Monday, June 29, 2009

DC 571: A confusion arose from previous posting

We asked for 2 things before you come in:

(1) Handle
(2) Any form of identification to identify yourself [try to keep it somewhat unique]

Food court 3rd floor in Tysons Corner is huge. We do not want you to miss the meeting by looking around every table, and at the same time we don't want ourselves to look like fools by looking around for some unknown entity.

So the best way to identify yourself would be to send something like: "Hey, this is str0ke[Artificial Name, not your NAME or SSN]. I would be wearing Defcon 16 T-shirt with blond hair and blue eyes." That should be good enough for us to identify you among the crowd. But if you wanna add description like "I am 6 feet tall." or something else, you are more than welcome to. But if you would mind to provide such details, we cannot identify you or call your HANDLE out loud to determine if it was you.

Hope this clarifies your questions. Do not hesitate to ask more questions? These questions clarifies things that wouldn't happen if we do not get to know what you feel.

EF

Sunday, June 28, 2009

DC 571: Defcon Northern Virginia[Falls Church]

We are having our first meeting after a long gap on July 18th, 2009 Saturday around 5 PM at the Tysons Corner Shopping center food court.

If you would be appearing at the meeting, kindly send us the following details to contact.fingers @ gmail.com:

(1) Handle
(2) Any form of identification to identify yourself [try to keep it somewhat unique]

NOTE: If you are someone who would like to misuse this educational gathering for some other malicious purpose or your mysterious day dream, then get the heck out of here.

Also, if you have any other questions do not hesitate to contact us.

- EF

Socialize

Hey guys,

Just added a complete section for socializing with your buddies.

You could tweat with us, join us at linkedin, read our blogs, get our feeds and bookmark stuff from this section.

Check it out @: http://www.rootkitanalytics.com/socialize/index.php.

-EF

Thursday, June 25, 2009

Symbiosis malware present. Koobface

Koobface is a worm designed to exploit the user profiles of popular social networks like MySpace and FaceBook in order to obtain sensitive and confidential information of their victims, although the latest versions limiting their goal FaceBook. In fact, the word Koobface is a transposition of the word Facebook.

His early versions date back to late 2008 and since then continues In-the-Wild with an infection rate of concern. Thus, the same company released a series of preventive measures to minimize the potential risk of infection, which is constantly latent for users who use the social network.

In principle, the usual means of dissemination used Koobface is via web through Visual Social Engineering and is the first facet of propagation.

The second facet (infection) channeled their malicious actions in a very common at present, based on a combination of malware, creating a symbiosis where each component of ambient display instructions to seek a common objective and comprehensive.

But let's see which are these components that form a part of the stage of infection of the variant Koobface. NBO. This worm, detected nowadays by approximately 31 companies antivirus of 41 (75.61 %), on having infected the system establishes connection with the following URL's:
  • http://oberaufseher.net/img/cmd.php
  • http://pornfat.net/img/cmd.php
It also downloads the following malware:
  • TrojanDownloader.Small.OCS Troyano
  • Tinxy.AD Troyano
  • Tinxy.AF Troyano
  • BHO.NOE Troyano
  • Koobface.NBH gusano
  • PSW.LdPinch.NEL Troyano
From the technical point of view, some data can be collected in the brief preliminary analysis of each of the malicious code downloaded by Koobface:

The trojan TrojanDownloader.Small.OCS has a detection rate of 35/40 (87.5%) creates keys in the registry and backs himself.
  • HKLM\SOFTWARE\Microsoft\MSSMGR\
  • HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\winccf32
  • C:\WINDOWS\system32\winccf32.dll (copy of itself).
Tinxy.AF, another trojan, it also creates files in the system and has a detection rate of slightly less than the previous 30/40 (75.00%).
  • C:\windows\ld09.exe
  • C:\docume~1\user\locals~1\temp\podmena.bat
The trojan Tinxy.AD has a detection rate of 35/40, was detected by approximately 87.50% of the virus. Creates a copy of itself and makes use of the tool to enable a NetShell DLL, open ports, and specify a proxy.
  • C:\WINDOWS\system32\SYSDLL.exe (copy of itself)
  • netsh add allowedprogram "SYSDLL" C:\WINDOWS\System32\SYSDLL.exe ENABLE
  • netsh firewall add portopening TCP 80 SYSDLL ENABLE
  • netsh firewall add portopening TCP 7171 SYSDLL ENABLE
  • netsh winhttp set proxy proxy-server="http=localhost:7171" Agrega la información del proxy en:HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
BHO.NOE is another of the trojans as part of the process of infection Koobface, with a detection rate of 92.11% (35/38), create a folder and a file.
  • C:\WINDOWS\system32\796525
  • C:\WINDOWS\system32\796525\796525.dll
As to PSW.LdPinch.NEL trojan, detected by 34 antivirus of 40 (85.00%), is designed to steal passwords from different web browsers, mail clients, IM clients and other services.

Finally, download a variant of the family, the worm Koobface.NBH, in this case, the detection rate was 27/40 (approx. 67.50%).

As we can see, the infection of this malware isn't just limited to malicious instructions they have, but it goes beyond that and download another. This action is a common behavior in the present, where the fusion of Web applications and control of botnets and the administration of different types of malware, joining forces with a common goal: improving the economics of crime.

# Jorge Mieres

www.allthreats.com

Hey Folks,

"Allthreats has born!!!. I started with this project one year ago, however I was really busy then and I coudn’t finish it before. Now it’s time to announce it. Allthreats is a free online network traffic analyzer. This system is able to analyze a pcap file with several tools: IDS (only Snort at the moment [Sourcefire VRT and Emerging Threats signatures], I’ll integrate Bro IDS soon), Honeysnap (from honeynet project. It’s able to analyze HTTP, FTP and SMTP traffic, extract files from the pcap and analyze them with several antivirus engines [by now: Clamav, Bitdefender and Avira] ).

This service can analyze binaries with several AV engines (like other well-knonwn online services), nevertheless it adds a new functionality: Remote File Analyzer (URL Analyzer). You don’t have to download the binary, we download it for you.

I would like to add more IDS and antivirus engines, so if you’re interested in add your AV or IDS engine, please send me an email: engines @ allthreats.com"

is a blog posting at http://www.inkatel.com/index.php/2009/06/19/wwwallthreatscom/.

This site looks pretty cool and has a pretty good start/direction. Check it out when you get a chance.

Tuesday, June 23, 2009

SORBS needs help

It comes with great sadness that I have to announce the imminent closure of SORBS. The University of Queensland have decided not to honor their agreement with myself and SORBS and terminate the hosting contract.

I have been involved with institutions such as Griffith University trying to arrange alternative hosting for SORBS, but as of 12 noon, 22nd June 2009 no hosting has been acquired and therefore I have been forced in to this announcement. SORBS is officially "For Sale" should anyone wish to purchase it as a going concern, but failing that and failing to find alternative hosting for a 42RU rack in the Brisbane area of Queensland Australia SORBS will be shutting down permanently in 28 days, on 20th July 2009 at 12 noon.

This announcement will be replicated on the main SORBS website at the earliest opportunity.

For information about the possible purchase of SORBS, the source code, data, hosts etc, I maybe contacted at michelle@sorbs.net, telephone +61 414 861 744.

For any hosting suggestions/provision, please be aware that the 42RU space is a requirement at the moment, and the service cannot be made into a smaller rackspace without a lot of new hardware, virtual hosting is just not possible. The SORBS service services over 30 billion DNS queries per day, and has a number of database servers with fast disk to cope with the requirements.

Thank you for all your support over the years,

Michelle Sullivan (Previously known as Matthew Sullivan)

Thursday, June 18, 2009

Bootkit Analytics - Releasing Soon

www.BootkitAnalytics.com - Vipin Kumar from http://www.nvlabs.in/ and Peter Kleissner from http://web17.webbpro.de/ have joined EvilFingers.com in a combined effort to create Bootkit Analytics, a website dedicated for boot sector, rootkits on boot sector, MBR, and other cool stuff.

We have been planning this since Jan 2009, and finally it is going to be out in the next few weeks.

- EF

Monday, June 15, 2009

Security Cameras - To See Or Not To See?!

These days, security is going digital.

From live and automatic event log analysis up to personal "on-key" tokens and remotely controlled security cameras.

These technologies should be used carefully. For example if the token generates 6 digits and there is no password complexity enforcement, users can set their password to "1" and then we'll get a 7 character length password. If the data from the log will not be filtered and will be in html format, it may execute code. Even worse, if it is viewed at the command line console, it may execute code using the console color control characters.

When talking about security cameras, a security flaw in the camera's simple application server may cause the entire video stream to be accessible to an intruder.



While consulting to a big financial customer, I discovered the security cameras installed are easily accessible to anyone thanks to a very simple logical flaw. Not to mention default user accounts, empty password sets, the ability to brute force, directory traversal and some classic authorization bypass vulnerabilities.

Most of the security cameras in my country are bought from Korea, some of the software is written by the vendor and some by the distributer. Both of them should pay much more attention to security so we won't have the same classic vulnerabilities over and over again.

Attached are a few screen captures:

another white night at work

another white night at work

Clothing Shop

Clothing Shop

Coffee Shop

Coffee Shop

Eyes on the ball!!!

Eyes on the ball!!!

How's that shirt?

How's that shirt?"

Anyone knows a Safe-Cracker?!

Anyone knows a Safe-Cracker?!

Wednesday, June 10, 2009

Trade Russian version of private crimeware. Take the offer!

Currently there are many applications crimeware kits based administration, control and dissemination of exploits composed of modules, written in php, where each has a particular role.

In the Russian black market, these applications are sold at different prices which have direct relationship with the "features" offered by the kit, however, are sometimes offers "juicy" so that many cyber criminals can exploit, such as this combo consisting of three applications crimeware: Neon Exploit System, Sploit25, Unique Sploits Pack.

All for the reasonable price of USD 450.

The price of the combo is only accessible when you consider the cost of buying each separately:
  • Neon Exploit System = USD 500
  • Sploit25 Lite version = USD 1500
  • Sploit25 Pro = USD 2500
  • Unique Sploits Pack = USD 600 + USD 100 for product updates (crossed out) USD 50 and get the encryption module.
These values are somewhat outdated. However, the actual cost of purchasing the three pack of USD 2600 is the basic version of each crimeware, USD 3750 and the full version (version Pro Sploit25 module update and more encryption Unique Sploits Pack).

Moreover, as any good businessman, cyber crime has the potential to perform a test prior to purchase, providing the demo of the three kits.

In the case of Neon Exploit System, you can see each of the modules with which the application and the advantages offered by criminal as well as the ability to store data on each node to be infected by incorporating the botnet.
With respect to Sploit25 upstream is a clear difference to other applications of its kind during the authentication process, the kit only asks password.

The third of crimeware is Unique Sploits Pack. Through the demo shows the administrative operations of the Kit and the configuration possibilities it offers, showing some of the exploits used with reference to them.

You can also try to select the order in which each of the activation exploits that affect the systems. In this example, the modules proposed for attacking the browsers Internet Explorer 5, 6, 7, 8 and some versions of Firefox are activated, while the attack for Opera modules are inactive.

Nevertheless, the "dealer" uses another strategy to sell, perhaps by the time of crisis, and offers a more juicy and just for a week, which suffers a combo discount and the cost decreases to USD 350.

However, not only ends with the most accessible offering that as the portfolio of "cyberdealer" is broader, and also offers the sale of another very famous crimeware: Zeus, at low cost.

However, the methodology proposed sale is for anything, and perhaps involves a covert strategy of social engineering for the "newbies" who come to the cyber criminals with the intention of buying the package crimeware, because, as in many cases, certain modules can be backdoreados or in the case of Zeus, the program features to generate the client can not be real, and be replaced by another malware to exploit the "innocence" of the aspiring cyber crime ;-P


Saturday, June 6, 2009

Pornography. Good excuse for spreading malware

Sites that offer pornography tend to have many visitors, perhaps much more than the fancy, and it's not a new trend or a fad today. It's no coincidence, because the pornographic material is the most wanted online, even historically speaking.

Accordingly, it's logical to think that "porn" is used as an attack vector to infect the computers of those who tend to frequent many of us, for research of course :D

Specifically, the research that curiosity led me to find a site that is a testament to the museum to describe malicious maneuver to use social engineering with a high component of deception to capture the attention of those Internet users who "surf" with the night the cloud, looking for a visual delight :D

In this case, under the slogan "Nude Celebrities on Video" We are a site that offers viewing of videos about celebrities, and the persons chosen Britnet Spears, Rihanna, Charlotte Gainsbourg, Emma Watson, Mischa Barton, Aisleyne Horgan, Kate Moss, Scarlett Johansson, LIndsay Lohan, Penelope Cruz, Singer Amy Winehouse, Louise Redknapp, Miley Cyrus, Sophie Howard, Emily Procter, Jessica Simpson and the classic Pamela Anderson ;D

When the person you want to see any of the cases videos click on them, a small window is displayed warning of the need to install a codec, offering the same download.

At this point, if the user agrees, is the downloading of a malware, also known as pornware in its direct connection to the pornographic.

This is a binary called softwarefortubeview.40056.exe (MD5: ce845a1e32ecc07ee0d58bc6ea55fe9c) that is downloaded from the address http://streaming-united. com (91.212.65.54) is hosted in Ukraine, whose detection rate is very low. Only detected by antivirus engines 6 out of 40.

Given the vector used for the propagation, the most visual component of social engineering and the low detection rate, we can assume that the degree of effectiveness with which it can count the threat is high. This requires great care when visiting :-) for research websites with such content.

Related Information
Ingeniería Social visual y el empleo de pornografía como vector de propagación e infección II
Ingeniería Social visual y el empleo de pornografía como vector de propagación e infección
Estrategia de infección agresiva de XP Police Antivirus
Google Grupos nuevamente utilizado para diseminar porno spam
Ingeniería Social visual para la propagación de malware

# Jorge Mieres

Thursday, June 4, 2009

Merger. A concept adopted by the current crimeware

Overall, we could say that the merger is the reunion, or union, of two or more components in the same environment. In such sense, this is the concept which seems to take the crimeware current through two of the kits administration and control of zombies via web are more active as ZeuS and LeFiesta.

The first, ZeuS, whose panel of authentication is shown in the picture, has implemented the template ZeuS Carding World, and the statistical data as type and number of operating systems infected countries where there are zombies and browsers who have exploited vulnerabilities in this case by LeFiesta.

As we can see in the screenshot, both packages have been merged into a single environment, apparently in an effort that seeks to unify the ideas malicious, and economic interests of both the potential to generate greater power of distributed attacks.

Although this may seem somewhat trivial, the truth is that this style of crimeware shared by others is to say, the same goals, transforming them into "weapons" highly compatible.

In another occasion I remember to have found a merger between two other crimeware packages that are also very active and has high levels of infection: Unique Sploits Pack and YES Exploit System.

So perhaps this strategy becomes a trend in which different actors, representing all Kits for centralized management and remotely via web, interact with each other to achieve a greater volume of zombies, allowing attackers a greater degree of power distributed.

Related Information
Unique Sploits Pack. Manipulando la seguridad del atacante II
YES Exploit System. Manipulando la seguridad del atacante
Entidades financieras en la mira de la botnet Zeus. Primera parte
Zeus Botnet. Masiva propagación de su troyano. Segunda parte
Zeus Botnet. Masiva propagación de su troyano. Primera parte
LuckySploit, la mano derecha de Zeus

# Jorge Mieres

Tuesday, June 2, 2009

Botnet. Securing the new version of Zeus

A few days ago a new version of Zeus (also known as Zbot, wsnpoem, Ntos or Prg) is around for the big cloud. This new version incorporates several features which emphasizes the possibility of spreading the threat of an exploit vector of infection is most commonly used as e-mail.

But perhaps the most interesting is in making its structure through the incorporation of a new security layer implemented during the authentication process to its panel of administration and control.

The authentication process in previous versions, is composed of three fields: the user name, password and another that provides the language with which it's displayed crimeware, offering two options: English and Russian (the latter, the native tongue of the creator of the package).

The new version not only has the authentication options above but adds a new field that offers greater security against attempts to "cracking the password".

The incorporation of this new change isn't unique. It has also optimized the code Zeus and slightly modified the display of its different modules, the structure being setup as follows:
  • /install > folder where the installer is housed
  • /system > folder that hosts the file system
  • /theme > design to be displayed with the Zeus
  • cp.php > control panel
  • gate.php > backdoreo of the bot
  • index.php > prevents the file list
  • /system/config.php > configuration file
  • /system/fsarc.php > script that calls an external file
The appearance of previous versions of the panel installation, as seen in the catch, has five sections: Root login, MySQL server, MySQL tables, Paths and Local Options.

The new version optimized features four sections: Root user (authentication data equivalent to Root login), MySQL server (login information to the database), Local folders (log file on the actions of Zeus) and Options (which incorporates the default encryption option).

Another thing "interesting" that incorporates this package is a module that lets you add scripts.

This implies a scope much broader, since it's possible to add the quantity and variety of the script botmaster want.

As we can see, the crimeware continues to evolve through malicious applications, and Zeus is a true test where "professionalism" of cyber criminals engaged in the business to keep dark representing malware continues to escalate positions within the criminal market.

Related Information
ZeuS Carding World Template. Jugando a cambiar la cara de la botnet
Entidades financieras en la mira de la botnet Zeus. Segunda parte
Entidades financieras en la mira de la botnet Zeus. Primera parte
Zeus Botnet. Masiva propagación de su troyano. Segunda parte
Zeus Botnet. Masiva propagación de su troyano. Primera parte
LuckySploit, la mano derecha de Zeus

# Jorge Mieres