Archive for the ‘Malware’ Category


Since I moved to the UK, the number of phishing emails cluttering my inbox has dramatically increased. Some of them are pretty obvious to look at and laugh about, but this one was pretty interesting.

The email looked like the one below.

[Image: natwest.jpg]

The interesting thing is that I WAS having problems signing in to my account for a couple of days. Nevertheless, following the URL took me to

http://gobelsburg.info/wordpress/wp-content/uploads/2007/06/www.nwolb.com/default.aspx/index.html

[Image: natwest2.jpg]

It looks exactly like the NatWest online banking website: http://www.natwest.com

The poor http://gobelsburg.info, on the other hand, seems to be an “innocent” host of the phishing kit: the page sits under the site's WordPress upload directory, while the trusted name www.nwolb.com appears only in the path of the URL, not in the host.
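The lure above relies on the real bank hostname appearing somewhere in a URL whose actual host is unrelated. The following is an added example, not code from the original post or from NatWest, of a small defender-side check for that pattern; the allow-list of legitimate hostnames (www.natwest.com and www.nwolb.com, taken from the post) and the extra tricks it looks for (a trusted name used as a label of a different host, and userinfo before an "@") are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list: the hostnames the bank in this post really uses.
# In practice this comes from the organisation's own inventory, not a guess.
LEGIT_HOSTS = {"www.natwest.com", "www.nwolb.com"}


def lure_indicators(url):
    """Return a list of reasons the URL looks like a brand-impersonating lure.

    An empty list means the URL is served from an allow-listed host, or shows
    none of the tricks checked here; it does not mean the URL is safe.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()  # urlparse strips any userinfo for us
    if host in LEGIT_HOSTS:
        return []

    reasons = []
    # Trick 1: the trusted name is buried in the path or query, as in the
    # post's URL, where www.nwolb.com appears under a WordPress upload folder.
    tail = (parts.path + "?" + parts.query).lower()
    for legit in LEGIT_HOSTS:
        if legit in tail:
            reasons.append(
                "trusted name %r appears in the path, but the host is %r" % (legit, host))
    # Trick 2: the trusted name is a label of a host someone else controls,
    # e.g. www.nwolb.com.example.net (constructed example).
    for legit in LEGIT_HOSTS:
        if legit in host:
            reasons.append(
                "trusted name %r is embedded in the unrelated host %r" % (legit, host))
    # Trick 3: userinfo before '@' makes the visible start of the URL the trusted
    # name while the browser actually connects to whatever follows the '@'.
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host %r" % host)
    return reasons


if __name__ == "__main__":
    for u in [
        "http://gobelsburg.info/wordpress/wp-content/uploads/2007/06/www.nwolb.com/default.aspx/index.html",
        "http://www.nwolb.com/default.aspx",
    ]:
        print(u, "->", lure_indicators(u) or "no indicators")
```

Run against the URL from the email, the function reports that www.nwolb.com appears in the path while the host is gobelsburg.info; the bank's real login URL produces no indicators. A check like this belongs in a mail gateway or a user-facing link preview, not as a replacement for verifying the host the browser actually connected to.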


Vidalia is a cross-platform controller for Tor (The Onion Router), the network anonymity system, built using the Qt toolkit. It allows the user to start, stop, and view the status of Tor, monitor bandwidth usage, view, filter, and search log messages, and configure some aspects of Tor.

The most notable feature of Vidalia is its Tor network map, which lets the user see the geographic location of servers on the Tor network, as well as where the user’s application traffic is going.

You can even dynamically change your paths (hops) and create a new identity for each connection.

Vidalia is released under the GPL. It runs on any platform supported by Qt 4.1, including Windows, Mac OS X, and Linux or other Unix-like variants using the X11 window system.

Blogged with Flock

Top 10 Web Hacks of 2006

Posted: December 16, 2006 in Malware, Security, Web Security

RSnake, Robert Auger, and Jeremiah of WhiteHatSecurity collected a list of the new 2006 web hacks. The term “hacks” loosely describes some of the more creative, useful, and interesting techniques/discoveries/compromises.

Top 10

1. Web Browser Intranet Hacking / Port Scanning – (with JavaScript and with HTML-only and the improved model)
2. Internet Explorer 7 “mhtml:” Redirection Information Disclosure
3. Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
4. Web Browser History Stealing – (with CSS, evil marketing, JS login-detection, and authenticated images)
5. Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3s)
6. Forging HTTP request headers with Flash
7. Exponential XSS
8. Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
9. Web Worms – (AdultSpace, MySpace, Xanga)
10. Hacking RSS Feeds

A more comprehensive list can be found here.


Offensive Computing just released their presentation slides, videos and sample code from their Defcon 14 talk. Their paper Further Down the VM Spiral discusses several new tools and describes some new VM detection techniques, including a generic virtual machine detector. This VM detector tries a variety of methods, including the new machine status word (MSW) method, which allows you to generically detect virtual machines regardless of whether acceleration is enabled. More information can be found here: Hacking Malware: Offense is the new Defense



There have been a few blogs out there on the subject of Google indexing not only PDFs and Docs, but executable files as well. A simple query for “Signature: 00004550” results in 192,000 (if Google’s count is accurate) links to executable files. The reason this search works is that when Google indexes an executable file, it parses the Portable Executable (PE) file format of the Windows executable. One of the things extracted from the PE file is the signature “4550”, the NT signature, present in all valid Win32 PE files. If you look at the cache, you’ll see something like this:

WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT
Technical File Information:
Image File Header
Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 3b7dc821
Symbols Pointer: 00000000

You can even find many innocent-looking sites that redirect to EXE files carrying spyware.

What’s interesting is that the results have addresses that make you think there’s nothing wrong with them (for instance: http://www.crcdatatech.com/help/): they don’t have an EXE extension, and when you go to the site you’re prompted to download the file. And if you click “run” instead of “save” or “cancel”, ahh, be prepared for the worst.

HDM (Metasploit) went on his own and developed a malware search engine, and he’s generous enough to release the code as well. You just have to type the name of a virus and you can find the queries that produce malware as search results. Some examples: MyDoom, Klez, BadTrans and other worms and trojans. He used some very well written Ruby scripts and the Google API to search for almost 300 malware signatures. More info on his tool can be found here.
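The cached record above is just the IMAGE_FILE_HEADER of a PE file, and the “00004550” is the bytes PE\0\0 read as a little-endian integer. The same content-based check is what a download proxy or mail filter can use to recognise an executable that, like the extension-less URLs mentioned above, does not announce itself by name. The following is an added example, not code from the original post, from Google or from HDM's tool: a minimal PE header parser in Python that renders the same fields as the cached record. The sample header is constructed inline (its Machine, section count, timestamp and symbol pointer are set to match the record in the post; the remaining fields are made up), and the machine-name table covers only a few well-known values.

```python
import struct

PE_SIGNATURE = 0x00004550  # the bytes b"PE\0\0" read as a little-endian 32-bit int
IMAGE_FILE_HEADER = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp,
                                 # PointerToSymbolTable, NumberOfSymbols,
                                 # SizeOfOptionalHeader, Characteristics
MACHINE_NAMES = {0x014C: "Intel 386", 0x8664: "x64", 0xAA64: "ARM64"}


def parse_pe_file_header(data):
    """Return the IMAGE_FILE_HEADER fields of a PE image, or None if data is not one.

    The check is content-based: the file name or URL extension is never consulted.
    """
    # DOS stub: must start with "MZ" and hold e_lfanew (offset of the NT headers) at 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # the 4-byte signature plus the 20-byte file header must fit in the data
    if e_lfanew + 24 > len(data):
        return None
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != PE_SIGNATURE:
        return None
    (machine, nsections, timestamp, symptr,
     nsyms, optsize, chars) = struct.unpack_from(IMAGE_FILE_HEADER, data, e_lfanew + 4)
    return {
        "signature": signature,
        "machine": machine,
        "number_of_sections": nsections,
        "time_date_stamp": timestamp,
        "symbols_pointer": symptr,
        "number_of_symbols": nsyms,
        "size_of_optional_header": optsize,
        "characteristics": chars,
    }


def render_cache_style(fields):
    """Format the fields the way the cached record quoted in the post shows them."""
    return "\n".join([
        "Image File Header",
        "Signature: %08x" % fields["signature"],
        "Machine: %s" % MACHINE_NAMES.get(fields["machine"], "%04x" % fields["machine"]),
        "Number of Sections: %04x" % fields["number_of_sections"],
        "Time Date Stamp: %08x" % fields["time_date_stamp"],
        "Symbols Pointer: %08x" % fields["symbols_pointer"],
    ])


def constructed_sample():
    """A minimal, constructed PE header whose fields match the cached record in the post."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # NT headers start right after the DOS header
    nt = struct.pack("<I", PE_SIGNATURE) + struct.pack(
        IMAGE_FILE_HEADER, 0x014C, 3, 0x3B7DC821, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + nt


if __name__ == "__main__":
    fields = parse_pe_file_header(constructed_sample())
    print(render_cache_style(fields))
    print(parse_pe_file_header(b"%PDF-1.4 not an executable"))  # None
```

Feed it the first kilobyte of any download and a non-None result means the bytes are a Windows executable whatever the URL or Content-Type claims; the length checks before each unpack are what keep a truncated or malformed header from raising instead of returning None.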



An excellent resource for security research tools:

http://research.eeye.com/html/tools/



Did you ever have a need to know whether your Windows system is sniffing traffic off the network without your knowledge?

This type of passive attack can be very difficult to detect. There are numerous third-party tools that try to detect network sniffers by looking for signs of systems with network interfaces running in promiscuous mode. Since many of these tools use network-based detection techniques that rely on bugs in operating systems and/or specific sniffer behavior, they can generate false positives and false negatives.

Microsoft has released a tool, Promqry, that can detect managed Windows systems that have network interfaces running in promiscuous mode, a key indicator that a network sniffer is running on the system. It uses a host-based detection technique instead of a network-based one to make it as accurate as possible.

Functionality:

  • Query the local systems network interfaces
  • Query a single remote systems interfaces
  • Query a range of remote systems interfaces

Additionally, the tool has the following limitations:

  • It cannot detect stand-alone sniffers.
  • It cannot detect sniffers that are running on operating systems prior to Microsoft Windows 2000.
  • It cannot remotely detect sniffers that are running on Windows systems where the network hardware has been modified specifically to avoid detection.

You can get Promqry from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en
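Promqry's approach is to ask the host itself whether an interface is in promiscuous mode rather than to probe for sniffer side effects over the network. The following is an added example, not Microsoft's code and not part of the original post, showing the same host-based check on Linux, where the kernel exposes each interface's flags under /sys/class/net/<iface>/flags and bit 0x100 (IFF_PROMISC) marks promiscuous mode. To run offline and without root it builds a constructed sysfs tree with made-up flag values; point scan_interfaces at the real /sys/class/net to check an actual host.

```python
import os
import tempfile

IFF_PROMISC = 0x100  # Linux net_device flag for promiscuous mode (linux/if.h)


def is_promiscuous(flags_text):
    """Interpret the contents of /sys/class/net/<iface>/flags, e.g. the text 0x1103."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_interfaces(sysfs_net="/sys/class/net"):
    """Return {interface: True/False} for every interface found under sysfs_net.

    This is a host-based check, like Promqry's: it asks the kernel for the
    interface state rather than probing the network for sniffer side effects.
    """
    result = {}
    for iface in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, iface, "flags")
        try:
            with open(path) as fh:
                result[iface] = is_promiscuous(fh.read())
        except (OSError, ValueError):
            continue  # not a network interface entry, or unreadable
    return result


def constructed_sysfs():
    """Build a fake sysfs tree so the scan runs offline and without root.

    Flag values are constructed: 0x1003 = UP|BROADCAST|MULTICAST,
    0x1103 = the same plus PROMISC, 0x9 = UP|LOOPBACK.
    """
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for name, flags in {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "flags"), "w") as fh:
            fh.write(flags + "\n")
    return root


if __name__ == "__main__":
    root = constructed_sysfs()  # use scan_interfaces() with no argument on a real host
    for iface, promisc in scan_interfaces(root).items():
        print("%-6s %s" % (iface, "PROMISCUOUS" if promisc else "normal"))
```

The same limitations the post lists for Promqry apply here: the check trusts what the kernel reports, so a kernel-level rootkit that hides the flag, or a stand-alone capture device that is not a host on the network, will not show up. On Windows 8 and later the equivalent value is the PromiscuousMode property reported by Get-NetAdapter.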



Helios is a new rootkit detection tool designed to detect, remove and inoculate against Windows rootkits. It uses behavioral analysis, as opposed to signature-based analysis, to catch unknown threats. It is one of the only rootkit detection tools that can operate in the background.

The website also has videos of the product in action: http://helios.miel-labs.com
