securitybananas.com

Security news from all over the world

Archive for the 'exploits' Category

Made in Egypt

In many reports we see that countries like Russia, India and Brazil are taking part in the world of cybercrime. During some research I discovered an executable that was new to me. Before going into reverse engineering I always try the short way first, so I searched for it on some forums. The ‘tool’ is called ‘Deeper RAT’. According to the developer, who uses the nickname ‘binaryEvil’, ‘it’s a reverse connection remote administration tool that allows you to remote control computers that are behind firewalls and routers’.

According to the developer it has the following features:

[Features:]

[1] Main:
[a] Server size ~ 80 Kb
[b] Memory execution
[c] Encrypted connection
[d] All traffic goes through one port
[e] User filtration
[f] Broadcasting
[g] Sound events

[2] Spy:
[a] Information
[b] Unicode Key Logger
-> OFF Keys
[c] CAM Capture
[d] Screen Capture
[e] Clipboard Monitor

[3] Manage:
[a] Process Manager
[b] Service Manager
-> Install Service
-> Edit Service
[c] Window Manager
[d] File Manager
-> File Search
-> Multiple File Transfer
[e] Registry Manager
-> Registry Search

[4] Tools:
[a] CMD Shell
[b] Multiple Downloader
[c] Power Manager

The next screenshot shows the ‘Service Manager’:

[Screenshot: Service Manager]

The main port Deeper listens on is TCP 511, and the default password provided is abcd1234 (duh).

No detection (yet) from AV vendors.

Extra information:

File size of the Deeper executable: 1929216 bytes

MD5 checksum: 5581b843081c9cc1d742b4cac0d13fe9

PEInfo: PE structure information

(base data)
entrypointaddress: 0x3968
timedatestamp:     0x4aa72241 (Wed Sep 09 03:34:25 2009)
machinetype:       0x14c (I386)

name   viradd    virsiz    rawdsiz   ntrpy  md5
.text  0x1000    0x19c720  0x19d000  6.66   3e882a17b12c010579566ad855d3eb0f
.data  0x19e000  0xe664    0x1000    0.00   620f0b67a91f7f74151bc5be745b7110
.rsrc  0x1ad000  0x37c1d   0x38000   6.77   71725bba745f5d3fde9ced06721de930
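As an added triage example, not from the original post, the Python script below reproduces the PEInfo section table above from a PE file: it walks the COFF header and section table and reports virtual address, virtual size, raw size, Shannon entropy and MD5 per section, the fields that make a high-entropy .text section stand out as possibly packed. The two-section sample PE it parses is constructed inline (its machine type and timestamp are copied from the table above), and the 7.0 entropy cut-off is an assumption.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte histogram."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(pe: bytes) -> dict:
    """Read the COFF header and section table; report the PEInfo fields per section."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    sect_off = coff + 20 + opt_size  # section table starts right after the optional header
    sections = []
    for i in range(nsect):
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", pe, sect_off + 40 * i)
        raw = pe[rawptr:rawptr + rawsiz]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "viradd": viradd,
                         "virsiz": virsiz, "rawdsiz": rawsiz, "ntrpy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machinetype": machine, "timedatestamp": stamp, "sections": sections}

def high_entropy_sections(report: dict, threshold: float = 7.0) -> list:
    """Sections whose raw data looks packed or encrypted (the 7.0 cut-off is an assumption)."""
    return [s["name"] for s in report["sections"] if s["ntrpy"] >= threshold]

def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton for testing; it is not a runnable program."""
    def sect(name, virsiz, viradd, rawsiz, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, virsiz, viradd, rawsiz, rawptr, 0, 0, 0, 0, 0)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4AA72241, 0, 0, 0, 0x0102)  # I386, 2 sections
    headers = (dos + b"PE\0\0" + coff + sect(b".text", 0x200, 0x1000, 0x200, 0x200)
               + sect(b".data", 0x200, 0x2000, 0x200, 0x400))
    text_raw = bytes(range(256)) * 2  # every byte value twice -> entropy 8.0 (packed-looking)
    data_raw = bytes(0x200)           # all zeros -> entropy 0.0, like the .data section above
    return headers.ljust(0x200, b"\0") + text_raw + data_raw

if __name__ == "__main__":
    rep = parse_pe(build_sample_pe())
    for s in rep["sections"]:
        print("%-6s 0x%-6x 0x%-6x 0x%-6x %5.2f  %s" % (s["name"], s["viradd"], s["virsiz"], s["rawdsiz"], s["ntrpy"], s["md5"]))
    print("high-entropy sections:", high_entropy_sections(rep))
```

Run it on a real file by replacing build_sample_pe() with the bytes read from disk; compare the per-section MD5s against the table when you need to confirm you are looking at the same build.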


HAR: Advanced MySQL Exploitation

posted by Frank Breedijk on the Schuberg Philis Blog:

A nice way to upload files to a web server. While there is nothing new about uploading a file to a web server and then executing it, using SQL injection to do it is a novelty. By using a zlib-compressed, base64-encoded payload and uploading it via SQL injection, the speaker would be able to bypass standard defenses like extension limiting and file type checking.

Unfortunately his demonstration turned into a demonstruction: even though he managed to upload the file, the payload did not execute. The payload did however execute when he visited the uploaded PHP file himself, clearly demonstrating that the exploit technique works.

The exploit works on WAMP platforms (Windows, Apache, MySQL, PHP) and may work on LAMP platforms (Linux, Apache, MySQL, PHP), but then requires that the user can upload to anywhere in the document root and that the file is then executable, both of which are classical examples of configuration mistakes.

source: http://www.cupfighter.net/index.php/2009/08/har-mysql-exploit/


Hacking CSRF Tokens using CSS History Hack

I was thinking about the problem of Cross Site Request Forgery and the current mitigation strategies used in the industry. In many of the real-world applications I have tested so far, I see the use of random tokens appended as part of the URL. If the request fails to provide any token, or provides a token with an incorrect value, then the request is rejected. This prevents CSRF or any cross-domain unauthorized function execution.

Until now, it was considered infeasible for an attacker to discover your CSRF token using brute force attacks on the server.

The reasons being:

  1. It generates a lot of noise on the network and is slow, so most probably an IDS or web application firewall will pick up the malicious behavior and block your IP. For example, a base16 CSRF token of length 5 characters (starting with a character) will generate approximately 393,216 requests.
  2. Many applications are programmed to invalidate your session after they detect more than a certain number of requests with invalid token values, e.g. 30.

I am going to change this belief by showing you a technique to quickly find CSRF tokens without generating alerts. This technique is a client-side attack, so there is almost no network traffic generated and hence your server and IDS/web application firewalls won’t notice it at all. This attack is based on the popular CSS History Hack found by Jeremiah Grossman 3 years ago.

Read the full article on:

http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/

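As an added, defender-side example that is not part of the quoted post: the request count above (6 * 16^4 = 393,216 candidates for a 5-character base16 token that starts with a letter) as a function, beside a small CSRF guard that issues 256-bit tokens and only accepts them from a POST body, rejecting any token that arrives in the query string, because a token in the URL is exactly what browser history exposes. The request dict and the CsrfGuard class are hypothetical, not a framework API.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

def token_search_space(alphabet: int, length: int, first_char_choices: int) -> int:
    """Candidates an attacker must enumerate, whether by brute force or by history sniffing."""
    return first_char_choices * alphabet ** (length - 1)

class CsrfGuard:
    """Per-session anti-CSRF tokens that travel in a hidden POST field, never in the URL (hypothetical API)."""

    def __init__(self, nbytes: int = 32):
        self._nbytes = nbytes
        self._tokens = {}  # session id -> token; a real app keeps this in server-side session state

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(self._nbytes)  # 64 hex chars: 16**64 candidates, far beyond sniffing
        self._tokens[session_id] = token
        return token

    def check(self, session_id: str, request: dict) -> bool:
        """request is a constructed dict with 'method', 'url' and 'form' keys."""
        if request["method"] != "POST":
            return False  # state-changing actions only over POST, so a plain link cannot replay them
        if "csrf" in parse_qs(urlsplit(request["url"]).query):
            return False  # a token in the query string ends up in browser history and server logs
        expected = self._tokens.get(session_id)
        submitted = request.get("form", {}).get("csrf")
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)  # constant-time comparison

if __name__ == "__main__":
    print("5-char base16 token starting with a letter:", token_search_space(16, 5, 6))
    guard = CsrfGuard()
    tok = guard.issue("sess-1")
    ok = guard.check("sess-1", {"method": "POST", "url": "/transfer", "form": {"csrf": tok}})
    leaky = guard.check("sess-1", {"method": "POST", "url": "/transfer?csrf=" + tok, "form": {"csrf": tok}})
    print("valid POST accepted:", ok, "| token leaked into URL rejected:", not leaky)
```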

OpenSSH 5.2 zero day exploit code to be released

On the Full-Disclosure list the following posting was made:

Dear Reader,
In 48 hours, the anti-sec movement will publicly unveil working exploit code and full details for the zero-day OpenSSH vulnerability we discovered. It will be posted to the Full-Disclosure security list.
Soon, the very foundations of Information Technology and Information Security will be unearthed as millions upon millions of systems running ANY version of OpenSSH are compromised by wave after wave of script-kiddies and malicious hackers.

Within 10 hours of the initial release of the OpenSSH 0-day exploit code, anti-sec will be unleashing powerful computer worm source code with the ability to automatically find and compromise systems running any and all versions of OpenSSH.

This is an attack against all White Hat Hackers who think that running a Penetration Test simply searching for known vulnerabilities is all they have to do in order to receive their payment. Anti-sec will savor the moment when White Hat Hackers are made to look like fools in the eyes of their clients.

Sincerely,

anti-sec

Any updates, activity or exploit code to investigate are welcome.
