySleazySundays, claimed that the leaked code was the “full VMware ESX Server Kernel”.

Some of the people posting the code were hash-tagging with Anonymous – but there’s been no ‘official’ announcement from any of the Anonymous channels so I doubt it’s really related.

As usual VMWare are saying if you’re using the latest patched version and have applied the ‘hardening measures’ you will be safe. I’d expect something nasty to come out of this within the next month or so.


A person going by the name of Stun, who made the source code available, wrote: “It is the VMKernel from between 1998 and 2004, but as we all know, kernels don’t change that much in programs, they get extended or adapted but some core functionality still stays the same.”

The previous VMWare source code leak was accompanied by the publication of the company’s internal emails via Pastebin by someone called Hardcore Charlie. The Anonymous-affiliated hacker claimed the information came from China National Electronics Import and Export (CEIEC), an engineering and electronics company outfit.

VMware said at the time that customers were not necessarily at greater risk as a result of the leak.

Hacktivists, to say nothing of state-sponsored cyber-espionage, have increased the threat of intellectual property theft for high-tech firms. The VMWare case is not unprecedented.

Earlier this year Symantec admitted source code for the 2006-era versions of the following products had been exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere. The security biz took the highly unusual step of advising customers of pcAnywhere to suspend use of the older versions of remote control desktop management software pending the release of a patch, which arrived within days of the warning.

An Indian hacktivist crew called the Lords of Dharmaraja claimed they lifted Symantec’s source code from systems belonging to the Indian government.

One upside is that it’s only the kernel and it is 8 years old (the kernel is from 1998-2004) – but then again the kernel does provide key functionality and kernels don’t change that much. There have been some major leaks of source code in the last couple of years, including Symantec and Kaspersky.

Intellectual property theft from large corporations is becoming a big thing and a very tasty target for hacktivists, as source code and development systems don’t tend to be as highly secured as those containing, say, financial records or purchase transactions.

Source: The Register


Posted in: Legal Issues, Privacy, Programming
