Learning your history is important

It is said that if you don’t know your history you are bound to repeat the past. They same holds true even in the world of Malware. The below Infographics helps with bringing you up to speed with what occurred over the last 28 years in the wonderful world of Malware.

A big thanks to the ESET team for creating and sharing this with the community. I would like to pride myself on know a bit more about Malware than the average user, but even so I learned quite a lot form this Infographics.

So sit back and enjoy the journey that begins with Pakistani Brain in 1986 and ends with Windigo 2014.

Advertisements

Second time’s a charm “Linux Kernel 0-day bug”

I am sure by noon today you will see lots more technology blogs talking about this old but yet new bug. “The Linux kernel has been purged of a bug that gave root access to untrusted users – again.”

Background:

The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access.

//

The bug was originally discovered by the late hacker Wojciech “cliph” Purczynski. But Ben Hawkes, the researcher who discovered the kernel regression bug, said here that he grew suspicious when he recently began tinkering under the hood of the open-source OS and saw signs the flaw was still active. Read the complete article over at The Register..

Sample exploit is already in the wild as show via http://seclists.org/fulldisclosure/2010/Sep/268 . Since I am not a expert in exploit development or analysis I will sit back and wait for the guys over at Metasploit or SET to whip up so I can test.

Notes for Linux Basix Eps20

I  appeared on the Linux Basix podcast once more, I am becoming a regular :). Below are some of the things I spoke of during my segment.

Discussion Links:

  1. Symantec Snoop Dogg rap contest site rickrolled: Symantec’s attempts to link up with Snoop Dogg to launch a cybercrime rap contest, to bring about awareness on the issue. However it turned out that the site had several vulnerabilities and had to be taken down for maintenance, read more over at  http://www.theregister.co.uk/2010/09/03/symantec_rap_contest_farce/.
  2. Facebook adds new remote log-out security feature: Facebook on Thursday announced a new security feature that will allow users to see if they are logged into their accounts on a different computer and to remotely log out if so. This can also be used to see if someone has your password and has been logging in when you are not around. The new security feature follows a Login Notification feature the company announced in May that lets users tell Facebook to notify them via e-mail or SMS when a new computer or device is used to log into their account, read more over at  http://news.cnet.com/8301-27080_3-20015482-245.html .
  3. Rosetta Stone for Unix: The goal of this site is to give you a command syntax comparison between Linux, Unix, MAC OSX, and a few others, visit http://bhami.com/rosetta.html and have some fun. Another good site with a collection of Unix/Linux/BSD commands is –> http://cb.vu/unixtoolbox.xhtml which gives you the option to save the page as a new PDF ebook.
  4. Malware hosted on Google Code project site: Malicious individuals are using the Google Code repository to host Trojans horses, backdoors and password stealing keyloggers, according to researchers at Zscaler. The researchers found a malicious project hosted on the free Google Code site with about 50+ malware executables stored in the download section of the project. “The first malicious file was uploaded on June 24, 2010 and was still active at the end of August this year, proving that Google is slow to find and remove malicious projects”, read more over at http://www.zdnet.com/blog/security/malware-hosted-on-google-code-project-site/7247

Tech Segment: Installing and using Xplico

What is Xplico?

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Features

  • Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
  • Port Independent Protocol Identification (PIPI) for each application protocol;
  • Multithreading;
  • Output data and information in SQLite database or Mysql database and/or files;
  • At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
  • Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
  • TCP reassembly with ACK verification for any packet or soft ACK verification;
  • Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
  • No size limit on data entry or the number of files entrance (the only limit is HD size);
  • IPv4 and IPv6 support
  • Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
  • The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you

Installing and Configuring:

First begin with a little sudo fu and install the following packages:

apt-get install tcpdump tshark apache2 php5 php5-sqlite build-essential perl zlib1g-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python-all sqlite3 recode sox lame libnet1 libnet1-dev libmysqlclient15-dev

Create a temp directory to wget your files too with mkdir Xbuild and cd Xbuild

Download Xplico source code from SorceForge or BerliOS

tar zxvf xplico-0.5.x.tgz

wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.6.tar.gz
tar zxvf GeoIP-1.4.6.tar.gz

cd GeoIP-1.4.6
./configure
make

cd ..
rm -f *.tar.gz

cd xplico
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gzip -d GeoLiteCity.dat.gz
rm -f *dat.gz
make

cd ..
wget http://mirror.cs.wisc.edu/pub/mirrors/ghost/GPL/ghostpdl/ghostpdl-8.70.tar.bz2
tar jxvf ghostpdl-8.70.tar.bz2

The ghostpcl contains the pcl6 application that it is necessary to “network printer job”

rm -f *.bz2
cd ghostpdl-8.70
make

Wait for some time

cd ..
cp ghostpdl-8.70/main/obj/pcl6 xplico-0.5.x
rm -rf ghostpdl-8.70

Download videosnarf from http://ucsniff.sourceforge.net/videosnarf.html. Note for 64 bits architectures: Some codec libraries are proprietary and are only for 32bits architecture. The only solution in this case is this: http://forum.xplico.org/viewtopic.php?p=453#p453

wget http://downloads.sourceforge.net/project/ucsniff/videosnarf/videosnarf-0.63.tar.gz
tar xvzf videosnarf-0.63.tar.gz
cd videosnarf-0.63
./configure
make
cd ..
cp videosnarf-0.63/src/videosnarf xplico-0.5.x

Install Xplico

cd xplico-0.5.x
make install

Copy Apache configuration file

cp /opt/xplico/cfg/apache_xi /etc/apache2/sites-enabled/xplico

After this we have to change Apache ports file to add port of XI. Then, in /etc/apache2/ports.conf add:

# xplico Host port
NameVirtualHost *:9876
Listen 9876

We must also modify the php.ini file to allow uploads (pcap) files. Edit /etc/php5/apache2/php.ini.

The lines to modify are:\
**post_max_size = 100M** \
**upload_max_filesize = 100M**\

Enable mode rewrite in Apache:

a2enmod rewrite

And finally restart Apache:

/etc/init.d/apache2 restart

You can find much more information and documentation on the wiki –> http://wiki.xplico.org.

Uploading your first PCAP file:

  1. Log into the user inter by going to http://xplicoip:9876
  2. Username:xplico and password:xplico please change after
  3. Click on Case to create a new case.
  4. Click on session to create a new session
  5. Click on newly created session within the newly created case and click upload–> browse to your capturefile.pcap.
  6. You can also create a live stream and just have the host sit there passively listening.

Sit back wait for xplico to works it’s magic and then browse your results. View this page to see screen-shots of all the various options of xplico –> http://wiki.xplico.org/doku.php?id=web_interface. Now all your have to do is go sniffing, read the manual and have fun viewing your results.