Mar 5, 2011

Securing Your Email With Thunderbird and GPG:

Here is a quick and easy way to secure your email via public-key encryption using Thunderbird and GPG in an OS-agnostic environment.

Requirements:
  • Thunderbird >= 1.5
  • GPG

1. Download and install the Enigmail Thunderbird extension.
2. Generate a key pair in Thunderbird:
  • Go to the new OpenPGP menu and select Key Management.
  • In the new window, select Generate -> New Key Pair.
  • Select which account you would like to associate the Keys with.
  • Enter a passphrase for the key and select Generate Key.
  • Your newly generated key pair should now appear in the Key Management list.
    *** If you want to create your own GPG key from the command line instead, see the section at the end of this post.

3. Test the Encryption
  • Create a new Email to yourself
  • Enter some text in the subject and body
  • From the OpenPGP menu, select Sign Message and Encrypt Message.
  • When you select the Send button, you will see your message converted to ASCII armor: the encrypted message, encoded as printable text so it can travel through email.
  • Select Get Mail to receive your new encrypted message. By default the encrypted message will be decrypted automatically. You can change this from the OpenPGP menu.
4. Distribute your public key. It will be used by others to encrypt email sent to you.


Creating GPG Keys Using the Command Line 

1. Run gpg --gen-key
2. Select the kind of key you want:

   Please select what kind of key you want:
      (1) RSA and RSA (default)
      (2) DSA and Elgamal
      (3) DSA (sign only)
      (4) RSA (sign only)
   Your selection?

3. Select your key size:

   RSA keys may be between 1024 and 4096 bits long.
   What keysize do you want? (2048)

4. Specify the expiry date:

   Please specify how long the key should be valid.
            0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
   Key is valid for? (0)

5. Export your public key to send to your friends:

   gpg --export --armor > r00tsec.asc
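What the exported .asc file actually contains, as an added example that is not code from the original post or from GnuPG/Enigmail: armor is a text encoding (header line, base64 body, CRC24 checksum line), not encryption, and the checksum lets you confirm a key you received was not damaged in transit. The payload bytes are constructed filler, not a real OpenPGP key packet.

```python
"""Build and verify an OpenPGP ASCII-armored block (RFC 4880, section 6).

Added example, not code from the original post or from GnuPG/Enigmail. It
shows what `gpg --export --armor` wraps around the binary key material (a
BEGIN line, optional headers, base64 body, a CRC24 checksum line, an END
line) and lets you check that an .asc file you received arrived intact.
Armor is an encoding, not encryption: the CRC catches transit damage, not
tampering. The payload below is constructed filler, not a real key packet.
"""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap binary OpenPGP data in radix-64 armor, 64 characters per line like gpg."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", "Version: example", ""]
                     + lines + [crc_line, f"-----END {block_type}-----", ""])


def dearmor(text: str) -> bytes:
    """Extract the binary payload from an armored block, verifying its CRC24.

    Raises ValueError when the block is malformed, truncated or corrupted.
    """
    text = text.replace("\r\n", "\n")  # mail clients often deliver CRLF
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no armored block found")
    lines = m.group(2).split("\n")
    # Armor headers (Version:, Comment:, ...) end at the first blank line.
    start = lines.index("") + 1 if "" in lines else 0
    body = [ln for ln in lines[start:] if ln]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC24 line")
    payload = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC24 mismatch: armored data is corrupted or truncated")
    return payload


def verify_armor(text: str) -> bool:
    """True when the block parses and its checksum matches, False otherwise."""
    try:
        dearmor(text)
        return True
    except ValueError:  # binascii.Error from bad base64 is a ValueError too
        return False


if __name__ == "__main__":
    # Constructed stand-in for exported key material (not an OpenPGP packet).
    key_material = bytes(range(200))
    armored = armor(key_material)
    print(armored)
    print("intact:", verify_armor(armored))
    # Flip one character of the base64 body: the CRC24 line no longer matches.
    damaged = armored.replace("\nAAEC", "\nBAEC", 1)
    print("after damage:", verify_armor(damaged))
```

Note that `gpg --export --armor` with no key ID exports every public key in the keyring; pass your key ID or email address to export only your own.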

Pen Test Report Template

  • Report Template
    • Introduction
      • Date carried out
      • Testing Team details
        • Name
        • Contact Nos.
        • Relevant Experience if required.
      • Network Details
        • Peer to Peer, Client-Server, Domain Model, Active Directory, integrated
        • Number of Servers and workstations
        • Operating System Details
        • Major Software Applications
        • Hardware configuration and setup
        • Interconnectivity and by what means, i.e. T1, Satellite, Wide Area Network, Leased Line, Dial-up etc.
        • Encryption/VPNs utilized etc.
        • Role of the network or system
      • Scope of test
        • Constraints and limitations imposed on the team i.e. Out of scope items, hardware, IP addresses.
        • Constraints, limitations or problems encountered by the team during the actual test
        • Purpose of Test
          • Deployment of new software release etc.
          • Security assurance for the Code of Connection
          • Interconnectivity issues.
        • Type of Test
          • Compliance Test
          • Vulnerability Assessment
          • Penetration Test
        • Test Type
          • White-Box
            • The testing team has complete carte blanche access to the testing network and has been supplied with network diagrams, hardware, operating system and application details etc. prior to a test being carried out. This does not equate to a truly blind test but can speed up the process a great deal and leads to more accurate results being obtained. The amount of prior knowledge leads to a test targeting the specific operating systems, applications and network devices that reside on the network rather than spending time enumerating what could possibly be on the network. This type of test equates to a situation whereby an attacker has complete knowledge of the internal network.
          • Black-Box
            • The testing team has no prior knowledge of the company network. An example of this is when an external web based test is to be carried out and only the details of a website URL or IP address are supplied to the testing team. It would be their role to attempt to break into the company website/network. This equates to an external attack carried out by a malicious hacker.
          • Grey-Box
            • The testing team would simulate an attack that could be carried out by a disgruntled, disaffected staff member. The testing team would be supplied with appropriate user level privileges and a user account and access permitted to the internal network by relaxation of specific security policies present on the network i.e. port level security.
    • Executive Summary (Brief and Non-technical)
      • OS Security issues discovered with appropriate criticality level specified
        • Exploited
          • Causes
            • Hardware failing
            • Software failing
            • Human error
        • Unable to exploit – problem area
          • Causes
            • Hardware failing
            • Software failing
            • Human error
      • Application Security issues discovered with appropriate criticality level specified
        • Exploited
        • Unable to exploit – problem area
      • Physical Security issues discovered with appropriate criticality level specified
        • Exploited
        • Unable to exploit – problem area
      • Personnel Security issues discovered with appropriate criticality level specified
        • Exploited
        • Unable to exploit – problem area
      • General Security issues discovered with appropriate criticality level specified
        • Exploited
        • Unable to exploit – problem area
    • Technical Summary
      • OS Security issues discovered
        • File System Security
          • Details of finding
            • Example: A FAT partition was found. FAT by default does not give the ability to set appropriate access control permissions to files. In addition moving files to this area removes the protection of the current ACLs applied to the file.
          • Recommendation and fix
            • Example: Format the file system to NTFS.
        • Password Policy
          • Details of finding
            • Example: LM Hashes found still being utilized on the network.
          • Recommendation and fix
            • Example: Ensure NTLM2 is enforced by means of the correct setting in Group Policy.
        • Auditing Policy
          • Details of finding
            • Example: Logon success and failure was not enabled
          • Recommendation and fix
            • Example: Amend appropriate Group Policy Objects and ensure it is tested and then applied to all relevant Organizational Units etc.
        • Patching Policy
          • Details of finding
            • Example: Several of the latest Microsoft patches were found to be missing
          • Recommendation and fix
            • Example: Ensure a rigorous patching policy is instigated after first being tested on a development LAN to ensure stability. Review the settings on the WSUS server and ensure that it is regularly updated and an appropriate update strategy is instigated for the domain.
        • Anti-virus Policy
          • Details of finding
            • Example: Several workstations were found to have out of date anti-virus software. In addition where it was found to be installed the actual product was found to be mis-configured and did not provide on-access protection.
          • Recommendation and fix
            • Example: Ensure all workstations are regularly updated and configured correctly to ensure maximum protection is afforded
        • Trust Policy
          • Details of finding
            • Example: Users from one domain were unable to access resources on another tree.
          • Recommendation and fix
            • Example: Review transitive and non-transitive trusts and ensure that all relevant trusts have been established.
      • Web Server Security
        • File System Security
          • Details of finding
            • Example: Incorrect permissions on the www root.
          • Recommendation and fix
            • Example: Apply more stringent permissions or remove various users/groups that currently have access to this area.
        • Password Policy
          • Details of finding
            • Example: Areas of the website that should be Protected did not have any password mechanism enforced.
          • Recommendation and fix
            • Example: Ensure areas that require access to be limited are password protected.
        • Auditing Policy
          • Details of finding
            • Example: Web server logs were not being reviewed for illicit behaviors.
          • Recommendation and fix
            • Example: Regularly review all audit logs.
        • Patching Policy
          • Details of finding
            • Example: The latest patch was not applied to the server leaving it susceptible to a Denial of Service Attack.
          • Recommendation and fix
            • Example: Apply the latest patch after testing on a development server to ensure compatibility with installed applications and stability of the server is maintained.
        • Lockdown Policy
          • Details of finding
            • Example: The IIS lockdown tool has not been applied to the web server.
          • Recommendation and fix
            • Example: Apply the IIS lockdown tool to the server after first testing on a development server to ensure compatibility with installed applications and stability of the server is maintained.
      • Database Server Security
        • File System Security
          • Details of finding
            • Example: Loose access control permissions were found on directories containing important configuration files that govern access to the server.
          • Recommendation and fix
            • Example: Ensure stringent access control permissions are enforced.
        • Password Policy
          • Details of finding
            • Example: Clear text passwords were found stored within the database.
          • Recommendation and fix
            • Example: Ensure all passwords, if required to be stored within the database are encrypted and afforded the maximum protection possible.
        • Auditing Policy
          • Details of finding
            • Example: Reviews of the TNS Listener audit logs were not being carried out.
          • Recommendation and fix
            • Example: Ensure all relevant audit logs are regularly inspected. Audit logs may give you the first clue to possible attempts to brute force access into the database.
        • Patching Policy
          • Details of finding
            • Example: The latest Oracle CPU was not installed, leaving the system susceptible to multiple buffer and heap overflows and possible Denial of Service attacks.
          • Recommendation and fix
            • Example: Install the latest Oracle CPU after first testing on a development server to ensure adequate compatibility and stability.
        • Lockdown Policy
          • Details of finding
            • Example: Numerous extended stored procedures were directly accessible by the public role.
          • Recommendation and fix
            • Example: Ensure the public role is revoked from all procedures that direct access is not required or utilized.
        • Trust Policy
          • Details of finding
            • Example: Clear text Link passwords were discovered.
          • Recommendation and fix
            • Example: Ensure all Link passwords are encrypted, review the requirement to utilize these Links on a regular basis.
      • General Application Security
        • File System Security
          • Details of finding
          • Recommendation and fix
        • Password Policy
          • Details of finding
          • Recommendation and fix
        • Auditing Policy
          • Details of finding
          • Recommendation and fix
        • Patching Policy
          • Details of finding
          • Recommendation and fix
        • Lockdown Policy
          • Details of finding
          • Recommendation and fix
        • Trust Policy
          • Details of finding
          • Recommendation and fix
      • Business Continuity Policy
        • Backup Policy
          • Details of finding
          • Recommendation and fix
        • Replacement premises provisioning
          • Details of finding
          • Recommendation and fix
        • Replacement personnel provisioning
          • Details of finding
          • Recommendation and fix
        • Replacement software provisioning
          • Details of finding
          • Recommendation and fix
        • Replacement hardware provisioning
          • Details of finding
          • Recommendation and fix
        • Replacement document provisioning
          • Details of finding
          • Recommendation and fix
    • Annexes
      • Glossary of Terms
        • Buffer Overflow
          • Normally takes the form of inputting an overly long string of characters or commands that the system cannot deal with. Some functions have a finite space available to store these characters or commands, and any extra characters etc. over and above this will then start to overwrite other portions of code; in worst-case scenarios this will enable a remote user to gain a remote command prompt with the ability to interact directly with the local machine.
        • Denial of Service
          • This is an aimed attack designed to deny a particular service that you rely on to conduct your business. These attacks are designed to, say, overtax a web server with multiple requests intended to slow it down and possibly cause it to crash. Traditionally such attacks emanated from one particular source.
        • Directory Traversal
          • Basically when a user or function tries to “break” out of the normal parent directory specified for the application and traverse elsewhere within the system, possibly gaining access to sensitive files or directories in the process.
        • Social Engineering
          • Normally uses a limited range of distinct subject matter to entice users to open and run an attachment say. Usually associated with phishing/E-mail type attacks. The main themes are:
            • Sexual – Sexual ideas/pictures/websites,
            • Curiosity – Friendly themes/appealing to someone’s passion or obsession,
            • Fear – Reputable sources/virus alert,
            • Authority – Current affairs/bank e-mails/company e-mails.
        • SQL Injection etc.
          • Basically when a low privileged user interactively executes PL/SQL commands on the database server by adding additional syntax into standard arguments, which is then passed to a particular function enabling enhanced privileges.
      • Network Map/Diagram
      • Accompanying Scan Results – CD-ROM
      • Vulnerability Definitions
        • Critical
          • A vulnerability allowing remote code execution, elevation of privilege or a denial of service on an affected system.
        • Important
          • A security weakness, whose exploitation may result in the compromise of the Confidentiality, Integrity or Availability of the company’s data.
        • Information Leak
          • Insecure services and protocols are being employed by the system, potentially allowing unrestricted access to sensitive information, i.e.:
            a. The use of the Finger and Sendmail services may allow enumeration of User IDs.
            b. Anonymous FTP and Web based services are being offered on network devices or peripherals.
            c. Disclosure of Operating System and Application version details and personal details of system administration staff.
        • Concern
          • The current systems configuration has a risk potential to the network concerned though the ability to exploit this is mitigated by factors such as default configuration, auditing, or the difficulty level or access level required to carry out an exploit. This includes the running of network-enabled services that are not required by the current business continuity process.
        • Unknowns
          • An unknown risk is an unclear response to a test or an action whose impact can be determined as having minimal impact on the system. The test identifying this risk may or may not be repeatable. While the results do not represent a security risk per se, they should be investigated and rectified where possible. Unknowns may also be due to false positives being reported; however, they do require a follow-up response.
      • Details of Tools Utilized.
      • Methodology Utilized.
        • Reconnaissance
          • The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms i.e. active and passive. A passive attack is always the best starting point as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilizing a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
        • Enumeration
          • The tester would use varied operating system fingerprinting tools to determine what hosts are alive on the network and more importantly what services and operating systems they are running. Research into these services would then be carried out to tailor the test to the discovered services.
        • Scanning
          • By use of vulnerability scanners all discovered hosts would be tested for vulnerabilities. The results would then be analyzed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on the network.
        • Obtaining Access
          • By use of published exploits or weaknesses found in applications, operating system and services access would then be attempted. This may be done surreptitiously or by more brute force methods. An example of this would be the use of exploit engines i.e. Metasploit or password cracking tools such as John the Ripper.
        • Maintaining Access
          • This is done by installing a backdoor into the target network to allow the tester to return as and when required. This may be by means of a rootkit, backdoor trojan or simply the addition of bogus user accounts.
        • Erasing Evidence
          • The ability to erase logs that may have recorded the testing team's attempts to access the network should ideally not be possible. These logs are the first piece of evidence that may prove that a possible breach of company security has occurred and should be protected at all costs. An attempt to erase or alter these logs should prove unsuccessful, to ensure that if a malicious attacker did in fact get access to the network then their every movement would be recorded.
        • See Penetration Test Framework for more details
      • Sources of Information


Malicious PDF attack spammed out from compromised VioVet email system

If you're a customer of VioVet, the UK pet supplies and medications website, then be very careful opening your email this morning.
Customers are reporting that they have received an email purporting to contain a £50 gift certificate from the company - but the files linked to by the email actually contain malware.
VioVet email
One VioVet customer who received the dangerous email was Naked Security reader Rob Sanders, who told us about his experience:
I received an email to my email address at 12:39am GMT. It was sent to an email address I use solely for Viovet purchases and purported to contain a £50 gift certificate for use on It was sent from support[at] by osCommerce, according to the headers and the IPs appear to check out, so it seems legitimate.
It contains 4 links to a RAR file hosted on 3 file lockers and 1 IP address. The file contains a single PDF which appears to be empty, at least when uploaded to Google Docs. I assume this is an exploit of some sort, so I haven't opened it locally.
Judging by the email and the broken English it's written in, someone seems to have hacked the osCommerce installation on the Viovet website. Their website is also showing a bright red message reading: "We are experiencing intermittent problems with processing payments at the moment, so please do try but if it fails then you should find it works again shortly. Once we are happy that the payment provider has resolved all issues we will remove this message. This is not a security issue, don't worry!"
SophosLabs researcher Paul Baccas took a look at the PDF file, and sure enough he confirmed that it was malicious, and exploited a number of different Adobe Reader vulnerabilities. Paul told me that the PDF does attempt to exploit CVE-2010-2883 (patched in Adobe Advisory APSA10-02), the SING Table Parsing Vulnerability and other vulnerabilities depending on the version of Adobe.
Sophos products detect the file as Mal/PDFEx-C.
Someone has also submitted the file to VirusTotal, where you can see what some other security vendors are calling it.
Interestingly, the booby-trapped PDF can display a CV as a decoy while doing its dirty work.
CV PDF decoy
A number of VioVet customers have posted messages on the company's Facebook page, confirming that they had also received the email. The firm's response on Facebook was a little curious, however, as it appeared to suggest that the emails had been "spoofed", and hadn't really come from their systems.
However, VioVet does confirm that it has removed "offending software" from its servers.
VioVet statement on Facebook
VioVet's website carries a warning to customers, about the incident explaining that the malicious spam messages were sent via a "legacy email system".
Whilst this is highly embarrassing, this is actually a good thing - we now know without any doubt that whoever did this did not have access to anything other than being able to send out some emails to customers.
In summary, it sounds like hackers were able to abuse VioVet's old mailing list software to send out a spam message to their customer base. That's a good reminder to everyone to make sure that obsolete software is removed from your servers - you may no longer be using it, but if it's just sitting there unpatched and unprotected it could potentially be exploited by cybercriminals.


Mar 4, 2011

What is svchost.exe And Why Is It Running?

You are no doubt reading this article because you are wondering why on earth there are nearly a dozen processes running with the name svchost.exe. You can't kill them, and you don't remember starting them… so what are they?

So What Is It?
According to Microsoft: "svchost.exe is a generic host process name for services that run from dynamic-link libraries". Could we have that in English please?
Some time ago, Microsoft started moving all of the functionality from internal Windows services into .dll files instead of .exe files. From a programming perspective this makes more sense for reusability… but the problem is that you can't launch a .dll file directly from Windows, it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born.

Why Are There So Many svchost.exes Running?
If you've ever taken a look at the Services section in Control Panel you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows… so they are separated out.
Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.

So What Can I Do About It?
You can trim down unneeded services by disabling or stopping the services that don't absolutely need to be running. Additionally, if you are noticing very heavy CPU usage on a single svchost.exe instance you can restart the services running under that instance.
The biggest problem is identifying what services are being run on a particular svchost.exe instance… we'll cover that below.
If you are curious what we're talking about, just open up Task Manager and check the "Show processes from all users" box:
Checking From the Command Line (Vista or XP)
If you want to see what services are being hosted by a particular svchost.exe instance, you can use the tasklist command from the command prompt in order to see the list of services.
tasklist /SVC
The problem with using the command line method is that you don't necessarily know what these cryptic names refer to.

Checking in Task Manager in Vista
You can right-click on a particular svchost.exe process, and then choose the "Go to Service" option.
This will flip over to the Services tab, where the services running under that svchost.exe process will be selected:
The great thing about doing it this way is that you can see the real name under the Description column, so you can choose to disable the service if you don't want it running.

Using Process Explorer in Vista or XP
You can use the excellent Process Explorer utility from Microsoft/Sysinternals to see what services are running as a part of a svchost.exe process.
Hovering your mouse over one of the processes will show you a popup list of all the services:
Or you can double-click on a svchost.exe instance and select the Services tab, where you can choose to stop one of the services if you choose.
Disabling Services
Open up Services from the administrative tools section of Control Panel, or type services.msc into the start menu search or run box.
Find the service in the list that you'd like to disable, and either double-click on it or right-click and choose Properties.
Change the Startup Type to Disabled, and then click the Stop button to immediately stop it.
You could also use the command prompt to disable the service if you choose. In this command "trkwks" is the Service name from the above dialog, but if you go back to the tasklist command at the beginning of this article you'll notice you can find it there as well.
sc config trkwks start= disabled
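The tasklist output above names services by their short names, and the article notes those are cryptic. As an added example (not from the original article), the parser below groups the services of each svchost.exe by PID from `tasklist /SVC` output, translates the short names it knows (an illustrative subset of Vista/XP display names, trkwks included), and flags a process called svchost.exe that hosts no services at all, which a genuine instance never does and which is a common sign of a look-alike process. The sample output is constructed, not captured.

```python
"""Map svchost.exe instances to hosted services from `tasklist /SVC` output.

Added example, not from the original article. It parses the text that
`tasklist /SVC` prints (including the indented continuation lines tasklist
uses for long service lists), groups services per PID, looks up display
names for an illustrative subset of short names, and flags any svchost.exe
that hosts no services. The sample below is constructed, not captured.
"""
import re

# Illustrative subset: short service name -> Services console display name.
DISPLAY_NAMES = {
    "trkwks": "Distributed Link Tracking Client",
    "EventLog": "Windows Event Log",
    "Dhcp": "DHCP Client",
    "RpcSs": "Remote Procedure Call (RPC)",
    "DcomLaunch": "DCOM Server Process Launcher",
    "PlugPlay": "Plug and Play",
    "Schedule": "Task Scheduler",
    "wscsvc": "Security Center",
}

# Constructed sample in the layout tasklist /SVC uses (not a real capture).
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   532 N/A
svchost.exe                    836 DcomLaunch, PlugPlay
svchost.exe                    920 RpcSs
svchost.exe                   1040 Dhcp, EventLog, lmhosts, wscsvc,
                                   Schedule
svchost.exe                   1104 trkwks
svchost.exe                   2412 N/A
"""

ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split_services(field: str):
    field = field.strip()
    if not field or field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text: str):
    """Return one record per process: image name, PID and list of short service names."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # header, separator or blank line
        if line[0].isspace() and records:
            # tasklist wraps long service lists onto indented continuation lines
            records[-1]["services"].extend(_split_services(line))
            continue
        m = ROW.match(line)
        if m:
            records.append({"image": m["image"], "pid": int(m["pid"]),
                            "services": _split_services(m["svcs"])})
    return records


def describe(short_name: str) -> str:
    """Display name for a short service name, or the short name if unknown."""
    return DISPLAY_NAMES.get(short_name, short_name)


def suspicious_svchosts(records):
    """PIDs of processes named svchost.exe that host no services at all."""
    return [r["pid"] for r in records
            if r["image"].lower() == "svchost.exe" and not r["services"]]


if __name__ == "__main__":
    recs = parse_tasklist_svc(SAMPLE_TASKLIST)
    for r in recs:
        if r["image"].lower() == "svchost.exe":
            names = ", ".join(describe(s) for s in r["services"]) or "(none)"
            print(f"svchost.exe PID {r['pid']}: {names}")
    for pid in suspicious_svchosts(recs):
        print(f"WARNING: svchost.exe PID {pid} hosts no services; verify its image path")
```

On a live system, feed the function the output of `tasklist /SVC` saved to a file; a flagged PID is worth checking in Process Explorer for the image path and signature.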


UPDATE: Scapy v2.2.0

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). 

It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP encrypted channel, …), etc.

Scapy now has a quick and easy interactive tutorial; click here to access it.
There are many new features and bug fixes in Scapy v2.2.0 that make Scapy different from other network security tools.
Download Scapy v2.2.0 here.


Mar 3, 2011

Bypassing Firewalls with SYN+FIN

A vulnerability exists in many firewalls and other systems that permits a session to be established in spite of the firewall rules. The specifics are outlined here.
To briefly demonstrate this, I will craft custom TCP packets with the SYN and FIN flags set. I will use Nmap for my port scanning and Nemesis for everything else:


nmap -v -v --scanflags SYNFIN -P0 <target>


nemesis tcp -v -fS -fF -D <target>  -S <myip>

In the case of Nmap, notice how the ports that were originally “filtered” are now “open”. Note that not all systems are vulnerable to this bypass. Sorry for not having a better demo; go and try it out on your own and see how it works. Enjoy!
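From the defender's side, the probe above has a distinctive shape: SYN and FIN set together never occur in a legitimate handshake, so a packet filter or IDS can drop or log it outright. The detector below is an added example, not code from the original post or from Nmap/Nemesis; the packets it inspects are constructed in memory with zero checksums and are not meant to be sent.

```python
"""Detect TCP segments carrying the illegal SYN+FIN flag combination.

Added example, not from the original post or from Nmap/Nemesis. A defender
verifying firewall behaviour needs to recognise these probes on the wire:
SYN and FIN together never occur in a legitimate TCP handshake, so a filter
or IDS rule can drop or log them outright. The packets below are constructed
in memory (checksums left at zero), not captured and not meant to be sent.
"""
import struct

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
SYN_FIN = 0x03  # FIN | SYN


def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flag_set) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4 or too short for an IP header
    ihl = (packet[0] & 0x0F) * 4         # IP header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None                      # not TCP (protocol 6), or truncated TCP header
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flag_bits = tcp[13]                  # flag byte of the TCP header
    flags = {name for bit, name in TCP_FLAG_NAMES.items() if flag_bits & bit}
    return src, dst, sport, dport, flags


def is_syn_fin(packet: bytes) -> bool:
    """True when the packet is TCP and has both SYN and FIN set."""
    parsed = parse_ipv4_tcp(packet)
    return parsed is not None and {"SYN", "FIN"} <= parsed[4]


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet for exercising the detector."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,   # v4, IHL 5, len 40, TTL 64, TCP
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    # seq/ack 0, data offset 5 words, flags, window 8192, checksum 0, urgent 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def scan_for_syn_fin(packets):
    """Return one alert line per packet carrying SYN+FIN (the Nmap/Nemesis probe shape)."""
    alerts = []
    for pkt in packets:
        if is_syn_fin(pkt):
            src, dst, sport, dport, flags = parse_ipv4_tcp(pkt)
            alerts.append(f"SYN+FIN probe {src}:{sport} -> {dst}:{dport} "
                          f"flags={'+'.join(sorted(flags))}")
    return alerts


if __name__ == "__main__":
    # Constructed traffic: one SYN+FIN probe, one ordinary SYN, one junk frame.
    sample = [
        build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80, SYN_FIN),
        build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40001, 80, 0x02),
        b"\x00" * 8,
    ]
    for line in scan_for_syn_fin(sample):
        print(line)
```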


Wophcrack – Ophcrack web interface

Rainbow tables are really useful when cracking password hashes. One disadvantage of these tables is their size, which can get up to tens and even hundreds of gigs.
I really liked the Offensive Security Crackpot online hash cracker and I thought it would be really nice to have a web interface for my rainbow tables which I can access from the web anywhere without having to carry them with me whenever I need them.

When cracking LM/NTLM hashes I really like using Ophcrack, which provides free GUI and CLI software along with some free and paid tables.

I wrote a quick and dirty PHP based web frontend for Ophcrack called Wophcrack. I must say I am not a programmer and I am sure this could be done more efficiently and elegantly; anyway, it's working fine :). I thought maybe someone will find it useful, so I decided to share it here.

Wophcrack was designed to work on Backtrack 4 R2, although it can be installed on any Linux distribution with some small adjustments. Wophcrack can also easily be edited to support RainbowCrack.
Please read the requirements and installation notes before using Wophcrack.
Wophcrack will require some manual code adjustments to suit your environment.

Wophcrack Backtrack Installation

I uploaded the wrong file version by mistake; sorry for the inconvenience.
You can download Wophcrack Source Here:
or from here:


Wophcrack is a Web based frontend for Ophcrack-cli

Installation (for Backtrack users and Ubuntu Server):
1. Install the MySQL server.
2. Set the root (or another) user and password for the MySQL server.
3. Create the cracker database in the MySQL server.
4. Import cracker.sql into your MySQL server.
5. Edit wophcrack/config.php for your environment.
6. Edit the Apache2 configuration file (sites-available/default) as follows (/pentest/password/wophcrack is my Wophcrack path):
        Alias /wophcrack "/pentest/password/wophcrack/"
        <Directory /pentest/password/wophcrack/>
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

7. I tried to use it, but it did not work because of the ^M characters and the ophcrack-cli call in the script, so I fixed it myself like this.

crontab -r
# the original line
#ophcrack-cli -g -d /pentest/passwords/RainbowTables/ -t /pentest/passwords/RainbowTables/$1 -f /tmp/temp.txt -o /tmp/output.txt
# my edit; rcrack/rainbow is my rainbow tables path.
ophcrack -g -d /pentest/passwords/rcrack/rainbow -t /pentest/passwords/rcrack/rainbow/$1 -f /tmp/temp.txt -o /tmp/output.txt

if [ $? -ne 0 ] ; then
        echo "Not Finished!"
        # -f takes the sender address; it was left blank in the original script
        for mail in $(cat /tmp/mail.txt); do
                sendEmail -f -u 'Hash Result' -t $mail < /tmp/output.txt
        done
        php /var/www/check.php
fi



Mar 2, 2011

Update: Intel completes $7.68B McAfee buyout

Intel will now run security company McAfee as a subsidiary, out of its Software and Services Group

Intel has completed its $7.68 billion acquisition of security vendor McAfee, the chip maker announced on Monday.
The all-cash deal makes Intel a security industry powerhouse, giving it a broad range of consumer and enterprise security products. Though the acquisition has left some observers scratching their heads, Intel says it needs the McAfee technology to help it bake security into its microprocessors and chipsets -- especially as Intel looks to become more competitive in smartphones and other portable devices.
"Intel and McAfee believe today's approach to security does not adequately address the billions of new Internet-ready devices, including PCs, mobile and wireless devices, TVs, cars, medical devices and ATM machines," Intel said Monday in a statement announcing the acquisition's close. "With the surge in cyber threats, providing protection to a diverse online world requires a fundamentally new approach involving software, hardware and services." 
Intel had been working to get the deal approved by U.S. and European Union regulators since it was announced last August. The European Commission, in particular, had expressed concerns that Intel would give McAfee special treatment when it came to its processors and chipsets, locking other security vendors out of the technology. Those concerns had reportedly been threatening to hold up the deal, but late last month the European Commission announced that Intel had assuaged its concerns. 
Although McAfee's technology can now be integrated into a wide range of Intel products, McAfee itself will be run as a subsidiary, operated out of Intel's Software and Services Group. That group is run by Renée James, who will now be the boss of McAfee chief Dave DeWalt.
McAfee is the world's second-largest security software company after Symantec.


Google buys malware analysis and reverse engineering firm Zynamics

Google has bought reverse-engineering and analysis tools firm Zynamics. Financial terms of the deal, announced on Tuesday, were undisclosed.
Zynamics is led by Thomas Dullien, a respected white-hat hacker better known by his online handle, Halvar Flake. The acquisition further strengthens Google's security team, which already includes noted security researcher Tavis Ormandy.
Much of the combined security brainpower of Google's engineers is geared towards outsmarting black-hat search optimisation, a tactic commonly applied so that links to scareware portals appear prominently in searches for topical terms, and in the classification and blocking of otherwise malign websites.
Germany-based Zynamics sells various malware analysis tools, such as VxClass, and reverse engineering products, such as BinDiff.


Google Pulls 21 Apps In Android Malware Scare

Mar 1, 2011

Injecting malicious HTML IFrames – Still a popular attack vector

Injecting malicious HTML IFrames into legitimate web pages has become a commonplace technique in web-based attacks. We recently came across another website that is infected with a malicious IFrame. Further research shows that the same malicious IFrame used on this website was also used to infect a number of other legitimate websites. Here is the main page of the infected site:

The page itself provides no visible indication of infection, but if you look at the source of the web page, you will notice a malicious IFrame injected under the Latest News section. Here is the source of the page:

The malicious IFrame points to “hxxp://”, which is currently down. By taking advantage of known and unknown vulnerabilities, attackers have injected malicious IFrames into many legitimate web pages. In this particular case, not only is the home page infected, but all the other pages on the site are infected as well. This likely indicates that the attacker used a SQL injection vulnerability to inject the malicious IFrame into the backend database from which the web pages are dynamically generated. A quick search on Google reveals a significant number of websites infected with the same IFrame. Here is a screenshot of the search results:

Another search reveals that Google has begun to proactively warn users about some of the pages associated with this attack.

You will note that the search results include ~85k sites, which suggests that this particular attack was very broad in scope. This attack also appears to have leveraged persistent XSS (Cross Site Scripting) vulnerabilities to inject malicious IFrames into the comment sections of various web forums. Here is a screenshot of one such website:

Here is a list of malicious IFrames associated with this attack that you should block: 
Attackers are continuing to take advantage of the poor security in web applications by writing utilities that are capable of infecting large numbers of sites in a short period of time, which in turn translates to thousands of victims with minimal effort. 
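The IFrame described above is invisible to a visitor and only shows up in the page source, so the practical defender's check is to audit the source rather than the rendered page. As an added example (not code from the original post or from the infected site), here is a small Python auditor that flags every iframe that is hidden by zero size or an inline display:none, or that points off-site, and derives from the hidden off-site ones the host list a proxy or web filter should block. The sample HTML, the .example host names and the page host www.victim.example are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, modelled on the article's description of an IFrame
# slipped in under a "Latest News" section. Host names are placeholders in
# the reserved .example TLD and do not refer to any real site.
SAMPLE_HTML = """<html><body>
<h2>Latest News</h2>
<p>Site news goes here.</p>
<iframe src="http://injected.example/in.php" width="0" height="0" style="display:none"></iframe>
<iframe src="/media/player.html" width="640" height="360"></iframe>
<iframe src="https://video.partner.example/embed/42" width="560" height="315"></iframe>
</body></html>
"""


def _tiny(value):
    """True for a width/height that leaves the frame invisible (0 or 1 px)."""
    try:
        return int(value.strip().lower().rstrip('px')) <= 1
    except ValueError:          # '', '100%', 'auto' ... are not tiny
        return False


def _hidden(attrs):
    """True when size or inline style keeps the iframe out of the visitor's view."""
    style = attrs.get('style', '').replace(' ', '').lower()
    return (_tiny(attrs.get('width', '')) or _tiny(attrs.get('height', ''))
            or 'display:none' in style or 'visibility:hidden' in style)


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that is hidden or whose src points off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    # handle_startendtag falls back to handle_starttag, so <iframe .../> is covered too
    def handle_starttag(self, tag, attrs):
        if tag.lower() != 'iframe':
            return
        a = {k.lower(): (v or '') for k, v in attrs}
        src = a.get('src', '')
        host = urlparse(src).netloc.lower()      # '' for a relative src
        offsite = bool(host) and host != self.page_host
        hidden = _hidden(a)
        if hidden or offsite:
            self.findings.append({
                'line': self.getpos()[0],        # source line, as a reviewer would cite it
                'src': src,
                'host': host,
                'hidden': hidden,
                'offsite': offsite,
            })


def audit_iframes(html, page_host):
    """Return the suspicious iframes in `html` for a page served from `page_host`."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def hosts_to_block(findings):
    """Hosts behind hidden, off-site iframes: the list to hand to a proxy or web filter."""
    return sorted({f['host'] for f in findings if f['hidden'] and f['offsite']})


if __name__ == '__main__':
    found = audit_iframes(SAMPLE_HTML, 'www.victim.example')
    for f in found:
        print(f)
    print('block:', hosts_to_block(found))
```

A visible off-site iframe (the partner video embed in the sample) is reported but not blocked, because legitimate embeds look exactly like that; only the hidden-and-off-site combination is treated as an injection. Running the auditor over every page of a site, not just the home page, is what exposes the database-driven injection the article describes.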


Two Android viruses circulating in the wild

Two Google Android viruses have been spotted circulating and infecting users’ smartphones in the wild. The viruses are potentially nasty because one – SW.SecurePhone – uploads data to remote servers from the users' handset, while the other – SW.Qieting – auto-forwards messages to a remote number.

NetQin Mobile, a Chinese smartphone security specialist, spotted the two viruses late last week and recommends that Android users check their mobile bills regularly for any unexplained charges.
According to NetQin, once installed SW.SecurePhone will run in the background without any icon being displayed and will monitor the phone, as well as collecting data to save on the SD card.
"The data – including messages, call log, location of the phone, recorded sounds around the phone and pictures in the phone – will then be uploaded to a remote server every 20 minutes. This will compromise privacy as well as use up internet traffic", says the firm.
"This virus is mainly distributed in the US through downloading from the internet", the company added.
SW.Qieting, meanwhile, is said to automatically forward messages received to a monitoring phone without the user being aware.
The malware is difficult to detect, says the company, since there is no icon displayed on the Android handset's screen following installation.
These two Android viruses, says NetQin, are proof that security threats in the wild are now a real threat.
As a result of its discoveries, the firm recommends that Android users should only download applications from trusted sources and always check reviews, ratings and developer information before downloading.
Android users should also never blindly accept application requests, and closely monitor permissions requested by any application.
"An application should not request to do more than what it offers in its official list of features", the company notes.


Bank oF Malware

Joining the ranks to be one of the largest malware, virus, and malicious code hash and information databases available to the public.
Public Scene: 2011 Collecting since: 1994

BoM does not support or condone the creation of malicious software. We just gather information about it and archive copies of it for current education and future examination as technology in the field of reversing advances, without leaving out the history itself, by tracking trends and techniques in the evolution of malicious code.


Defacement Statistics 2010: Almost 1.5 million websites defaced, what is happening?

Stats 2010
Last year Zone-H archived a sad record number: 1.419.203 website defacements.
Why and how is this happening?
Looking at the stats, things remain the same: file inclusion, SQL injection, WebDAV attacks and share misconfiguration are still the top-ranked attack methods used by defacers to gain initial access to the server. An important factor influencing the stats is that last year brought a very high number of local Linux kernel exploits.

For many years Linux has been the most used OS for web servers and, of course, the preferred target of defacers. Last year we archived 1.126.987 attacks against websites running on Linux systems. The exploit most used by defacers is CVE-2010-3301, which was fixed in 2007 and mysteriously reintroduced in 2008 into a large range of x86_64 kernel versions.

But is the out-of-date Linux server the only reason for this huge number of defacements?
Yes and no.
We were talking about local kernel exploits, but the first problem is in the website code. For example, we received a great many single defacements due to a remote upload flaw in the osCommerce CMS that lets defacers upload anything into the CMS folder without a proper credential check. When this flaw became public the developers had plenty of time to fix it, but the fix appeared only a few months later. Pity.
Year after year, developers keep coding unsafely, leaving tons of remote and local file inclusion and SQL injection flaws that attackers use as the first step to gain access to the server OS.
Another problem with an out-of-date system is that old kernel versions also indicate that other packages (sometimes misconfigured as well) are out of date, and those are what allow privilege escalation from the initial service or user access.
But we should not speak only about Linux servers; Windows servers are also in the stats, (not) surprisingly still hacked through the same flaws as in 2000 and earlier. Every year we also record a high number of WebDAV and share misconfiguration attacks. For WebDAV there are tons of updates, for shares too; administrators just need to put their hands on it and update and/or change the configuration.

From the results one outcome is clear: code developer teams and web server admins are still living in two distinct worlds. And if something is not working properly, their answer is that it is most likely the other side's fault. While this "fight" continues, the defacement count keeps growing.
If you have any comments, send them to comments@zone-h.org
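The two application-layer doors named above, an upload handler with no credential check and file inclusion bugs, are the first step of most of the defacements in these stats. As an added example (not the CMS's code and not Zone-H's), here is how both get closed in Python: an upload check that performs the credential check the flawed handler skipped, allowlists types by extension and leading magic bytes, never trusts the client's file name, and stores under a server-chosen random name; and an include resolver that only accepts page names from a fixed table and additionally verifies the resolved real path stays under the include directory. The session dict, the ALLOWED_TYPES and PAGES tables and the /srv/site/pages path are constructed assumptions for the example.

```python
import os
import secrets

# Constructed allowlist: permitted extensions and the magic bytes a file of that
# type must start with. A real CMS would derive this from its own media policy.
ALLOWED_TYPES = {
    '.png': b'\x89PNG\r\n\x1a\n',
    '.jpg': b'\xff\xd8\xff',
    '.gif': b'GIF8',
}

# Constructed table of includable pages: a request may name one of these keys,
# never supply a path of its own.
PAGES = {'home': 'home.php', 'contact': 'contact.php', 'news': 'news.php'}


def check_upload(session, filename, content, max_bytes=2_000_000):
    """Validate an upload; returns (ok, reason, stored_name).

    `session` is a hypothetical dict holding the caller's login state. The stored
    name is random, so the client never decides what lands in the web root.
    """
    # 1. The credential check the flawed upload handler skipped.
    if not session or not session.get('authenticated'):
        return False, 'not authenticated', None
    if not session.get('can_upload'):
        return False, 'account lacks upload right', None
    # 2. Only a bare file name is acceptable; no directory components at all.
    if not filename or any(c in filename for c in '/\\\0'):
        return False, 'path separators in file name', None
    # 3. Size limit before any further work on the content.
    if len(content) > max_bytes:
        return False, 'file too large', None
    # 4. Extension allowlist on the last extension only.
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, 'extension not allowed', None
    # 5. The bytes must look like the type the extension claims.
    if not content.startswith(magic):
        return False, 'content does not match extension', None
    # 6. Server-chosen random name. The upload directory must also be served
    #    with script execution disabled; that is a web server setting, not code.
    return True, 'ok', secrets.token_hex(16) + ext


def resolve_include(base_dir, page):
    """Map a user-supplied page name to a file under base_dir, or None.

    Two layers: the name must be a key of PAGES, and the resolved real path must
    still live inside base_dir (defence in depth against a mis-edited table).
    """
    target = PAGES.get(page)
    if target is None:
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, target))
    if not path.startswith(base + os.sep):
        return None
    return path


if __name__ == '__main__':
    user = {'authenticated': True, 'can_upload': True}      # constructed session
    png = b'\x89PNG\r\n\x1a\n' + b'\x00' * 16                # constructed PNG header
    print(check_upload(user, 'logo.png', png))
    print(check_upload(user, 'shell.php', b'<?php echo 1;'))
    print(check_upload(user, 'evil.png', b'<?php echo 1;'))
    print(resolve_include('/srv/site/pages', 'home'))
    print(resolve_include('/srv/site/pages', '../../etc/passwd'))
```

The order of the checks matters: authentication and the file-name test come before the content is even looked at, and the magic-byte check catches a script renamed to an image extension. Note that a remote file inclusion attempt (a URL in the page parameter) fails at the table lookup before any path handling runs.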


Attacks by month Year 2010
Jan 53.915
Feb 57.867
Mar 73.712
Apr 95.078
May 83.182
Jun 81.865
Jul 87.364
Aug 63.367
Sep 185.741
Oct 194.692
Nov 258.355
Dec 184.064

Special Attacks by month, Year 2010
Jan 891
Feb 1.851
Mar 1.228
Apr 1.361
May 1.693
Jun 1.711
Jul 1.198
Aug 1.411
Sep 1.265
Oct 1.463
Nov 1.227
Dec 1.576
Total 16.875

Single attacks by month, Year 2010
Jan 10.332
Feb 10.936
Mar 11.908
Apr 14.333
May 12.496
Jun 15.352
Jul 13.762
Aug 13.449
Sep 16.559
Oct 13.366
Nov 32.829
Dec 24.316
Total 189.638

Mass attacks by month  Year 2010
Jan 43.583
Feb 46.931
Mar 61.804
Apr 80.745
May 70.686
Jun 66.513
Jul 73.602
Aug 49.918
Sep 169.182
Oct 181.326
Nov 225.526
Dec 159.748
Total 1.229.564

Operating System, Year 2010
Linux 1.126.987
Windows 2003 197.822
FreeBSD 46.992
Win 2008 15.083
F5 Big-IP 14.000
Unknown 7.840
Win 2000 6.097
Solaris 9/10 2.373
MacOSX 1.038
Citrix Netscaler 232
Win NT/9x 221
Win XP 196
NetBSD/OpenBSD 99
HP-UX 73
Unix 15
Solaris/SunOS 13
Solaris 8 11
OpenBSD 8
Compaq Tru64 5
Compaq OS/2 5
OS390 3
MacOS 3
Novell Netware 1
AS/400 1

Webserver defaced, Year 2010
Apache 1.095.982
IIS/6.0 195.154
nginx 40.640
LiteSpeed 37.795
Zeus 14.111
Unknown 10.763
IIS/7.0 10.433
IIS/5.0 6.109
IIS/7.5 4.002
NOYB 2.083
lighttpd 733
YTS 306
IdeaWebServer 305
IIS/5.1 196
IIS/4.0 141
WebSitePro 59
Microsoft-HTTPAPI 52
Rapidsite 51
SunONE WebServer 37
ConcentricHost-Ashurbanipal 21
Squid 21
Cherokee 20
Zope 15
DinaHTTPd Server 13
Resin 11
SilverStream Server 10
Sun-Java-System-Web-Server/7.0 10
exteNd Application Server 10
Netscape-Enterprise 9
DataPalm 6
Allegro-Software-RomPager 6
IceWarp 5
AOL server 5
Abyss 3
Sun Java System Application Server 9.1_02 3
HP-ChaiServer 3
Jetty 2
Sun Java System Web Server 6.1 2
Roxen 1
Caudium 1
Squeegit 1
Lasso 1
Net Port Software 1.1 1
NetWare-Enterprise-Web-Server 1
4D_WebSTAR_S 1
OmniHTTPd 1
Oracle AS 1

Attack Method, Year 2010
File Inclusion 634.620
Attack against the administrator/user (password stealing/sniffing) 220.521
Other Web Application bug 124.878
SQL Injection 98.250
Not available 91.402
Known vulnerability (i.e. unpatched system) 42.849
Undisclosed (new) vulnerability 25.552
Other Server intrusion 19.528
Web Server intrusion 18.976
FTP Server intrusion 15.619
SSH Server intrusion 15.214
Configuration/admin. mistake 13.901
URL Poisoning 13.191
Remote administrative panel access through bruteforcing 12.132
Brute force attack 10.145
Shares misconfiguration 9.530
RPC Server intrusion 7.911
Telnet Server intrusion 7.530
Web Server external module intrusion 7.368
Mail Server intrusion 6.260
Social engineering 4.776
DNS attack through cache poisoning 3.689
DNS attack through social engineering 2.878
Rerouting after attacking the Firewall 2.550
Rerouting after attacking the Router 2.458
Remote service password bruteforce 1.987
Remote service password guessing 1.917
Access credentials through Man In the Middle attack 1.752
Remote administrative panel access through social engineering 992
Remote administrative panel access through password guessing 849

Attack Reason Year 2010
Heh…just for fun! 829.975
I just want to be the best defacer 289.630
Not available 94.017
Patriotism 58.970
Political reasons 57.083
Revenge against that website 45.093
As a challenge 44.457

Linux vs Windows
Year  Total defacements Linux (all distros)  Total defacements Windows (all versions)
2000 931 2.587
2001 4.080 13.549
2002 22.693 43.441
2003 191.720 58.571
2004 247.113 119.402
2005 276.294 179.945
2006 446.039 258.129
2007 305.968 139.427
2008 352.449 141.061
2009 378.728 143.151
2010 1.126.987 219.419
Total 3.076.889 1.318.682