Archive | January, 2008

New Rootkits Infecting the MBR

January 17, 2008 | 9,521 views

Ah I remember some of the nastiest viruses back in the day attaching themselves in the MBR (Master Boot Record) rendering most anti-virus software useless (as it sits on top of the OS).

Now it seems MBR infection is back in fashion for a new age of rootkits.

Security mavens have uncovered a new class of attacks that attach malware to the bowels of a hard drive, making it extremely hard to detect and even harder to remove.

The rootkit modifies a PC’s master boot record (MBR), which is the first sector of a storage device and is used to help a PC locate an operating system to boot after it is turned on. The result: the rootkit is running even before Windows loads. There have been more than 5,000 infections in less than a month, researchers say.

“Master boot record rootkits are able to subvert the Windows kernel before it loads, which gives it a distinct stealth advantage over rootkits that load while Windows is running,” said Matthew Richard, director of the rapid response team for iDefense, a security provider owned by VeriSign. “It gives it a great stealth mechanism that allows it to persist even after removal.” Such rootkits can even survive reinstallation of the operating system, he said.

Pretty stealthy and extremely sticky, time to be a little more wary. MBR infectors are extremely nasty and the majority of people won’t even know they are. Plus as they can subvert the Windows kernel before it even loads…it has a huge stealth advantage.

The new rootkit is part of the arms race between security vendors and malware writers, he said. “We’re definitely making it harder and harder for the bad guys to do stuff to the operating system,” he said. They respond by attacking new parts of a PC.

Every version of Windows, including Vista, is vulnerable to the rootkit.

About 30,000 websites, mostly located in Europe, are actively trying to install the rootkit by exploiting users who have failed to install Windows updates, Richard says. There were 5,000 infections from December 12 to January 7. The rootkit is being spread by the same group responsible for distributing the Torpig banking Trojans, which are used to steal online banking credentials.

McAfee detects the Trojan as StealthMBR (DAT 5204 or above) or StealthMBR!rootkit
Symantec as Trojan.Mebroot or Boot.Mebroot
Sophos uses name Troj/Mbroot-A
Trend Micro uses the name TROJ_SINOWAL.AD

(Info from Securiteam)

A timeline is available from SANS here.

Source: The Register

Posted in: General Hacking, Malware

Tags: hacking, malware, mbr infector, mbr rootkit, root-kits, rootkit, trojans, viruses

Posted in: General Hacking, Malware | Add a Comment

Recent in General Hacking:
- Why Are Hackers Winning The Security Game?
- The Dyn DNS DDoS That Killed Half The Internet
- Fully Integrated Defense Operation (FIDO) – Automated Incident Response

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,178,845 views
- Hack Tools/Exploits - 644,959 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 444,565 views

w3af Fifth BETA for Download – Automated Web Auditing and Exploitation Framework

January 16, 2008 | 9,552 views

As you all seem to pretty interested in Inguma, there’s something else similar called w3af – the fifth BETA was released a while back and the team are now working on the sixth.

w3af is a Web application attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and

We did mention when it was first released – w3af – Web Application Attack and Audit Framework.

There are a lot of small changes, but the basic and bigger ones are:

Virtual daemon, a way to use Metasploit framework payloads/shellcodes while exploiting web applications.
w3afAgent, a reverse VPN that allows you to route packets through the compromised server
Good samaritan, a module that allows you to exploit blind sql injections much faster
20+ new plugins
A lot of bug fixes
A much more stable core.

A full plugin list is here:

w3af – Plugins

The users guide can be found here:

w3afUsersGuide.pdf

The author has also uploaded the presentation material he made for the T2 conference in Finland – this can serve as a good introduction.

w3af-T2.pdf

You can download w3af here:

w3af BETA5

Or read more here.

Posted in: Database Hacking, Hacking Tools, Web Hacking

Tags: auditing-framework, hacking-web-application, hacking-web-sites, Python, sql-injection, w3af, Web Hacking, web-applicaton-security, web-auditing

Posted in: Database Hacking, Hacking Tools, Web Hacking | Add a Comment

Recent in Database Hacking:
- Another MongoDB Hack Leaks Two Million Recordings Of Kids
- MongoDB Ransack – Over 33,000 Databases Hacked
- DBShield – Go Based Database Firewall

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 79,161 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,882 views
- SQLBrute – SQL Injection Brute Force Tool - 42,927 views

The First Reported Facebook Worm/Malware Pops Up – Secret Crush

January 15, 2008 | 12,865 views

So facebook has finally fallen victim, after the recent Orkut worm now we have malware infection from Facebook, an application called Secret Crush. The application was renamed as My Admirer but that seems to be gone now too.

The first spyware spreading with Facebook application has been discovered. Security company Fortinet reports that application called Secret Crush is installing Zango (aka AdWare.Win32.180Solution) with Iframe, technically from ZangoCash.com.

It seems like Social Networks are a big target for infections now as the sheer mass of users there means that if the bad guys get a good piece of self-propagating code mixed up with a dose of social engineering they will achieve a massive infection.

The text included to the request entry is “One of Your Friends Might Have a Crush on You!”. Additionally, the buttons are ‘Find Out Who!’ and typical ‘Ignore’. It appears that Secret Crush is not included to Facebook Application Directory (no log-in needed) any more. Reportedly FortiGuard Team has informed Facebook guys and probably the application has been disabled already.

Although the application has been disabled (Good work Facebook) it shows what can happen, and it will happen again that’s a guarantee. This is just the beginning.

Source: Securiteam

Posted in: Malware, Privacy, Web Hacking

Tags: facebook malware, facebook worm, hacking-facebook, hacking-websites, malware, my admirer, secret crush, Web Hacking

Posted in: Malware, Privacy, Web Hacking | Add a Comment

Recent in Malware:
- South Korean Webhost Nayana Pays USD1 Million Ransom
- maltrail – Malicious Traffic Detection System
- Windows XP Too Unstable To Spread WannaCry

Related Posts:

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,629 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,775 views
- US considers banning DRM rootkits – Sony BMG - 45,014 views

VoIP Hopper – VLAN Hopping Tool

January 14, 2008 | 14,990 views

VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments.

In Cisco IP Phone networks, it first dissects either IEEE 802.3 or Ethernet II for Cisco Discovery Protocol (CDP) packets. If CDP is enabled on the switch port and the Voice VLAN feature is enabled, it will determine the Voice VLAN ID (VVID).

This will allow the tool to create a new Ethernet interface on the PC that tags the 802.1q VLAN header in the Ethernet packet. After VoIP Hopper has created the new Ethernet device, it will send a DHCP client request.

In Avaya IP Phone environments, it sends an Option 55 parameter request list, requesting Option 176. When the DHCP server sends Option 176, it decodes the L2QVLAN reply field for the Voice VLAN ID. It then creates a new voice interface and sends a DHCP request.

Why?

VoIP Hopper was written with the specific aim of improving security in VoIP environments by validating Layer 2 protection controls. It is a VLAN test tool that can be used to validate controls in VoIP environments but also anywhere else VLANs are used (basically everywhere).

You can download VoIP Hopper here:

VoIP Hopper 0.9.7

Or read more here.

Posted in: Hacking Tools, Network Hacking

Tags: hacking tool, Hacking Tools, hacking-networks, Network Hacking, vlan hopper, vlan hopping tool, voip, voip hopper, voip-hacking

Posted in: Hacking Tools, Network Hacking | Add a Comment

Recent in Hacking Tools:
- Bluto – DNS Recon, Zone Transfer & Brute Forcer
- dork-cli – Command-line Google Dork Tool
- T50 – The Fastest Mixed Packet Injector Tool

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 2,024,637 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,610,650 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 707,845 views

UK Government Set to Make ‘Hacking Tools’ Illegal

January 11, 2008 | 14,647 views

This is sad news, it seems UK is considering following the lead of the Germans and their recently implemented hacking law 202(c) regarding the making of ‘hacking tools‘ illegal.

It’s almost like making baseball bats illegal because you can hit someone with it, doesn’t matter its made for playing sport and that’s what most people use it for..

The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called “hacking tools”.

The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, are still not in force and probably won’t be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.

Sounds pretty ominous to me, even distributing said hacking tools can get you in trouble – that’s bad news for people like me that believe in sharing information, knowledge and hard to find tools.

I agree a revamp of the Computer Misuse Act is needed, but please making tools like Nmap illegal to create or distribute is just plain stupid.

Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about “dual-use” tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that’s subsequently abused by hackers.

The Crown Prosecution Service guidance, published after a long delay on Monday, also asks prosecutors to consider if an article is “available on a wide scale commercial basis and sold through legitimate channels”. Critics argue this test fails to factor in the widespread use of open source tools or rapid product innovation.

It’s pretty messy – it could help malicious hackers be prosecuted effectively and gives a bit more ammo to law. But it also means over zealous lawyers could prosecute security consultants for actions they don’t really understand – which is the scary part for me.

I hope it gets distilled into something useful and fair for both sides.

Source: The Register

Posted in: General News, Legal Issues

Tags: 202(c), anti hacking, ban, german 202(c), Hacking Tools, hacking-uk, illegal, legality, uk hacking tools, uk legislation

Posted in: General News, Legal Issues | Add a Comment

Recent in General News:
- Security Vendor Trustwave Bought By Singtel For $810M
- Teen Accused Of Hacking School To Change Grades
- Google’s Chrome Apps – Are They Worth The Risk?

Related Posts:

Most Read in General News:
- Hacking Still Can’t Outdo Stupidity for Data Leaks - 125,543 views
- eEye Launches 0-Day Exploit Tracker - 86,319 views
- Seattle Computer Security Expert Turns Tables On The Police - 45,326 views

Unicornscan v0.4.7 Released for Download – Fast Port Scanner

January 10, 2008 | 11,325 views

Unicornscan has always been a favourite of mine, especially for UDP scanning and scanning large networks (and getting it done fast).

Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.

In some ways the implementation is better than Nmap – in some ways worse. Both are great tools and for me they work well hand in hand, both have certain advantages over the other in different situations.

I did get half way to writing an article about Nmap vs Unicornscan for large network scanning.

Benefits of Unicornscan

Unicornscan is an attempt at a User-land Distributed TCP/IP stack. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network. Although it currently has hundreds of individual features, a main set of abilities include:

Asynchronous stateless TCP scanning with all variations of TCP Flags.
Asynchronous stateless TCP banner grabbing
Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response).
Active and Passive remote OS, application, and component identification by analyzing responses.
PCAP file logging and filtering
Relational database output
Custom module support
Customized data-set views

Anyway on the news – Unicornscan has finally been updated and v0.4.7 is available and released for download.

Unicornscan has also been awarded 2nd place in the security category for this years Les Trophees du libre 2007 (http://www.tropheesdulibre.org).

You can download Unicornscan here:

Source Code: unicornscan-0.4.7-2.tar.bz2
Fedora Core 8 RPM: unicornscan-0.4.7-4.fc8.i386.rpm

Or read more here.

Documentation is available here: Unicornscan-Getting_Started.pdf

Posted in: Hacking Tools, Network Hacking

Tags: fast port scanner, Hacking Tools, hacking-networks, Network Hacking, nmap, port-scanner, port-scanning, udp port scanner, unicorn scan, unicornscan

Posted in: Hacking Tools, Network Hacking | Add a Comment

Recent in Hacking Tools:
- Bluto – DNS Recon, Zone Transfer & Brute Forcer
- dork-cli – Command-line Google Dork Tool
- T50 – The Fastest Mixed Packet Injector Tool

Related Posts:

GFI Survey – 4 in 10 US Companies are NOT Secure!

January 9, 2008 | 3,560 views

GFI has recently conducted a survey concering corporate security in the US for small and medium sized enterprizes (SMEs).

Despite the best efforts of many small and medium sized companies, a recent US survey shows that four in 10 companies believe that their networks are not secure. Thirty-two percent of the companies also reported that they had suffered a breach in the past 12 months alone citing virus attacks and Internet downloads as the leading cause of the security breach.

The survey, conducted by eMediaUSA on behalf of GFI Software, an international network security software developer, was given to 455 IT executives from U.S. based small and medium sized businesses (SMBs).

Commenting on the results, Andre Muscat, GFI’s Director of Engineering, said: “Email viruses top the ‘greatest threat to network security’ list and this does not come as a surprise. It is one of the easier attack routes and this is confirmed by those respondents who reported a breach. While companies are aware of, and are focused on, tackling viruses and malware, they appear to be giving sparse attention to other equally dangerous threats such as data theft and leakage from endpoints such as connected USB sticks, iPods and PDAs on the network.”

Further results on the survey can be found in the full survey here:

smbsurvey.pdf

Source: GFI

Posted in: Advertorial, General News

Tags: corporate security, gfi, gfi survey, Information-Security, Security, survey

Posted in: Advertorial, General News | Add a Comment

Recent in Advertorial:
- Free Manual Pen-Testing Tools
- Acunetix Web Vulnerability Scanner v11 Released
- Securing MySQL Installation on Ubuntu 16.04 LTS

Related Posts:

Most Read in Advertorial:
- eLearnSecurity – Online Penetration Testing Training - 43,308 views
- Acunetix Web Vulnerability Scanner 6 Review - 15,532 views
- Acunetix WVS (Web Vulnerability Scanner) 7 Review – Engine & Scanning Improvements - 15,403 views

The Revisionist – Metadata Retrieval Tool

January 8, 2008 | 6,253 views

The Revisionist is a tool for extracting and indexing hidden metadata (such as deleted or modified text) from large collections of MS Word files. It can operate whole Web sites or SMB or NFS directories. It is handy for pen-testing, or it can be used just to spot embarrassing secrets.

It’s useful in that it can deal with documents in batch rather than one at a time.

You might remember we posted about Metagoofil a while back, which is similar in concept.

You can download The Revisionist here:

therev.tgz

Or read more here – the demo site.

Posted in: Forensics, Hacking Tools, Privacy

Tags: data gathering, Hacking Tools, information gathering, information leaking, metadata, metadata extraction, metadata gathering, revisionist, surveillance

Posted in: Forensics, Hacking Tools, Privacy | Add a Comment

Recent in Forensics:
- PowerShellArsenal – PowerShell For Reverse Engineering
- Androguard – Reverse Engineering & Malware Analysis For Android
- Volatility Framework – Advanced Memory Forensics Framework

Related Posts:

Most Read in Forensics:
- NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows - 66,821 views
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks - 35,697 views
- OpenDLP – Free & Open-Source Data Loss Prevention (DLP) Tool - 35,000 views

Uber Spammer Alan Ralsky Back In The News

January 7, 2008 | 2,905 views

Ah so Mr Alan Ralsky one of the biggest spammers of all-time is back in the news after his indictment with 10 others for running a large scale spam operation intended to inflate stocks artificially.

At one time it was thought Mr Ralsky and his friends were responsible for the majority of the spam sent, he’s certainly one of the most prolific and there are around 150 spammers in the World responsible for about 90% of the spam received.

Infamous spam king Alan M. Ralsky is on the run following the Jan. 3 indictment of Ralsky and 10 others for operating a sophisticated spam scam involving pump-and-dump Chinese stocks.

The 41-count indictment, unsealed in a Detroit federal court, claims Ralsky, 52, and his fellow defendants operated a wide-ranging international fraud scheme involving millions of illegal e-mails touting thinly-traded Chinese penny stocks. Ralsky profited by selling the stock at artificially inflated prices.

Only two of the defendants appeared in court Jan. 3 for arraignment. Ralsky is reportedly at large in Europe.

It looks like he wants to skip on this one. It is a pretty serious case though – international stock fraud.

According to the indictment, Ralsky and his group earned approximately $3 million on the scheme during the summer of 2005. Ralsky faces charges including conspiracy, fraud in connection with electronic mail, computer fraud, mail fraud, wire fraud and money laundering.

The illegal e-mail practices cited in the indictment include evading spam-blocking devices, falsifying headers and domain names, using proxy computers to distribute the spam and misrepresenting the advertising content in the actual e-mail.

Ralsky seems to have made a good living from spamming when back in his palatial, 8,000-square-foot mansion in suburban Detroit was raided. He was living well.

He has admitted that spam had made him a millionaire.

Source: eWeek

Posted in: Spammers & Scammers

Tags: alan ralsky, email-spam, fraud, junk-mail, pump and dump, ralsky, spam, spam syndicate, spammers, spamming, stocks

Posted in: Spammers & Scammers | Add a Comment

Recent in Spammers & Scammers:
- Russian Cyber-Crime Market Doubled In 2011
- Android Trojan Targets Japanese Market – Steals Personal Data
- Ramnit Worm Stealing Facebook Account Passwords, E-mail Address & Bank Details

Related Posts:

Most Read in Spammers & Scammers:
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,831 views
- Pro ATM Hacker ‘Chao’ Gives Out ATM Hacking Tips - 37,498 views
- Twitter DM Phishing Scam - 28,979 views

December Commenter of the Month Competition Winner!

January 4, 2008 | 3,023 views

Competition time again!

As you know we started the Darknet Commenter of the Month Competition on June 1st and it ran for the whole of June and July. We have just finished the seventh month of the competition in December and are now in the eight, starting a few days ago on January 1st – Sponsored by GFI.

We are offering some pretty cool prizes like iPods and PSPs, along with cool GFI merchandise like shirts, keyrings and mugs.

And now the winner will also get a copy of the Ethical Hacker Kit.

GFI Goodies

Keep up the great comments and high quality interaction, we really enjoy reading your discussions and feedback.

Just to remind you of the added perks, by being one of the top 5 commenter’s you also have your name and chosen link displayed on the sidebar of every page of Darknet, with a high PR5 (close to 6) on most pages (4000+ spidered by Google).

So announcing the winner for December…it’s Sir Henry! Sir Henry is a relative newcomer in commenting here, but he’s very active!

Special mentions also go to Goodpeople (the predicted winner for December before Sir Henry turned up!) and Pantagruel for their active and interesting comments.

Commenter December

December has been an extremely active month for comments with some interesting discussions happening, I’d like to thank you all for your participation!

Thanks to everyone else who commented and thanks for your links and mentions around the blogosphere!

Feel free to share Darknet with everyone you know :)

Keep commenting guys, and stand to win a prize for the month of January.

We are still waiting for pictures from backbone, Sandeep and TRDQ, dirty and dre of themselves with their prizes!

Winner for June 2007 was Daniel with 35 comments.
Winner for July 2007 was backbone with 46 comments.
Winner for August 2007 was TheRealDonQuixote with 53 comments.
Winner for September 2007 was Sandeep Nain with 32 comments.
Winner for October 2007 was dre with 19 comments.
Winner for November 2007 was dirty with 38 comments.