Archive for category Tools
Building your OWN Malware Lab (Part 2)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on March 7, 2010
Today’s malware strategies and tactics are advanced and sophisticated, and their main purpose is to trick antivirus products. Some samples use encryption to make detection difficult for any security software product, others add AutoRun entries to the registry to defend themselves against anti-malware software, or simply add a line to the hosts file to prevent the antivirus from updating its definitions.
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. The report produced by ThreatExpert includes very important information about the file and is divided into two parts:
- Submission Summary:
  - File submission information (date, processing time and malware alias).
  - Summary of the findings: here you will find the severity level and the impact on the machine (such as “Creates a startup registry entry”, “Contains characteristics of an identified security risk”, etc.).
- Technical Details:
  - Possible Security Risk: the threat category with a short description.
  - File System Modifications (here you can find the filename modified by the malware, the file size, file hash, alias and a brief note about the different systems concerned).
  - Memory Modifications (if a new process was created in the system).
  - Registry Modifications (the registry values created, modified or deleted).
  - Other details (possible countries of origin according to the analysis).
To use the ThreatExpert services you can follow the Free Online File Scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit your samples, but before submitting any files you need to register an account to be able to retrieve ThreatExpert reports.
What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis. Anubis lets the user submit a suspicious URL and receive a report that shows all the activities of the Internet Explorer process while visiting that URL. The negative point is that the service works slowly.
Flash, JavaScript, and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or not and provides information to help you understand why it was classified one way or the other. It also displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples.
Another tool for analyzing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable file by looking at things such as entropy (in other words, randomness), indications of packing, compiler and packer signatures, the presence of digital signatures, and other characteristics to generate a threat “score.” This score can be used to identify whether a set of files is worthy of further investigation.
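The entropy indicator that MRC uses is easy to reproduce yourself. The following added example (my own code, not MRC's) computes Shannon entropy per chunk of a file and turns the fraction of random-looking chunks into a crude packing score; the 7.0-bit threshold and the constructed sample file are assumptions for this example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for
    uniformly distributed bytes (what packed or encrypted sections look like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_chunks(data: bytes, chunk_size: int = 1024, threshold: float = 7.0):
    """Offsets (and entropy) of every chunk above `threshold`. The 7.0-bit cutoff
    is an assumption for this example, not MRC's own rule."""
    hits = []
    for off in range(0, len(data), chunk_size):
        e = shannon_entropy(data[off:off + chunk_size])
        if e > threshold:
            hits.append((off, round(e, 3)))
    return hits


def packing_score(data: bytes, chunk_size: int = 1024, threshold: float = 7.0) -> float:
    """Fraction of chunks that look random; a crude 0..1 'packed?' indicator."""
    chunks = max(1, math.ceil(len(data) / chunk_size))
    return len(high_entropy_chunks(data, chunk_size, threshold)) / chunks


# Constructed sample: 1 KiB of plain text followed by 4 KiB of seeded pseudo-random
# bytes standing in for a packed section (deterministic, so results are repeatable).
_rng = random.Random(1234)
TEXT_PART = (b"This is a plain text section of the sample file. " * 21)[:1024]
PACKED_PART = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE = TEXT_PART + PACKED_PART

if __name__ == "__main__":
    print("text region entropy:  ", round(shannon_entropy(TEXT_PART), 3))
    print("packed region entropy:", round(shannon_entropy(PACKED_PART), 3))
    print("high-entropy chunks:  ", high_entropy_chunks(SAMPLE))
    print("packing score:        ", packing_score(SAMPLE))
```

A real PE should be scored per section (using the section table) rather than over the raw file, since resources and legitimately compressed data also score high.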
Now you can quickly gather information on any suspicious file. Most of these tools are provided for free and can turn a sample into a highly detailed report whose technical details match or exceed those of an antivirus lab.
make sure you subscribe to my RSS feed!
Building your OWN Malware Lab (Part 1)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on February 27, 2010
Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs have invested a great deal of money in analyzing and reversing viruses, but in our case we can perform the analysis using some useful tools on our own PC.
Let’s start with www.virustotal.com. If I feel that I have a suspicious file, the first thing I do is upload it to VirusTotal. VirusTotal gives the user the ability to analyze any file with more than 40 antivirus products. With the latest signature definitions, this gives a clear idea not only of whether your file is safe but also of which AV is effective. The file can be uploaded directly from the site using SSL or sent over email. You can also download the uploader and install it on your PC, which lets you send files directly from your system using the context menu.

Today it is very important when reversing malware to know the virus behavior. The user should run the program and detect the changes on the system, but this can harm the main system; for this we need Sandboxie. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data on your computer. After installing Sandboxie you have a big choice of tools for detecting and monitoring the changes on the system: you can use Process Monitor from Sysinternals, API Monitor or the free analysis tools from iDEFENSE Labs.
CWSandbox is another very nice tool for performing malware analysis that fulfills the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox allows tracing and monitoring of all relevant system calls and generates an automated report that describes:
• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, or which network connections were opened and what information was sent over such connections.
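The “detect the changes on the system” step done with Sandboxie and Process Monitor, and the created/modified file list in a CWSandbox report, can be prototyped with a before/after snapshot of the file system. The following added example (my own code, not from any of the tools named here) hashes a directory tree before and after a sample runs in the sandbox and classifies files as created, modified or deleted; the temporary tree and the simulated sample activity in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map every file under `root` (path relative to root, '/'-separated) to its
    (size, sha256); taken once before and once after the sample runs."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (os.path.getsize(full), digest)
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify the changes the way a sandbox report does: created, modified, deleted."""
    return {
        "created": sorted(p for p in after if p not in before),
        "deleted": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
    }


def demo() -> dict:
    """Constructed run in a temporary tree standing in for the sandboxed system:
    the 'sample activity' below is simulated by this script, not a real sample."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "Windows", "System32", "drivers", "etc")
        os.makedirs(etc)
        hosts = os.path.join(etc, "hosts")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("benign\n")
        before = snapshot(root)
        # Simulated sample activity: a dropped file, a hosts-file edit of the kind
        # used to block AV updates (placeholder hostname), and a deleted file.
        with open(os.path.join(root, "Windows", "dropped.exe"), "wb") as f:
            f.write(b"MZ\x90\x00")
        with open(hosts, "a") as f:
            f.write("127.0.0.1 av-update.example\n")
        os.remove(os.path.join(root, "readme.txt"))
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

On a real sandbox, point snapshot() at the sandboxed drive root before and after the run and compare the result with the Process Monitor trace; a hosts file or registry export that shows up as modified is exactly the behaviour described in Part 2.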

Malware can be very hard to remove, and sometimes the best approach to cleaning an infected machine is to restore a clean copy of the operating system. Here we arrive at the end of this new series on Building your own Malware Lab.
Apache SpamAssassin New Release
Posted by Mourad Ben Lakhoua in News, Software Security, Tools on January 27, 2010
A new version of the anti-spam filter SpamAssassin has been released today; the free anti-spam solution is widely used by hundreds of thousands of organizations around the globe.
Apache SpamAssassin 3.3.0 offers a new way of updating rules for spam filtering. Now the rules database is separated from the main product and loaded through automatic updates. This approach was provided as an option in previous versions.
SpamAssassin supports a huge number of filtering mechanisms, including text analysis, Bayesian filtering, DNS blocklists, collaborative filtering databases and much more. All these methods help in spam identification and reduce false positives (ham incorrectly marked as spam).
You can download Apache SpamAssassin 3.3.0 here.
US CERT Warns of PhoneSnoop Attack Against BlackBerry
Posted by Mourad Ben Lakhoua in Tools, Vulnerabilities & attacks, hacking on October 28, 2009
US-CERT issued a new warning concerning a free application that allows an attacker to spy on phone conversations. The program must be installed on the victim’s device, and after installation the attacker is able to listen to all of the victim’s calls.
This free application is called PhoneSnoop, and despite the fact that it provides functionality similar to FlexiSPY, this is the first free program of its kind. Chirashi Zensay, the creator of this tool, posted on his blog: “PhoneSnoop demonstrates how a BlackBerry can be used to spy on its owner. While the BlackBerry remains one of the more secure devices out there, user awareness and education is paramount to remaining completely safe from spyware. I tweaked the application since my first post now allowing anyone to download, install and try it. PhoneSnoop now has the ability for a user to customize the ‘trigger number’; rather than me having to give out customized versions.”
This program was released to demonstrate how easy it is to exploit a vulnerability on BlackBerry devices, and currently there is an effort to release new software that can route SMS messages to an attacker.
US-CERT currently encourages users to only download BlackBerry applications from trusted sources and to password protect and lock BlackBerry devices.
DisCryptor Protects Your Privacy
Posted by Mourad Ben Lakhoua in Privacy & data protection, Software Security, Tools on October 26, 2009
DisCryptor is a complete software package for protecting your privacy: a free personal product to save sensitive data, send important documents via e-mail and transfer folders on USB memory in an easy and very fast way.
After installation you have a very rich dashboard that provides a tab for creating a new virtual or physical drive, so it only takes a click to start encrypting the disk.
You can also create a traveler disk. This feature encrypts your USB drive so that its entire content is protected with a very high security level. The interesting point is that you can later open your files on any PC, even one without DisCryptor installed: by choosing the Travel disk functionality you burn autorun software to a CD/DVD, and you then only need the CD and the USB device or external hard drive to open your files.
It is also possible to use this software package to encrypt individual files. A file encrypted by DisCryptor always has a .DCF extension and the DisCryptor logo as its icon.
Maybe the biggest headache for anyone is remembering passwords. You can imagine how a person is supposed to remember thousands of passwords, or writes them on a sheet of paper; all of this is very risky and easy to lose. This software solves the issue by providing a password manager that stores passwords in encrypted form (hash functions include SHA-256, SHA-384 and SHA-512). When you create a password it automatically shows the security level of that password according to the chosen security profile; it is recommended to use the strongest password possible and to keep track of your passwords.
Currently there are three types of license: a free Personal edition, a Business edition and an Enterprise edition. You can read more details about DisCryptor here.
TrueCrypt 6.3 Free Open-Source Disk Encryption Software
Posted by Mourad Ben Lakhoua in Encryption, Software Security, Tools on October 23, 2009
TrueCrypt, one of the most popular tools for encrypting and hiding partitions on Linux, Mac OS and Windows systems, has released a new version.
The new features at this release include:
• Full support for Windows 7.
• Full support for Mac OS X 10.6 Snow Leopard.
• The ability to configure selected volumes.
TrueCrypt is an open-source, multi-platform application that allows you to create secure, encrypted folders for your data.
It is always recommended to use TrueCrypt instead of other built-in encryption systems because it can hide your volumes and make it impossible for anyone to notice that the file exists on the hard disk; it also provides a flexible way to choose encryption algorithms.
With TrueCrypt your data remains encrypted until you need it. More details about the release can be found here.
Microsoft Security Essentials First Week
Posted by Mourad Ben Lakhoua in Anti-Viruses, News, Tools on October 20, 2009
Microsoft Security Essentials, the new antivirus solution, was downloaded by 1.5 million users during its first week.
The free antivirus was able to detect 4 million pieces of malicious software between 29 September and 6 October on 535,752 PCs. The majority of these infected computers were running Windows XP, while we find fewer infections on Windows Vista and Windows 7.
According to Microsoft, the most common infections reported by computers in the United States were trojans, while in China computers are more often infected by several malicious applications including adware and spyware, and in Brazil the main malware are worms, especially Conficker.
Here you can find the Microsoft presentation that lists the malware statistics. AV-Test.org, an independent organization, has ranked Microsoft Security Essentials in a better position than other free antiviruses, including AVG and Avast, in terms of scanning speed and level of threat detection; on the other hand the AV still requires improvement in malware behavioral analysis.
Password Auditing Tools
Posted by Mourad Ben Lakhoua in Password Security, Pentesting, Tools on August 15, 2009
A VPN (virtual private network) is often used to secure communication over a public network. Many security specialists advise using one on public Wi-Fi to encrypt all traffic and make it impossible for an outsider to sniff information, or to provide remote access to an offsite user, but after implementing the VPN connection there is a testing phase for user authentication.
Now the question is: who said that cracking passwords for VPN accounts is impossible?
The THC group has proved that this is reachable using THC PPTP bruter. This software is a brute forcer for the PPTP protocol (1723/TCP); the tool works only if the authentication servers are using Microsoft Windows CHAP v2, and it can be used against Windows and Cisco gateways.
The good point about bruter is that you can attempt up to 300-400 passwords, depending on packet delivery speed. So the operation time depends on how many bytes long your password is (8 or less is very risky) and on the network speed; we can try 14 million passwords per hour (but this can take less time if you know the password policy used by the organization). The only disadvantage of pptp-bruter is that we need some third-party libraries to compile the program.
Microsoft SQL servers also use authentication, and after implementing the database infrastructure, checking the security of user accounts is a must. Piggy 1.0.1 is a good tool for brute forcing and auditing passwords on Microsoft SQL Server. The good point about Piggy is that you can check multiple servers at the same time: after Nmap scans for the available services on the network, it provides the IP addresses of the servers with TCP port 1433 open, and Piggy automatically starts auditing the servers’ user passwords, with a very good chance of finding those accounts using a dictionary attack.
Finally, here are some useful online links for cracking hashes:
http://passcracking.com/
http://www.hashchecker.com/index.php
http://www.milw0rm.com/
http://www.gdataonline.com/
http://www.md5hood.com/
and here is brute force in Python and Perl
Brute Force & password recovery tools
Posted by Mourad Ben Lakhoua in Password Security, Tools on July 29, 2009
There is an immense number of tools for brute force and password recovery that have been created to help security specialists in pentesting and in evaluating the password security level of applications and systems.
Let’s start with Brutus AET2; since 2000 there has been no update for this tool, but it still appears as one of the fastest and most modern tools for brute forcing internet protocols. If you need to test passwords for HTTP (websites that use authentication with login and password) such as forums, email accounts, file and telnet servers, Brutus is a good choice.
To work with this tool you just add the target IP address and service port, select the protocol, the number of threads desired (max 60) and the timeout; if you are also looking to hide yourself during the operation you can use SOCKS or a proxy.
This tool uses a dictionary attack or a user-defined word list file. If you use the word list you can just add some words that you suspect the administrator might use, so it is a universal tool for HTTP, FTP, POP3 and Telnet.
L0phtCrack is used for auditing Windows system passwords; you can find more about their latest release, LC6. L0phtCrack is not free anymore, but you can replace it with Pwdump, with which you can get the same result.
THC-Hydra is the ideal tool for cracking authentication. This tool is proof-of-concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system. On top of that it supports more than 30 protocols, among them TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTP-HEAD, HTTP-PROXY, VNC, POP3, IMAP, NNTP, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, Cisco AAA.
You can find this tool in the Backtrack Live CD.
Nowadays many applications restrict login attempts, so after several failed attempts your IP is banned. TSGrinder is the first production Terminal Server brute force tool; the most interesting thing about TSGrinder is that you can specify how many times to try a username/password combination within a particular connection, and if you are using a proxy that changes your IP with each connection, after some time you can pass the authentication phase.
It is important to note that all programs are used just for educational purposes.
New major updates for Sysinternals
Posted by Mourad Ben Lakhoua in News, Tools on July 28, 2009
Sysinternals announced some major updates to their tools package. The most interesting of these updates is the end of life of Filemon and Regmon, and a number of enhancements for Procmon, including new by-extension and by-directory views in the File Summary dialog, a new Network Summary view, quick filtering in all the summary views, additional IOCTL and error result decoding, and a number of bug fixes.
Process Monitor is the replacement for Filemon and Regmon and is much more advanced and scalable than its predecessors. Since we only aim to make Sysinternals tools work on Windows XP and higher, we’ve decided that it’s time to retire these venerable utilities that were born in the early days of Sysinternals (then NTinternals) back in 1996. So that you have a chance to say goodbye, we’re announcing now that they will be removed from the site on September 1.
It is always good when we have new functionality and updates from Sysinternals.