Monday 11 May 2009

Proxied

Somebody has just committed fraud, and the Feds have traced it to your IP address; they have issued a warrant and are getting ready to kick down your door... but you have done nothing wrong: you have been used as a proxy by an unknown attacker. Do the Feds know this? Do they even know how to check? Do they even care?

Proxies are commonplace in malware now: SOCKS4, SOCKS5 and HTTP proxies are found in everything from rxbot to Poison Ivy. Hardware firewalls can be bypassed via UPnP or by reverse-connecting RATs/proxies (such as D3XT3R's Reverse VB Proxy RAT).
It's not just PCs which can be used: routers, switches, firewalls, even your website could be turned into a proxy for an attacker; and it's not just proxies! VPNs, RDP, VNC and other remote control tools can hide an attacker's traces and are traded on the underground daily. Then there's wireless! There are websites dedicated to teaching how to break into Wireless Access Points (WAPs); an attacker can join the WAP and launch an attack from there. "What about their MAC address?" I hear you cry! It's very easy to change your MAC address, and it can be done on ANY operating system.
The majority of the above have no logging and no way to trace the attacker, especially once it's too late.

You don't even have to infect a victim to be anonymous; there are online web services which provide anonymous browsing, and VPN services which provide anonymous encrypted tunnels that can anonymize all kinds of traffic. Then there's the Tor network, which was designed by the US military/government so its agents abroad could send data anonymously. There are also misconfigured proxies: there are lots of websites dedicated to finding and listing these proxy servers, and they generally become the victim of multiple attackers using them for a variety of different purposes.

So where is this all going?

Well, the whole point of this is that we can no longer look at an IP address as being unique to a user. I do not know if an IP address 'as the source of the attack' would stand up in court as the critical piece of evidence to put somebody away. I don't know whether the Prosecutor (Feds) or the Defendant (you) would have to prove that the IP address in question was compromised (or NOT compromised, based on the theory of "innocent until proven guilty...").
What happens if somebody uses your WAP hotspot username/password and launches an attack? You could say that your MAC and the attacker's MAC address are not the same, but then again, how cheap are USB WLAN devices these days? The Feds could say you bought one, launched the attack and discarded it; then again, you could have just changed your MAC address as above.
But would somebody be stupid enough to use their own registered hotspot username/password to launch an attack? Look at Gary McKinnon: he purchased 'Remotely Anywhere' with his real name, credit card etc., and then went and installed and registered it on NASA & .mil computers using HIS real name & email address... Stupid people make the world go round...

Friday 1 May 2009

Dynamic Social Engineering Spreading

So what is 'Dynamic Social Engineering Spreading'?
It's simply using social engineering techniques but with dynamic content. The main use of this would be spreading via email, IM etc.

So how do we get our dynamic content? Simple: RSS feeds.

This is also where our social engineering techniques come into play:
We use popular RSS feeds on topics such as news, sports, etc.
Let's take the BBC: it has an RSS feed which is updated regularly with new content, which gives us constant fresh data to work with. The fact that it is stored in XML makes it very easy to parse the content and manipulate it to our needs.
Using the news gives us the social engineering edge: the victim is more likely to accept something which they have already read or heard about on TV, in the newspaper etc.

IM Example:

Template:

Hey you heard about *NEWS SUBJECT* ?
*NEWS CONTENT*
Look at this *LINK/ZIP*

With Real Data (Taken from BBC News RSS Feed):

Hey you heard about Venezuela army helicopter crashes ?
A military helicopter has crashed in Venezuela killing at least 18 people on board, President Hugo Chavez says.
Look at this http://www.badguy.com/evilwebpage.htm

Thursday 26 March 2009

AKill, "one of the world's best known hackers"... lol

I'm just posting this in response to the news article about Telstra (New Zealand ISP) hiring convicted botter Owen Thor Walker, aka AKill.

Now AKill, if you're reading this, no offense...

AKill wrote AKBot, an IRC DDoS bot written in C++.
There are a few variants going around, but chances are it was just another rx rename.

AKill (age 18 at the time) was caught & convicted as part of the FBI's "Operation Bot Roast".
Now AKill apparently infected an estimated 50k PCs (Ref) and did an estimated $26 million+ in damages. He also installed adware and made approx. $40k, and (accidentally) DDoS'd the University of Pennsylvania (see further below) as well as DDoS'ing some other targets.
AKill managed to get off pretty light: he had to pay $14.5k (fine & fees) and got NO jail time and NO criminal record.

The reason for this:
"Judge Judith Potter acknowledged his [AKill] high level of skill and said a conviction could jeopardise his prospects, saying he has a potentially outstanding future ahead of him."
Now a lot of the above is linked in with Ryan Goldstein, aka Digerati.

To summarise what happened with Digerati:
Digerati (age 22 at the time) was in TeamLoosh; he fell out with "rofles" (TeamLoosh leader?), and 'rofles' then started a campaign against Digerati, posting his personal info and accusing him of being a pedo (which turned out to be true) all over the net, mainly anywhere Digerati posted. In revenge Digerati "hired" AKill to launch DDoS attacks against a number of targets including TAUNET and LCIRC (Ref).

Digerati went to the University of Pennsylvania and gained access to another student's username & password(s); he then supplied these details to AKill so he could update his bots. When AKill updated all his bots (all 50k of them) this caused an accidental DDoS and alerted staff at the University of Pennsylvania, who reported the 'attack' to the FBI.

Whilst this was all going on, the Feds' "Operation Bot Roast" was in full swing, logging all IRC/forum chatter from known feeds. This chatter most probably also included the conversations between Digerati & AKill (as they quote Digerati a number of times).

So... Owen Thor Walker, aka AKill: would I describe him as "one of the world's best known hackers"? I would say he's best known for getting caught and getting away scot-free. A number of sources from 'the underground' report he snitched on Digerati and pushed the blame onto him, which obviously worked far better for the FBI: Digerati was a US citizen and was a "known trouble maker". For his troubles he got 90 days in prison, 90 days in a "half-way house" and 180 days' house arrest, and was banned from using computers for 5 years (unless it was for work or school). Nothing happened in regards to the 1000+ child porn pics he had.

It would have been a very hard case to extradite AKill to the US for conviction:
AKill left school at the age of 14 due to bullying and was home taught; he had no friends and no social life, which caused him to gain Asperger's Syndrome (a disorder in the same family as autism, characterised by very poor social interaction (thx Google)). He was also 18 at the time of his conviction, so putting a 'boy' like that into jail would have ended up making him somebody's bitch for the next 7-10 years.

At the end of the day, AKill & Digerati acted like kids and that's what got them caught.

Would I hire him? Hell no. He is no different to the rest of the script kiddies which argue on the internet.

The best known hackers are the unknown hackers, the ones who don't get caught.

D3ADLiN3

Sunday 15 March 2009

BBC Botnet

In case you didn't see it, check this out then read on: "BBC team exposes cyber crime risk."

When I saw this on TV I was like LOLOMGWTF...W.T.F!?!?!

OK, to summarise what happened:
The BBC purchased a live, working 20,000+ strong botnet for $2000; they then demonstrated its abilities by spamming a Hotmail & Gmail account, then DDoS'ed PrevX's test website (with permission), then set the users' wallpaper to a custom wallpaper to inform the users they had been infected, and then 'disabled' the botnet.

Now to me... this is slightly illegal... and stupid...

Now when have the BBC (or PrevX) been above the law? And when did they all of a sudden gain great knowledge about malware etc. and know that what they were doing was having no ill effect on the uninformed victims?
If the consortium of companies such as F-Secure, Microsoft, ICANN etc. decided they could not do anything about the Conficker botnet, which grew to an estimated size of 10 million+, what the hell does the BBC think they're doing? Some comments people made were "yes, it's a good thing the BBC disabled the botnet"... WTF. Seriously. I would have no problem with Microsoft & Co disabling and removing Conficker from my PC rather than the inexperienced BBC, but no, they decided not to do it because it would be illegal.
So firstly the BBC funded criminals (and potentially terrorism); they then flooded 2 email accounts (I take it they didn't get permission from Gmail or Hotmail before doing so), causing unnecessary load on the ISP & victims' PCs; then they DDoS'ed PrevX (I think this made PrevX look really stupid and unprofessional), and what happens if one of the victims pays for their Internet by bandwidth? So they have potentially cost the victims money. Next they changed the victims' wallpaper, which is again against the law.

My favourite quote is this:

"If this exercise had been done with criminal intent it would be breaking the law."


IT WAS BREAKING THE LAW, YOU ILLEGALLY ACCESSED PEOPLES COMPUTERS WITHOUT PERMISSION.

God damn it makes me rage writing this... The BBC gets away with it. Now if I demonstrated to one of my customers using the above methods, how long would it be until I had a call from the police?

Well shit next time I get a call from the popo I know what to say "If this exercise had been done with criminal intent it would be breaking the law."

Friday 23 January 2009

Some useful registry keys

Vista:

Disable User Account Control (UAC):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
"EnableLUA" = "0"

Disable DEP:
Run: "bcdedit /set nx alwaysoff"

Enable RDP:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
"fDenyTSConnections" = "0"

XP:
Disable "Show Hidden Files and Folders":
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden" = "2"

Restore the Prompt to save passwords in IE:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"FormSuggest PW Ask" = "yes"

Enable Password Caching (IE):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"DisablePasswordCaching" = "0"

Disable "Shift Override":
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"ShiftOveride" = "1"

Disable Password Caching in Internet Explorer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
"DisablePasswordCaching" = "1"

Disable 'Control Panel' items:
HKEY_CURRENT_USER\Control Panel\don't load

Windows Firewall:
"firewall.cpl" = "No"

Windows LiveUpdate Control Panel Module:
"S32LUCP1.cpl" = "No"

Windows Security:
"wscui.cpl" = "No"

Windows Automatic Updates:
"wuaucpl.cpl" = "No"

Enable RDP:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
"fDenyTSConnections" = "0"

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
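The same keys are what a defender should be reading back. Below is an added audit script (not from the post) that checks each of the values listed above and reports any that match the weakening setting; it assumes PowerShell 5 or later on Windows, run elevated so HKLM and the boot configuration are readable, and uses CurrentControlSet where the post lists ControlSet001.

```powershell
# Added audit script (not from the post): read the values listed above and
# report any that match the weakening setting. Read-only; assumes PowerShell 5+
# on Windows, run elevated so HKLM and bcdedit are readable.
# CurrentControlSet is the live control set (the post lists ControlSet001).

$checks = @(
    @{ What = 'UAC disabled';            Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';              Bad = '0' },
    @{ What = 'RDP enabled';             Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';           Name = 'fDenyTSConnections';     Bad = '0' },
    @{ What = 'Hidden files not shown';  Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';                 Bad = '2' },
    @{ What = 'IE password caching on';  Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'DisablePasswordCaching'; Bad = '0' },
    @{ What = 'Shift override disabled'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'ShiftOveride';           Bad = '1' }
)

foreach ($c in $checks) {
    # -Name makes the lookup fail cleanly when the value (or the key) is absent.
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { "{0,-24} not set (default applies)" -f $c.What; continue }
    $current = [string]$item.($c.Name)
    $state = if ($current -eq $c.Bad) { 'WEAKENED' } else { 'ok' }
    "{0,-24} {1,-9} {2}\{3} = {4}" -f $c.What, $state, $c.Key, $c.Name, $current
}

# Any applet listed under "don't load" is hidden from the Control Panel; the
# post names firewall.cpl, wscui.cpl and wuaucpl.cpl, so list whatever is there.
$dontLoad = "HKCU:\Control Panel\don't load"
if (Test-Path -LiteralPath $dontLoad) {
    foreach ($applet in (Get-Item -LiteralPath $dontLoad).GetValueNames()) {
        "Control Panel applet hidden: {0}" -f $applet
    }
}

# DEP policy lives in the boot configuration, not the registry: read it back.
$nxLine = bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^\s*nx\s' | Select-Object -First 1
if ($nxLine) { "DEP (nx) policy: {0}" -f ($nxLine.Line.Trim() -replace '^nx\s+', '') }
```

The HKCU checks only cover the user running the script; to audit another account, load that user's hive first.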

DLL Malware

I have been having a play with DLLs recently and have realised the potential advantages over normal executables; here are a few thoughts:

From what I understand, depending on how you create your DLL you can either inject the DLL into a process and/or load it using a loader (such as 'rundll32').

Here's an example of what could be done...

Create a custom loader which contains a copy of the DLL as an encrypted resource file (easily done in VB6);

Check for the existence of sandboxes etc.; if found we quit, otherwise:
Detect if we have admin rights:

If we do, decrypt and extract the DLL to e.g. %windir%\*random-file-name*.dll
If not, decrypt and extract the DLL to e.g. %temp%\*random-file-name*.dll

Check the file actually extracted (and wasn't blocked):
If not, try extracting again to a different folder, e.g. %userprofile%\*random-file-name*.dll
If it still fails we quit and melt into null.

Alternatively I believe we could extract the DLL into memory and not even write to disk.

The loader then detects the PC's default browser from the registry;
then creates a suspended copy of the default browser;
then injects the DLL into the suspended process; this way we bypass the firewall*.

If injection fails, load the DLL using 'rundll32' and hope everything goes OK (alternatively we could try injecting into a different process, say MSN, explorer.exe etc.)

If injected we can then delete the DLL we extracted as it is now in memory.

Then exit the loader.

So based on the concept that we have injected the DLL, we now have no visible process running in Task Manager, and potentially have bypassed the Firewall without creating additional rules.

Startup methods?
Well, we can either add an entry for the loader again (which would allow injection), or load the DLL using say rundll32, or from a service via svchost.

* This is simple Firewall Bypass which probably doesn't work anymore, but you get the idea.
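The startup methods and drop folders listed above are also what a defender should sweep. As an added example (not from the post), this PowerShell script enumerates Run/RunOnce entries and svchost-hosted services and flags entries that use rundll32 or point at a DLL sitting directly in %windir%, %temp% or %userprofile%. It assumes PowerShell 5 or later on Windows; flagged entries are leads for manual review, not verdicts.

```powershell
# Added example (not from the post): enumerate the persistence spots the post
# names and flag entries worth a second look. Read-only; assumes PowerShell 5+.

# A DLL sitting directly in one of the drop folders named above (no subfolder).
$dropDirs   = @($env:TEMP, $env:USERPROFILE, $env:windir) | ForEach-Object { [regex]::Escape($_) }
$dllPattern = '(?i)(' + ($dropDirs -join '|') + ')\\[^\\]+\.dll'

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Run/RunOnce: a loader entry, or a rundll32 line loading a dropped DLL.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }        # PSPath, PSParentPath, ... are not values
        $cmd  = [string]$props.$name
        $tags = @()
        if ($cmd -match '(?i)\brundll32') { $tags += 'rundll32' }
        if ($cmd -match $dllPattern)       { $tags += 'dll-in-drop-dir' }
        if ($tags) { "{0,-24} {1}\{2} = {3}" -f ($tags -join ','), $key, $name, $cmd }
    }
}

# 2. Services hosted by svchost.exe load their code from Parameters\ServiceDll.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ([string]$svc.ImagePath -notmatch '(?i)svchost\.exe') { return }
    $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
    $dll = [string]$params.ServiceDll
    if (-not $dll) { return }
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    # A ServiceDll in a drop folder, or one that no longer exists on disk, is
    # worth a second look.
    if ($expanded -match $dllPattern -or -not (Test-Path -LiteralPath $expanded)) {
        "{0,-24} service {1} -> {2}" -f 'svchost-servicedll', $_.PSChildName, $dll
    }
}
```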