Archive for category Cybercrime & Hacking
Building your OWN Malware Lab (Part 2)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on March 7, 2010
Today’s malware strategies and tactics are advanced and sophisticated, and their main purpose is to evade antivirus products. Some samples use encryption to make detection difficult for any security software product, others add autorun entries to the registry to defend themselves against anti-malware software, or simply add a line to the hosts file to prevent the antivirus from updating its definitions.
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. The report produced by ThreatExpert includes very important information about the submitted file and is divided into two parts:
- Submission Summary:
  - Submitted file information (date, processing time and malware alias).
  - Summary of findings: here you will find the severity level and the impact on the machine (for example, creates a startup registry entry, contains characteristics of an identified security risk, etc.).
- Technical Details:
  - Possible security risk: the threat category with a short description.
  - File system modifications (here you can find the file names modified by the malware, file size, file hash, alias and a brief note about the different systems concerned).
  - Memory modifications (if a new process was created in the system).
  - Registry modifications (the new registry values created, modified or deleted).
  - Other details (contains the possible country of origin according to the analysis).
To use ThreatExpert services you can follow the free online file scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit your samples, but before submitting any files you need to register an account to be able to retrieve ThreatExpert reports.
What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis. Anubis lets the user submit a suspicious URL and receive a report showing all the activity of the Internet Explorer process while visiting that URL. The drawback is that the service is slow.
Flash, JavaScript, and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or not and provides information to help you understand why it was classified one way or the other. It also displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples.
Another tool for analyzing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable file by looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat “score.” This score can be used to identify whether a set of files is worthy of further investigation.
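The entropy check that MRC performs is easy to reproduce on your own. The following Python script is an added example written for this post; it is not MRC's code and not part of the original article. It computes Shannon entropy over fixed-size windows of a byte buffer and turns the share of high-entropy windows into a crude "likely packed" verdict. The 7.0 bits/byte threshold and the 50% cut-off are assumptions chosen for illustration, and the three samples (plain assembly-like text, a perfectly uniform blob, and a mix of both) are constructed in the script rather than taken from real binaries.

```python
import math
from collections import Counter


# Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 when all 256
# byte values occur equally often (what compressed or encrypted data looks like).
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


# Entropy of each fixed-size window, so a packed or encrypted region shows up as
# a run of near-8.0 values instead of being averaged away by the rest of the file.
def entropy_profile(data: bytes, window: int = 256) -> list:
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


# Assumed threshold: plain x86 code and text usually stay well below 7 bits/byte,
# packed or encrypted payloads sit above it. MRC's real scoring scale is its own.
HIGH_ENTROPY = 7.0


def packing_indicators(data: bytes, window: int = 256) -> dict:
    """Summarise how much of the buffer looks random; used as a triage signal."""
    profile = entropy_profile(data, window)
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    fraction = high / len(profile) if profile else 0.0
    return {
        "overall_entropy": round(shannon_entropy(data), 3),
        "windows": len(profile),
        "high_entropy_windows": high,
        "high_fraction": round(fraction, 3),
        # crude verdict (assumption): more than half the file looks random
        "likely_packed": fraction > 0.5,
    }


# Constructed samples standing in for file contents; no real binaries involved.
PLAIN_SAMPLE = b"push ebp; mov ebp, esp; sub esp, 0x40; call _init; leave; ret\n" * 40
PACKED_SAMPLE = bytes(range(256)) * 8                       # every window is uniform
MIXED_SAMPLE = PLAIN_SAMPLE[:512] + PACKED_SAMPLE[:1536]    # small stub + big blob


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(name, packing_indicators(blob))
```

On a real PE you would run packing_indicators per section (the section table gives you the offsets) rather than over the whole file, because a legitimate program with an embedded compressed resource would otherwise look partly packed; a high-entropy .text section is the interesting case.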
Now you can quickly gather information on any suspicious file. Most of these tools are free and can produce a highly detailed technical report on a sample that matches or exceeds what an antivirus lab would provide.
make sure you subscribe to my RSS feed!
Building your OWN Malware Lab (Part 1)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on February 27, 2010
Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs invest a great deal of money in analyzing and reversing viruses, but in our case we can perform the analysis using some useful tools on our own PC.
Let’s start with www.virustotal.com. If I feel that I have a suspicious file, the first thing I will do is upload it to VirusTotal. VirusTotal gives the user the ability to analyze any file with more than 40 antivirus products using the latest signature definitions; this gives a clear idea not only of whether your file is safe but also of which AV is effective. The file can be uploaded directly from the site over SSL or sent by email. You can also download and install the uploader on your PC, which lets you send files directly from your system using the context menu.

Today it is very important when reversing malware to know the virus’s behavior. The user should run the program and detect the changes in the system, but this can harm the host system; for this we need Sandboxie. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data on your computer. After installing Sandboxie you have a wide choice of tools for detecting and monitoring changes on the system: you can use Process Monitor from Sysinternals, API Monitor, or the free analysis tools from iDEFENSE Labs.
CWSandbox is another very useful tool for performing malware analysis that fulfills the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox allows tracing and monitoring of all relevant system calls and generates an automated report that describes:
• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, or which network connections were opened and what information was sent over such connections.
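The "which files the sample created or modified" part of a sandbox report, and the equivalent section of a ThreatExpert report, comes down to comparing the system before and after the sample runs. The script below is an added example written for this post, not code from CWSandbox, ThreatExpert or Sandboxie: it hashes every file under a directory, runs the comparison a second time, and prints created, modified and deleted paths with their size and SHA-256. The "before" and "after" states are constructed inside a temporary directory (a tampered hosts file, a dropped temp file, a deleted note), so it runs offline; the path names and the dropped file are invented for the scenario. Registry keys could be tracked the same way on Windows, but the example sticks to the file system so it runs anywhere.

```python
import hashlib
import os
import tempfile


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create a file below root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def snapshot(root: str) -> dict:
    """Map every file below root (relative, '/'-separated) to (sha256, size)."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[rel] = (digest, os.path.getsize(full))
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Created / deleted / modified paths between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def format_report(diff: dict, after: dict) -> list:
    """Report lines in the spirit of a 'File System Modifications' section."""
    lines = []
    for path in diff["created"]:
        digest, size = after[path]
        lines.append(f"[created]  {path}  size={size}  sha256={digest}")
    for path in diff["modified"]:
        digest, size = after[path]
        lines.append(f"[modified] {path}  size={size}  sha256={digest}")
    for path in diff["deleted"]:
        lines.append(f"[deleted]  {path}")
    return lines


def demo() -> dict:
    """Run the before/after comparison on a constructed throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "clean" state of the sandboxed system.
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "Users/analyst/notes.txt", b"baseline\n")
        before = snapshot(root)

        # Constructed effects of running a sample: a hosts-file entry that would
        # block AV updates (the behaviour described in Part 2), a dropped file,
        # and a deleted document. None of this is taken from a real sample.
        _write(root, "Windows/System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n127.0.0.1 update.av-vendor.invalid\n")
        _write(root, "Users/analyst/AppData/Local/Temp/dropper.tmp", b"MZ" + b"\x00" * 62)
        os.remove(os.path.join(root, "Users", "analyst", "notes.txt"))
        after = snapshot(root)

        diff = diff_snapshots(before, after)
        for line in format_report(diff, after):
            print(line)
        return diff


if __name__ == "__main__":
    demo()
```

In practice you take the first snapshot of the sandbox or VM before launching the sample and the second after it has run for a while; hashing whole files is fine for a lab image, and the SHA-256 of each created file is exactly what you then submit to VirusTotal.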

Malware can be very hard to remove, and sometimes the best approach to cleaning an infected machine is restoring a clean copy of the operating system. Here we reach the end of this new series on building your own malware lab.
Hackers Target Internet Forum Database
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Internet, News on January 22, 2010
A popular Irish discussion forum, Boards.ie, has today been forced to change all users’ passwords due to a security breach in which hackers compromised part of the user database on the server.
Tom Murphy, one of the portal’s founders, made an official statement that the site is “regularly the target for disruption and take continual actions to proactively protect data”.
During this attack the hackers gained access to part of the main database server, which stores usernames, email addresses and encrypted passwords for registered users. As a security measure the site started changing all users’ logins and passwords and recommended that subscribers not use the same account credentials on other websites, to prevent identity theft.
The site started life as a forum for the computer game Quake in 1998 and has more than 500 forums on a range of topics.
According to the most recent ABC internet traffic statistics in November, Boards.ie had more than 20m page views, averaging more than 1.1m page views a day.
Hacker steals 8K customer logins
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Vulnerabilities & attacks on January 13, 2010
Hackers managed to steal authentication credentials for more than eight thousand customers of a New York based bank. The incident happened after they bypassed the Internet security measures of an online banking server.
According to a press release early this week, the attack on Suffolk County National Bank (SCNB) started on the 18th of November last year and lasted about six days, while the IT team only became aware of the incident on the 24th of December during an internal audit. As a result 8378 online accounts were compromised, which is less than 10% of the total number of customers.
Once the problem was identified, they immediately took down the server to start the investigation, and the bank assured customers that there is no evidence of unauthorized account access or any suspicious activity.
Most interesting is that in the last quarter of last year the bank invested about 351 thousand dollars to protect its systems, and this incident proved that this amount of money is not enough to secure customers.
Malware is Hiding in Amazon Cloud
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Cybercrime & Hacking, News on December 12, 2009
Cybercriminals made this week unforgettable for the Amazon team after security researchers reported the presence of a Zeus botnet control center on the cloud-based EC2 (Elastic Compute Cloud).
The incident was detected after a password-stealing Zeus banking Trojan had infected client computers; the hackers had compromised a site on EC2 and were using it as their own command and control operation.
Methusela Cebrian Ferrer, senior researcher at CA, said in a blog post the following:
“The group behind this criminal activity is obviously doing it for financial gain – stealing both your identity and your money,” Ferrer stated. “In this variant, we have learned how cloud on-demand pay-as-you-use — offerings could be used to fuel such online cybercrimes.”
After this incident Amazon should review its entire environment to be sure it provides a minimum level of security for its customers.
We are also seeing a big concentration on cloud-based solutions lately. Moxie Marlinspike has started a new WiFi (WPA) password cracking service hosted in the cloud. The cracking system works by comparing the hash from a WiFi AP against 135 million possibilities in 40 minutes.
Hacking Cocktail for the Halloween!
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Internet, News on October 31, 2009
Cybercriminals never let a chance or event pass without trying to gain more illegal income or distribute their malware. Here are some cases of Internet scams and other mail tricks detected by Viruslist around Halloween. Cheap software:

Emails from illegitimate sources advertising costumes and personalized gifts:

E-cards for the Halloween:

Another, unusual case is a site that provides a browser utility you must install to send a greeting card; if the victim is in the US, Canada or certain other countries, the spammer is paid by the toolbar developer. Here the toolbar can be any kind of malicious code, which can be used to take control of the PC:

If the victim comes from a Russian IP address he is redirected to a lottery site:

This is actually fully expected: hackers are always optimizing their website links with spam and website redirection accompanied by text intended to attract interest. These kinds of attacks are intended to spread malicious software, gain more illegal money or harvest more personal credentials. Happy Halloween!
Screenshot sources: Viruslist website.
Compromised Webmails Used for Sending Spams
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, News on October 12, 2009
After last week’s news about the hacking of a large number of email accounts, many security experts noticed a jump in the amount of spam.
Websense Security Labs announced a significant increase in the number of junk emails over the last few days.
Spam has been sent from the compromised email accounts (Hotmail, Gmail and Yahoo) to the people in their contact lists, and many victims assume they are receiving mail from people they know.
Websense research manager Patrick Runald mentioned that the level of spam increased in the last week, which matches the publication of the stolen email addresses on the Internet. This shows how hackers can benefit from any kind of information, even contact lists.
Runald also noted that these spams lure users to visit fake online shopping websites; these sites offer reasonable discounts on some good products, but after you pay you never receive your order.
The Websense research manager also mentioned that the number of phishing attacks is decreasing, especially as cybercriminals prefer more effective ways to steal passwords, such as Trojans.
DDoS Attack Hits Amazon Cloud!
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Cybercrime & Hacking on October 6, 2009
Bitbucket, a web service designed to host programming projects, faced an outage last weekend; the failure period was more than 19 hours, which is relatively long. According to Amazon the incident was due to a DDoS attack on their computing infrastructure.
This attack can only raise doubts about the IT services provided by Amazon (Amazon Elastic Compute Cloud, EC2). We had previously posted on several cases of DDoS attacks; Jesper posted on the company blog some details about the incident, which is unusual.
The story started when they noticed a high load on the server, even after turning off everything that took up CPU. They submitted an “urgent” ticket to the Amazon support system and within 5 minutes support responded by phone to help with the issue.
Later, support identified the problem: a massive flood of UDP packets targeting the Bitbucket website and consuming the whole bandwidth to the box. This is what we call a distributed denial of service.
The source of the attack was not identified, but the developer assumed that the attack targeted one of their projects.
McAfee Announces Major Initiative to Fight Cybercrime
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking on October 6, 2009
Security software company McAfee yesterday published a multipoint strategy to fight cybercrime.
This announcement aims to reduce the risks to national critical infrastructure; the initiative was launched one year ago with a focus on three key areas: legal frameworks and law enforcement, education and awareness, and technology and innovation.
McAfee has emphasized that energy, telecommunications and transport systems are particularly vulnerable to attacks, which could cause the economy to stumble.
Here you can read more about McAfee Multipoint Strategy to Fight Cybercrime.
About McAfee Inc.
McAfee, Inc., headquartered in Santa Clara, California, is the world’s largest dedicated security technology company. It delivers proactive and proven solutions and services that secure systems and networks around the world, allowing users to browse and shop the Web securely. With its unmatched security expertise and commitment to innovation, McAfee empowers home users, businesses, the public sector and service providers by enabling them to comply with regulations, protect data, prevent disruptions, identify vulnerabilities and continuously monitor and improve their security. http://www.mcafee.com.
What’s wrong with Twitter?
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Internet, News, Social Networking, Web Security on August 9, 2009
On the 6th of August Twitter went down for a pretty long period. After a while a brief message was added to the Twitter status page saying they were fighting off a DDoS attack right now. The most interesting thing is that the distributed denial-of-service attack also affected Facebook, LiveJournal and Google’s Blogger.
The idea of a distributed denial-of-service (DDoS) attack on these sites is that computers compromised by viruses or other malware are instructed by the hacker to visit specific web sites all at the same time and repeatedly. The barrage of connection requests overwhelms the target sites, so that legitimate web traffic can’t get through.
So this attack requires tens of thousands of machines, which together form a botnet and in a few seconds can take any website down, as in the case of the Finjan report “Your PC might be traded online – without you knowing about it!”.
To avoid becoming part of a botnet, install an antivirus with the latest signatures and from time to time check the netstat command on Windows to see whether there are any unusual connections from your PC.
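Reading netstat output by eye gets tedious, so here is an added example (written for this post, not code from any of the tools or vendors mentioned) that parses the output of `netstat -ano` on Windows and flags established TCP sessions to external hosts on ports you would not expect from normal browsing. The netstat lines are a constructed sample, not a real capture; the documentation addresses 203.0.113.20 and 198.51.100.77 stand in for unknown Internet hosts. The definition of "internal" (RFC 1918 plus loopback) and the expected-port list (80 and 443) are assumptions you would tune for your own machine.

```python
import ipaddress

# Constructed sample of `netstat -ano` output on a Windows host (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49733     203.0.113.20:443       ESTABLISHED     4120
  TCP    192.168.1.10:49801     198.51.100.77:6667     ESTABLISHED     5312
  TCP    192.168.1.10:49802     192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1204
"""

# Address space treated as "inside": RFC 1918 ranges plus loopback (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Remote ports this host is expected to talk to (assumption: plain web browsing).
# An established session to an external address on any other port gets flagged.
EXPECTED_REMOTE_PORTS = {80, 443}


def parse_netstat(text: str) -> list:
    """Turn `netstat -ano` lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:   # UDP rows carry no State column
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def split_endpoint(endpoint: str):
    """'host:port' -> (host, port); handles bracketed IPv6 and the '*:*' wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_internal(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:            # '*' or a hostname: nothing to classify
        return True
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def suspicious_connections(rows: list) -> list:
    """Established TCP sessions to external hosts on ports outside the expected set."""
    findings = []
    for row in rows:
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(row["foreign"])
        if is_internal(host) or port in EXPECTED_REMOTE_PORTS:
            continue
        findings.append(row)
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {f['pid']}: {f['local']} -> {f['foreign']} ({f['state']})")
```

The PID column is the useful part of the finding: `tasklist /FI "PID eq 5312"` tells you which process owns the session, and a process you do not recognise holding a long-lived connection to an unknown address on an odd port is exactly the "unusual connection" the post suggests looking for.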