Archive | January, 2011

China Facing Problems With Android Handsets & Pre-installed Trojans

Keep on Guard!


It seems like the Chinese are always coming up with inventive ways to scam people, this time the people in their own country. Android is of course growing quickly globally and China is no exception with the availability of cheap hardware there the open-source Android OS is a natural choice.

The latest scam is some new generation of “money sucking mobiles” – which are basically Android handsets that steal the users credit by making covert calls or sending premium SMS. It does this very slowly so the user doesn’t notice, it also enables the vendors to sell the handsets very cheaply as they are essentially subsidized by the fraud.

The Chinese government is to crack down on “money sucking” mobiles: Android-based handsets that subsidise themselves by stealing from the customer’s account.

The crackdown aims to involve network operators, target retailers and ensure that selling handsets featuring pre-installed Trojans is explicitly illegal, according to the Google translation.

The idea is to set up a central unit to manage complaints, though it seems the scam has been going on long enough to build up considerable momentum.

The handsets concerned are sold cheaply, and generally unbranded, though some bear forged logos. Once they go into use the Android-based handsets start quietly sending text messages, or making a silent call or two. The transactions only incur a fee of about around 20 pence (0.3USD) a time, in the hope the user will never notice, while the miscreant collects the termination fee or other premium charge.

It’s pretty shady, but not much different from the reports of US and UK consumers with branded network phones having all kinds of weird network charges which they can’t stop because the phones are loaded up with proprietary crapware (oh hello Vodafone, Orange, T-Mobile and so on).

It’s an interesting model for fraud and honestly I think it will continue for a long time as it’s unlikely the users of low end Android devices will bother reading such tech-news and even if they did…what can they do about it? If they are really techy of course they can just root the phone and remove the malware themselves.

But for the rest of the unwashed masses, what options do they have? Not a lot really apart from the ditching the phone and buying another with the hope that it doesn’t come pre-installed with a trojan.


The amounts are small, but the idea is to collect it over a long period, enabling the handset to be sold very cheaply and thus feeding a virtuous circle that benefits everyone – except the poor sap who thought he was getting a cheap Android handset.

“I think the software industry lacks a better business model, they can only make these knock-off and money-sucking software in order to survive,” said Zhao Wei, CEO of Chinese security company Knownsec, according to PC World. “This is fast becoming an industry in itself.”

Manufacturers and network operators have a long history of preinstalling applications which they hope will rake in additional cash, much to the annoyance of users. Hiding them from the user is an obvious evolution of that idea, though hopefully a step too far for the bigger brands at least.

It does show that these handset and mobile software developers don’t really have a sustainable legitimate business model. Partially due to the fact that the competition in China is just so immense and partially because this kind of business can prosper.

Just look at Huawei now.

Source: The Register

Posted in: Legal Issues, Malware, Privacy

Topic: Legal Issues, Malware, Privacy


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


MagicTree – Penetration Tester Productivity Tool

Outsmart Malicious Hackers


MagicTree is a penetration tester productivity tool, it allows easy and straightforward data consolidation, querying, external command execution, and report generation. In case you wonder, “Tree” is because its stores all the data in a tree, and “Magic” because it is designed to magically do the most cumbersome and boring part of penetration testing – data management and reporting.

I think this could be combined with something like dradis (the Open Source Security Reporting Tool) for very good project management.

MagicTree is a closed-source, proprietary software. This release is distributed free of charge and so will be the future releases of MagicTree Community Edition. They plan on offering a reasonably priced professional edition soon.


MagicTree Beta Two is mostly written in Java and has been tested on Linux, Windows, and MacOS. It has no complicated installation procedure.

Documentation is available here:

MagicTree Docs

You can download MagicTree here:

MagicTree-1300.jar

Or read more here.

Posted in: Hacking News, Security Software

Topic: Hacking News, Security Software


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


Researchers Hack Mobile Calls On GSM Network

Keep on Guard!


Gotta love a bit of hardware hacking in the new year, this Karsten Nohl guy has been busy lately – he recently exposed Car Immobilisers Using Weak Encryption Schemes and more relevant to this article we’ve written about him and GSM Hacking Coming To The Masses Script Kiddy Style before.

This kind of GSM snooping has been possible for a long time, but it’s always been prohibitively expensive. Now researchers using simple techniques and inexpensive equipment have managed to find a way to do it by running custom firmware on cheap Motorola handsets.

Researchers have demonstrated an alarmingly simple technique for eavesdropping on individual GSM mobile calls without the need to use expensive, specialised equipment.

During a session at the Chaos Computer Club Congress (CCC) in Berlin, Karsten Nohl and Sylvain Munaut used cheap Motorola handsets running a replacement firmware based on open source code to intercept data coming from a network base station.

Armed with this, they were able to locate the unique ID for any phone using this base, breaking the encryption keys with a rainbow table lookup.

Although far from trivial as hacks go, the new break does lower the bar considerably compared to previous hacks shown by the same reasearchers. In 2009, Nohl published a method for cracking open GSM’s A5/1 encryption design using a lookup table in near real time.

What was missing, however, was a way of identifying the call stream for an individual phone in order to apply the lookup to a real call within the clutter of data moving back and forth between a particular base station and the many phones using it. That is what Nohl appears to have worked out in his latest demo.

It’s by no means a simple or straight forwards attack but it just shows with the knowledge of the crypto algorithms used by GSM base-stations it’s possible to intercept conversations from specific handsets.

There hasn’t been a whole lot of stories about GSM hacking so it’s good to see something in this area as most of the World owns at least 1 GSM device and not a whole of people are looking at the security the networks are relying on.


Another important detail is that Nohl was able to replace the firmware of the handsets with custom software. According to the BBC report on which most stories are being based, this was only possible because the Motorola handsets in question had been reverse engineered after an unspecified leak.

How easy would it be to exploit the new hack? In short, not particularly easy. Creating a custom lookup table similar to Nohl’s would take months of work and any eavesdropper would still need to break into the handset in question.

The crack does lower the bar from being a hardware problem to one of software expertise, which will cause some alarm in the GSM engineering community.

Governments and the military won’t worry unduly as they will be using encrypted satellite phone systems and GSM phones equipped with extra layers of call encryption to make sensitive calls. Large companies might want to take note, however.

As far as I know most military and government phones even when relying on GSM have another layer of encryption on top as stated in the article, so they should be pretty safe. But what about the rest of the World? Some big companies and important people are relying on standard GSM handsets without any extra protection.

I hope to see more news in this area as it has pretty big implications for everyone.

Source: Network World

Posted in: Cryptography, Hardware Hacking, Privacy

Topic: Cryptography, Hardware Hacking, Privacy


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


cross_fuzz – A Cross-Document DOM Binding Fuzzer

Outsmart Malicious Hackers


cross_fuzz is an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable – and it is still finding more.

The fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.

The cross_fuzz fuzzing Algorithm

  1. Open two windows with documents of any (DOM-enabled) type. Simple HTML, XHTML, and SVG documents are randomly selected as targets by default – although any other, possibly plugin-supported formats could be targeted instead.
  2. Crawl DOM hierarchy of the first document, collecting encountered object references for later reuse. Visited objects and collected references are tagged using an injected property to avoid infinite recursion; a secondary blacklist is used to prevent navigating away or descending into the master window. Critically, random shuffling and recursion fanout control are used to ensure good coverage.
  3. Repeat DOM crawl, randomly tweaking encountered object properties by setting them to a one of the previously recorded references (or, with some probability, to one of a handful of hardcoded “interesting” values).
  4. Repeat DOM crawl, randomly calling encountered object methods. Call parameters are synthesized using collected references and “interesting” values, as noted above. If a method returns an object, its output is subsequently crawled and tweaked in a similar manner.
  5. Randomly destroy first document using one of the several possible methods, toggle garbage collection.
  6. Perform the same set of crawl & tweak operations for the second document, but use references collected from the first document for overwriting properties and calling methods in the second one.
  7. Randomly destroy document windows, carry over a percentage of collected references to the next fuzzing cycle.

This design can make it unexpectedly difficult to get clean, deterministic repros; to that effect, in the current versions of all the affected browsers, we are still seeing a collection of elusive problems when running the tool – and some not-so-elusive ones. I believe that at this point, a broader community involvement may be instrumental to tracking down and resolving these bugs.

I also believe that at least one of the vulnerabilities discovered by cross_fuzz may be known to third parties – which makes getting this tool out a priority.

You can download cross_fuzz here:

http://lcamtuf.coredump.cx/cross_fuzz

Or read more here.

Posted in: Hacking Tools, Secure Coding

Topic: Hacking Tools, Secure Coding


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


Internet Explorer Zero-Day Accidentally Leaked To Chinese Hackers

Keep on Guard!


First up, happy new year – let’s hope 2011 is an interesting year for the infosec community. Anyway today’s story is about the recently released tool cross_fuzz by Michal Zalewski and an inadvertent leak that have occurred.

tl;dr version is something like this: Michal Zalewski writes a DOM fuzzer, fuzzes IE, finds flaws, Chinese dudes Google some .dll functions and find fuzzer results.

It could be some kind of weird coincidence, or you could read a whole conspiracy theory into it (unreleased tool, very specific search terms etc.).

Details concerning a potentially serious security vulnerability in fully patched versions of Microsoft’s Internet Explorer have been leaked to people in China, a researcher warned over the weekend.

Michal Zalewski, a security researcher at Google, blogged that data concerning at least one “clearly exploitable crash” in the Microsoft browser was inadvertently disclosed to people who were using a Chinese IP address. Details about the bug, which resides in the mshtml.dll component, were stored on a server that had accidentally been indexed by Google, Zalewski wrote elsewhere. On December 30, detailed search queries showed that the sensitive information, in addition to files for an unpublished security tool, had been retrieved by the unknown party.

“This pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means,” Zalewski wrote. “Other explanations for this pair of consecutive searches seem extremely unlikely.”

The bug leads to arbitrary crashes in the EIP, or extended instruction pointer, of machines running the Microsoft browser. Zalewski said the flaw “is pretty much fully attacker-controlled.” It was uncovered using cross_fuzz, a security tool the researcher developed in his spare time more than two years ago to identify potential security vulnerabilities in IE, Firefox, and other browsers. Since its release, the tool has helped to identify nearly 100 various browser bugs.

You can find the complete history between MZ and Microsoft regarding both ref_fuzz and cross_fuzz here:

fuzzer_timeline.txt

As for the ‘discovery’ it does seem likely that someone else had already discovered the same vulnerability and were searching for further information about it and if it had been published/disclosed. The search logs are here:

known_vuln.txt


A statement attributed to Jerry Bryant, group manager in Microsoft’s Response Communications, said company researchers are working to reproduce the crash to see if the underlying vulnerability can be exploited by malicious hackers.

“At this point, we’re not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes,” Bryant said.

Zalewski provided this account of his communications with Microsoft, which started in May 2008. In it, he claims that on December 21, Microsoft researcher David Ross “confirms being able to reproduce crashes locally right away.”

Zalewski said that Microsoft researchers asked him to delay the release of cross_fuzz until they had more time to investigate the crashes. He published his warning on New Year’s Day, after he learned that the crash logs and related files had been downloaded.

“These search queries are looking for information on two MSHTML.DLL functions – BreakAASpecial and BreakCircularMemoryReferences – that are unique to the stack signature of this vulnerability, and had *absolutely* no other mentions on the internet at that time,” he said.

cross_fuzz has been released officially now by Zalewski after Microsoft have had some time to investigate the crashes further. The moral of the story is, once again don’t use Internet Explorer!

As right now, there is a potentially dangerous 0-day for IE in the wild and as we well known with Patch Tuesday it’ll be quite some time before it gets fixed.

Source: The Register

Posted in: Exploits/Vulnerabilities, Windows Hacking

Topic: Exploits/Vulnerabilities, Windows Hacking


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.