A new Distributed Denial of Service (DDoS) crimeware bot known as “Zemra” and detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.
This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. This allows it to issue commands to compromised computers and act as the gateway to record the number of infections and bots at the attacker’s disposal.
Similar to other crimeware kits, the functionality of Zemra is extensive:
- 256-bit DES encryption/decryption for communication between server and client
- DDoS attacks
- Device monitoring
- Download and execution of binary files
- Installation and persistence in checking to ensure infection
- Propagation through USB
- Self update
- Self uninstall
- System information collection
However, the main functionality is the ability to perform a DDoS attack on a remote target computer of the user’s choosing.
Initially, when a computer becomes infected, Backdoor.Zemra dials home through HTTP (port 80) and performs a POST request sending hardware ID, current user agent, privilege indication (administrator or not), and the version of the OS. This POST request gets parsed by gate.php, which splits out the information and stores it in an SQL database. It then keeps track of which compromised computers are online and ready to receive commands.
Inspection of the leaked code allowed us to identify two types of DDoS attacks that have been implemented into this bot:
- HTTP flood
- SYN flood
Symantec added detection for this threat under the name Backdoor.Zemra, which became active on June 25, 2012. To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.
Nmap 6 Released
Most popular open source network discovery and security auditing tool Nmap has reached version 6.0.
The new code hit the Net last Monday, complete with a message from coder Gordon Lyon, aka Fyodor, that the new version represents “almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009.”
Fyodor recommends all users upgrade to the new version, so they can get their hands on 289 new scripts and a host of new features.
Top Improvements:
- Enhanced Nmap Scripting Engine (NSE)
- Better Web Scanning
- Full IPv6 Support
- New Nping Tool
- Better Zenmap GUI and Results Viewer
- Faster Scans
Download:
Linux: nmap-6.00.tar.bz2
Windows: nmap-6.00-win32.zip
Shylock Banking Trojan Spreads via Skype
The home Trojan-banker known as Shylock has just been updated with new functions. According to the CSIS Security Group, during an investigation, researchers found that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype.
The program was discovered in 2011 that steals online banking credentials and other financial information from infected computers. Shylock, named after a character from Shakespeare’s “The Merchant of Venice”.
Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK.
The Skype replication is implemented with a plugin called “msg.gsm”. This plugin allows the code to spread through Skype and adds the following functionality:
– Sending messages and transferring files
– Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
– Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
– Sends request to server: https://a[removed]s.su/tool/skype.php?action=…
Besides from utilizing Skype it will also spread through local shares and removable drives. Basically, the C&C functions allow the attacker to:
– Execute files
– Get cookies
– Inject HTTP into a website
– Setup VNC
– Spread through removable drives
– Uninstall
– Update C&C server list
– Upload files
Shylock is one of the most advanced Trojan-banker currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.
As always for this type of Trojans antivirus detection is low.
theHarvester – Information Gathering Tool
theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key servers.
This tools is intended to help Penetration testers in the early stages of the project It’s a really simple tool, but very effective.
The sources supported are:
– Google – emails,subdomains/hostnames
– Google profiles – Employee names
– Bing search – emails, subdomains/hostnames,virtual hosts
– Pgp servers – emails, subdomains/hostnames
– Linkedin – Employee names
– Exalead – emails,subdomain/hostnames
New features:
– Time delays between requests
– XML and HTML results export
– Search a domain in all sources
– Virtual host verifier
– Shodan computer database integration
– Active enumeration (DNS enumeration,DNS reverse lookups, DNS TLD expansion)
– Basic graph with stats
Some Examples:
Searching emails accounts for the domain microsoft.com, it will work with the first 500 google results:
./theharvester.py -d microsoft.com -l 500 -b google
Searching emails accounts for the domain microsoft.com in a PGP server, here it’s not necessary to specify the limit.
./theharvester.py -d microsoft.com -b pgp
Searching for user names that works in the company microsoft, we use google as search engine, so we need to specify the limit of results we want to use:
./theharvester.py -d microsoft.com -l 200 -b linkedin
Searching in all sources at the same time, with a limit of 200 results:
./theHarvester.py -d microsoft.com -l 200 -b all
Download: https://code.google.com/p/theharvester
Tor – Multiple Vulnerabilities
Multiple vulnerabilities have been found in Tor, the most severe of which may allow a remote attacker to execute arbitrary code.
Multiple vulnerabilities have been discovered in Tor:
- When configured as client or bridge, Tor uses the same TLS certificate chain for all outgoing connections (CVE-2011-2768).
- When configured as a bridge, Tor relays can distinguish incoming bridge connections from client connections (CVE-2011-2769).
- An error in or/buffers.c could result in a heap-based buffer overflow (CVE-2011-2778).
Impact:
A remote attacker could possibly execute arbitrary code or cause a Denial of Service. Furthermore, a remote relay the user is directly connected to may be able to disclose anonymous information about that user or enumerate bridges in the user’s connection.
Vulnerable Versions:
< 0.2.2.35
Workaround:
There is no known workaround at this time.
Resolution:
All Tor users should upgrade to the latest version:
# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/tor-0.2.2.35″
References:
– CVE-2011-2768
– CVE-2011-2769
– CVE-2011-2778
Reaver – WiFi Protected Setup Brute Force Attack Tool
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
While Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS pin is known.
Description:
Reaver targets the external registrar functionality mandated by the WiFi Protected Setup specification. Access points will provide authenticated registrars with their current wireless configuration (including the WPA PSK), and also accept a new configuration from the registrar.
In order to authenticate as a registrar, the registrar must prove its knowledge of the AP’s 8-digit pin number. Registrars may authenticate themselves to an AP at any time without any user interaction. Because the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not need any prior knowledge of the wireless encryption or configuration.
Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP’s 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.
Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts. The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.
Installation:
Reaver is only supported on the Linux platform, requires the libpcap and libsqlite3 libraries, and can be built and installed by running:
$ ./configure
$ make
# make install
To remove everything installed/created by Reaver:
# make distclean
Usage:
Usually, the only required arguments to Reaver are the interface name and the BSSID of the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05
Download: reaver-1.3.tar.gz
Reaver Home: https://code.google.com/p/reaver-wps/