[Full-disclosure] Decrypting SSL for Network Monitoring

2011-06-28 Thread Adam Behnke
InfoSec Institute resources author Alec Waters gives you step by step
instructions on how to decrypt SSL for network monitoring:

http://resources.infosecinstitute.com/ssl-decryption/

Your thoughts?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Security risks in public APIs?

2011-10-26 Thread Adam Behnke
Hello full disclosurites, what do you think about security in public APIs?

Dan Morrill here at InfoSec Institute writes about how to insecurely and
securely use APIs in the Facebook SDK:

http://resources.infosecinstitute.com/api-security/

Your thoughts?

[Full-disclosure] Writing Self Modifying Code

2011-11-30 Thread Adam Behnke
Hello full disclosureites, a new tutorial is available at InfoSec Institute
review from Andrew King on writing self-modifying code. This is part one of
a three-part series:

http://resources.infosecinstitute.com/writing-self-modifying-code-part-1/

In subsequent parts, Andrew will demonstrate how this can be used to bypass
antivirus and other neat tricks.

Your thoughts?


[Full-disclosure] VLAN Hacking Tutorial at InfoSec Institute

2011-12-08 Thread Adam Behnke
Ever wanted to learn how to hack a VLAN? Here is a tutorial for all of you:

http://resources.infosecinstitute.com/vlan-hacking/

[Full-disclosure] Firefox forensics with SQLite Manager at InfoSec Institute

2011-12-12 Thread Adam Behnke
Hello, a recent article here on how to perform forensics investigations on
Firefox with SQLite Manager:

http://resources.infosecinstitute.com/firefox-and-sqlite-forensics/

This is relevant because it is easy to install, doesn't require you to buy a
$4,000 forensic software tool (EnCase, FTK, etc.), and gives you lots of
good data on forms, cookies, add-ons, extensions, SSL sessions, etc.

Your thoughts?

[Full-disclosure] Creating backdoors using SQL Injection

2012-02-09 Thread Adam Behnke
An InfoSec Institute Review on Creating backdoors using SQL Injection:

http://resources.infosecinstitute.com/backdoor-sql-injection/

A novel technique that highlights the risk of not chrooting your SQL
servers.

[Full-disclosure] New Android Malware Botnet Reversed/Uncovered

2012-02-10 Thread Adam Behnke
Hello, one of InfoSec Institute's security researchers reverse engineered a
new botnet that is active for the Android platform. RootSmart has some
unique features that make it newsworthy:

- Takes advantage of the Gingerbreak exploit to take control of the Android
  device
- The main malware payload is a rootkit that hides itself inside of a legit
  app
- The rootkit hooks itself into the legit app as a boot service
- The rootkit installs its own shell into the OS, allowing it to silently
  install other packages
- Encrypts the C&C URLs with a clever non-standard communication stream

RootSmart is a successful botnet in the wild; between 10,000 and 30,000
devices are currently infected, per Symantec. We were also able to uncover
the C&C server locations; they are currently active and residing in China.
More details are available here:

http://resources.infosecinstitute.com/rootsmart-android-malware/


[Full-disclosure] Attacking the Phishers: An Autopsy on Compromised Phishing Websites

2012-02-13 Thread Adam Behnke
InfoSec Institute researcher Quaker Doomer explores various phishing sites
to see what the phishers are doing behind the scenes:

http://resources.infosecinstitute.com/attacking-the-phishers/


[Full-disclosure] New DNS exploit - Ghost Domains

2012-02-14 Thread Adam Behnke
To explain:

Whenever there is a query for a domain which is not in the resolver's cache,
the process happens by traversing through the entire DNS hierarchy from the
root servers to the top-level domain (e.g., .com). The top-level domain
(TLD) then gives us the information about the name server that has been
delegated the responsibility of the domain whose IP address we are looking
for. We then get the information about that domain from its name server. The
results are then cached by the DNS resolver with a particular value of TTL
(time-to-live), after which the entry in the cache expires.

The exploit targets a weakness in the cache update logic of some of the DNS
servers. The exploit allows the cache to be overwritten in such a way that
it is possible to continuously extend the TTL for the delegation data of a
particular domain and prevent it from ever expiring. The domain will be
completely resolvable indefinitely even though it has been deleted from the
TLD servers. These types of domains have been termed Ghost Domain Names.

In this article we will discuss a recent DNS exploit, present in most DNS
servers, that was discovered by researchers Jian Jiang, Jinjin Liang, Kang
Li, Jun Li, Haixin Duan and Jianping Wu.

Read the full article and view a sample Ghost Domain here:
http://resources.infosecinstitute.com/ghost-domain-names/
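
An added simulation of the cache-update weakness described above, not code from the article or from the paper it summarises: a toy resolver whose cached delegation is either refreshed by NS data carried in the child server's responses (the vulnerable behaviour) or allowed to expire unless the parent zone re-delegates it (the mitigation modelled here). Domain names, addresses and TTLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Answer:
    address: str
    authority_ns: Optional[str]     # NS data the responding server attaches for its zone


class ChildServer:
    """The delegated name server for example.com; in the ghost case its operator keeps it up."""

    def __init__(self, ip):
        self.ip = ip

    def query(self, name):
        # Every answer carries NS data for example.com pointing back at this server.
        return Answer(address="198.51.100.7", authority_ns=self.ip)


class Resolver:
    def __init__(self, tld, ttl, refresh_from_child):
        self.tld = tld                      # parent (TLD) delegations: domain -> NS ip
        self.ttl = ttl
        self.refresh_from_child = refresh_from_child
        self.cache = {}                     # domain -> (NS ip, expiry time)
        self.now = 0                        # simulated clock in seconds

    def resolve(self, name, servers):
        domain = ".".join(name.split(".")[-2:])
        cached = self.cache.get(domain)
        if cached is None or cached[1] <= self.now:
            ns_ip = self.tld.get(domain)    # nothing usable cached: ask the parent
            if ns_ip is None:
                self.cache.pop(domain, None)
                return None                 # NXDOMAIN: the TLD no longer delegates it
            self.cache[domain] = (ns_ip, self.now + self.ttl)
        answer = servers[self.cache[domain][0]].query(name)
        if self.refresh_from_child and answer.authority_ns:
            # Vulnerable update logic: NS data from the child overwrites the cached
            # delegation and restarts its TTL, so the parent's expiry is never reached.
            self.cache[domain] = (answer.authority_ns, self.now + self.ttl)
        return answer.address


def ghost_domain_survives(refresh_from_child, delete=True, ttl=3600, horizon=86400):
    """Cache the delegation, delete the domain at the TLD, keep querying fresh
    labels before each expiry, and report whether it still resolves a day later."""
    tld = {"example.com": "203.0.113.5"}
    servers = {"203.0.113.5": ChildServer("203.0.113.5")}
    r = Resolver(tld, ttl, refresh_from_child)
    r.resolve("www.example.com", servers)    # delegation cached while still legitimate
    if delete:
        del tld["example.com"]               # the registry removes the delegation
    step = ttl // 2
    for i in range(horizon // step):
        r.now += step
        r.resolve(f"host{i}.example.com", servers)
    return r.resolve("www.example.com", servers) is not None


if __name__ == "__main__":
    print("vulnerable resolver, domain deleted:", ghost_domain_survives(True))
    print("fixed resolver, domain deleted:     ", ghost_domain_survives(False))
    print("fixed resolver, domain kept:        ", ghost_domain_survives(False, delete=False))
```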


Re: [Full-disclosure] New DNS exploit - Ghost Domains

2012-02-14 Thread Adam Behnke
Good point, well said. Should have called it a technique. Will do so in other 
postings elsewhere. 

-Original Message-
From: InterN0T Advisories [mailto:advisor...@intern0t.net] 
Sent: Tuesday, February 14, 2012 1:05 PM
To: Adam Behnke
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] New DNS exploit - Ghost Domains

To question:

I don't get it, where's the vulnerability (or exploit)? DNS is supposed to
work this way, and because some name servers like OpenDNS use longer TTL
values, it doesn't necessarily mean that it's a vulnerability or an
exploit. It's like saying that because an IPv4 address is leased via DHCP
for a week, it's a vulnerability too, even if the target host isn't using it.

I'd rather say it's a technique that you can use to perform phishing,
botnet C&C control, spamming, etc. (as described in the paper mentioned in
the blog), without even having an official primary or secondary nameserver
linked to the domain, as the domain can live on other nameservers that have
cached it.

The only weakness (not vulnerability or exploit) of long TTL values is
that domains can exist as "ghosts" (aka ghost domains) for a long time
without even really existing officially.

But you can't attack anyone with this weakness, as it's just a way of
keeping a domain live on the Internet.

If it's because the paper discusses that it can be used to perform phishing,
botnet C&C, etc., well, so can active non-ghost domains too. The only
difference is that ghost domains don't have an active primary and secondary
nameserver, but are instead cached in nameservers functioning as resolvers,
such as those used by ISPs, OpenDNS, etc.

Send an e-mail to Dan Kaminsky and tell him it's an exploit, I think he
might laugh. No offense intended.

Link:
https://www.isc.org/files/imce/ghostdomain_camera.pdf

Best regards,
MaXe

On Tue, 14 Feb 2012 11:09:13 -0600, "Adam Behnke"
 wrote:
> To explain:
>
> Whenever there is a query for a domain which is not in the resolver's
> cache, the process happens by traversing through the entire DNS hierarchy
> from the root servers to the top-level domain (e.g., .com). The top-level
> domain (TLD) then gives us the information about the name server that has
> been delegated the responsibility of the domain whose IP address we are
> looking for. We then get the information about that domain from its name
> server. The results are then cached by the DNS resolver with a particular
> value of TTL (time-to-live), after which the entry in the cache expires.
>
> The exploit targets a weakness in the cache update logic of some of the
> DNS servers. The exploit allows the cache to be overwritten in such a way
> that it is possible to continuously extend the TTL for the delegation data
> of a particular domain and prevents it from ever expiring. The domain will
> be completely resolvable indefinitely even though it has been deleted from
> the TLD servers. These types of domains have been termed Ghost Domain
> Names.
>
> In this article we will discuss a recent DNS exploit which is present in
> most of the DNS servers that was discovered by researchers Jian Jiang,
> Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu.
>
> Read the full article and view a sample Ghost Domain here:
> http://resources.infosecinstitute.com/ghost-domain-names/



[Full-disclosure] pcAnywhere Leaked Source Code - An Anonymous Review

2012-02-20 Thread Adam Behnke
DISCLAIMER: InfoSec Institute received an anonymous submission concerning
the leaked pcAnywhere source code. The article is published here; we have
redacted any code snippets or other pieces of source code that were included
in the original article. Otherwise it has been left unedited/unaltered.

The pcAnywhere source code leaked out onto the internet in late January 2012
and includes 47,021 files weighing in at 1.3GB. The October 2006 snapshot
provides an insight into Symantec development practices, policies, and of
course the code itself. Below is a brief assessment of the source code and
what it all means for computer users, hackers, and Symantec.

http://resources.infosecinstitute.com/pcanywhere-leaked-source-code/

[Full-disclosure] Circumventing NAT via UDP hole punching.

2012-02-22 Thread Adam Behnke
A new write up at InfoSec Institute on circumventing NAT. The process works
in the following way. We assume that both the systems A and B know the IP
address of C.

a) Both A and B send UDP packets to the host C. As the packets pass through
their NATs, the NATs rewrite the source IP address to their globally
reachable IP address. They may also rewrite the source port number, in which
case UDP hole punching would be almost impossible.

b) C notes the IP address and port of the incoming requests from A and B.
Let the port number for A equal X and the port number for B equal Y.

c) C then tells A to send a UDP packet to the global IP address of the NAT
for B at port Y, and similarly tells B to send a UDP packet to the global IP
address of the NAT for A at port X.

d) The first packets from both A and B get rejected while entering each
other's NATs. However, as the packet passes from the NAT of A to the NAT of
B at port Y, NAT A makes note of it and hence punches a hole in its firewall
to allow incoming packets from the IP address of the NAT of B, from port Y.
The same happens with the NAT of B, and it makes a rule to allow incoming
packets from the IP address of the NAT of A from port X.

e) Now when A and B send packets to each other, these get accepted and hence
a P2P connection is established.

http://resources.infosecinstitute.com/udp-hole-punching/
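
The five steps above as an added simulation, not code from the InfoSec Institute write-up: two toy NATs, a rendezvous host C, and the hole-punching exchange between A and B. The `symmetric=True` case models the post's warning that a NAT which also rewrites the source port (here: a fresh external port per destination) defeats the punch. All addresses and port numbers are constructed.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Nat:
    """Toy NAT: rewrites the source of outbound packets and admits an inbound packet
    only if the inside host has already sent one to that exact remote (IP, port)."""

    def __init__(self, public_ip, first_port, symmetric=False):
        self.public_ip = public_ip
        self.symmetric = symmetric      # True: fresh external port per destination
        self.mappings = {}              # mapping key -> external port
        self.holes = set()              # (external port, remote ip, remote port)
        self._ports = itertools.count(first_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if self.symmetric:
            key += (pkt.dst_ip, pkt.dst_port)
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
        ext_port = self.mappings[key]
        self.holes.add((ext_port, pkt.dst_ip, pkt.dst_port))   # step d): the hole
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Return the packet as delivered to the inside host, or None if dropped."""
        if (pkt.dst_port, pkt.src_ip, pkt.src_port) not in self.holes:
            return None
        for key, ext_port in self.mappings.items():
            if ext_port == pkt.dst_port:
                return Packet(pkt.src_ip, pkt.src_port, key[0], key[1], pkt.payload)
        return None


def punch(symmetric=False):
    """Run steps a) to e) with constructed addresses and report what got through."""
    nat_a = Nat("203.0.113.1", 40000, symmetric)
    nat_b = Nat("198.51.100.1", 50000, symmetric)
    a, b, c = ("10.0.0.2", 5000), ("192.168.1.2", 6000), ("192.0.2.10", 3478)

    # a) + b): A and B each send to C, which records the translated source endpoint
    reg_a = nat_a.outbound(Packet(*a, *c, "register"))
    reg_b = nat_b.outbound(Packet(*b, *c, "register"))
    endpoint_a = (reg_a.src_ip, reg_a.src_port)      # NAT A's public IP, port X
    endpoint_b = (reg_b.src_ip, reg_b.src_port)      # NAT B's public IP, port Y

    # c) + d): C tells A about endpoint_b. A's packet reaches NAT B before B has sent
    # anything towards NAT A, so NAT B drops it; NAT A, however, now has a hole for B.
    first = nat_b.inbound(nat_a.outbound(Packet(*a, *endpoint_b, "punch")))
    # B, told about endpoint_a, sends its packet: it opens B's hole, and A's hole admits it
    b_to_a = nat_a.inbound(nat_b.outbound(Packet(*b, *endpoint_a, "punch")))
    # e): A's next packet passes NAT B, so both directions are open
    a_to_b = nat_b.inbound(nat_a.outbound(Packet(*a, *endpoint_b, "hello")))

    return {
        "first_packet_delivered": first is not None,
        "b_to_a": b_to_a is not None and (b_to_a.dst_ip, b_to_a.dst_port) == a,
        "a_to_b": a_to_b is not None and (a_to_b.dst_ip, a_to_b.dst_port) == b,
    }


if __name__ == "__main__":
    print("port-preserving NAT:", punch())
    print("symmetric NAT:      ", punch(symmetric=True))
```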

[Full-disclosure] Soft skills needed for an information security career?

2012-02-27 Thread Adam Behnke
Two people can interview for a position who look to be nearly equal in terms
of experience, yet a hiring manager comes away with a strong recommendation
to hire one and not the other. Or sometimes there are even instances in
which someone may appear to be even stronger in terms of experience and
training, and yet someone else gets the job. Setting aside potential
discrimination issues, a very valid difference could be what some would call
soft skills, or behavioral skills. These skills are the intangibles that
really pull everything together and drive someone's success or failure in a
role.

Read more at:

http://resources.infosecinstitute.com/soft-skills-hiring/


[Full-disclosure] Cookie based SQL Injection

2012-03-06 Thread Adam Behnke
All data sent by the browser to a Web application, if used in a SQL query, can
be manipulated in order to inject SQL code: GET and POST parameters, cookies
and other HTTP headers. Some of these values can be found in the environment
variables. The GET and POST parameters are typically entered into HTML forms;
they can contain hidden fields, i.e. information that is in the form but not
shown. GET parameters are contained in the URL and POST parameters are passed
as HTTP content. Nowadays, and with the growth of Web 2.0 technologies, GET and
POST requests can also be generated by JavaScript.

Injecting malicious code in a cookie:

Unlike other parameters, cookies are not supposed to be handled by users.
Outside of session cookies, which are (usually) random, cookies may contain data
in the clear or encoded in hexadecimal, base64, hashes (MD5, SHA1), or serialized
information. If we can determine the encoding used, we will attempt to inject
SQL commands. Read more about the technique here:

http://resources.infosecinstitute.com/cookie-based-sql-injection/

[Full-disclosure] DarkComet - syrian revolution trojan analysis and author interview

2012-03-21 Thread Adam Behnke
On February 17th CNN published an interesting article, where some of the
Syrian regime's opponents claimed that the government was using a Trojan to
monitor and disrupt the protestors' network. Apparently the regime has been
using a well-known social engineering technique: impersonate a trusted
person, then attack from the inside. It is not possible to confirm the story,
but this is what is being told by the opponents of the regime: apparently
one of the protestors was brought to jail and promptly forced to hand over
his passwords. Those passwords were used later on to access his Skype
account and infiltrate the network of protestors, spreading via chat a
program containing some malicious code. In other cases the same file was
delivered as a Facebook Chat security update, together with a Facebook icon,
while some other people claim that it was also sent by mail. Whatever the
means, the common sign among all the stories is that this file, after being
opened, did simply nothing and even the antivirus didn't complain at all.

What follows is an in-depth analysis of the Trojan as well as an interview
with the author of the RAT:

http://resources.infosecinstitute.com/darkcomet-analysis-syria/


[Full-disclosure] Mexican Drug Cartels and Cyberspace

2012-03-26 Thread Adam Behnke
Mexican drug trafficking organizations are increasingly demonstrating a
desire to make money from cyber-crime, attracted by the high profits and
minimal risks offered by such activities as fraud, theft, and piracy. These
gangs lack the needed technical know-how within their ranks, which means
they would be desperate to recruit programmers with the expertise to break
into the world of cyber-crime.

Recent claims that computer programmers are being forcibly recruited by
Mexican drug gangs, if true, suggest that these groups are acquiring the
ability to reap the potential profits of cyber-crime. Read the full article
here: http://resources.infosecinstitute.com/mexican-cartels-infosec/


[Full-disclosure] Hacking AutoUpdate by Injecting Fake Updates

2012-04-03 Thread Adam Behnke
We all know that hackers are constantly trying to steal private information
by getting into the victim's system, either by exploiting the software
installed in the system or by some other means. By performing routine
updates for their software, consumers can protect themselves, patching known
vulnerabilities and therefore greatly reducing the chance of getting hacked.

Commonly used software, such as MS Office, Adobe Flash and PDF reader (as
well as the browsers themselves) are the major targets for exploits if left
unpatched. In the past, fake patches for Firefox, IE, etc. displayed
messages informing users that updated versions for a plugin or the browser
were available, prompting the user to update their software. For example,
the page will tell the user that updating their Flash version is critical.
Once the user clicks the fake update, it will download malicious content
(like, for example, the Zeus Trojan) to the victim's computer, as well as
perhaps a rogue anti-virus, asking the user to pay in order to remove the
infections. Similar attacks have been done in the past for various browsers,
too.

When you think about it, how many people are really cautious about the
updates, the type of update or the link from where they are downloading and
installing the update? Obviously, there are very few people that are really
cautious and vigilant about updates, therefore making the success rates for
those exploiting the users high.

Read more about how to perform a few different AutoUpdate man-in-the-middle
attacks that work against Java, AppleUpdate, Google Analytics, Skype,
Blackberry and more: http://www.ethicalhacking.com


[Full-disclosure] SQL Injection through HTTP Headers

2012-04-04 Thread Adam Behnke
During vulnerability assessment or penetration testing, identifying the
input vectors of the target application is a first step. Sometimes, when
dealing with Web application testing, verification routines related to SQL
injection flaw discovery are restricted to the GET and POST variables as
the only input vectors ever considered. What about other HTTP header
parameters? Aren't they potential input vectors for SQL injection attacks?
How can one test all these HTTP parameters, and which vulnerability scanners
should one use in order to avoid leaving vulnerabilities undiscovered in
parts of the application?

A comparison of 60 commercial and open-source black box web application
vulnerability scanners was released, titled "The Scanning Legion: Web
Application Scanners Accuracy Assessment & Feature Comparison". This
benchmark, performed by the security researcher Shay Chen in 2011, focused
on testing commercial and open source tools that are able to detect (and not
necessarily exploit) security vulnerabilities on a wide range of URLs. This
study shows that 75% of Web application scanners couldn't discover
HTTP-header-parameter-related flaws.

In this article at InfoSec Institute we cover how to perform SQL Injection
against HTTP headers, realizing a potentially dormant method of SQL injection
that is not looked at as much as other SQL injection methods:
http://resources.infosecinstitute.com/sql-injection-http-headers/
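
An added example serving both this post and the cookie-based SQL injection post above, not code from either InfoSec Institute article: a request whose base64-encoded `user` cookie and `X-Forwarded-For` header reach SQLite queries, written once with string splicing and once with bound parameters, plus a check showing why an inspector that never decodes the cookie sees nothing. The cookie layout, table contents and request are constructed.

```python
import base64
import sqlite3


def setup_db():
    """Constructed sample data standing in for the application's tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.execute("CREATE TABLE visits (ip TEXT, page TEXT)")
    conn.executemany("INSERT INTO visits VALUES (?, ?)",
                     [("203.0.113.9", "/profile"), ("198.51.100.4", "/login")])
    return conn


def parse_headers(raw_request):
    """Turn a raw HTTP request into {header-name: value}; every value is client-controlled."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]                      # drop the request line
    return {k.strip().lower(): v.strip() for k, v in (ln.split(":", 1) for ln in lines)}


def cookie_user(headers):
    """Extract the 'user' cookie and undo its base64 encoding (assumed cookie layout)."""
    cookies = dict(c.strip().split("=", 1) for c in headers["cookie"].split(";"))
    return base64.b64decode(cookies["user"]).decode()


# Vulnerable: the decoded cookie and the header value are spliced into the SQL text.
def lookup_user_vulnerable(conn, headers):
    sql = f"SELECT name, role FROM users WHERE name = '{cookie_user(headers)}'"
    return conn.execute(sql).fetchall()


def count_visits_vulnerable(conn, headers):
    sql = f"SELECT COUNT(*) FROM visits WHERE ip = '{headers['x-forwarded-for']}'"
    return conn.execute(sql).fetchone()[0]


# Hardened: the same lookups with bound parameters; the value never becomes SQL syntax.
def lookup_user_safe(conn, headers):
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (cookie_user(headers),)).fetchall()


def count_visits_safe(conn, headers):
    return conn.execute("SELECT COUNT(*) FROM visits WHERE ip = ?",
                        (headers["x-forwarded-for"],)).fetchone()[0]


SQL_MARKERS = ("'", "--", " OR ", "UNION")


def cookie_flagged(headers):
    """Inspect the cookie before and after decoding; checking only the raw base64 sees nothing."""
    raw, decoded = headers["cookie"], cookie_user(headers).upper()
    return {"raw": any(m in raw for m in SQL_MARKERS),
            "decoded": any(m in decoded for m in SQL_MARKERS)}


def build_request(user_value, xff="203.0.113.9"):
    """Constructed request: the cookie carries base64(user_value), XFF carries xff verbatim."""
    cookie = base64.b64encode(user_value.encode()).decode()
    return ("GET /profile HTTP/1.1\r\nHost: app.example\r\n"
            f"Cookie: session=abc123; user={cookie}\r\n"
            f"X-Forwarded-For: {xff}\r\nUser-Agent: Mozilla/5.0\r\n\r\n")


if __name__ == "__main__":
    db = setup_db()
    crafted = parse_headers(build_request("bob' OR '1'='1", xff="0.0.0.0' OR '1'='1"))
    print("spliced cookie lookup:", lookup_user_vulnerable(db, crafted))
    print("bound cookie lookup:  ", lookup_user_safe(db, crafted))
    print("spliced XFF count:", count_visits_vulnerable(db, crafted),
          "bound XFF count:", count_visits_safe(db, crafted))
    print("cookie inspection:", cookie_flagged(crafted))
```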


[Full-disclosure] Backtrack 5 R2 priv escalation 0day found in CTF exercise

2012-04-11 Thread Adam Behnke
wicd Privilege Escalation 0Day
Tested against Backtrack 5, 5 R2, Arch distributions

Spawns a root shell. Has not been tested for potential remote exploitation
vectors.

Discovered by a student that wishes to remain anonymous, in the course CTF.
This 0day exploit for Backtrack 5 R2 was discovered by a student in the
InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The
student wishes to remain anonymous; he has contributed a python version of
the 0day, a patch that can be applied to wicd, as well as a writeup
detailing the discovery and exploitation process. You can find a python
version of the exploit and the full write up with patch here:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html


[Full-disclosure] Erroneous post concerning Backtrack 5 R2 0day

2012-04-12 Thread Adam Behnke
Yesterday I made a post concerning a 0day advisory in Backtrack 5 R2:
http://seclists.org/fulldisclosure/2012/Apr/123

The posting was incorrect: the vulnerability was NOT in Backtrack but in
wicd; no Backtrack-contributed code is vulnerable. When we tweeted and
emailed to mailing lists the notifications of this vulnerability, we
incorrectly shortened the title and called it "Backtrack 5 R2 priv
escalation 0day", which is misleading and could lead people to believe the
bug was actually in Backtrack. The bug has always resided in wicd and not in
any Backtrack team written code. We apologize for the confusion to the
Backtrack team and any other persons affected by this error. We feel the
Backtrack distro is a great piece of software and wish muts and the rest of
the team the best.


[Full-disclosure] Hacking WolframAlpha

2012-04-24 Thread Adam Behnke
Sharing source code with peers is one thing; sharing secrets over a public
medium is another. The all-seeing eye of Google has no mercy, and once the
secret has been seen, indexed, and copied to clone sites, it is no longer a
secret. Now combine the search power of Google with the computational power
of WolframAlpha and the results are limitless! It's raining data from these
saturated clouds, and you just need to hold out your hands for a taste:
http://resources.infosecinstitute.com/hacking-wolframalpha/


[Full-disclosure] Checking out backdoor shells

2012-05-18 Thread Adam Behnke
A backdoor shell can be a PHP, ASP, JSP, etc. piece of code which can be
uploaded on a site to gain or retain access and some privileges on a
website. Once uploaded, it allows the attacker to execute commands through
the shell_exec() function, upload/delete/modify/download files from the web
server, and many more. For defacers, it allows them to navigate easily to
the public_html or /var/www directory and modify the index of the page.

In this write-up, we will be talking about PHP backdoor shells, how they
work, how to detect them and remove them. Below is a simple PHP code that is
very popular and is scattered all over the web
(http://stackoverflow.com/questions/3115559/exploitable-php-functions;
http://shipcodex.blogspot.com/2012/01/simple-php-backdoor-shell.html). This
code allows an attacker to execute *nix commands. For the full write up at
InfoSec Institute, check here:
http://resources.infosecinstitute.com/checking-out-backdoor-shells/

[Full-disclosure] Decrypting encrypted iPhone backups

2012-05-29 Thread Adam Behnke
The data protection mechanism introduced in iOS 4 protects the sensitive data
in files on the file system and items in the keychain by adding another layer
of encryption. Data protection uses the user's passcode key and the device
specific hardware encryption keys to generate a set of class keys which
protect the designated data. Developers use the data protection API to add a
protection class flag to the files and the keychain items. On the iPhone,
protection class keys are stored in the System Keybag. During the backup,
iTunes generates a new set of protection class keys and stores them in the
Backup Keybag. Class keys stored in the System Keybag are different from the
keys in the Backup Keybag. Protected files and data in the backup are
encrypted using the class keys that are stored in the Backup Keybag. In
normal backups the Backup Keybag is protected with a key generated from the
iPhone hardware (Key 0x835) and in encrypted backups it is protected with
the iTunes password.

The article at InfoSec Institute here:
http://resources.infosecinstitute.com/iphone-forensics-part2/ discloses the
procedure to extract protection class keys from the Backup Keybag and covers
the techniques & the tools to decrypt the protected backup files and the
encrypted backups.


[Full-disclosure] Metadata exfiltration

2012-06-12 Thread Adam Behnke
In today's Information Age, data is very crucial for every organization.
Data loss for any organization can have a very negative impact financially
as well as reputation-wise. Generally organizations are aware of the
information they are revealing through different online mediums, but what
about the data that is being exposed without the knowledge of the
organization and which could be crucial from a security perspective? In this
InfoSec Institute article we are going to learn about the information hidden
in the documents and files present in the public domain which could be
sensitive from a security perspective, and how to remediate this security
issue.
http://resources.infosecinstitute.com/metadata-the-hidden-treasure/

[Full-disclosure] A Chat With The NGR Bot

2012-06-13 Thread Adam Behnke
NGR Bot (also known as Dorkbot) was examined and found to be a user-mode
rootkit that could be remotely controlled via the Internet Relay Chat (IRC)
protocol. It was designed with the intention to steal digital identity,
perform denial of service, and manipulate domain name resolution.

It spreads via Recycler bin social engineering as well as by hooking into
social networking sites.

This article aims to provide some technical insights into this NGR Bot V1.0.3
sample (MD5 "1CA4E2F3C8C327F8D823EB0E94896538") on the following topics:

(1) Encryption & tampering detection mechanism
(2) Functionalities
(3) Hooking technique
(4) Architecture set-up for communicating with this malware

To view the entire article, go here:
http://resources.infosecinstitute.com/ngr-rootkit/


[Full-disclosure] IObit Protected Folder Authentication Bypass

2012-06-15 Thread Adam Behnke
From IObit: "Protected Folder is designed to password-protect your folders
and files from being seen, read or modified in Windows 7, Vista, XP and
Server 2008, 2003. It works like a safety box, just drag and drop the
folders or files you want to hide or protect into Protected Folder, then no
one can see, read or modify them. Whether you are concerned with privacy,
data theft, data loss, or data leaks, Protected Folder is an ideal tool for
you."

Some simple bit flipping of the return value from the password-checking
function allows anyone to bypass the security of this product:
http://resources.infosecinstitute.com/iobit-bypass/


[Full-disclosure] Antivirus Evasion: Developing an undetectable USB dropper

2012-09-20 Thread Adam Behnke
Usually when we talk about bypassing antivirus software, and especially when
we talk about antivirus programs like NOD32, Kaspersky and BitDefender, we
automatically think about deep coding knowledge, using undocumented APIs or
using zero-day exploits, but this is not always true, since by applying
some "very" basic approaches we will be able to bypass most (if not all)
antivirus programs, at least for doing some basic things. Learn more about
how to develop an undetectable USB dropper at InfoSec Institute here:
http://resources.infosecinstitute.com/antivirus-evasions-the-making-of-a-full-undetectable-usb-dropper-spreader/

[Full-disclosure] Learn to Fuzz with SPIKE

2011-02-07 Thread Adam Behnke
Hi full disclosure dudes. InfoSec Institute author Stephen Bradshaw put
together a nice tutorial: A complete guide to Fuzzing, using the SPIKE
fuzzer. There is a good chance you have heard of SPIKE, maybe even attempted
to get its block based fuzzing awesomesauce to work. It is a powerful
fuzzer, but poorly documented.

Ever wanted to learn how to fuzz an unknown proprietary binary protocol?
This is your chance:

http://resources.infosecinstitute.com/intro-to-fuzzing/

Already fuzzing with SPIKE (or some other lesser tool) and want to learn how
to do some advanced vuln dev? How about some fuzzer automation for dessert:

http://resources.infosecinstitute.com/fuzzer-automation-with-spike/

Let me know what you think of this tutorial!

Adam


[Full-disclosure] SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability

2011-04-04 Thread Adam Behnke
Hi full disclosure dudes, 

 

InfoSec Institute security researcher Alec Waters has just released a new
article on SLAAC Attacks. The basic premise is to use the default network
configuration found on all Windows 7 (as well as Server 2008, Vista)
installations to intercept and hijack all network traffic without any user
knowledge or interaction. 

 

The testing in our lab shows that this attack requires no interaction on the
user's part, and is totally transparent. It is hard to detect even in
enterprise computing environments with significant security gear in place.
It works on wired and wireless networks. Even though we are exploiting the
IPv6 to IPv4 translation process, it does not require an existing IPv6
network to be set up or functional. It only requires the operating system to
have IPv6 enabled by default. Mac OS-X is also likely vulnerable, but we
have not tested it yet. 

We detail the vulnerability, the effect, as well as provide scripts and some
tools for setting up the attack here:

http://resources.infosecinstitute.com/slaac-attack---0day-windows-network-interception-configuration-vulnerability/

We contacted Microsoft over the weekend, but, because this is a default
installation configuration vulnerability, Microsoft is not able to release a
patch and states "While you are correct that this may not be something that
is easily/quickly corrected (at least with regards to just pushing out a
patch to change the default configuration if needed) this would be something
that we want to review and explore our options to mitigate against any
potential attacks. "

The fix right now is for Microsoft to default disable IPv6, but this cannot
be done retroactively to production desktops and servers because customers
may be using IPv6 for legitimate reasons. We believe the public needs to
know about the possibility of this attack, because other bad guys could have
figured it out before us and be exploiting unsuspecting companies right now.

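The post above says the hijack is hard to detect on a monitored network. One indicator a network monitor does have, assuming (as the attack's name implies) that the interception is set up with IPv6 Router Advertisements that the victims autoconfigure from, is an RA arriving from a router the network does not know about. The script below is an added example, not code from the article or from InfoSec Institute: it parses raw IPv6 frames, pulls out Router Advertisements and the prefixes they advertise, and flags any RA whose source is not on an allowlist of legitimate routers. The allowlist address, the sample packets and the build_ra() helper that produces them are constructed for the demo.

```python
"""Flag IPv6 Router Advertisements from routers that are not on an allowlist.

Added example for the SLAAC attack post; not code from the article or from
InfoSec Institute. It assumes a monitoring point hands us raw IPv6 frames
(the packets built below are constructed sample input).
"""
import ipaddress
import struct

ICMPV6 = 58            # IPv6 next-header value for ICMPv6
ROUTER_ADVERT = 134    # ICMPv6 type: Router Advertisement
PREFIX_INFO_OPT = 3    # Neighbor Discovery option: Prefix Information

# Constructed allowlist: link-local addresses of the routers we expect on this link.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}


def build_ra(src, prefix, prefix_len=64):
    """Build a minimal IPv6 + ICMPv6 Router Advertisement with one Prefix
    Information option. Only used to construct sample input; the ICMPv6
    checksum is left zero because the detector does not validate it."""
    # RA header: type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer (16 bytes)
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0x00, 1800, 0, 0)
    # Prefix Information option (32 bytes): type, len in 8-byte units, prefix
    # length, flags (L|A), valid lifetime, preferred lifetime, reserved, prefix
    opt = struct.pack("!BBBBIII", PREFIX_INFO_OPT, 4, prefix_len, 0xC0,
                      2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    payload = icmp + opt
    # IPv6 header: version/class/flow, payload length, next header, hop limit,
    # source, destination (all-nodes multicast)
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), ICMPV6, 255)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + payload


def parse_ra(pkt):
    """Return (source address, [advertised prefixes]) if pkt is an ICMPv6
    Router Advertisement, otherwise None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    if next_hdr != ICMPV6:
        return None                      # extension headers are not walked here
    src = ipaddress.IPv6Address(pkt[8:24])
    body = pkt[40:40 + payload_len]
    if len(body) < 16 or body[0] != ROUTER_ADVERT:
        return None
    prefixes = []
    pos = 16                             # options follow the 16-byte RA header
    while pos + 2 <= len(body):
        opt_type, opt_len = body[pos], body[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(body):
            break                        # malformed option: stop parsing
        if opt_type == PREFIX_INFO_OPT and opt_len == 32:
            plen = body[pos + 2]
            prefix = ipaddress.IPv6Address(body[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{plen}")
        pos += opt_len
    return src, prefixes


def check_ra(pkt, known=KNOWN_ROUTERS):
    """Classify a frame: None if it is not an RA, else ('ok' | 'ROGUE', src, prefixes)."""
    parsed = parse_ra(pkt)
    if parsed is None:
        return None
    src, prefixes = parsed
    status = "ok" if src in known else "ROGUE"
    return status, str(src), prefixes


if __name__ == "__main__":
    samples = [
        build_ra("fe80::1", "2001:db8:1::"),            # expected router (constructed)
        build_ra("fe80::dead:beef", "2001:db8:bad::"),  # unexpected advertiser (constructed)
    ]
    for frame in samples:
        print(check_ra(frame))
```

On a real link the frames would come from a capture socket or a pcap rather than from build_ra(). The parser stops at the first next-header value and does not walk IPv6 extension headers, so an RA carried behind one is reported as "not an RA"; a production monitor would handle that case and would also baseline which prefixes each allowlisted router is permitted to advertise.
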
[Full-disclosure] Reversing x64 TDSS at InfoSec Institute

2011-04-20 Thread Adam Behnke
Hello everyone,

We have a new article series on x64 TDSS up at InfoSec Institute. The series
discusses the first malware to reliably attack x64 operating systems such as
Windows Vista and Windows 7. This technically advanced malware bypasses many
protective measures in various operating systems and exploits the normal
boot process.

You can find the first article, in the series of three, here:

http://resources.infosecinstitute.com/tdss4-part-1/

In this research we focused on the most interesting and exceptional features
of the Win32/Olmarik bootkit. Special attention was paid to the bootkit
functionality which appeared in TDL4 and enabled it to begin its launch
process before the OS is loaded, as well as its ability to load an unsigned
kernel-mode driver - even on systems with kernel-mode code signing policy
enabled - and bypassing kernel-mode patch protection mechanisms. These
characteristics all make TDL4 a prominent player on the malware scene.

Your thoughts?

[Full-disclosure] Default config bug leaves 394,000 computers open proxies

2011-04-26 Thread Adam Behnke
A flaw in the PPLive video streaming software leaves quite a lot of
computers open as proxies for clickfraud, clickjacking and spam. 

A new port, TCP port 9415, was appearing regularly on websites that list
open proxies. Most of these open proxies were based in China. However, some
were also based within Taiwan and Hong Kong, and there was a small number
within the United States. Within a year, more than 394,000 instances of open
proxies listed with the TCP port 9415 being open were documented.

http://resources.infosecinstitute.com/tcp-port-9415/

[Full-disclosure] Understanding Man-In-The-Middle Attacks

2010-11-03 Thread Adam Behnke
Hi everyone, a few instructors here at InfoSec Institute have put together a
short presentation and video tutorial on how to perform a Man-In-The-Middle
(MitM) attack. You can view the presentation that diagrams out how a MitM
attack works:

http://resources.infosecinstitute.com/man-in-the-middle-demystified/

You can also view a how-to video tutorial that you can follow along with if
you have a few virtual machines to play with on your local network:

http://resources.infosecinstitute.com/video-man-in-the-middle-howto/

In a pen test, it is important to learn how to do these attacks to intercept
server to server communication, server to client communication, etc. 

Coming soon we will demonstrate how to perform a MitM attack against SSL
encrypted sessions. 

Happy hacking! 

InfoSec Institute

[Full-disclosure] Reverse Engineering the Source of the ZeroAccess Crimeware Rootkit

2010-11-15 Thread Adam Behnke
Hello everyone, we recently undertook a project to update the hands-on labs
in our Reverse Engineering Malware course, and one of our InfoSec Resources
Authors, Giuseppe "Evilcry" Bonfa defeated all of the anti-debugging and
anti-forensics features of ZeroAccess and traced the source of this
crimeware rootkit:

http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/

InfoSec Institute would classify ZeroAccess as a sophisticated, advanced
rootkit. It has 4 main components that we will reverse in great detail in
this series of articles. ZeroAccess is a compartmentalized crimeware rootkit
that serves as a platform for installing various malicious programs onto
victim computers. It also supports features to make itself and the installed
malicious programs impossible for power-users to remove and very difficult
for security experts to forensically analyze.

At the conclusion of the analysis, we will trace the criminal origins of the
ZeroAccess rootkit. We will discover that the purpose of this rootkit is to
set up a stealthy, undetectable and un-removable platform to deliver
malicious software to victim computers. We will also see that ZeroAccess is
being currently used to deliver FakeAntivirus crimeware applications that
trick users into paying $70 to remove the "antivirus". It could be used to
deliver any malicious application, such as one that steals bank and credit
card information in the future. Further analysis and network forensics
supports that ZeroAccess is being hosted and originates from the Ecatel
Network, which is controlled by the cybercrime syndicate RBN (Russian
Business Network).

Symantec reports that 250,000+ computers have been infected with this
rootkit. If 100% of users pay the $70 removal fee, it would net a total of
$17,500,000. As it is not likely that 100% of users will pay the fee,
assuming instead that perhaps 30% will, the result is $5,250,000 in revenue
for the RBN cybercrime syndicate.

It has the following capabilities:

1.  Modern persistence hooks into the OS - Make it very difficult to
remove without damaging the host OS
2.  Ability to use low level API calls to carve out new disk volumes
totally hidden from the infected victim, making traditional disk forensics
impossible or difficult.
3.  Sophisticated and stealthy modification of resident system drivers
to allow for kernel-mode delivery of malicious code
4.  Advanced Antivirus bypassing mechanisms.
5.  Anti Forensic Technology - ZeroAccess uses low level disk and
filesystem calls to defeat popular disk and in-memory forensics tools
6.  Serves as a stealthy platform for the retrieval and installation of
other malicious crimeware programs
7.  Kernel level monitoring via Asynchronous Procedure Calls of all
user-space and kernel-space processes and images, and ability to seamlessly
inject code into any monitored image

[Full-disclosure] Hijack SSL with a Man-In-The-Middle Attack

2010-11-23 Thread Adam Behnke
Hello pen testers, if you are interested in learning how to Hijack SSL with
a Man-In-The-Middle attack, check out the latest InfoSec Institute article
on the subject:

http://resources.infosecinstitute.com/mitm-using-sslstrip/

Our instructor covers how to perform the SSL attack, which tools you will
need, how to configure them, and the technical details of how the attack
works. 

This article is a follow up to our tutorial on Man-In-The-Middle attacks:

http://resources.infosecinstitute.com/video-man-in-the-middle-howto/

I hope this is useful for you guys!

[Full-disclosure] Security Incident Response Testing To Meet Audit Requirements

2010-12-10 Thread Adam Behnke
Hi everyone, InfoSec Institute author Russ McRee has written up an overview
on tools to ensure maximum readiness for incident response teams, including
drill tactics. PCI-DSS audits often require IR testing validation; drill
quarterly and be ready next audit cycle. 

http://resources.infosecinstitute.com/incident-response-and-audit-requirements/

Please let me know your thoughts. 
