Archive for March, 2012

A number of key command and control servers for the Zeus and SpyEye botnets have been taken down in an operation led by Microsoft. On Friday, March 23, Microsoft employees and US Marshals armed with a federal warrant raided facilities in Pennsylvania and Illinois that were housing equipment allegedly being used by the botnets. The takedown was the result of months of work culminating in Microsoft filing a suit against 39 unnamed parties seeking permission to disrupt the command and control infrastructure for the botnets. The action follows similar tactics used by Microsoft to take down other botnets such as Waledac, Rustock and Kelihos. Microsoft worked with officers from the Financial Services – Information Sharing and Analysis Center (FS-ISAC), the US Marshals, the National Automated Clearing House Association (the US electronic payments association) and researchers from F-Secure. While the move is seen by many as one that will cause severe disruption to the operation of these botnets, experts warn that the botnets will not be entirely disabled.


Windows Server 2008 R2 Hyper-V has passed the Common Criteria Evaluation Assurance Level 4+ (EAL 4+). Over the past 10 years, Microsoft has continued to demonstrate leadership in certifying its operating systems and applications, in order to provide customers with the additional confidence of independent validation of its design and security engineering.

Similar to their previous operating system evaluations and the independent Windows Server 2008 Hyper-V evaluation, they used the Windows Server 2008 R2 evaluation to demonstrate how Hyper-V is methodically designed, tested, and reviewed from a security perspective. The Hyper-V evaluation focused on isolation between the host partition and guest partitions, isolation between guest partitions, and the Live Migration capability, which was added in Windows Server 2008 R2.

The Hyper-V evaluation was performed by atsec Information Security GmbH and certified by the Federal Office for Information Security (BSI), the body of the German government which certifies products according to the ITSEC criteria for evaluating computer security and the Common Criteria (CC).

Windows Server “8” will continue to build on this capability and security in Hyper-V and the Windows Server platform to provide consistent, reliable and secure platform solutions for private clouds and datacenters. Microsoft encourages customers to explore and build on the evaluated Hyper-V platform to meet their needs for the next generation of applications and services.


Malware that resides in your RAM

Posted: March 20, 2012 in Analysis

Kaspersky Lab researchers have discovered a drive-by download attack that evades hard-drive checkers by installing malware that lives in the computer’s memory. The ‘fileless’ bot is more difficult for antivirus software to detect, and resides in memory until the machine is rebooted.

This malware, which doesn’t create any files on the affected systems, was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack. Drive-by download attacks are one of the primary methods of distributing malware over the web. They usually exploit vulnerabilities in outdated software products to infect computers without requiring user interaction.

The attack code loaded an exploit for a known Java vulnerability (CVE-2011-3544), but it wasn’t hosted on the affected websites themselves. Once the malware infected a Windows machine, the bot disabled User Account Control, contacted a command and control server and downloaded the ‘Lurk’ Trojan. The malware also attacked Apple devices.
The Java exploit’s payload consisted of a rogue DLL that was loaded and attached on the fly to the legitimate Java process. Malware of this kind is normally rare, because it dies when the system is rebooted and the memory is cleared. But the attackers do not really care, because there is a good chance that most victims will revisit the infected news websites. Once the malicious DLL is loaded into memory, it sends data to and receives instructions from a command and control server over HTTP.
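The post's point is that a bot living only in process memory is invisible to a scanner that checks files on disk, so the check has to be made against memory. As an added example (not code from the original post or from Kaspersky's analysis), the script below shows the Linux analogue of such a memory-based check: it parses the /proc/<pid>/maps format and reports executable mappings that are anonymous (no backing file) or whose backing file has been deleted, which is what injected, file-less code looks like from the outside. The sample maps text, the path /tmp/.x/stage.so and the inode numbers are constructed for the example.

```python
"""Flag executable memory regions that a disk-only scanner would never see.

Added example; the sample maps text below is constructed, not captured
from a real infection.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of /proc/<pid>/maps:
# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Anonymous mappings the kernel always creates; not interesting on their own.
KNOWN_ANON = {"[heap]", "[stack]", "[vdso]", "[vvar]", "[vsyscall]"}


@dataclass
class Region:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse the text of a /proc/<pid>/maps file into Region records."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], int(m["inode"]), m["path"].strip()))
    return regions


def suspicious_regions(regions: List[Region]) -> List[Tuple[Region, str]]:
    """Executable regions with no file behind them, in the order they appear."""
    findings = []
    for r in regions:
        if "x" not in r.perms:
            continue
        if r.path.endswith("(deleted)"):
            findings.append((r, "executable mapping of a deleted file"))
        elif r.inode == 0 and r.path not in KNOWN_ANON:
            if "w" in r.perms:
                findings.append((r, "writable+executable anonymous mapping"))
            else:
                findings.append((r, "anonymous executable mapping"))
    return findings


def scan_live(pid: str = "self") -> Optional[List[Tuple[Region, str]]]:
    """Run the check against a live process on Linux; None where /proc is absent."""
    path = f"/proc/{pid}/maps"
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return suspicious_regions(parse_maps(fh.read()))


# Constructed sample: a Java process with one rwx anonymous region and one
# executable mapping whose backing file was unlinked after loading.
SAMPLE_MAPS = """\
00400000-004c8000 r-xp 00000000 08:01 131 /usr/bin/java
006c8000-006ca000 rw-p 000c8000 08:01 131 /usr/bin/java
01a00000-01a21000 rw-p 00000000 00:00 0 [heap]
7f3a40000000-7f3a40022000 rwxp 00000000 00:00 0
7f3a41000000-7f3a41100000 r-xp 00000000 08:01 99 /tmp/.x/stage.so (deleted)
7f3a42000000-7f3a421b5000 r-xp 00000000 08:01 42 /lib/x86_64-linux-gnu/libc.so.6
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
7ffd1c1f0000-7ffd1c1f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for region, reason in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{region.start:012x}-{region.end:012x} {region.perms} "
              f"{region.size:>8} bytes  {reason}  {region.path}")
```

The caveat a practitioner needs: a JVM, as in the post, is exactly the kind of process that legitimately holds anonymous executable memory (the JIT code cache), so on a Java process the anonymous-executable rule is a noisy signal and the useful comparisons are against a baseline of the same process, or the stronger findings (deleted backing file, writable and executable at once). The Windows equivalent walks a process's VAD tree or module list for executable private memory and unbacked modules; the logic is the same, the source of the region list differs.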

Mercury is a free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android. It uses dynamic analysis of Android applications and devices for quicker security assessments, and lets users share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices. The easy extensions interface allows users to write custom modules and exploits for Mercury, replacing custom applications and scripts that each perform a single task with a framework that provides many tools.

Mercury allows you to:

  • Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
  • Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
  • Find information on installed packages with optional search filters to allow for better control
  • Built-in commands that can check application attack vectors on installed applications
  • Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
  • Create new modules to exploit your latest finding on Android, and play with those that others have found.

This demonstration shows how you can find and exploit SQL injection in Android applications using Mercury.
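The SQL injection Mercury finds through a content provider comes from the way Android's query API is shaped: a provider's query() receives a selection (a WHERE clause fragment) and a separate selectionArgs array, and an app that splices caller-supplied values into selection instead of binding them through selectionArgs is injectable from any other app that can reach the provider. The example below is added here and is not Mercury's code or the original post's; it models that pattern with Python's sqlite3 module, which drives the same SQLite engine Android's database API sits on, so the vulnerable and hardened forms behave exactly as they would inside a provider. The notes table, its rows and the hostile input are constructed for the example.

```python
"""Selection-string SQL injection, as an Android content provider exposes it.

Added example, not code from Mercury or from an Android project. The
`owner` parameter stands for a value that arrived over IPC from another app.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one table of per-user notes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice's note"), ("bob", "bob's secret"), ("o'brien", "irish note")],
    )
    return db


def query_vulnerable(db: sqlite3.Connection, owner: str) -> List[Tuple[str]]:
    """Mirrors a provider that builds `selection` by concatenating the caller's value.

    Any quote in `owner` ends the string literal, so the caller now writes SQL.
    """
    selection = "owner = '" + owner + "'"
    return db.execute("SELECT body FROM notes WHERE " + selection).fetchall()


def query_hardened(db: sqlite3.Connection, owner: str) -> List[Tuple[str]]:
    """Mirrors passing the value through `selectionArgs`.

    The placeholder is bound as data by the engine, never parsed as SQL, so a
    legitimate apostrophe (o'brien) works and a hostile one stays inert.
    """
    selection = "owner = ?"
    selection_args = (owner,)
    return db.execute("SELECT body FROM notes WHERE " + selection, selection_args).fetchall()


# Constructed hostile input of the kind a content-provider fuzz would send.
HOSTILE_OWNER = "x' OR '1'='1"


def demo() -> Tuple[int, int]:
    """Return (rows leaked by the vulnerable form, rows returned by the hardened form)."""
    db = make_db()
    leaked = len(query_vulnerable(db, HOSTILE_OWNER))   # whole table
    bound = len(query_hardened(db, HOSTILE_OWNER))      # nothing: no such owner
    return leaked, bound


if __name__ == "__main__":
    print("vulnerable/hardened row counts for hostile input:", demo())
```

Two things to carry back to the Android side. First, the hardened form is not enough when the provider forwards the caller's whole selection string to the database verbatim, which is the common shape of a provider's query(); there the caller controls the WHERE clause by design, and the defence is to restrict the query with SQLiteQueryBuilder (its strict mode rejects selections that escape the projection) and to keep the provider non-exported or behind a permission unless other apps genuinely need it. Second, the o'brien row is the reason to prefer binding even where no attacker is expected: the concatenated form breaks on ordinary data, so the hardened version is both safer and more correct.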


One of the world’s largest BitTorrent sites “The Pirate Bay” is going to put servers on GPS-controlled aircraft drones in order to evade authorities who are looking to shut the site down. In a Sunday blog post, The Pirate Bay announced new “Low Orbit Server Stations” that will house the site’s servers and files on unmanned, GPS-controlled, aircraft drones.
TPB said:
With the development of GPS controlled drones, far-reaching cheap radio equipment and tiny new computers like the Raspberry Pi, we’re going to experiment with sending out some small drones that will float some kilometers up in the air. This way our machines will have to be shut down with aeroplanes in order to shut down the system. A real act of war. We’re just starting so we haven’t figured everything out yet. But we can’t limit ourselves to hosting things just on land anymore. These Low Orbit Server Stations (LOSS) are just the first attempt. With modern radio transmitters we can get over 100Mbps per node up to 50km away. For the proxy system we’re building, that’s more than enough.

Low earth orbit is 100 miles up and requires a launch vehicle capable of achieving speeds of 17,000 miles an hour. At “some kilometers up in the air,” these drones would require significant power to stay afloat, and that’s even before the power required to transmit megabits per second over a wireless connection.

The LOSS are already in development, writes the TPB blog. However much they may want to solve the energy problem, they do not appear to have thought it through, and that will probably be the weak point. Drones cannot, at least for now, recharge in the air; they would have to come down somewhere to be charged, and at that point the authorities could easily get at the drones and switch them off.

It seems that, despite the will of the courts, The Pirate Bay will not be going down without somewhat more of a fight. To learn more about the latest developments in the next generation of quadcopters, check out the TED talk by the leader of the leading research group:

An appeal for help from the programming community has allowed antivirus analysts to classify the unknown language used to develop key components of the Duqu Trojan. The sections responsible for downloading and executing additional modules in the Duqu Trojan, referred to by some as Stuxnet 2.0, were written in standard C++.

Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.

Kaspersky’s Igor Soumenkov wrote, “No matter which of these two variants is true, the implications are impressive. The Payload DLL contains 95 Kbytes of event-driven code written with OO C, a language that has no automatic memory management or safe pointers.”
Kaspersky’s analysis now concludes:

  • The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”
  • The code was most likely written with a custom extension to C, generally called “OO C”
  • The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
  • The C&C code could have been reused from an already existing software project and integrated into the Duqu Trojan
The Duqu Framework may have been created by a different programming team, since it is unique to Duqu, unlike many parts of Duqu that seem to be directly borrowed from Stuxnet. It’s believed that the developers are old-school programmers who don’t trust C++, and that’s probably why they relied on C. Another reason for using OO C is that, back in the good old days, it was more portable than C++.
Knowing the techniques used to develop the malware allows Kaspersky’s researchers to make better guesses about who might be behind the code. Creating Duqu was a major project, so it’s possible that an entirely different team was responsible for creating the Duqu Framework, while others worked on creating drivers and system infection exploits. In this scenario it’s even possible that those who created the Duqu framework were ignorant of the real purpose of their work.
Duqu was first detected in September 2011, but Kaspersky Lab believes it has seen the first pieces of Duqu-related malware dating back to August 2007.

Born to be Hacked

Posted: March 18, 2012 in Penetration Testing


A few days ago an update to “Mutillidae”, version 2.1.17, was released. Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to install or administer their own webserver.
If you would like to practice pen-testing/hacking a web application by exploiting cross-site scripting, sql injection, response-splitting, html injection, javascript injection, clickjacking, cross frame scripting, forms-caching, authentication bypass, or many other vulnerabilities, then Mutillidae is for you.
Mutillidae has been tested/attacked with Cenzic Hailstorm ARC, W3AF, SQLMAP, Samurai WTF, Backtrack, HP Web Inspect, Burp-Suite, NetSparker Community Edition, and others.

  • Installs easily by dropping project files into the “htdocs” folder of XAMPP.
  • Switches between secure and insecure mode
  • Secure and insecure source code for each page stored in the same PHP file for easy comparison
  • Has dozens of vulnerabilities and challenges. Contains at least one vulnerability for each of the OWASP Top Ten 2007 and 2010
  • System can be restored to default with single-click of “Setup” button
  • Used in graduate security courses, in corporate web sec training courses, and as an “assess the assessor” target for vulnerability software