Hajime Botnet Reaches 300,000 Hosts With No Malicious Functions

Outsmart Malicious Hackers


This is not the first IoT heavy botnet, Mirai takes that title, the interesting part is the Hajime botnet appears to be benign.

Hajime Botnet Reaches 300,000 Hosts With No Malicious Functions

So far no malicious functions have been detected in the codebase, other than the ability to replicate itself and block other malware, Hajime seems to have no DDoS or offensive mechanisms.

Hajime – the “vigilante” IoT worm that blocks rival botnets – has built up a compromised network of 300,000 malware-compromised devices, according to new figures from Kaspersky Lab.

The steadily spreading Hajime IoT worm fights the Mirai botnet for control of easy-to-hack IoT products. The malware is billed as a vigilante-style internet clean-up operation but it might easily be abused as a resource for cyber-attacks, hence a growing concern among security watchers.

Hajime, like Mirai before it, takes advantage of factory-set (default) username and password combinations to brute-force its way into unsecured devices with open Telnet ports. The malware was first discovered [PDF] by security researchers at Rapidity Networks in October 2016. Since then it has spread steadily but inexorably. Most of the targets have turned out to be Digital Video Recorders, followed by webcams and routers, according to Kaspersky Lab.

Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the United States Department of Defense, and a number of private networks. Infections had primarily come from Vietnam (over 20 per cent), Taiwan (almost 13 per cent) and Brazil (around 9 per cent).


The console messages state the worm was written by a White Hat hacker who is just seeking to protect the systems he/she infects. This seems rather unlikely, but it’s very possible. It might also just be a curious experiment by someone with the skills to use the Mirai code base (which was open-sourced) to do something so widespread.

Either way a DDoS attack from this many hosts would REALLY hurt.

The resiliency of Hajime surpasses Mirai, security researchers say. Features such as a peer-to-peer rather than centralised control network and hidden processes make it harder to interfere with the operation of Hajime (meaning “beginning” in Japanese) than comparable botnets.

Botnets of compromised devices can be harnessed for a variety of cyber-crimes ranging from DDoS attacks on targeted web sites to running credential-stuffing attacks or scanning websites for SQL injection vulnerabilities. The malware – which is not doing anything malign, at least for now – displays a message that says a “white hat” is “securing some systems”. The worm blocks access to ports 23, 7547, 5555, and 5358, common entry points for the rival Mirai worm and other threats.

There is no attacking code or capability in Hajime – only a propagation module. Despite its (current) benign state Hajime is a still concern, not least because the malware’s real purpose remains unknown.

“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible,” said Konstantin Zykov, senior security researcher at Kaspersky Lab.

The worm is blocking the common ports used by Mirai and other IoT threats, so it is aggressive in that aspect.

Other than that, there’s no proof it is actually malicious so we, as usual, will just have to wait and see.

Source: The Register


Tags: , , , , , , , , ,

Posted in: Hardware Hacking, Malware | Add a Comment

pemcracker – Tool For Cracking PEM Files

Outsmart Malicious Hackers


pemcracker is a tool for cracking PEM files that are encrypted and have a password. The purpose is to attempt to recover the password for encrypted PEM files while utilising all the CPU cores.

pemcracker - Tool For Cracking PEM Files

Inspired by Robert Graham’s pemcrack, it still uses high-level OpenSSL calls in order to guess the password. As an optimisation, instead of continually checking against the PEM on disk, it is loaded into memory in each thread.


Usage

Example:

If you are looking for the fastest possible method of brute forcing PEM files, you may wish to try out John the Ripper. Its little known ssh2john allows for converting PEM files to a format that can be fed into ./john.

You can download pemcracker here:

pemcracker-master.zip

Or read more here.


Tags: , , , , , , , ,

Posted in: Cryptography, Hacking Tools, Password Cracking | Add a Comment

BEURK – Linux Userland Preload Rootkit

Outsmart Malicious Hackers


BEURK is an userland preload rootkit for GNU/Linux, heavily focused around anti-debugging and anti-detection.

BEURK - Linux Userland Preload Rootkit

Being a userland rootkit it gives limited privileges (whatever the user has basically) vs a superuser or root level rootkit.

Features

  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp)
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Usage

Compile

Install

Enjoy !

Dependencies

The following packages are not required in order to build BEURK at the moment:

  • libpcap – to avoid local sniffing
  • libpam – for local PAM backdoor
  • libssl – for encrypted backdoor connection

You can download BEURK here:

beurk-dev.zip

Or read more here.


Tags: , , , , , ,

Posted in: Linux Hacking, Malware | Add a Comment

Shadow Brokers Release Dangerous NSA Hacking Tools

Outsmart Malicious Hackers


It’s not the first time Shadow Brokers has been on the radar with NSA Hacking Tools, in August 2016 they exposed a bunch of 0-day exploits (also from 2013).

Shadow Brokers Release Dangerous NSA Hacking Tools

This cache of tools appears to be from 2013, so was probably snatched during the same intrusion. This is somewhat more dangerous though as it provides what are essentially point-and-click tools for exploiting all types of Microsoft systems.

The Shadow Brokers have leaked more hacking tools stolen from the NSA’s Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.

The toolkit puts into anyone’s hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.

The files range from Microsoft Windows exploits to tools for monitoring SWIFT interbank payments. Ongoing analysis of the leaked documents and executables has revealed Cisco firewalls and VPN gateways are also targets.

The Shadow Brokers tried auctioning off the stolen cyber-weapons to the highest bidder, but when that sale flopped with no buyers, the team started releasing the gear online for free anyway.

“The shadow brokers not wanting going there. Is being too bad nobody deciding to be paying the shadow brokers for just to shutup and going away,” the group said in a typically garbled blog post.


Just exploits take a little more skill to use, but these tools allow the most n00b skiddies to carry out some pretty devastating attacks on machines running Win2k all the way to Windows 8 and Windows Server.

It seems like they tried to auction of this kit and got the cold shoulder, which should be expected as those with serious money are not gonna drop it on a bunch of 2013 software.

“The Shadow Brokers rather being getting drunk with McAfee on desert island with hot babes. Maybe if all suviving WWIII the shadow brokers be seeing you next week. Who knows what we having next time?”

For IT managers and normal folks, the Windows-hacking arsenal, which dates to around mid-2013, is the most concerning. It contains exploits for vulnerabilities that can be used to hack into unpatched Windows systems, from Windows 2000 to Windows 8 and Server 2012. In some cases this can be done across the network or internet via SMB, RDP, IMAP, and possibly other protocols.

If you have a vulnerable aging machine with those services running, it is possible they can be hijacked using today’s dumped tools – if not by strangers on the ‘net then potentially by malicious employees or malware already on your network. If you’re running the latest up-to-date gear, such as Windows 10, none of this will directly affect you – but not everyone is so lucky. There are plenty of organizations out there that cannot keep every box up to date, for various reasons.

The leaked archive also contains the NSA’s equivalent of the Metasploit hacking toolkit: FUZZBUNCH.

Matthew Hickey, cofounder of British security shop Hacker House, told The Register FUZZBUNCH is a very well-developed package that allows servers to be penetrated with a few strokes of the keyboard. The toolkit has modules to install a backdoor on invaded boxes to remote control the gear and romp through file systems.

Some part of me is glad to see the NSA software appears to be well written and well architected, at least they are doing well on those fronts. Plus 4 years later I’d imagine the malicious software capabilities they have are much more powerful.

We will have to wait and see if any more comes from this.

Source: The Register


Tags: , , , , , , ,

Posted in: Exploits/Vulnerabilities, Legal Issues | Add a Comment
yarAnalyzer - Yara Rule Analyzer and Statistics Generator

yarAnalyzer – Yara Rule Analyzer and Statistics Generator

yarAnalyzer is a Python-based YARA rule analyzer that can also generate statistics from yara rulesets. It also has an inventory creation feature that can output a CSV file detailing the rules. It creates statistics on a YARA rule set and files in a sample directory. Place some signatures with .yar extension in the “signatures” folder […]

Tags: , , , , , ,

Posted in: Malware, Security Software | Add a Comment
Prisoners Hack Prison From Inside Prison

Prisoners Hack Prison From Inside Prison

Prisoners Hack Prison! Sounds exciting right? This time it’s actually pretty entertaining with the prisoners managing to hack a prison network from INSIDE the prison using scavenged PC parts from a rehabilitation class. Some pretty resourceful guys managing to build 2 functional PCs from scrapped parts AND connect to the prison network AND try and […]

Tags: , , , , , , , , ,

Posted in: General Hacking, Legal Issues | Add a Comment
spectrology - Basic Audio Steganography Tool

spectrology – Basic Audio Steganography Tool

spectrology is a Python-based audio steganography tool that can convert images to audio files with a corresponding spectrogram encoding, this allows you to hide hidden messages via images inside audio files. Using this tool you can select range of frequencies to be used and all popular image codecs are supported. Usage

Example

You […]

Tags: , , , , , ,

Posted in: Cryptography, Hacking Tools, Privacy | Add a Comment
PowerMemory - Exploit Windows Credentials In Memory

PowerMemory – Exploit Windows Credentials In Memory

PowerMemory is a PowerShell based tool to exploit Windows credentials present in files and memory, it levers Microsoft signed binaries to hack Windows. The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without needing to code in C-type languages. In addition, […]

Tags: , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools, Password Cracking, Windows Hacking | Add a Comment
Microsoft Azure Web Application Firewall (WAF) Launched

Microsoft Azure Web Application Firewall (WAF) Launched

Not too long after Amazon launched their cloud protection WAF the Microsoft Azure Web Application Firewall (WAF) has been made generally available in all public Azure DCs. It’s a good move with the majority of websites and services moving into one of the big 3 cloud providers (AWS, Google or Azure) and the vast majority […]

Tags: , , , , , , , ,

Posted in: Countermeasures, Web Hacking | Add a Comment
HashData - A Command-line Hash Identifying Tool

HashData – A Command-line Hash Identifying Tool

HashData is a Ruby-based command-line REPL Hash Identifying Tool with support for a lot of different (most popular) hash types. Installation

Usage Command Line When installed, run hashdata and paste in hashes when prompted. Library Example Script:

The above should output true. The library only matches the start of your second input, this […]

Tags: , , , , , , , , , , ,

Posted in: Cryptography, Hacking Tools, Password Cracking | Add a Comment