Feb 20, 2015

Howto: Detect SuperFish (MITM with JavaScript)

<img style="width:300px;height:300px;" src="https://superfish.xmarks.com/infected.png" onerror="this.src='https://lastpass.com/superfish/safe.png';">
If the client has been MITMed (man-in-the-middle), the page shows https://superfish.xmarks.com/infected.png; if not, it shows https://lastpass.com/superfish/safe.png. The probe host serves a certificate issued by Superfish's self-signed CA, so a client that does not trust that CA gets a certificate error, the image fails to load, and the onerror handler swaps in the "safe" image. If the client has been MITMed with a trusted certificate (the Superfish CA, or any other interception CA that re-signs the site's certificate), the image loads normally, onerror never fires, and the "infected" image stays.
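A reusable version of the same probe, as an added example that is not part of the original post: it keeps the load/error logic of the img tag above, but reports a third state when neither event fires, so a probe host that is simply unreachable is not reported as clean. The probe URL is the one from the post (any host whose certificate chains to the Superfish CA works); a corporate proxy with its own trusted interception CA also produces the "trusted" result.

```javascript
// Probe URL from the post: served with a certificate signed by the Superfish CA.
const PROBE_URL = "https://superfish.xmarks.com/infected.png";

// Turn the raw outcome of the image load into a verdict. Three states, not
// two: if neither event fires before the deadline, the host was unreachable
// and nothing can be said about the client's certificate store.
function classify(outcome) {
  if (outcome === "load") {
    return { trusted: true, verdict: "Superfish CA (or another interception CA) is trusted" };
  }
  if (outcome === "error") {
    return { trusted: false, verdict: "certificate rejected, Superfish CA not trusted" };
  }
  return { trusted: null, verdict: "inconclusive, probe host did not answer" };
}

// Browser only: race the image's load and error events against a deadline.
// Resolves with the classify() result; never rejects.
function probeSuperfish(url = PROBE_URL, timeoutMs = 5000) {
  return new Promise((resolve) => {
    let timer;
    const done = (outcome) => {
      clearTimeout(timer);
      resolve(classify(outcome));
    };
    timer = setTimeout(() => done("timeout"), timeoutMs);
    const img = new Image();
    img.onload = () => done("load");
    img.onerror = () => done("error");
    // Cache-busting query string so a previously cached copy cannot fake a "load".
    img.src = url + "?nocache=" + Date.now();
  });
}
```

Call `probeSuperfish().then(r => console.log(r.verdict))` from a page's script; only a `trusted: false` result means the Superfish CA is definitely not in the trust store.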


PowerShell to find the Superfish certificate (by Carnal0wnage)
powershell -Command Get-ChildItem -Recurse Cert: > certs.txt
powershell -Command Get-ChildItem -Recurse Cert: | findstr -i Superfish

Source:: https://filippo.io/Badfish/
 

Tools: CMSmap is a python open source CMS (Content Management System) scanner


CMSmap is a Python open source CMS scanner that automates the process of detecting security flaws in the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.
At the moment, the CMSs supported by CMSmap are WordPress, Joomla and Drupal.
Please note that this project is in an early state. As such, you might find bugs, flaws or malfunctions. Use it at your own risk!

Source::  https://github.com/dionach/CMSmap

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: pemcrack - Cracks SSL PEM files that hold encrypted private keys.

Cracks SSL PEM files that hold encrypted private keys. Brute forces or dictionary cracks. This code is extraordinarily slow, DON'T JUDGE ME!!!

Source:: https://github.com/robertdavidgraham/pemcrack


Feb 19, 2015

Howto: Truncate all tables in one line

# mysql -Nse 'show tables' DATABASE_NAME | while read table; do mysql -e "truncate table $table" DATABASE_NAME; done




Feb 18, 2015

SSLBL - SSL Blacklist Website

SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch as being associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can be found in the SSL Blacklist section.

 
Source:: https://sslbl.abuse.ch/



Feb 17, 2015

Tools: Examples of Equation malware and YARA rules to detect them.

Sample
https://www.dropbox.com/s/latggdox9s3xv4t/Equation_x86_x64.zip?dl=0
http://contagiodump.blogspot.com/2015/02/equation-samples-from-kaspersky-report.html 

Yara Rules: (http://pastebin.com/P0Fb9DPb)
rule Equation_Kaspersky_TripleFantasy_1 {
        meta:
                description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
        strings:
                $mz = { 4d 5a }
       
                $s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
                $s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
                $s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
                $s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" fullword wide
                $s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
                $s5 = "Chrome" fullword wide
                $s6 = "StringIndex" fullword ascii
               
                $x1 = "itemagic.net@443" fullword wide
                $x2 = "team4heat.net@443" fullword wide
                $x5 = "62.216.152.69@443" fullword wide
                $x6 = "84.233.205.37@443" fullword wide
               
                $z1 = "www.microsoft.com@80" fullword wide
                $z2 = "www.google.com@80" fullword wide
                $z3 = "127.0.0.1:3128" fullword wide
        condition:
                ( $mz at 0 ) and filesize < 300000 and
                (
                        ( all of ($s*) and all of ($z*) ) or
                        ( all of ($s*) and 1 of ($x*) )
                )
}
rule Equation_Kaspersky_DoubleFantasy_1 {
        meta:
                description = "Equation Group Malware - DoubleFantasy"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
        strings:
                $mz = { 4d 5a }
               
                $z1 = "msvcp5%d.dll" fullword ascii
               
                $s0 = "actxprxy.GetProxyDllInfo" fullword ascii
                $s3 = "actxprxy.DllGetClassObject" fullword ascii
                $s5 = "actxprxy.DllRegisterServer" fullword ascii
                $s6 = "actxprxy.DllUnregisterServer" fullword ascii
               
                $x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
                $x2 = "191H1a1" fullword ascii
                $x3 = "November " fullword ascii
                $x4 = "abababababab" fullword ascii
                $x5 = "January " fullword ascii
                $x6 = "October " fullword ascii
                $x7 = "September " fullword ascii
        condition:
                ( $mz at 0 ) and filesize < 350000 and
                (
                        ( $z1 ) or
                        ( all of ($s*) and 6 of ($x*) )
                )
}
rule Equation_Kaspersky_GROK_Keylogger {
        meta:
                description = "Equation Group Malware - GROK keylogger"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
        strings:
                $mz = { 4d 5a }
                $s0 = "c:\\users\\rmgree5\\" ascii
                $s1 = "msrtdv.sys" fullword wide
               
                $x1 = "svrg.pdb" fullword ascii
                $x2 = "W32pServiceTable" fullword ascii
                $x3 = "In forma" fullword ascii
                $x4 = "ReleaseF" fullword ascii
                $x5 = "criptor" fullword ascii
                $x6 = "astMutex" fullword ascii
                $x7 = "ARASATAU" fullword ascii
                $x8 = "R0omp4ar" fullword ascii
               
                $z1 = "H.text" fullword ascii
                $z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
                $z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
        condition:
                ( $mz at 0 ) and filesize < 250000 and
                (
                        $s0 or
                        ( $s1 and 6 of ($x*) ) or
                        ( 6 of ($x*) and all of ($z*) )
                )      
}
rule Equation_Kaspersky_GreyFishInstaller {
        meta:
                description = "Equation Group Malware - Grey Fish"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
        strings:
                $s0 = "DOGROUND.exe" fullword wide
                $s1 = "Windows Configuration Services" fullword wide
                $s2 = "GetMappedFilenameW" fullword ascii
        condition:
                all of them
}
rule Equation_Kaspersky_EquationDrugInstaller {
        meta:
                description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
        strings:
                $mz = { 4d 5a }
               
                $s0 = "\\system32\\win32k.sys" fullword wide
                $s1 = "ALL_FIREWALLS" fullword ascii
               
                $x1 = "@prkMtx" fullword wide
                $x2 = "STATIC" fullword wide
                $x3 = "windir" fullword wide
                $x4 = "cnFormVoidFBC" fullword wide
                $x5 = "CcnFormSyncExFBC" fullword wide
                $x6 = "WinStaObj" fullword wide
                $x7 = "BINRES" fullword wide
        condition:
                ( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
}
rule Equation_Kaspersky_EquationLaserInstaller {
        meta:
                description = "Equation Group Malware - EquationLaser Installer"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
        strings:
                $mz = { 4d 5a }
                $s0 = "Failed to get Windows version" fullword ascii
                $s1 = "lsasrv32.dll and lsass.exe" fullword wide
                $s2 = "\\\\%s\\mailslot\\%s" fullword ascii
                $s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
                $s4 = "lsasrv32.dll" fullword ascii
                $s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" fullword ascii
                $s6 = "%s %02x %s" fullword ascii
                $s7 = "VIEWERS" fullword ascii
                $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
        condition:
                ( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
}
rule Equation_Kaspersky_FannyWorm {
        meta:
                description = "Equation Group Malware - Fanny Worm"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
        strings:
                $mz = { 4d 5a }
       
                $s1 = "x:\\fanny.bmp" fullword ascii
                $s2 = "32.exe" fullword ascii  
                $s3 = "d:\\fanny.bmp" fullword ascii
       
                $x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
                $x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
                $x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
                $x4 = "\\system32\\win32k.sys" fullword wide
                $x5 = "\\AGENTCPD.DLL" fullword ascii
                $x6 = "agentcpd.dll" fullword ascii
                $x7 = "PADupdate.exe" fullword ascii
                $x8 = "dll_installer.dll" fullword ascii               
                $x9 = "\\restore\\" fullword ascii
                $x10 = "Q:\\__?__.lnk" fullword ascii
                $x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
                $x12 = "\\shelldoc.dll" fullword ascii
                $x13 = "file size = %d bytes" fullword ascii
                $x14 = "\\MSAgent" fullword ascii
                $x15 = "Global\\RPCMutex" fullword ascii
                $x16 = "Global\\DirectMarketing" fullword ascii
        condition:
                ( $mz at 0 ) and filesize < 300000 and
                (
                        ( 2 of ($s*) ) or
                        ( 1 of ($s*) and 6 of ($x*) ) or
                        ( 14 of ($x*) )
                )
}
rule Equation_Kaspersky_HDD_reprogramming_module {
        meta:
                description = "Equation Group Malware - HDD reprogramming module"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
        strings:
                $mz = { 4d 5a }
                $s0 = "nls_933w.dll" fullword ascii
               
                $s1 = "BINARY" fullword wide
                $s2 = "KfAcquireSpinLock" fullword ascii
                $s3 = "HAL.dll" fullword ascii
                $s4 = "READ_REGISTER_UCHAR" fullword ascii
        condition:
                ( $mz at 0 ) and filesize < 300000 and all of ($s*)
}
rule Equation_Kaspersky_EOP_Package {
        meta:
                description = "Equation Group Malware - EoP package and malware launcher"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
        strings:
                $mz = { 4d 5a }
                $s0 = "abababababab" fullword ascii
                $s1 = "abcdefghijklmnopq" fullword ascii
                $s2 = "@STATIC" fullword wide
                $s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
                $s4 = "@prkMtx" fullword wide
                $s5 = "prkMtx" fullword wide
                $s6 = "cnFormVoidFBC" fullword wide
        condition:
                ( $mz at 0 ) and filesize < 100000 and all of ($s*)
}
rule Equation_Kaspersky_TripleFantasy_Loader {
        meta:
                description = "Equation Group Malware - TripleFantasy Loader"
                author = "Florian Roth"
                reference = "http://goo.gl/ivt8EW"
                date = "2015/02/16"
                hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
        strings:
                $mz = { 4d 5a }
               
                $x1 = "Original Innovations, LLC" fullword wide
                $x2 = "Moniter Resource Protocol" fullword wide
                $x3 = "ahlhcib.dll" fullword wide      
       
                $s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
                $s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
                $s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
                $s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
                $s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
                $s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
        condition:
                ( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
}

News::
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/




Feb 16, 2015

Tools: OSXCollector - Forensic OSX

OSXCollector is a forensic evidence collection & analysis toolkit for OSX.

Forensic Collection

The collection script runs on a potentially infected machine and outputs a JSON file that describes the target machine. OSXCollector gathers information from plists, SQLite databases and the local file system.

Forensic Analysis

Armed with the forensic collection, an analyst can answer questions like:
  • Is this machine infected?
  • How'd that malware get there?
  • How can I prevent and detect further infection?
Yelp automates the analysis of most OSXCollector runs, converting OSXCollector output into an easily readable and actionable summary of just the suspicious stuff.

Source:: http://yelp.github.io/osxcollector/



Tools: Asgard - PHP Malware Scanner (Machine Learning)

Asgard Security Scanner is a fast and free security tool that helps you detect malware in your WordPress installation. Secure your site and increase search ranking. Our "Cloud" scanner helps you identify and remove any backdoors, trojans and hidden frames in themes/plugins.

Source:: http://www.asgardapi.com/

