Archive | February, 2016

YARA – Pattern Matching Tool For Malware Analysis


YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.

YARA - Pattern Matching Tool For Malware

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Quite a few tools related to intrusion detection, malware analysis and compromise detection tools utilise YARA rules during the scanning phase. LOKI and FastIR being two recent examples.

Sample Rule

Let’s see an example:

The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you’ll find explained in YARA’s documentation.

You can also find some cool YARA rules at this project: https://github.com/Yara-Rules/rules/

You can download YARA here:

yara-v3.4.0.zip

Or read more here.

Posted in: Malware, Secure Coding

Topic: Malware, Secure Coding


Latest Posts:


Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)


Gophish – Open-Source Phishing Framework


Gophish is a phishing framework that makes the simulation of real-world phishing attacks very straight forwards. The idea behind gophish is simple – make industry-grade phishing training available to everyone.

Gophish - Open-Source Phishing Framework

There are various other similar tools available such as Simple Phishing Toolkit and sptoolkit Rebirth.

I wonder if this is the beginning of an emergence of portable, compiled Golang based security tools.

Features

  • One-click Installation
  • Standalone, portable binary with static assets
  • Point-and-click Phishing
  • Beautiful Web UI
  • Automated Phishing campaigns
  • RESTful API (JSON)
  • Automated Training
  • Open-Source

What’s New

Gopshish is pretty new and just hit the milestone of it’s first public beta release, so there are the main recent features:

  • Added the timeline feature for campaign results
  • Added default tracking to email templates
  • Added additional events (such as when errors occur)
  • Added the ability to access admin server/ phishing server over TLS
  • Multiple UI fixes/tweaks (datatables, etc.)
  • Added the ability to export results as CSV

You can download the User Guide here: Gopshish User Guide [PDF]

And you can download Gophish here:

Windows 64-Bit – gophish_windows_64bit.zip
Linux 64-Bit – gophish_linux_64bit.tar.gz
OSX 64-Bit – gophish_osx_64bit.zip

(If you’re still on a 32-Bit OS, you can go to the releases page to find a suitable download)

Or read more here.

Posted in: Countermeasures, Phishing

Topic: Countermeasures, Phishing


Latest Posts:


Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)


Malwarebytes Bug Bounty Program Goes Live


So Malwarebytes bug bounty program is live, the official name is actually Malwarebytes Coordinated Vulnerability Disclosure Program – what a mouthful (guidelines here).

Malwarebytes Bug Bounty Program Goes Live

It’s good to see, bug bounty programs typically tend to have a nett positive effect and end in win-win situations for researchers and software vendors alike.

In an effort to encourage researchers to responsibly disclose security flaws found in its products, anti-malware company Malwarebytes announced on Monday the launch of a bug bounty program.

The company is prepared to offer between $100 and $1,000 for eligible vulnerabilities, depending on how severe and exploitable they are. Bounty hunters are also offered an entry in the Malwarebytes Hall of Fame and “cool Malwarebytes swag.”

Malwarebytes’ Coordinated Vulnerability Disclosure program covers vulnerabilities found in the company’s products and web services, particularly weaknesses that can lead to remote code execution or sensitive information disclosure. Experts are also encouraged to report crashes and stability issues, but these are generally considered not eligible for a bounty.

In the case of vulnerabilities discovered by Malwarebytes in third-party products, the company’s standard public disclosure deadline is 150 days.


No surprise here, Tavis Ormandy is up to his tricks again and quite possible is the driving force behind the release of this bounty program. As he recently found several pretty serious buggs in Malwarebytes software.

The disclosure period is nice and long too, they give themselves 5 months to fix any bugs found – that seems more than ample.

The launch of Malwarebytes’ bug bounty program comes after Google researcher Tavis Ormandy reported finding several vulnerabilities in the consumer version of Malwarebytes Anti-Malware in early November.

Marcin Kleczynski, the CEO of Malwarebytes, said his company patched several of the vulnerabilities server-side within days and is currently working on releasing a new version that will patch the client-side issues.

“The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time,” Kleczynski said. “However, this is of sufficient enough a concern that we are seeking to implement a fix.”

Malwarebytes Anti-Malware Premium users can protect themselves against possible attacks leveraging the flaws reported by Ormandy by enabling the product’s self-protection feature.

It’s pretty good software, I’ve used it quite a few times to disinfect people’s machines. So if you do use it regularly, have a poke around and see if you can find any flaws – might be worthwhile now.

Good old Tavis Ormandy – he’s been poking holes in people’s software for years.

Source: Security Week

Posted in: Exploits/Vulnerabilities

Topic: Exploits/Vulnerabilities


Latest Posts:


Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)


WAF-FLE – Graphical ModSecurity Console Dashboard


WAF-FLE (Web Application Firewall: Fast Log and Event Console) is a OpenSource ModSecurity Console – which allows the modsecurity admin to store, view and search events sent by sensors.

WAF-FLE - Graphical ModSecurity Console Dashboard

It uses a graphical dashboard to drill-down and find quickly the most relevant events. It is designed to be fast and flexible, while keeping a powerful and easy to use filter, with almost all fields clickable to use on filter.

Features

  • Central event console
  • Support Modsecurity in “traditional” and “Anomaly Scoring”
  • Brings mlog2waffle as a replacement to mlogc
  • Receive events using mlog2waffle or mlogc
    • mlog2waffle: in real-time, following log tail, or batch scheduled in crontab
    • mlogc: in real-time, piped with ModSecurity log, in batch scheduled in crontab
  • No sensor limit
  • Drill down of events with filter
  • Dashboard with recent events information
  • Almost every event data and charts are “clickable” deepening the drill down filter
  • Inverted filter (to filter for “all but this item”)
  • Filter for network (in CIDR format, x.x.x.x/22)
  • Original format (Raw) to event download
  • Use Mysql as database
  • Wizard to help configure log feed between ModSecurity sensors and WAF-FLE
  • Open Source released under GPL v2

Requirements

  • Apache 2.x server with modrewrite
  • PHP 5.3 or higher
  • PHP PDO Mysql extension
  • PHP GeoIP extension
  • MySQL 5.1 or later

Supported:

Consider installing APC or APCu (php cache) to improve WAF-FLE performance.

You can download WAF-FLE here:

waf-fle-master.zip

Or read more here.

Posted in: Countermeasures, Security Software

Topic: Countermeasures, Security Software


Latest Posts:


Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)