SYSTEM&WEB HACKING: 2011

Tuesday, November 8, 2011

Duqu Analysis and Detection Tool by NSS Labs



NSS Labs has built a new, free tool that detects known and newly created Duqu drivers that have infiltrated systems, thus allowing security experts to further analyze the “functionality, capabilities and ultimate purpose of DuQu.” The tool is available free of charge.

Duqu is a notorious worm that exploits a Windows zero-day vulnerability. Microsoft released a temporary fix for this vulnerability yesterday. According to the test, the NSS tool's success rate is 100%, with zero false positives. The developers said it uses advanced pattern recognition techniques and is also capable of detecting new drivers as they are discovered. Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.

It seems that Duqu contains similar code and utilizes similar techniques to Stuxnet. More precisely, it seems to make use of digital certificates that appear as legitimate, but it's far too early to describe it as Stuxnet 2.
More Info :
  • DuQu contains similar code to that used by Stuxnet.
  • DuQu uses similar techniques to Stuxnet, specifically the use of drivers signed by “legitimate” digital certificates. It is not known whether those certs were stolen or manufactured by the attackers following the compromise of a certificate authority (CA).
  • DuQu is not self-replicating (although some theorize that it can be commanded to replicate itself across network shares); it requires the use of an exploit-based “dropper” to install it on a system.
  • The installer, which utilized a zero day kernel exploit delivered via a Microsoft Word document, has now been recovered and is currently being analyzed.
  • DuQu installs a keylogger in order to record keystrokes and collect other system information.
  • Stolen information is packaged into encrypted and compressed image files for subsequent exfiltration.
  • DuQu was communicating over HTTP/HTTPS with its initial command and control (CC) server in India; a custom CC protocol was implemented using modified image files. As of this writing, the CC server has been deactivated.
  • DuQu was initially configured with a fixed life, set to deactivate after 36 days, although additional components can be installed to extend this as required.

Monday, October 10, 2011

ExeScan - PE File Anomaly Detector Tool

About ExeScan
ExeScan is a FREE console-based tool to detect anomalies in PE (Portable Executable) files. It quickly scans a given executable file and detects all kinds of anomalies in its PE header fields, including checksum verification, the size of various header fields, improper size of raw data, non-ASCII/empty section names etc.

Various packers/protectors modify the PE header to make reversing harder. Sometimes anomalies in the PE header may crash debugging tools, thereby blocking your attempt at reversing. Such anomalies can also cause some of the GUI-based PE analysis tools to fail to parse PE headers.

In such cases ExeScan can come in handy by helping you to quickly detect such anomalies. Then you can fix them and proceed to further analysis of the malware.

In addition to finding various anomalies, it can also detect the packer/compiler used to pack/build the target executable file. Being a console-based tool, it is easy to integrate with your malware automation suite.
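The header checks named above (checksum verification, optional header size, raw data size, empty or non-ASCII section names) can be sketched with the Python standard library alone. This is an added example, not ExeScan's code: `pe_checksum`, `find_anomalies` and `build_sample` are hypothetical names, and the PE images it inspects are constructed inside the script.

```python
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER


def pe_checksum(data, csum_off):
    """PE image checksum: 16-bit end-around-carry sum with the CheckSum
    field treated as zero, plus the file length."""
    buf = bytearray(data)
    buf[csum_off:csum_off + 4] = b"\0" * 4
    if len(buf) % 2:
        buf.append(0)
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def find_anomalies(data):
    """Return a list of PE header anomalies found in the bytes of one file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not an MZ executable"]
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature"]
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt_off = pe_off + 24
    table = opt_off + opt_size  # section table follows the optional header
    if opt_size < 68 or table + nsect * SECTION_HDR > len(data):
        return ["headers truncated or SizeOfOptionalHeader too small"]
    found = []
    magic = struct.unpack_from("<H", data, opt_off)[0]
    expected = {0x10B: 224, 0x20B: 240}.get(magic)  # PE32 / PE32+
    if expected is None:
        found.append(f"unknown optional header magic 0x{magic:x}")
    elif opt_size != expected:
        found.append(f"SizeOfOptionalHeader is {opt_size}, usual value {expected}")
    stored = struct.unpack_from("<I", data, opt_off + 64)[0]
    computed = pe_checksum(data, opt_off + 64)
    if stored != computed:
        found.append(f"CheckSum mismatch: header 0x{stored:x}, computed 0x{computed:x}")
    for i in range(nsect):
        # Name (8 bytes), skip VirtualSize/VirtualAddress, SizeOfRawData, PointerToRawData
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII", data, table + i * SECTION_HDR)
        name = name.rstrip(b"\0")
        if not name:
            found.append(f"section #{i}: empty name")
        elif any(b < 0x21 or b > 0x7E for b in name):
            found.append(f"section #{i}: non-ASCII name {name!r}")
        if raw_ptr + raw_size > len(data):
            found.append(f"section #{i}: raw data ends at {raw_ptr + raw_size}, file is {len(data)} bytes")
    return found


def build_sample(sections, fix_checksum=True):
    """Constructed input: a minimal PE32 image. `sections` is a list of
    (name_bytes, claimed_raw_size); each section really holds 16 bytes."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222
    headers_len = pe_off + 4 + 20 + 224 + SECTION_HDR * len(sections)
    table, body = b"", b""
    for name, claimed in sections:
        table += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, claimed,
                             headers_len + len(body), 0, 0, 0, 0, 0x60000020)
        body += b"\x90" * 16
    image = bytearray(dos + b"PE\0\0" + coff + opt + table + body)
    if fix_checksum:
        csum_off = pe_off + 24 + 64
        struct.pack_into("<I", image, csum_off, pe_checksum(image, csum_off))
    return bytes(image)


if __name__ == "__main__":
    # Constructed "packed-looking" image: no checksum, odd names, oversized raw data.
    sample = build_sample([(b"", 16), (b"\xff\x01pk", 0x4000)], fix_checksum=False)
    for line in find_anomalies(sample):
        print(line)
```

A zero or stale CheckSum is common in ordinary user-mode executables, so treat that finding as a hint to weigh alongside the section anomalies rather than as a verdict on its own.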


Features of ExeScan
Here are the main feature highlights:
  • Quickly detects all kinds of anomalies in EXE/PE files.
  • Console tool makes it easy to automate.
  • Compiler and packer signature detection
  • Scan for commonly used malware APIs
  • PE header and import table structure display


Requirements
 ExeScan requires the following components:
  • Python - Install the latest version of Python.
  • PEFile - PE File Python Module by Ero Carrera

Using ExeScan

ExeScan is very simple and easy to use.  

Here are the brief usage details:
  •  Before you launch, make sure you have installed all the above-mentioned requirements.
  •  Next, launch the command prompt (Start => Run => cmd.exe) and move to the directory where you have extracted the ExeScan file.
  •  Then type 'exescan.py -a <path to exe file>' and it will instantly show all the anomalies along with other PE information, as shown in the screenshot below.

 

Screenshots of ExeScan

[Screenshot: ExeScan detecting various anomalies in a packed PE file]

[Screenshot: ExeScan analyzing a PE file]
  
 
 

Sunday, October 9, 2011

Facebook content restrictions bypass Vulnerability

Blackhat Academy claims to have found a way to bypass content restrictions on links, as posted on their site, and on posts put on a user's public wall. Even security analysts claim that Facebook was notified of these vulnerabilities on July 31st, 2011.

Facebook has only recently purchased Websense to attempt to push this vulnerability under the rug; however, the exploit still works. To access Facebook's FQL API, Facebook was even so kind as to give a reference of tables and columns in the documentation for FQL. FQL does not allow the use of JOINs, but they are not needed as everything is thoroughly documented. Attackers can misuse this during the creation of a malicious Facebook application, or directly on the FQL development API page, for information gathering:

<?php
# User agent checking methods
$fb_string = '/facebookexternal/i';                # facebookexternal shows in the facebook content scanner's user agent
$gplus_string = '/Feedfetcher-Google/i';       # googleplus shows up in the user agent as well.
# rDNS Lookup Methods
$host_websense = '/websense.com/i';         # Checking the rdns for websense filters
$host_fb = '/tfbnw.net/i';                              # Checking the rdns for tfbnw.net - facebook host
# Load the request properties
$u_agent = $_SERVER['HTTP_USER_AGENT'];
$u_ref     = $_SERVER['HTTP_REFERER'];
$u_host  = gethostbyaddr($_SERVER['REMOTE_ADDR']);
# If the request comes from Facebook, Websense or Google Plus,
if (preg_match($host_fb,$u_host) || preg_match($host_websense,$u_host) || preg_match($fb_string,$u_agent) || preg_match($gplus_string,$u_agent)) {
    # Display an image
    header('Content-Type: image/jpeg');
    @readfile ('/var/www/localhost/cute_kitten.jpeg');
} else {
    # Rickroll this unsuspecting user
    header('Location: http://www.youtube.com/watch?v=dQw4w9WgXcQ&ob=av3e');
}
?>

While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+, and Facebook make the requests easily identifiable. These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name. Facebook IP addresses resolve to tfbnw.net, and Facebook also sets a custom user agent of "facebookexternalhit". Google+ (also notified Jul. 31st and guilty of reasonable care) again follows suit and utilizes "Feedfetcher-Google" as its user agent.

Knowing this, we can easily filter out requests coming from these websites, and offer up a legitimate image to be displayed on their site, while redirecting or displaying a completely different page to anyone that follows the links. Facebook's recent partnership with Websense is laughable, due to Websense's "ACE" security scanner that is just as easily identified, by using gethostbyaddr in order to resolve the IP back to websense.com. Utilizing this technique would allow an overwhelming number of malware sites to remain undetected by their automatic site analysis.

Other places like digg.com either spoof a user agent to look like normal traffic, or forward the client's user agent, which makes it more difficult to catch every one of their requests. Fortunately, digg.com only requests the link once, prior to submitting the link to the world. This allows attackers to serve up a legitimate image until that initial request clears our server, and then replace it with a less than honest file. We have affectionately named this vulnerability class Cross-Site Content Forgery. Proof of Concept can be seen here.
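From the scanning side, the two behaviours described above (a response that depends on the crawler's user agent, and a response that changes after the first visit) can be checked by fetching a link under several identities and comparing what comes back. This is an added example, not part of the original post: `check_cloaking`, `http_fetch` and `make_fake_site` are hypothetical names, the browser user agent and test URLs are constructed, and the fake site exists only so the comparison runs offline.

```python
import hashlib
import urllib.error
import urllib.request

# The two crawler strings are the ones quoted in the post; the browser
# string is a constructed example.
PROFILES = {
    "browser": "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0",
    "facebook": "facebookexternalhit",
    "googleplus": "Feedfetcher-Google",
}


def fingerprint(status, location, ctype, body):
    """Reduce a response to the fields a cloaking server typically varies."""
    media_type = (ctype or "").split(";")[0].strip().lower()
    return (status, location, media_type, hashlib.sha256(body).hexdigest())


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the 3xx itself instead of following it


def http_fetch(url, user_agent, timeout=10):
    """Live fetcher: one GET with the given User-Agent, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = opener.open(request, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers
        resp = err
    return fingerprint(resp.code, resp.headers.get("Location"),
                       resp.headers.get("Content-Type"), resp.read())


def check_cloaking(url, fetch=http_fetch):
    """Fetch `url` twice under every profile and return (kind, profile) findings.
    Body hashes also differ on legitimately dynamic pages, so findings are
    leads for review, not verdicts."""
    first = {name: fetch(url, ua) for name, ua in PROFILES.items()}
    second = {name: fetch(url, ua) for name, ua in PROFILES.items()}
    findings = []
    for name in PROFILES:
        if first[name] != second[name]:
            findings.append(("changed-between-visits", name))
        if name != "browser" and second[name] != second["browser"]:
            findings.append(("user-agent-dependent", name))
    return findings


def make_fake_site():
    """Constructed stand-in for a web server so the example runs offline."""
    hits = {"once": 0}

    def fetch(url, user_agent):
        ua = user_agent.lower()
        if url.endswith("/ua"):  # image for the crawlers, redirect for everyone else
            if "facebookexternal" in ua or "feedfetcher-google" in ua:
                return fingerprint(200, None, "image/jpeg", b"image bytes")
            return fingerprint(302, "http://redirect.invalid/", "text/html", b"")
        if url.endswith("/once"):  # content swapped after the first request
            hits["once"] += 1
            body = b"image bytes" if hits["once"] == 1 else b"replacement"
            return fingerprint(200, None, "image/jpeg", body)
        return fingerprint(200, None, "text/html; charset=utf-8", b"<p>same for all</p>")

    return fetch


if __name__ == "__main__":
    for path in ("/ua", "/once", "/plain"):
        print(path, check_cloaking("http://test.invalid" + path, make_fake_site()))
```

Switching the user agent does not exercise the reverse-DNS branch of the script in the post: that branch can only be compared by fetching once from the scanner's own address range and once from an unrelated network.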



Friday, September 30, 2011

JonDo 00.16.001 Released - Automatic error recognition and easier usability

JonDos has published a new version of the JonDo software, an IP changer and IP anonymization program that you can use for anonymous surfing on the Internet with high-security anonymous proxy servers.

What is JonDo?
JonDo is an open source and free-of-charge program for Windows, Linux and MacOS X. It hides the user's IP address behind an anonymous IP address. In contrast to other anonymizers (VPNs, anonymous proxy servers), the user's anonymity stays protected even against the providers (operators) of the anonymous IP address.

What is new?
Statistics and support requests about the usage of JonDo suggest that several users of older versions do not use the software correctly, and may thereby surf the net unsecured. The current version warns the user in such a case and launches an assistant for fixing the problem if necessary. Of course, users may also consult the extensive online help for this purpose, use the forum or the e-mail support, or ask other users in the support chat. In any case, it is recommended to visit the IP Check in order to test one's own configuration for weaknesses.

Moreover, several minor bugs and stability problems have been resolved, and the program's usability has been enhanced further. Because of a change to new server protocols within the next four weeks, older versions of JonDo will soon be unusable. For this reason too, users of earlier versions should update immediately, if possible.

Wednesday, September 28, 2011

Department of Homeland Security Releases Cyber Security Evaluation Tool (CSET)

The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. The tool is available for download, and the program also offers training and support at no cost to organizations engaged in administering networks that control facilities identified as being crucial to both the nation's economy and national security.

CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.

Key Benefits

  • CSET contributes to an organization's risk management and decision-making process
  • Raises awareness and facilitates discussion on cybersecurity within the organization
  • Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability
  • Identifies areas of strength and best practices being followed in the organization
  • Provides a method to systematically compare and monitor improvement in the cyber systems
  • Provides a common industry-wide tool for assessing cyber systems

Findmyhash - Find Cracked Hashes Online


findmyhash is a Python script which has been developed to find different types of password hashes using multiple online cracking services. In case it does not find a favourable “cracked” hash, it will also present you with relevant Google search results.

This open source script can mostly serve as a starting point for cracking any hash. It supports a great many online hash cracking services.
Cracking services supported by findmyhash:

  • Schwett.com
  • Netmd5crack.com
  • MD5-Cracker.tk
  • tools.BenRamsey.com
  • md5.Gromweb.com
  • md5.HashCracking.com
  • victorov.su
  • md5.thekaine.de
  • tmto.org
  • md5-db.de
  • md5.my-addr.com
  • md5pass.info
  • md5decryption.com
  • md5crack.com
  • md5online.net
  • md5-decrypter.com
  • authsecu.com
  • hashcrack.com
  • objectif-securite.ch
  • c0llision.net
  • md5.rednoize.com
  • cmd5.org
  • cacin.net
  • ibeast.com
  • password-decrypt.com
  • bigtrapeze.com
  • hashchecker.com
  • md5hashcracker.appspot.com
  • passcracking.com
  • askcheck.com
  • cracker.fox21.at
  • crackfoo.nicenamecrew.com
  • joomlaaa.com
  • md5-lookup.com
  • sha1-lookup.com
  • sha-256.sha1-lookup.com
  • ripemd-lookup.com
  • md5.com.cn
  • md5.digitalsun.pl
  • md5.drasen.net
  • md5.myinfosec.net
  • md5.net
  • md5.noisette.ch
  • md5hood.com
  • stringfunction.com
  • xanadrel.99k.org
  • isc.sans.edu
  • bokehman.com

Chances are, if this script does not find your hash, it might be unique and you will have to crack it! As of now, it supports the following nine hashing algorithms:

  • MD4
  • MD5
  • SHA1
  • SHA256
  • RMD160
  • MYSQL
  • CISCO7
  • LM
  • NTLM

This script has been duly tested with MD5, LM and NTLM hashes because they are the most common ones.
Download findmyhash

iScanner - Tool to detect and remove malicious codes and web page

iScanner is a free open source tool that lets you detect and remove malicious code and web page malware from your website easily and automatically. iScanner will not only show you the infected files on your server, it is also able to clean these files by removing ONLY the malware code from the infected files.
Current Features:

  • Ability to scan one file, directory or remote web page / website.
  • Detect and remove website malware and malicious code in web pages. This includes hidden iframe tags, javascript, vbscript, activex objects, suspicious PHP code and some known malware.
  • Extensive log shows the infected files and the malicious code.
  • Support for sending email reports.
  • Ability to clean the infected web pages automatically.
  • Easy backup and restore system for the infected files.
  • Simple and editable signature based database.
  • You can easily send malicious files to the iScanner developers for analysis.
  • Ability to update the database and the program easily from iScanner's server.
  • Very flexible options and easy to use.
  • Fast scanner with great performance.
  • Yes, it's FREE!!

Monday, September 26, 2011

Ani-Shell v1.4 Released With Python - Bind Shell , Anti-Crawler Feature and MD5 Cracker


Ani-Shell is a simple PHP shell with some unique features like a Mass Mailer, a simple Web-Server Fuzzer, a DDoSer, an MD5 hash Cracker, Python and PHP Bind-Shells, Anti-Crawler Features etc! This shell has immense capabilities and has been written with some coding standards in mind for better editing and customization!
New Features:

  • MD5 Hash Cracker
  • Python Bind-Shell
  • Anti-Crawler Function
  • Shell Support for some Older Servers
  • Better CSS
  • Whole New Logo

Ani-Shell Project Page : http://sourceforge.net/projects/ani-shell/
Ani-Shell Homepage : http://ani-shell.sourceforge.net/

Saturday, September 24, 2011

Pscan 2.0 - multi threaded TCP Syn port scanner

A multi-threaded TCP port scanner with the possibility to scan all 65535 TCP ports on an IP address. You can specify how many threads to run and the timeout. Furthermore, it will tell you the MAC address of the target and the service running. For Linux and Windows.
 
 
 
 Change Log
- Added option -s for Syn scan.
- Scanning made faster thanks to Syn scan
- Added even more default ports
- Improved error handler for Syn scan
- Improved text output
- Fixed minor bugs:
- changed pathname to oui.txt and port-numbers.txt files
- added missing call to cleanup function WSACleanup

Download multi threaded TCP Syn port scanner 2.0

Friday, September 23, 2011

How to crack or Reset BIOS Password?

A BIOS password is usually used to protect the user's BIOS settings on the computer. If you want to reset the BIOS password, you do not need to bother with the CMOS battery: with a little trick in DOS you can reset it. The BIOS password can be reset in 2 ways:

1. Clear CMOS
I consider this the oldest and easiest way to break the BIOS password. The steps are easy. First, open the cover of the computer case. Then find the BIOS battery, which looks something like a watch battery, only a little bigger. Once you have found it, look at the area around the battery: there is usually a jumper with 3 pins, 2 pins connected and 1 pin not connected.

Suppose the three pins are numbered 1 - 2 - 3. The initial position of the connector is usually 2-3. To reset the BIOS, move the plug that connects pins 2-3 to position 1-2 for about 5 seconds. Then plug it back into the starting position (2-3). Restart the computer, and the BIOS password should be gone.

If the above looks complicated, it is also easy to clear the CMOS by unplugging the BIOS battery and then putting it back. The consequence, however, is that this removes the warranty label on the BIOS battery.

2. Through DOS

First, exit Windows by restarting your computer, and start the computer in MS-DOS mode using the option "Command Prompt Only".

At the C: prompt, type: DEBUG
Press enter. You will see the sign (-) at the DEBUG prompt, then type:
o 70 2e
At the DEBUG prompt this will be displayed as -o 70 2e.
Press enter and type:
-O 71 ff
Press enter, and finally type:
Q
Hit enter, and you will leave the DEBUG prompt and return to the C:> prompt.
Now restart your computer and see the results.

Thursday, September 22, 2011

Nmap 5.61TEST1 Released

Nmap 5.61TEST1 is an informal test release with all of the latest features from SVN. Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).
 


Wednesday, September 21, 2011

How to Hack passwords using Hardware Keylogger


 


Did you know that keyloggers are the simplest way to hack a password? Today I’ll be giving you detailed information on hardware keyloggers and their use. I will also teach how to hack passwords using a hardware keylogger.
A software keylogger (or simple keylogger) is a stealth computer program that captures every keystroke entered through the keyboard.
Now I’ll tell you what a hardware keylogger is and how it can be used for hacking an email.

Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer user keystrokes. They plug in between a computer keyboard and a computer and log all keyboard activity to an internal memory. They are designed to work with PS/2 keyboards, and more recently with USB keyboards. A hardware keylogger appears simply as a USB pendrive (thumb drive) or any other computer peripheral, so that the victims never suspect that it is a keylogger. So by looking at its appearance it is not possible to identify it as a keylogger. Here are some images of hardware keyloggers for your convenience.
From the above images we can see that hardware keyloggers look just like any USB or PS/2 device, so it is very hard to identify one as a keylogger.

Installing a Hardware Keylogger to Hack the Email Password

The hardware keylogger must be installed between the keyboard plug and the USB or PS/2 port socket. That is, you just have to plug the keylogger into your keyboard’s plug (PS/2 or USB) and then plug it into the PC socket. The following image shows how the keylogger is installed.
Once you install the hardware keylogger as shown in the above two images, the keylogger starts recording each and every keystroke of the keyboard, including email passwords and other confidential information. The hardware keylogger has an inbuilt memory in which the logs are stored.

Tuesday, September 20, 2011

BIOS based Virus discovered by Chinese Security Firm


A Chinese AV company, 360, discovered a new Trojan, the “BMW Virus” (also called Mebromi), that can actually infect a computer's BIOS: “BMW 360 Security Center virus is the latest catch of a high-risk virus, the virus that infected a chain BIOS (motherboard chip program), MBR (master boot drive) and Windows system files, reinstall the system, regardless of the victim computer, format the hard disk, or replace the hard disk can not completely remove the virus.”

It uses the CBROM command-line tool to hook its extension into the BIOS. The next time the system boots, the BIOS extension adds additional code to the hard drive's master boot record (MBR) in order to infect the winlogon.exe / winnt.exe processes on Windows XP and 2003 / Windows 2000 before Windows boots. The next time Windows launches, the malicious code downloads a rootkit to prevent the drive's MBR from being cleaned by a virus scanner. But even if the drive is cleaned, the whole infection routine is repeated the next time the BIOS module is booted. Mebromi can also survive a change of hard drive. If the computer doesn't use an Award BIOS, the contaminant simply infects the MBR.
If the system uses a BIOS other than Award, the Trojan skips trying to write to the BIOS, but still tries to infect the MBR of the boot hard drive. Removing the virus from the MBR and infected files really has no effect, because as soon as the system is restarted, the BIOS is read and the computer is re-infected. Seeing as most virus companies will not want to create a BIOS cleaning utility, the BIOS would most likely need to be re-flashed to remove the virus infection completely.
[Source]

Thursday, September 15, 2011

McAfee DeepSAFE - Anti-rootkit Security Solution

McAfee previewed its DeepSAFE hardware-assisted security technology for proactively detecting and preventing stealthy advanced persistent threats (APTs) and malware. The technology, which was co-developed with Intel, sits below the OS, providing the ability to fundamentally change the security game, according to the companies. 

According to McAfee Labs, more than 1,200 new rootkits per day are detected - equating to 50 per hour every single day. The DeepSAFE technology, which was demonstrated at the Intel Developer Forum in San Francisco, was able to detect and stop a zero-day Agony rootkit from infecting a system in real time. This technology is expected to launch in products later in 2011.

Key attributes of McAfee DeepSAFE:

  • Builds the foundation for next-generation hardware-assisted security operating beyond the operating system
  • Provides a trusted view of system events below the operating system
  • Exposes many attacks that are undetectable today
  • New vantage point to block sophisticated stealth techniques and APTs
  • Provides real time CPU event monitoring with minimal performance impact
  • Combines the power of hardware and flexibility of software to deliver a new foundation for security.

"Intel and McAfee are working on joint technologies to better protect every segment across the compute continuum from PCs to devices," said Renée James, senior vice president and general manager of the Software and Services Group at Intel and the Chairman of McAfee. "By combining the features of existing Intel hardware and innovations in security software, Intel and McAfee are driving innovation in the security industry by providing a new way to protect computing devices. We are truly excited to introduce this technology upon which we will deliver new solutions."
[Source]

Monday, September 12, 2011

FBPwn : A Cross-Platform Facebook Profile Dumper tool

FBPwn is an open source, cross-platform, Java-based Facebook profile dumper. It can send friend requests to a list of Facebook profiles, and poll for their acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder. It supports a lot of modules that can expand its current functionality. It has a well-documented Wiki page explaining the process of building an FBPwn module, and it also has a lot of prebuilt modules available for your use.

All modules work on a selected profile URL (we’ll call him Bob), using a valid authenticated account (we’ll call him Mallory).


AddVictimFriends: Request to add some or all friends of Bob, to increase the chance of Bob accepting any future requests after he finds that you have common friends.

ProfileCloner: A list of all Bob’s friends is displayed, and you choose one of them (we’ll call him Andy). FBPwn will change Mallory’s display picture and basic info to match Andy’s. This increases the chance that Bob accepts requests from Mallory, as he thinks he is accepting them from Andy. Eventually Bob will realize this is not Andy’s account, but by then it will probably be too late, as all his info is already saved for offline checking by Mallory.

CheckFriendRequest: Checks if Mallory is already a friend of Bob, and if so just ends execution. If not, the module tries to add Bob as a friend and polls, waiting for him to accept. The module will not stop executing until the friend request is accepted.

DumpFriends: Accessible friends of Bob are saved for offline viewing. The output of the module depends on other modules: if Mallory is not a friend of Bob yet, the data might not be accessible and nothing will be dumped.

DumpImages: Accessible images (tagged and albums) are saved for offline viewing. The same limitations as DumpFriends apply.

DumpInfo: Accessible basic info is saved for offline viewing. The same limitations as DumpFriends apply.

So as you can see, it can do almost everything that you could do manually with Facebook. People might use it for malicious purposes too, like cloning a Facebook profile. In addition to reading the official Facebook security guide, you need to avoid friend requests from unknown people.

Thursday, September 8, 2011

Registry Decoder - Digital Forensics Tool


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Digital forensics deals with the analysis of artifacts on all types of digital devices. One of the most prevalent analysis techniques performed is that of the registry hives contained in Microsoft Windows operating systems. Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.
 

Tuesday, September 6, 2011

How to change the Windows 7 logon screen? (win tricks)













Are you bored of seeing the same logon screen? Do you want to change it?
Here is a trick to change the logon screen for my friends :)


1. The image you need to set as the background should be a .jpg file and its size should not exceed 245KB.

2. The image resolution can be anything of your choice. However I prefer 1440 x 900 or 1024 x 768. You can use any photo editing software such as Photoshop to compress and set the resolution for your image. Once you’re done, save this image as backgroundDefault.jpg.

3. You will need to copy this image to

C:\Windows\system32\oobe\info\backgrounds
You will need to create that path if it does not already exist on your computer.

4. Now open the Registry Editor (Start -> Run -> Type regedit) and navigate to the following key

HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
If Background does not exist, right-click LogonUI, select New and then Key, and then name it Background. Now locate OEMBackground (listed on the right side). If it does not exist, right-click Background and select New and then DWORD and name it OEMBackground.

5. Double-click on OEMBackground and set the Value Data to 1.

6. Now log off to see the new logon screen background. If you would like to revert to the default background, just set the Value Data back to 0.