Saturday, December 12, 2009

n00bRAT -[Linux Remote Admin Tool]- (Use as Trojan to test your Firewall/IDS)

n00bRAT -[Linux Remote Admin Tool]-

I am working on an open-source undetectable TuX.RAT project, currently in its Beta stage, released at Sourceforge at following link.
Give feedback of how to grow this project... what our geek community wants.

URL :: http://sourceforge.net/projects/n00brat/

::Description::
An undetectable Remote Administration Tool -OR- trojan, an all new approach. Easily usable, Client just requires any Web Browser to control remote machine via WebPage. Fooling firewalls/ids/ips security solutions, as it operates like any web-site.

::Usage::
* Remote Administration Tool for Linux/Unix (POSIX Based Machines)
* Can use it like a Trojan to test your Firewall / IDS / IPS


A Demo Video of Why This? What Code Is? How it Works?
http://www.youtube.com/watch?v=Jnx7nD0qU7M

Saturday, October 10, 2009

Scareware / Ransomware [Know Ur Lingo]

[Know Ur Lingo]

Scareware
are the rogue security softwares i.e. malicious softwares pretending to be security solutions working against viruses and worms. It pranks user to feel its need to make the machine secure against some attack or virus infection and gets installed.
Ransomware
are the malwares which hold the infected machine/service/data as hostage, and demand ransom for disinfecting the hostage. ;)

COUNTERMEASURES
if you think you have been infected by such malwares, or wanna minimize the risk of getting infected beforehand... you can use security solutions like
Microsoft Malicious Software Removal Tool : http://www.microsoft.com/security/malwareremove/default.aspx

Or you could get your file scanned by Kaspersky Free Online Virus Scan http://www.kaspersky.com/scanforvirus

Sunday, September 6, 2009

ADS [ Alternate Data Stream ] : NTFS - The Dark Side

ADS [ Alternate Data Stream ] : NTFS - The Dark Side

The feature of NTFS from WinNT v3.1 onwards which is very dangerous as can be used to hide files on your system even undetected from several Antivirus, and other Security Products.

This ADS can even be used to hide malicious files, so to counter such covert attacks one need to figure out the the unwanted files in ADS on their disk drives.

To hide files in ADS (say adsF.ext into ADS of mainF.ext), at command prompt
cmd:\> type adsF.ext > mainF.ext:adsFile.ext
Now to access it (say it opens in Notepad)
cmd:\> notepad mainF.ext:adsFile.ext

For this several professional tools can be used, like
HijackThis (from Trend Micro) : http://free.antivirus.com/
Lads (from Heysoft) : http://www.heysoft.de/en/software/lads.php?lang=EN
SFind (in Forensic Toolkit) : http://www.foundstone.com/us/resources/

Here we discuss how to use ADS to hide files... and how to secure yourself from files in ADS.

To get a live demo Video on this stuff watch the video below:
http://blip.tv/file/2565748
or
http://www.youtube.com/watch?v=h96meoDYWSg

Tuesday, July 7, 2009

Vulnerable Microsoft's Video ActiveX Control Allows Remote Access [ 0-day attacks]

Vulnerable Microsoft's Video ActiveX Control Allows Remote Access [ 0-day attacks]

As made public on June 6'2009, Microsoft's Video ActiveX has Remote Code Exploit threat, where using a malformed web-page Remote code execution could be enabled on the target machine. Cybercriminals are using the vulnerability to install a data stealing trojan on target machine affecting Microsoft Directshow.

If the target user is using IE, then attacker could get local user rights using exploits by without any user-intervention. So, the CyberCriminal just need to pursue victim to view it's malformed web-page and the victim's machine gets compromised.

Microsoft states it is aware of the vulnerability and suggests Kill-bit MPEG2TuneRequest ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF) as the workaround to avoid the threat.
The defense it would provide is more than the minor side-effects it would cause.

To Avoid Threat
This kill-bit to avoid the threat can be automatically applied to your windows machine by "Microsoft Fix It" from online utility provided by Microsoft.com @ http://support.microsoft.com/kb/972890

Microsoft's Link : Enable The Fix || Workaround
Microsoft's Link : Disable The Fix || Workaround

Data 'bout Threat
Can be exploited via any kind of HTML document, a website or e-mail, etc. . This vulnerability is not a risk if you are using Windows Vista.

. 967 Chinese websites replorted to successive redirecting to finally download a JPG file containing the exploit, detected by Trend Micro as JS_DLOADER.BD., that downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates AV processes, and drops other malware on the affected system.

Detailed Info from Microsoft
Security Advisory

Friday, July 3, 2009

First Firefox Malware : Trojans Stealing Passwords Typed in Firefox using Firefox Add-on Disguise

First Firefox Malware : Trojans using Firefox Add-on Disguise
Roll your mouse over topics to expand them... :)
Information On Malware

Symptoms of Infection

List of Accounts mainly under attack

What To Do If Infected
__________________________________________________
Bitdefender released information on this threat naming it as Trojan.PWS.ChromeInject.A, which spawns with the execution of Firefox and poses as a Plug-in to it, mainly works on Key Banking... can get access to all your passwords entered in the Password boxes opened in Firefox Browser.

The ChromeInject suffix refers to the Chrome component Firefox has. This malware infects your machine via drive-by download or download duping.
Once installed on the machine it registers itself as a fake 'GreaseMonkey' (a great firefox add-on for website customization using javascripts), and using javascript checks your machine for mainly banking passwords of more than 100 sites (like PayPal, etc.).
All this sensitive data collected by it is then transferred online to a server supposed to be located in Russia.

So, don't stop using Greasemonkey... but make sure you download it from Mozilla.com, so that you don't fall pray to malware.
__________________________________________________

Saturday, June 13, 2009

ATMs under Trojan Attack in Eastern Europe

ATMs under Trojan Attack in Eastern Europe

security experts revealed a family of data-stealing trojans is infecting automatic teller machines in Eastern Europe over the past 18 months

It monitors transaction message queue for track 2 data stored on inserted cards. If it contains data belonging to a banking customer, it logs it, along with the PIN code that was entered.

The software works with Controller Cards... in its Primary Menu the main features it provide are
1. Print Collected Data
2. Restore logged files before malware infected the machine
3. Uninstallling the malware

there is a secomdary menu with main features as
1. Dispensing all Cash in ATM
2. Upload data to a chip on cotroller card

Thursday, June 11, 2009

Conficker : one of most dreaded worm of 2008

Conficker
(also known as Downup, Downadup and Kido)
targets Microsoft Windows operating system, first detected in November 2008.
Believed to be the largest computer worm infection since the 2003 SQL Slammer.

If got infected try it:
Microssoft's Live Online Scan
or
download and run this utility on your infected machine


Its Nature:
* Extracts all of its files to the %System% directory with random DLL file names, which can wreak havoc on your computer.
* Deletes the user's Restore Points.
* Registers a services called Netsvcs
* Creates scheduled tasks that execute all of the DLL files.
* Creates it's own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
* Creates an Autorun.inf file in file shares to execute the warm files once the share is accessed by another computer.
* Connects to external sites to download additional files.

This exploits vulnerability called MS08-067 in Windows 2000, XP, and Server 2003.
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

Click Image To Enlarge It


For Detailed Information : Click Here