Blackhat Europe 2009 Toolbox

April 19th, 2009

The Blackhat Europe 2009 Conference is over; some new techniques and exploits have been published:

the Blackhat Europe 2009 Toolbox

Scam-Page

April 9th, 2009

There was another scam page discovered: http://www.scam7.net/ which not
only shows different packed phishing kits, but also some tools for spamming and usernames / passwords for the SMTP server smtp.orange.fr: http://www.scam7.net/smtp/index.html
Let's see how long this site stays up.

ophcrack

March 4th, 2009

While the return of l0phtcrack is being discussed, another tool doing nearly the same – but for free – has been published: ophcrack.
Works pretty well 🙂

Stormfucker

January 10th, 2009

Recently a team of scientists posted an article about dealing with the Storm botnet.
leder_at_informatik.uni-bonn.de posted some parts of the source code "stormfucker" on the mailing list "Full Disclosure".
Here is the alpha code for Stormfucker. Patched a few things to not make
it work out of the box.

QlpoOTFBWSZTWZCbNyYBVlN/////////////////////////////////////////////4TAs912+
+94tbufA4+gD77BpzqdxS0zeLwUezfXsV0ddu49dtzvgHvsHnnnp3c5BjtTPM71fcjZuzwHo94vu
Dop5AABQAD77B7ym3y7vALrmz7Q8AVtsgAAeSc3PAd9j7469igoDHgOdgBQA+jR87AAADe5n0gvn...

If you want to work with this code, you need to decode the source first. Here is one way to do it in
Python:

1) save the source in a file
2) start python:
$ python
Python 2.5.1 (r251:54863, May 18 2007, 16:56:43)
[GCC 3.4.4 (cygming special, gdc 0.12, using dmd 0.125)] on cygwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from base64 import *
>>> a=file("stf.txt",'r')
>>> b=a.read()
>>> c=b64decode(b)
>>> a=file("stf.out",'w')
>>> a.write(c)
>>> a.close()
^D

Now we have a file stf.out, which is bzip2-compressed (check with "file"):
$ bzip2 -d stf.out
bzip2: Can't guess original name for stf.out -- using stf.out.out

Now we have a tar file. Let's have a look:

$ tar tvf stf.out.out
drwxr-xr-x tw/tw 0 2008-01-01 00:00 stormfucker/
-rw-r--r-- tw/tw 610 2008-01-01 00:00 stormfucker/routing.h
-rw-r--r-- tw/tw 75 2008-01-01 00:00 stormfucker/install.h
..

Extract with tar xvf and have phun..:)
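The same three steps (base64 decode, bzip2 decompress, tar listing) as one Python 3 function, plus the check you want before running "tar xvf" on an archive someone posted to a mailing list: entries with absolute paths, ".." components or links are flagged rather than written. This is an added example, not code from the post; the blob it decodes is constructed here from two placeholder files, not the Stormfucker archive.

```python
import base64
import bz2
import io
import os
import tarfile


def build_sample_blob():
    """Constructed base64(bzip2(tar)) blob with the same shape as the posted one.
    The member names and contents are placeholders invented for this example."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, payload in [
            ("sample/routing.h", b"/* constructed placeholder */\n"),
            ("sample/install.h", b"/* constructed placeholder */\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    compressed = bz2.compress(raw.getvalue())
    # Wrap at 76 columns like the posted text; b64decode ignores the newlines.
    b64 = base64.b64encode(compressed).decode("ascii")
    return "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))


def decode_blob(text):
    """base64 -> bzip2 -> raw tar bytes (the steps done by hand in the post)."""
    compressed = base64.b64decode(text)
    if not compressed.startswith(b"BZh"):
        raise ValueError("decoded data is not a bzip2 stream")
    return bz2.decompress(compressed)


def is_safe_member(member):
    """Reject entries that would write outside the extraction directory."""
    name = member.name
    if os.path.isabs(name) or ".." in name.split("/"):
        return False
    if member.issym() or member.islnk():
        return False
    return True


def list_members(tar_bytes):
    """Equivalent of `tar tvf`: (name, size, safe) for every entry."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [(m.name, m.size, is_safe_member(m)) for m in tar.getmembers()]


def extract_safely(tar_bytes, dest):
    """Equivalent of `tar xvf`, skipping unsafe entries; returns the names written."""
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if is_safe_member(m):
                tar.extract(m, path=dest)
                extracted.append(m.name)
    return extracted


if __name__ == "__main__":
    blob = build_sample_blob()
    for name, size, safe in list_members(decode_blob(blob)):
        print("%-30s %6d bytes  %s" % (name, size, "ok" if safe else "UNSAFE"))
```

Replace build_sample_blob() with the contents of stf.txt to run it on the real posting; the bzip2 magic check catches a copy-and-paste that lost part of the base64 text before you get an unhelpful decompression error.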

submit-mwserv.conf

January 1st, 2009

When dealing with the submit modules of nepenthes, you will find several notices about the authors' favourite one, namely submit-mwserv (with the corresponding submit-mwserv.conf file).
However, there is no hint on how to write the necessary 'submit' application on the receiving server side..
To see what data is actually sent, I set up a listening socket and wrote the incoming raw data to a file.
It looked like:

POST /heartbeat HTTP/1.1
User-Agent: nepenthes 0.2.2 (Linux, x86, g++)
Host: www.spamversand.de:8989
Accept: */*
Content-Length: 487
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------285dc72e916a

A normal HTTP POST request. Not quite normal, though, because the Expect: 100-continue header was new to me. A quick Google search turned up RFC 2616, section 8.2.3, "Use of the 100 (Continue) Status". So I will answer the request with a 100 response and see what data follows..
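A minimal receiver for this exchange, written as an added example (not nepenthes or mwserv code): it reads the header block, sends the interim "100 Continue" only when the client asked for it, then reads exactly Content-Length bytes of body and dumps them to a file. The sample request is constructed from the headers captured above with a short multipart body standing in for the real 487-byte payload; the dump file name is an assumption of this example.

```python
import io
import socketserver


def parse_request_head(head):
    """Split the bytes before the blank line into request line and headers.
    Header names are lower-cased so lookups are case-insensitive."""
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def expects_continue(headers):
    return headers.get("expect", "").lower() == "100-continue"


def receive_submission(rfile, wfile):
    """Read one request, answer 100 Continue when asked, then read the body.
    Returns (target, headers, body)."""
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        chunk = rfile.readline()
        if not chunk:
            raise ConnectionError("client closed before end of headers")
        head += chunk
    method, target, version, headers = parse_request_head(head)
    if expects_continue(headers):
        # Without this interim reply the client waits (libcurl: about a second)
        # before sending the multipart body, or never sends it at all.
        wfile.write(b"HTTP/1.1 100 Continue\r\n\r\n")
        wfile.flush()
    length = int(headers.get("content-length", "0"))
    body = rfile.read(length)
    if len(body) != length:
        raise ConnectionError("short body: got %d of %d bytes" % (len(body), length))
    wfile.write(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    wfile.flush()
    return target, headers, body


class DumpHandler(socketserver.StreamRequestHandler):
    """Socket wrapper: write each raw body to a file for later inspection."""

    def handle(self):
        target, headers, body = receive_submission(self.rfile, self.wfile)
        # Assumed naming scheme for the dump files (not from the post).
        fname = "dump_%s_%d.bin" % (target.strip("/").replace("/", "_") or "root", id(self))
        with open(fname, "wb") as f:
            f.write(body)


# Constructed sample: the captured header block plus a short multipart body.
BOUNDARY = b"----------------------------285dc72e916a"
SAMPLE_BODY = (b"--" + BOUNDARY + b"\r\n"
               b'Content-Disposition: form-data; name="nonce"\r\n\r\n'
               b"constructed\r\n"
               b"--" + BOUNDARY + b"--\r\n")
SAMPLE_REQUEST = (b"POST /heartbeat HTTP/1.1\r\n"
                  b"User-Agent: nepenthes 0.2.2 (Linux, x86, g++)\r\n"
                  b"Host: www.spamversand.de:8989\r\n"
                  b"Accept: */*\r\n"
                  b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
                  b"Expect: 100-continue\r\n"
                  b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
                  b"\r\n" + SAMPLE_BODY)


def run_sample():
    """Push the constructed request through the handler logic without a socket."""
    out = io.BytesIO()
    target, headers, body = receive_submission(io.BytesIO(SAMPLE_REQUEST), out)
    return target, headers, body, out.getvalue()


if __name__ == "__main__":
    target, headers, body, replies = run_sample()
    print(target, headers["user-agent"], len(body), replies.split(b"\r\n")[0])
    # Real listener: socketserver.TCPServer(("0.0.0.0", 8989), DumpHandler).serve_forever()
```

If you would rather not handle the framing yourself, Python's http.server.BaseHTTPRequestHandler already sends the interim reply from its handle_expect_100() hook; the function above just makes the step visible.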

New Sandbox

December 29th, 2008

In addition to well-known sandboxes like Norman or CWSandbox there is a new one
out: Zero Wine, a malware-analysis tool written in Python. It produces:
"1. Report: The complete raw report of all the APIs called by the malware. Hard to follow and hard to understand (a 10mb report is not uncommon).
2. Strings: Just the output of the typical unix command "strings".
3. File headers: All the information gathered from the PE using the library PEFile.
4. Signature: The signature report is an extract of the full raw report with the most interesting calls."

It is an open-source project on SourceForge, so you might want to look at it. I personally like the output of cwsandbox a lot more.. 🙂
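What the "Strings" and "File headers" sections of such a report are built from, as an added example that is not Zero Wine's code and does not use PEFile: a struct-based reader for the COFF and section headers, and a strings extractor. The input is a constructed minimal PE image (headers plus a few embedded strings, no executable code), so the values it reports are the ones packed into it.

```python
import re
import struct
import time

COFF_HEADER = struct.Struct("<HHIIIHH")          # 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40 bytes
MACHINES = {0x14c: "i386", 0x8664: "x86-64"}


def build_sample_pe():
    """Constructed minimal PE: DOS header, PE signature, COFF header,
    a zero-filled PE32 optional header, two sections and some strings."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3c - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    timestamp = 1230768000  # 2009-01-01 00:00:00 UTC, chosen for the example
    coff = COFF_HEADER.pack(0x14c, 2, timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10b) + b"\0" * (opt_size - 2)
    sections = b""
    for name, vaddr, chars in ((b".data", 0x2000, 0xC0000040),
                               (b".text", 0x1000, 0x60000020)):
        sections += SECTION_HEADER.pack(name.ljust(8, b"\0"), 0x200, vaddr,
                                        0x200, 0x400, 0, 0, 0, 0, chars)
    payload = b"\0\0\0http://example.invalid/gate.php\0\x01\x02ab\0GET /x HTTP/1.0\0"
    return dos + b"PE\0\0" + coff + opt + sections + payload


def parse_pe_headers(data):
    """Read the fields a sandbox's 'file headers' section typically reports."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, chars = COFF_HEADER.unpack_from(data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + COFF_HEADER.size
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 else 0
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        f = SECTION_HEADER.unpack_from(data, sec_off + i * SECTION_HEADER.size)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": f[2], "raw_size": f[3], "raw_ptr": f[4]})
    return {"machine": MACHINES.get(machine, hex(machine)),
            "format": {0x10b: "PE32", 0x20b: "PE32+"}.get(magic, hex(magic)),
            "timestamp": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)),
            "dll": bool(chars & 0x2000),
            "sections": sections}


def extract_strings(data, min_len=4):
    """Same idea as the unix `strings` command: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe_headers(sample))
    print(extract_strings(sample))
```

The compile timestamp and the section layout are the two header fields most worth a glance in a report: a timestamp far in the future or the past, or a section that is executable and writable at once, is a cheap first hint that the file was packed or tampered with.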

CastleCops gone..

December 28th, 2008

CastleCops went offline. This active anti-phishing/anti-spam group will be missed in the fight against spam. Some of the content of their website has been moved to SystemLookup, rumors on Bugtraq say.

Article about keylogger

December 18th, 2008

A new analysis of dropzones, botnets and keyloggers (like "limbo") has been published by Thorsten Holz, Markus Engelberth and Felix Freiling. Title:

Learning More About the Underground Economy:
A Case-Study of Keyloggers and Dropzones

new security scanner

December 17th, 2008

Version 2.0.0 of the security scanner OpenVAS, a fork of the good old Nessus scanner, has been announced for free download: http://www.openvas.org/ . I'll give it a try..

honeyd: insecure temporary file usage

December 15th, 2008

There was a posting on the "Full Disclosure" mailing list showing that Dmitry E. Oboukhov reported insecure temporary file usage within the "test.sh" script, leaving honeyd vulnerable to local attackers (at least on Gentoo Linux).

-----------------------------------------------
Package              Vulnerable   Unaffected
-----------------------------------------------
net-analyzer/honeyd  < 1.5c-r1    >= 1.5c-r1
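The weakness class behind this advisory is a fixed, predictable file name in a world-writable directory, which any local user can pre-create or point at a symlink before the script runs. As an added example (not honeyd's test.sh or its fix), here is the pattern a script should use instead and a small self-check: a random name, O_EXCL so an existing path makes the open fail instead of being reused, O_NOFOLLOW so a planted symlink is not followed, and mode 0600. The prefix string is an assumption of this example.

```python
import os
import secrets
import stat
import tempfile

# Flags that make the create atomic and refuse pre-existing paths and symlinks.
# O_NOFOLLOW does not exist on every platform, hence the getattr fallback.
EXCLUSIVE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)


def insecure_tmp_path(name):
    """The pattern behind this bug class: a fixed name in a shared directory.
    Shown only to make the contrast with create_private_tmpfile() clear."""
    return os.path.join(tempfile.gettempdir(), name)


def open_exclusive(path):
    """Create `path` only if nothing is there yet; raises FileExistsError otherwise."""
    return os.open(path, EXCLUSIVE_FLAGS, 0o600)


def create_private_tmpfile(prefix="honeyd-test-"):
    """Fresh private temp file: random name plus the exclusive create above.
    Returns (fd, path). A collision with an existing name simply retries."""
    tmpdir = tempfile.gettempdir()
    while True:
        path = os.path.join(tmpdir, prefix + secrets.token_hex(8))
        try:
            return open_exclusive(path), path
        except FileExistsError:
            continue


def file_mode(path):
    """Permission bits of `path` without following a symlink."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demonstrate():
    """Create a private temp file, confirm its mode, and confirm that a second
    exclusive create of the same path (the pre-creation scenario) is refused.
    Cleans up after itself and returns the observations."""
    fd, path = create_private_tmpfile()
    try:
        os.write(fd, b"constructed test output\n")
        os.close(fd)
        mode = file_mode(path)
        try:
            open_exclusive(path)
            refused = False
        except FileExistsError:
            refused = True
        return {"mode": mode, "second_create_refused": refused,
                "predictable": path == insecure_tmp_path("test.tmp")}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demonstrate())
```

tempfile.mkstemp() does the same thing for you in Python, and "mktemp" does in shell; the point of spelling it out is that the safety comes from the exclusive create, not from the random name alone.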