Showing posts with label Malwares. Show all posts

Mac OS X rootkit - Support multiple kernel versions and gives root privileges

Mac OS X rootkit
Today, a 64-bit Mac OS X kernel rootkit was released by prdelka from NullSecurity. It supports multiple kernel versions and can give root privileges to a process, hide files and folders, hide a process, hide a user from 'who'/'w', hide a network port, expose a sysctl interface for userland control, and execute a binary with root privileges via a magic ICMP ping (see the backdoor section).

This 64-bit Mac OS X kernel rootkit uses no hardcoded addresses to hook the BSD subsystem on OS X Lion and below. It uses a combination of syscall hooking and DKOM (Direct Kernel Object Manipulation) to hide activity on a host. String resolution of symbols no longer works on Mountain Lion because the symbol table is destroyed during load, so this code is portable across Lion and below but requires reworking to hook under Mountain Lion.

Currently supports:
* works across multiple kernel versions (tested 11.0.0+)
* give root privileges to a pid
* hide files / folders
* hide a process
* hide a user from 'who'/'w'
* hide a network port from netstat
* sysctl interface for userland control
* execute a binary with root privileges via magic ICMP ping

Download Mac OS X rootkit - rubilyn-0.0.1.tar.gz


Subscribe to our Daily Newsletter via email - Be First to know about Security and Penetration testing tools. or Join our Huge Hackers Community on Facebook , Google+ and Twitter .
Subscribe Top Hacker Stories via email

Volatility 2.2 Released - Introduced Linux support (Intel x86, x64)

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

Windows Basic

  • Current date, time, CPU count, CPU speed, service pack
  • Current thread and idle thread
  • Addresses of the KDBG, KPCR, DTB, PsActiveProcessHead, PsLoadedModuleList, etc

Processes

  • List active processes (column or tree view)
  • Scan for hidden or terminated _EPROCESS objects (using pool tags or _DISPATCHER_HEADER)
  • Enumerate DLLs in the PEB LDR lists
  • Rebuild/extract DLLs or EXEs to disk based on name, base address, or physical offset
  • Print open handles to files, registry keys, mutexes, threads, processes, etc
  • List security identifiers (SIDs) for processes
  • Scan for cmd.exe command history and full console input/output buffers
  • List process environment variables
  • Print PE version information from processes or DLLs (file version, company name, etc)
  • Enumerate imported and exported API functions anywhere in process or kernel memory
  • Show a list of virtual and physical mappings of all pages available to a process
  • Dump process address space to disk as a single file
  • Analyze Virtual Address Descriptor (VAD) nodes, show page protection, flags, and mapped files
  • Represent the VAD in tree form or Graphviz .dot graphs
  • Dump each VAD range to disk for inspecting with external tools
  • Parse XP/2003 event log records

Kernel Memory

  • List loaded kernel modules and scan for hidden/unloaded module structures
  • Extract PE files including drivers from anywhere in kernel memory
  • Dump the SSDT for all 32- and 64-bit Windows systems
  • Scan for driver objects, print IRP major function tables
  • Show devices and device tree layout
  • Scan for file objects (can show deleted files, closed handles, etc)
  • Scan for threads, mutex objects and symbolic links

GUI Memory

  • Analyze logon sessions and the processes and mapped images belonging to the session
  • Scan for window stations and clipboard artifacts (clipboard snooping malware)
  • Scan for desktops, analyze desktop heaps and attached GUI threads
  • Locate and parse atom tables (class names, DLL injection paths, etc)
  • Extract the contents of the Windows clipboard
  • Analyze message hooks and event hooks, show the injected DLL and function address
  • Dump all USER object types, pool tags, and flags from the gahti
  • Print all open USER handles, associated threads or processes, and object offsets
  • Display details on all windows, such as coordinates, window title, class, procedure address, etc
  • Take screen shots from memory dumps (requires PIL)

Malware Analysis

  • Find injected code and DLLs, unpacker stubs, and decrypted configurations, etc
  • Scan process or kernel memory for any string, regular expression, byte pattern, URL, etc
  • Analyze services, their status (running, stopped, etc) and associated process or driver
  • Cross-reference memory mapped executable files with PEB lists to find injected code
  • Scan for imported functions in process or kernel memory (without using import tables)
  • Detect API hooks (Inline, IAT, EAT), hooked winsock tables, syscall hooks, etc
  • Analyze the IDT and GDT for each CPU, alert on hooks and disassemble code
  • Dump details of threads, such as hardware breakpoints, context registers, etc
  • Enumerate kernel callbacks for process creation, thread creation, and image loading
  • Display FS registration, registry, shutdown, bugcheck, and debug print callbacks
  • Detect hidden processes with alternate process listings (6+ sources)
  • Analyze kernel timers and their DPC routine functions

Networking

  • Walk the list of connection and socket objects for XP/2003 systems
  • Scan physical memory for network information (recover closed/terminated artifacts)
  • Determine if listening sockets are IPv4, IPv6, etc and link to their owning processes

Registry

  • Scan for registry hives in memory
  • Parse and print any value or key cached in kernel memory, with timestamps
  • Dump an entire registry hive recursively
  • Extract cached domain credentials from the registry
  • Locate and decrypt NT/NTLM hashes and LSA secrets
  • Analyze user assist keys, the shimcache, and shellbags

Crash Dumps, Hibernation, Conversion

  • Print crash dump and hibernation file header information
  • Run any plugin on a crash dump or hibernation file (hiberfil.sys)
  • Convert a raw memory dump to a crash dump for opening in WinDBG
  • Convert a crash dump or hibernation file to a raw memory dump

Miscellaneous

  • Link strings found at physical offsets to their owning kernel address or process
  • Interactive shell with disassembly, type display, hexdumps, etc



Cuckoo Sandbox 0.4.2 Released

Team Cuckoo just released Cuckoo Sandbox 0.4.2. Cuckoo Sandbox is a malware analysis system.

CHANGELOG for version 0.4.2:
  • Added support for VMWare Workstation
  • Added VirtualBox status change monitor and option “timeout” to virtualbox.conf
  • Added log file processing size limit and option “analysis_size_limit” to cuckoo.conf
  • Added directory submission to submit.py utility
  • Added community.py utility to sync custom modules from the community repository
  • Fixed missing critical_timeout implementation
  • Fixed delete_original race condition
  • Fixed some bugs in virtual machine management
  • Fixed submission with relative path
  • Fixed UTF-8 chars handling in analysis.log
  • Fixed race conditions in Windows analyzer
  • Some minor fixes



Androguard v1.5 : Reverse engineering & Malware analysis of Android applications

Androguard (Android Guard) is a tool written mainly in Python for working with:
  • Dex (Dalvik virtual machine) files (.dex) and ODex,
  • APK (Android application) files (.apk),
  • Android's binary XML (.xml).
Androguard is available for Linux/Mac OS X/Windows (Python powered).

Changes in v1.5:
- Session (save/load)
- Annotation
- Documentation
- Support of ARM
- Support of dex writing
- Disassembler/Decompiler(DAD)

Androguard has the following features:
  • Map and manipulate (disassemble/decompile/modify) DEX/ODEX/APK files into full Python objects,
  • Access the static analysis of your code (basic blocks, instructions, permissions (with the database from http://www.android-permissions.org/) ...) and create your own static analysis tool,
  • Check if an Android application is present in a database (malware, goodware?),
  • Open source database of Android malware (this open source database is done in my free time; of course my free time is limited, so if you want to help, you are welcome!),
  • Diffing of Android applications,
  • Measure the efficiency of obfuscators (ProGuard, ...),
  • Determine if your application has been pirated (plagiarism/similarity/rip-off indicator),
  • Detection of ad/open source libraries (WIP),
  • Risk indicator of malicious applications,
  • Reverse engineering of applications (goodware, malware),
  • Transform Android's binary XML (like AndroidManifest.xml) into classic XML,
  • Visualize your application with Gephi (GEXF format), with Cytoscape (XGMML format), or as PNG/DOT output,
  • Integration with external decompilers (JAD/DED/...),
  • Dump the JVM process to find classes in memory.
You can find a complete tutorial on usage here.



ASEF : Android Security Evaluation Framework

A researcher at Qualys has released a new tool, known as the Android Security Evaluation Framework, designed to allow users, even non-technical ones, to evaluate the security and behavior of the apps installed on their Android devices.

Android Security Evaluation Framework (ASEF) is designed and developed to simulate the entire lifecycle of an Android application in an automated virtual environment, collecting behavioral data and performing security evaluations automatically over any number of apps.

Android Security Evaluation Framework (ASEF) performs this analysis while alerting you about other possible issues. It will make you aware of unusual activities of your apps, will expose vulnerable components and help narrow down suspicious apps for further manual research.

ASEF is an open source tool for scanning Android devices for security evaluation. Users gain access to the security aspects of Android apps by running the tool with its default settings. An advanced user can fine-tune it, expand upon the idea by integrating more test scenarios, or find patterns in the data it already collects. ASEF provides automated application testing and a plug-and-play kind of environment to keep up with the dynamic field of Android security.



Web Shell Detector v1.51 - Include Signatures of 290 Types of Web Shells

Web Shell Detector is a PHP script that helps you find and identify PHP/CGI (Perl)/ASP/ASPX web shells. It ships with a "web shells" signature database that the project claims identifies web shells with up to 99% accuracy. Using current JavaScript and CSS, Web Shell Detector has a lightweight and friendly interface.

Detection: Number of known shells: 290

Requirements: PHP 5.x, OpenSSL

Usage: To activate Web Shell Detector:
1) Upload shelldetect.php and shelldetect.db to your web root directory
2) Open the shelldetect.php file in your browser. Example: http://www.website.com/shelldetect.php
3) Inspect all strange files; if some files look suspicious, send them to the http://www.websecure.co.il team. After submission, the file is inspected and, if it is a threat, its signature is added to the "web shell detector" signature database.
4) If any web shells are found and identified, use your FTP/SSH client to remove them from your web server (IMPORTANT: be careful, because some shells may be integrated into system files!).

Options
  • extension - file extensions that should be scanned
  • showlinenumbers - show the line number where a suspicious function is used
  • dateformat - format used for access time and modified time
  • language - use a language other than the default
  • directory - scan a specific directory
  • task - perform a different task
  • report_format - file format for the report file, used with is_cron(true)
  • is_cron - if true, run like a cron job (no output)
  • filelimit - maximum number of files to scan (above 30000 you should scan a specific directory)
  • useget - activate the _GET variable as an easy way to receive tasks
  • authentication - protect the script with a user name and password; to disable, simply set to NULL
  • remotefingerprint - fetch the shell signature database remotely



DarkComet RAT v 5.3.1 FIX 1 fwb Released

Finally, the final version of DarkComet RAT 5.3.1 is out. DarkComet is a Remote Administration Tool already chosen by hundreds of thousands of people worldwide. These users describe DarkComet RAT as one of the very best around; it is totally free to use and allows you to control multiple remote machines at the same time using hundreds of functions (webcam streaming, desktop streaming, microphone streaming, keylogger, MSN control, system control, etc.). DarkComet is also considered the most stable RAT and is even regarded as more stable than some professional ones (professional is another word for not free).

Change for 5.3.1 FIX 1:
  • New action added in FTP Client, you can copy to clipboard the link of a file (useful for file downloader (URL))
  • A very huge bug was fixed for stub startup, now it works fine
  • A bug fix when using user list thumbnails
  • [FIX ] HTTP Flood more efficient
  • [FIX ] In settings the last theme is correctly set in the combobox
  • [FIX ] Auto SIN Refresh ratio successfully saved in config.ini
  • [GUI ] Client Settings GUI changed, it is now more user friendly and fit with the rest of DarkComet RAT Design
  • [GUI ] EULA At startup is more beautiful
  • [GUI ] No IP Gui revised
  • [GUI ] User group Gui revised
  • [FUNC] Search for update added in settings
  • [GUI ] Keylogger GUI revised
  • [FIX ] Now desktop correctly save snapshots (if option enabled)
  • [DEL ] Delete in full editor (read only, archived, temporary) attributes to avoid some stub problems if used
  • [FIX ] Users list flags support now Serbia Country (Republic of Serbia)
  • [FIX ] VIP Lounge price and URL fixed
  • [FUNC] HOT, Now you can choose which functions you need in the control center, and not be bloated with functions you might never use. (In settings window)
  • [FIX ] FTP Upload Keylogger Logs bug fixed
  • [FUNC] FTP Wallet added in settings, it allows you to setup and test your FTP accounts for compatible DarkComet RAT FTP Functions
  • [FUNC] FTP Wallet is now linked to the Edit Server keylogger FTP Management
  • [FUNC] Now you can upload files from file manager to one of your FTP account (compatible with the FTP wallet)
  • [FUNC] Embedded FTP Client added to DarkComet, multithread using Pure API, very fast and reliable and of course user friendly.
  • [FIX ] Bug fixed when module startup enabled, no more tons of process on reboot etc.. support Drag n Drop
  • [FUNC] Drag And Drop added in File Manager to upload files from explorer directly to remote computer
  • [FUNC] New downloader method implemented using Pure low level API's instead of the shit URLDownloadUrlToFile bloated of crap
  • [FUNC] File Downloader manager from control center been improved and bug fixed, now file are correctly downloaded, also you can chose a PATH from combobox shortcut
  • [FUNC] Mass downloader from user list been improved and multithreaded, also download bug is now fixed
  • [FUNC] Same as for mass downloader, update from URL bug fixed and improved

