Archive for August, 2009
Fragus – crimeware in the wild
To control and administer botnets, many frameworks have been developed to simplify the work. In a posting on an underground forum, a new framework called Fragus v1.0 was announced.
Login screen:

Fragus, built with PHP, has a nice and shiny interface that supports English and Russian. Statistics can be viewed about browsers, operating systems and the countries in which the zombies are located. During the investigation some hosts running Windows 7 were found to be infected.
Some of the features of Fragus:
# Exploits imaging of high quality with possibility of checking with the help of ajax whether current exploit infects or not before loading the next one.
# Possibility to edit host on necessary URL after it is done allows not to lose used traffic, and to utilize it pro domo sua.
# Complete exploits modularity in the system. Your coder will be able to add them easily.
# Zero-written cryptor of exploits doesn’t overload browser, but nevertheless protects exploits pack safely from antiviruses.
# Cryptor lies in separate file and if you want you can easily add your cryptor.
# Patterns of pages on exploits imaging, with the page for those who visit twice, lie separately, disguising as 404 error.
# Fragus hides from searchbots, which disables domain detection.
# Fragus is highly optimized for operating with massive traffic flows and minimum load on server.
Using the modular exploit system is a piece of cake: new exploits can be added easily and crypted to evade detection by anti-virus products.
Examples of malware in Fragus:
Exploits:
* Mdac
* PDF: printf(), collectEmailInfo(), getIcon().
* MS DirectShow, large break increment
* MS09-002 – for IE7
* MS Spreadsheet, rather new exploit
* AOL IWinAmp
* MS Snapshot
* MS COM finish IE6
Example:

The basic pricing for this package is 800 USD; some extra features can be purchased e.g. a Zero-written cryptor for another extra 150 USD.
Just a ‘normal’ day
This morning I discovered some malware on one of my honeypots. By researching it I discovered it was malware connecting to a Zeus server. Zeus is crimeware which can be used to build a botnet. By investigating more of this botnet I discovered that several Dutch websites and servers were involved by spreading this malware. I made a quick analysis and after this I started to contact the website owners. After writing a little article about it, later in the afternoon it was published on the site of Computable, a Dutch IT site.
In the afternoon I was examining a new type of backdoor trojan. After analysing it, a sample of it was sent to several AV vendors.
Later in the afternoon I made some calls with a website company. I discovered a SQL injection vulnerability in their CMS. After discussing it they immediately started to work on a solution. After half an hour they fixed it. Great work guys, really appreciate your quick response!
At the end of the afternoon, a last check on my presentation about cybercrime for tomorrow. Changed a few slides because I got some nice slides about my botnet analysis.
Ilomo / Clampi botnet
Trend Micro has posted a great whitepaper about the analysis of the botnet network called ‘Ilomo / Clampi’.
Ilomo has also been active for several years now, and like Pushdo has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature, which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries.
Their paper can be viewed from:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf
The Security Risks of Web 2.0
David Rook from the Security Ninja blog held a presentation about the security risks of Web 2.0 at Defcon 17 this year. You can download his slides by clicking on the following link:
Defcon presentation David Rook
HAR: Advanced MySQL Exploitation
Posted by Frank Breedijk on the Schuberg Philis blog:
Nice way to upload files to a webserver. While there is nothing new about uploading a file to a web server and then executing it, using SQL injection to do it is a novelty. By using a zlib-compressed, base64-encoded payload and uploading it via SQL injection the speaker would be able to bypass standard defenses like extension limiting and file type checking.
Unfortunately his demonstration turned into a demonstruction: even though he managed to upload the file, the payload did not execute. The payload did however execute when he visited the uploaded php file himself, clearly demonstrating the exploit technique works.
The exploit works on WAMP platforms (Windows, Apache, MySQL, PHP) and may work on LAMP platforms (Linux, Apache, MySQL, PHP) but then requires that the user can upload to anywhere in the document root and that the file is then executable, both of which are classical examples of configuration mistakes.
source: http://www.cupfighter.net/index.php/2009/08/har-mysql-exploit/
Twitter based botnet
As I wrote about a proof-of-concept Twitter botnet this week called KreiosC2, the people of Arbor Networks are reporting about a live Twitter-based botnet command channel which is using base64 decoding. Read the full story on:
http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/
Tutorial writing stack based overflow exploits
Peter van Eeckhoutte has written an excellent tutorial about writing stack-based overflow exploits.
You can view his tutorial by clicking on this URL:
Below that tutorial are his other ones, which are also great!
Cracking WPA FAST with video cards
By simply installing a patch to your existing hardware, WPA came in as the “Saving Grace” for wireless networking. It corrected almost every security problem either created or ignored by WEP. However, WPA was not perfect. The method in which WPA initializes its encryption scheme is subject to capture and offline brute force attacks. Consequently, it’s actually easier to crack WPA which uses a weak password than it is to crack WEP. This article will walk you through the process of retrieving and cracking a WPA network key. In this guide I will skim over some of the powerful things that you can do with graphics cards. By focusing on my personal setup, you will see it can be done with limited off the shelf equipment.
Read the full story on:
http://www.i-hacked.com/content/view/285/42/
Using Apple’s iPod Touch for pentesting
Thomas Wilhelm, associate professor of information system security at Colorado Technical University, showed attendees at last week’s Defcon17 conference in Las Vegas how Apple’s seemingly benign iPod Touch can be converted into a portable and stealthy penetration testing or attack tool. He outfitted the iPhone cousin with the popular Metasploit software for exploiting vulnerabilities, as well as password-cracking and Web app hacking applications he was able to easily download onto the device.
Read the full story on:
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=219100135&cid=RSSfeed
Using Twitter as a botnet: KreiosC2
The media is paying a lot of attention to botnets. Traditional botnets consist of zombies and C&C servers, and the communication between them has ranged from simple IRC commands to P2P and HTTP. To stay in control of their botnets, botnet herders are looking for ever more advanced techniques. During a presentation held at Defcon 17, a new proof-of-concept bot was released. This bot makes use of Twitter.
During the presentation, Tom Eston and Kevin Johnson showed a demo of this bot, called KreiosC2. KreiosC2 is the updated version of Twitterbot. The bot works simply: you create an account that the bot will follow. When you want the bot to perform an action, you simply ‘tweet’ to the C&C Twitter account. An example of such a ‘tweet’ is ‘cmd: look at 1.2.3.4’, which makes the bot ping the address 1.2.3.4.
Since Twitter is capable of detecting and filtering text, the writer of the code (Robin of digininja.org) added some features in the new version:
- dynamically changing the control language
- sending the command encoded (base64) and/or encrypted.
Defending against this bot is easy: block Twitter. But be honest, is this a real option? You would only defend your own network, and what if people are using their smartphones to tweet?
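Blocking Twitter outright is rarely an option, so a more practical defensive step is to scan the timeline of a suspected C&C account (or tweet text captured from a proxy log) for the command format described above, both in the clear and base64-encoded. The following detector is an added example, not code from the post or from KreiosC2 itself; the keyword list is a parameter because the bot can change its control language, and the sample tweets are constructed.

```python
import base64
import binascii
import re

# Tokens that could be base64: long enough to carry a command, valid alphabet, optional padding.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def try_base64(token):
    """Return the decoded text if token is valid base64 that decodes to printable UTF-8, else None."""
    if not B64_TOKEN_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_commands(tweet, keywords=("cmd",)):
    """Return a list of (encoding, command) hits for one tweet.

    keywords are the control words to look for, e.g. ("cmd",) for the format
    'cmd: look at 1.2.3.4' quoted in the post; pass more when the bot's control
    language is suspected to have been changed.
    """
    alts = "|".join(re.escape(k) for k in keywords)
    cmd_re = re.compile(rf"\b(?:{alts}):\s*(.*)", re.IGNORECASE)
    hits = []
    m = cmd_re.search(tweet)
    if m:
        hits.append(("plain", m.group(1).strip()))
    # The updated bot may send the command base64-encoded: try each token.
    for token in tweet.split():
        decoded = try_base64(token)
        if decoded:
            m = cmd_re.search(decoded)
            if m:
                hits.append(("base64", m.group(1).strip()))
    return hits


# Constructed sample timeline: one benign tweet, one plain command, one base64-encoded command.
SAMPLE_TWEETS = [
    "Great talks at the conference today, catching up with old friends",
    "cmd: look at 1.2.3.4",
    "status update " + base64.b64encode(b"cmd: look at 1.2.3.4").decode(),
]


def scan_timeline(tweets, keywords=("cmd",)):
    """Return only the tweets that contain a command, with their hits."""
    return [(t, find_commands(t, keywords)) for t in tweets if find_commands(t, keywords)]
```

Running `scan_timeline(SAMPLE_TWEETS)` flags the second and third tweets and leaves the benign one alone.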
For more background information about KreiosC2 go to:
http://www.digininja.org/projects/kreiosc2.php
Source code of KreiosC2:
http://www.digininja.org/files/kreiosc2_2.0.tar.bz2
KreiosC2 in action:
http://www.youtube.com/watch?v=2xLierFGOhQ