Sunday, 24 August 2008

Visit Hacking4All.com!

I have a new site: http://hacking4all.com !
The domain is going to be turned into a computer security forum.
It's still a work in progress but if you have the time, check it out, it'll be worth it!

Wednesday, 4 June 2008

'Google Bot' to blame for recent mass hacks

Mass hacks have become increasingly prevalent over the past year. However, despite the large number of recent mass hacks, each attack appears almost identical to the others.
For example, all appear to have originated from China (the 'Super Bowl' incident and March's 'dota11' attacks being two examples), all employ SQL injection, and all use 'GoogleBot'[1] to their advantage...


A few months ago I blogged about 'Google Hacking', a relatively new trend in the hacking community that uses the popular search engine 'Google'[2] to locate vulnerabilities in websites indexed by Google's crawler, 'GoogleBot'.


This is generally done with the aid of automated search tools that send precise queries ("dorks") to Google, and it is what the Chinese hackers in question have been using to locate and then exploit their targets. Until recently that was only what the computer security community assumed; it could not be confirmed until the 'SANS Internet Storm Center'[3] extracted the actual executable used in the 'dota11' attack from the exploit code on an infected domain (for an exact description of the application and its functions, see http://isc.sans.org/diary.html?storyid=4294).
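The SQL injection step that these mass hacks rely on, as an added example that is not part of the original post and is not the 'dota11' tool itself: a search handler that concatenates the user's term into the query, beside the parameterised version of the same query. It runs against an in-memory SQLite database; the tables, rows and the injected payload are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal SQL-injection
demonstration against an in-memory SQLite database.  Table names, rows
and the payload are constructed for illustration only."""
import sqlite3


def make_db():
    """Build a throwaway database standing in for a vulnerable site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO pages(title, body) VALUES ('Welcome', 'Hello world');
        INSERT INTO pages(title, body) VALUES ('Admin notes', 'internal');
        INSERT INTO users(username, password) VALUES ('admin', 'hunter2');
        """
    )
    return conn


def search_vulnerable(conn, term):
    """Concatenates user input into the statement: the classic injectable pattern."""
    sql = "SELECT title FROM pages WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Same query with a bound parameter; the input can never alter the SQL grammar."""
    sql = "SELECT title FROM pages WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed payload: closes the string literal, appends a UNION that pulls
# credentials out of an unrelated table, and comments out the trailing quote.
PAYLOAD = "x%' UNION SELECT username || ':' || password FROM users --"


def demo():
    """Run both handlers on the same payload and return what each gives back."""
    conn = make_db()
    leaked = search_vulnerable(conn, PAYLOAD)  # credentials from the users table
    safe = search_safe(conn, PAYLOAD)          # empty: the payload is just a search string
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler lets the attacker's quote character end the string literal, after which the rest of the payload is parsed as SQL; the parameterised handler hands the payload to the driver as data, so the same input is merely a (non-matching) search term.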

The screenshot shows that the executable is an automated 'Google Hacker', much like the 'Goolag' scanner released by 'Cult of the Dead Cow' ('cDc') earlier this year.


It seems that we can expect to see significantly more 'Google Hacking' in the future especially in the instance of mass hacks.




[1]: http://www.google.com/support/webmasters/bin/topic.py?topic=8843
[2]: http://www.google.com/
[3]: http://isc.sans.org/diary.html?storyid=4294

I'm back

I've decided to get back to writing blog articles when I have the time. Sorry all for the brief hiatus, but I have been fairly busy recently and simply haven't had the time needed for a blog.

I'll be posting a new computer security article at least once a week.

Thursday, 10 April 2008

'Storm worm' creators lose track of time

It seems the creators of the 'Storm Worm' have started yet another Valentine's Day campaign... this time in April.
E-mails have been spammed out with body text offering Valentine's Day e-cards and linking to abused 'Google Blogspot' pages. These pages rely purely on social engineering: they require the user to download and run the 'Storm' executable themselves, and no exploits are present.

It seems 'Blogspot' is now a popular target for malware authors: it has recently been used by spammers as a redirection step to distribute the 'Zlob' trojan, and now 'Storm'.
This may also represent yet another link between the 'RBN' ('Russian Business Network') and the 'Storm Worm', as the 'Zlob' trojan has been confirmed to be of RBN origin.

The executables involved in this wave are 'love.exe' and 'withlove.exe', and both are hosted on fast-flux domains (domains whose DNS records rotate rapidly through the IP addresses of infected hosts, so that no single takedown removes the download site).

We do not know why the 'Storm' authors have decided to run a Valentine-based campaign this April and I doubt we ever will.

Sunday, 6 April 2008

"April Fool's! You're infected with storm!"

It seems that while I was away in Italy (the past week), the 'Storm' worm got up to its old tricks: in light of the recent April Fool's Day, a new e-mail spam campaign has been pushing Storm.
Generally displaying short body phrases such as "Happy April Fool's Day", the e-mails all contain numeric-IP HTTP links leading to a page like this one:

After 5 seconds, 'funny.exe' starts downloading automatically; the "click here" link downloads 'foolsday.exe' and clicking the image downloads 'kickme.exe'.
Whichever route the user takes, all three files are simply a new 'Storm' variant.

Sunday, 23 March 2008

'Google Hacking' in detail


A new trend in the hacking world, 'Google Hacking', enables individuals to locate vulnerabilities, harvest sensitive information and even acquire 'warez' simply via Google search.
Recently made particularly popular by the 'grayhat'[1] hacking group 'Cult Of The Dead Cow'[2] (or 'cDc', creators of the infamous remote access tool 'Back Orifice') and by 'johnny.ihackstuff.com'[3] ('JIHS'), 'Google hacking' is the use of Google's advanced query syntax to locate security-relevant information via specially crafted queries (or "dorks").

An example of a "dork" is as follows:

intitle:"index of admin"

The 'intitle:' operator restricts the match to the title of a web page, and the inverted commas make Google treat the words as one exact phrase rather than as separate keywords.
As 'GoogleBot' crawls the web it indexes every page it can reach, including an 'admin' directory whose listing has been left browsable (a web server's automatic directory listing is titled "Index of /admin"). This "dork" therefore lets users find, and browse, indexed admin directories.

Here is a more relevant example of how 'Google Hacking' can be used to find and attack vulnerable domains.

intext:"POWERED BY HIT JAMMER 1.0"

The 'intext:' operator restricts the match to the body text of each resulting page, and again the inverted commas require the exact phrase.

The description of this particular "dork" from the 'JIHS' Google Hacking Database[4] follows:

"Hit Jammer is a Unix compatible script that allows you to manage the content and traffic exchange and make web changes, all without needing HTML. It is typically used by the underground sites on the Net who "pay for surfing ads" and advertise spam services or software. An attacker can find these sites by searching for the typical "powered by hit jammer !" phrase on the bottom of the main page. Then if he changes the URL to www.target.com/admin/admin.php he is taken to the admin panel. Hit Jammer administrators are warned to protect this page with the .htaccess logon procedure, but many fail to do just that. In such cases, customer information like email addresses and passwords are in clear view of the attacker. Since human beings often use one simple password for many things this is a very dangerous practice."

As you can see, 'Google Hacking' can be an extremely powerful tool, whether for simple 'whitehat' auditing of your own domain or for 'blackhat' hacking.
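To make the operators concrete, here is an added example that is not part of the original post: a small evaluator for the 'intitle:', 'intext:', 'inurl:' and 'site:' operators and quoted phrases, run over constructed page records in place of live Google results. It goes slightly beyond the two dorks above by handling several operators in one query, and it doubles as the 'whitehat' use: a site owner can run a dork list over their own indexed pages and see which ones a "dork" would expose. The pages and dorks are made up; the punctuation-stripping in `norm()` is an approximation of how a search engine tokenises text, not Google's actual algorithm.

```python
"""Added example (not part of the original post): a toy evaluator for Google
dork operators, run offline over constructed page records."""
import re
import shlex
from urllib.parse import urlparse

OPERATORS = ("intitle", "intext", "inurl", "site")

# Constructed stand-ins for pages a crawler would have indexed.
PAGES = [
    {"url": "http://example.com/admin/", "title": "Index of /admin",
     "text": "Parent Directory  config.php  users.db"},
    {"url": "http://example.com/", "title": "Example Traffic Exchange",
     "text": "Welcome, surfers. Powered by Hit Jammer 1.0"},
    {"url": "http://other.example.net/blog/", "title": "My blog",
     "text": "Nothing interesting here."},
]


def norm(s):
    """Lower-case and reduce punctuation runs to one space (approximation of
    search-engine tokenising, so 'Index of /admin' and 'index of admin' agree)."""
    return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()


def parse_dork(dork):
    """Split a dork into (operator, value) pairs; bare terms get operator 'any'.
    shlex keeps a quoted phrase together, e.g. intitle:"index of admin"."""
    terms = []
    for token in shlex.split(dork):
        op, sep, value = token.partition(":")
        if sep and op.lower() in OPERATORS:
            terms.append((op.lower(), value.lower()))
        else:
            terms.append(("any", token.lower()))
    return terms


def matches(page, terms):
    """All terms must hold: operators within one query are implicitly ANDed."""
    title, text = norm(page["title"]), norm(page["text"])
    url = page["url"].lower()
    host = (urlparse(page["url"]).hostname or "").lower()
    for op, value in terms:
        if op == "intitle" and norm(value) not in title:
            return False
        if op == "intext" and norm(value) not in text:
            return False
        if op == "inurl" and value not in url:
            return False
        if op == "site" and host != value and not host.endswith("." + value):
            return False
        if op == "any" and norm(value) not in title and norm(value) not in text:
            return False
    return True


def audit(pages, dorks):
    """Whitehat use: report which of your own indexed pages each dork exposes."""
    return {d: [p["url"] for p in pages if matches(p, parse_dork(d))] for d in dorks}


if __name__ == "__main__":
    for dork, hits in audit(PAGES, ['intitle:"index of admin"',
                                    'intext:"POWERED BY HIT JAMMER 1.0"']).items():
        print(dork, "->", hits)
```

Pages that a dork list hits are the ones to fix first, typically by turning off directory listings and putting the admin panel behind authentication, and then by asking Google to drop the cached copy.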


The release of cDc's 'Goolag Scanner'[5], a program that searches domains for vulnerabilities using "dorks", has greatly increased the appeal of "Google Hacking" in the 'script kiddie' world, and the effect has been reinforced by the JIHS 'Google Hacking Database'[6].
Given Google's already immense popularity, 'Google Hacking' can be expected to remain a prevalent factor in the world of computer security.

[1] : http://en.wikipedia.org/wiki/Grey_hat
[2] : cultdeadcow.com
[3] : http://johnny.ihackstuff.com/
[4] : http://johnny.ihackstuff.com/ghdb.php?function=detail&id=288
[5] : http://www.goolag.org/
[6] : johnny.ihackstuff.com/ghdb.php

Sunday, 9 March 2008

Security companies recommend disabling FireWire

During the 'PacSec' security conference of 2004, Maximillian Dornseif demonstrated how an individual with physical access to a computer's FireWire port may gain access to its internal memory.
Simply by plugging a modified 'iPod' or a laptop into the computer's FireWire port, an attacker can read and write the machine's RAM directly, and thereby install malware, harvest encryption keys, unlock 'Windows' and perform a number of other malicious activities.


Many people are not yet aware of this issue, and though the vulnerability was demonstrated in 2004 no fix has been produced. The root cause is a design property rather than a bug: the FireWire (IEEE 1394) bus lets an attached device read and write host memory directly (DMA) without the operating system mediating each transfer, so protection has to come from disabling the port or its driver. As a result, security experts are recommending that users disable any unused or rarely used FireWire ports.
Users who wish to learn more about this issue can download the 'PowerPoint' presentation Dornseif used for his talk from the 'PacSec' website[1].

[1] : http://www.pacsec.jp/psj04/psj04-dornseif-e.ppt

Wednesday, 5 March 2008

Symbian, meet Windows' old friend: extortionware

Yesterday, 'McAfee Avert Labs' discovered yet another piece of mobile malware, this time aimed at 'Symbian Series 60' mobile phones. This one, like the last, originated from China and has been dubbed 'SymbOS/Kaizha.A' by McAfee.
The 'extortionware' displays a message informing the user that if they do not send RMB 50 (approximately $7) to the malware author, they will never regain use of their phone.


Image property of 'mobilab.unina.it'

The extortionware is also bundled with several other droppers, emphasising the point that the distribution of malware aimed at mobile devices is rising at an alarming rate.
Anti-virus applications for mobile devices are already beginning to become available and can be expected to be seen much more of in the future.
Who knows, perhaps 'Microsoft', 'Nokia' and other large mobile technology brands will begin shipping their products with anti-virus software installed.
One thing is for certain: the majority of end users are not even aware of the mobile threats out there, and education is required as these threats continue to become more prevalent.

"MonaRonaDona": A revolution in social engineering

Recently, infections by the malware "MonaRonaDona" have become increasingly prevalent.
Once "MonaRonaDona" is installed on a user's system, it displays the following message:

"Hi, My name is MonaRonaDona. I am a virus & I am here to Wreck your PC. If you observe strange behaviour with your PC, like program windows disappearing e.t.c, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humainty."

Once active, "MonaRonaDona" attempts to terminate the following applications:
Date And Time
Windows Task Manager
Registry Editor
Irfanview
Google Talk
Macromedia
Adobe
Microsoft Visual
Windows Media Player
Winamp
Microsoft Office
Microsoft Excel
Microsoft Word
Messenger
The 'Internet Explorer' title bar is also modified to contain text regarding "MonaRonaDona".

Immediately after infection, however, none of this activity is visible, because the malware only registers itself to run when 'Windows' boots. As a result, how "MonaRonaDona" actually infects computers is still unknown, since by the time symptoms appear users often cannot remember what they did prior to the infection.

However, this is where it gets interesting. Given such actions as displaying a warning message once installed, actively terminating common 'Windows' applications and displaying messages in application title bars, we are forced to ask ourselves a simple question:

"Why does the malware author want "MonaRonaDona" to be noticed by the user to such an extent?"

The answer lies in a simple search for "MonaRonaDona" in one of today's popular search engines. The query directs the user to a page similar to this one:

Or alternatively a 'Digg' (a popular content sharing domain) article or 'YouTube' video, all advertising the same product:
"Unigray antivirus".

The article displayed in the image claims that "MonaRonaDona" can be removed with the following legitimate applications:

'Kaspersky'
'AVG'
and 'McAfee'

In reality, only 'Kaspersky' had included "MonaRonaDona" in its signature files (as 'Trojan.Win32.Monagrey.a').
The article also claims that the best application for removing the malware is 'Unigray Antivirus'.
'Unigray Antivirus' is an application that appeared on the web at the same time as detections of "MonaRonaDona" began.
Furthermore, when 'Kaspersky Lab' examined the application, it was found to detect (and only to a minimal standard) 19 different threats, including "MonaRonaDona", yet to remove only one... "MonaRonaDona".
Comparing the code of "MonaRonaDona" with that of 'Unigray' also reveals many similarities.
It is therefore extremely probable that the individual(s) behind "MonaRonaDona" are the same individual(s) who created "Unigray Antivirus".
It seems social engineering techniques are becoming increasingly devious and manipulative, that fraudware/malware authors are gaining more insight into the psychology of their victims, and that they can be expected to employ social engineering as an infection vector more regularly.

'Storm' returns to 'e-cards'

It seems the 'Storm' worm has returned to its earlier tactic of spreading via fake 'e-cards'.
A large number of e-mails promising humorous 'e-cards' have been spammed around the globe.
The e-mails direct the user to a numeric-IP link to a site hosted on 'Storm'-infected computers. The site purports to be the well-known legitimate 'e-card' site 'funnypostcard.com' (the legitimate domain's owners are in no way responsible for these attacks).
Once a user clicks the link, they are presented with a page similar to this one:

Clicking the "click here" text prompts the user to download 'e-card.exe', clicking the image also downloads 'e-card.exe', and if the user remains inactive for 5 seconds a download of 'ecard.exe' starts automatically.
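The Storm waves described in this post and in the April Fool's post above share two tell-tale signs: the link's host is a bare IP address rather than a domain name, and the download is a Windows executable. As an added example that is not part of the original posts, the Python below pulls URLs out of mail bodies and flags both indicators so that a mail-triage script can surface these messages; the sample messages and the IP addresses in them are constructed.

```python
"""Added example (not part of the original posts): a small mail-triage helper
that flags the two indicators shared by the Storm spam waves above, a URL
whose host is a bare IP address and a URL that fetches an executable.
The sample messages below are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat")


def indicators(url):
    """Return the set of suspicious traits of one URL (empty if it looks clean)."""
    parsed = urlparse(url)
    traits = set()
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)       # raises ValueError for a normal hostname
        traits.add("numeric-ip-host")
    except ValueError:
        pass
    if parsed.path.lower().endswith(EXEC_SUFFIXES):
        traits.add("executable-download")
    return traits


def triage(body):
    """Map every URL in a message body to its indicator set, dropping clean URLs."""
    found = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")          # punctuation glued to the end of a link
        traits = indicators(url)
        if traits:
            found[url] = traits
    return found


# Constructed samples modelled on the campaigns described in the posts.
SAMPLES = {
    "storm_ecard": "Someone sent you a funny postcard! View it: http://203.0.113.7/ecard.exe",
    "storm_fools": "Happy April Fool's Day http://198.51.100.22/",
    "benign": "Your order shipped, track it at https://www.example.com/track?id=42.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

A numeric-IP link on its own is not proof of malice (plenty of internal tooling uses raw addresses), so treat each trait as a score rather than a verdict; a message carrying both, as the e-card wave does, is worth quarantining for a closer look.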