The Dutch HackInfo

Wireless hacking

Poison Ivy Kit Enables Easy Malware Customization for Attackers

Brian Prince - securityweek.com
03 November 2011

It is no secret malware kits have been the source of many of the infections plaguing users in recent years. This trend is epitomized by Poison Ivy, a remote administration tool (RAT) at the heart of the Nitro attacks targeting the chemical and defense industries.

In a new research paper, Microsoft chronicled how Poison Ivy works and why it continues to be utilized by attackers. For one thing, the tool is available for free.

“Poison Ivy has an official website from which the kit is distributed. It is also available on a variety of underground websites and forums,” according to the Microsoft report. “This free and open distribution is growing increasingly uncommon as the malware authors of today tend to operate exclusively within their trusted circles and sell their creations to the highest bidders.”

According to Microsoft, Poison Ivy uses a client/server architecture to essentially turn victim machines into “servers” that operators can then connect to and remotely control.

“The malware is considered a kit because operators can configure the server application to their liking before generating a server assembly that is then distributed and covertly installed on victim systems,” the Microsoft researchers wrote in the paper. “These server assemblies are very small (generally between 7 KB and 10 KB). The kit also contains a “client” component that a controller can use to remotely access and control compromised systems.”

Once on an infected system, the malware enables an attacker to download and upload files remotely, log keystrokes, inject malicious code and perform other malicious activities. The malware is distributed in a variety of ways, from software vulnerabilities to phishing e-mails, with the latter being how Poison Ivy infiltrated RSA earlier this year. Poison Ivy was also linked to the GhostNet spy operation uncovered in 2009, as well as the Nitro attacks recently publicized by Symantec.

“With Poison Ivy there's the option to pay the author for customized versions,” Roel Schouwenberg, senior researcher at Kaspersky Lab, told SecurityWeek. “However, we believe that in these APT-style attacks the attackers customize Poison Ivy themselves.”

Officials at Microsoft said the company has removed Poison Ivy from some 16,000 infected machines as of last month. In the report, researchers note the United States has been the hardest hit in 2011, accounting for 12 percent of infections. Second and third on the list are Korea and Spain, which registered nine and seven percent, respectively.

The Microsoft paper can be downloaded here.

Hackers release tool for SSL DoS

Joost Schellevis
24 October 2011

A hacker group has released a tool that would reportedly make it easy to carry out denial-of-service attacks via SSL. With relatively little processing power, servers with SSL support could be taken offline.

The tool, available as a Windows binary or as source code for Unix-based operating systems, was released by the German hacker group The Hacker's Choice. The tool, THC-SSL-DOS, relies on the difference in computational work required between establishing an SSL connection on the server side and establishing the connection on the client side. The former requires more computation because the server has to generate cryptographic keys during the handshake.

According to the hacker group, as much as fifteen times more processing power is needed on the server side, which makes carrying out a denial-of-service attack easier. An ordinary laptop on an ADSL connection can therefore compete with a server on a 30Gbps pipe, the hackers claim. An ordinary laptop could thereby take a single server with SSL offline; for a larger server farm with load balancers, about twenty laptops with a 120Kbps connection would be needed.

MagicTree v1.0 – Collaboration Tool for Pentesters

MaxiSoler
15 October 2011

MagicTree is a productivity tool for penetration testers. It allows consolidating data coming from various security tools, querying and re-using the data, and generating reports. Its aim is to automate the boring and the mind-numbing work, so you can spend your time hacking.

Changelog Version 1.0

  • Fix for #216 – “Following Xrefs on Mac OS X with Ctrl+Click does not work”
  • Fix for #45 – “Java Desktop API does not work in KDE and XFCE”. Implemented a workaround. Now “View in Browser” and opening reports works on KDE and XFCE (tested on Xubuntu 11.04 and Kubuntu 11.04)
  • Updated report templates to use the data structures from web application scanners
  • mt:join() XPath function should use getValue() rather than toString()
  • Fix for #165 – “Linking cross-references is currently broken”
  • Fix for #209 – “Deleting newly created nodes fails”
  • Support for copy/paste MT data as files.
  • Support for copy/pasting MT nodes as XML text. Select tree nodes, Ctrl+C to copy, paste into text file. MT XML may be pasted into the tree.
  • Support for dragging and dropping files between MT and the OS. Selected nodes can be dragged to desktop – this creates a MT XML file on desktop. MT XML files may be dragged to MT for merging
  • Implemented multiple node copy paste and drag and drop within the tree. Multiple nodes may be selected and copied or moved. Nodes may also be pasted into multiple locations.
  • Implemented #80. Cross-references can now be created by drag and drop (Select nodes to link to and Ctrl+Shift+drag them to link location. Multiple cross-references can be created)
  • XRef nodes are now correctly displayed after creation
  • Considerable performance improvements for #199 – “Setting node status for large number of nodes in large tree is slow”
  • Fixed #206 – “Set status recursive is broken”.
  • Fix for #207 – “Saving a query messes up the repository”
  • Fix for #203 – “View in browser broken”
  • Implemented #173 – “XSLT for OpenVAS 4”

Download MagicTree v1.0

How to hack facebook, twitter, Gmail password using Winspy Keylogger

Deepanker
24 August 2011

A keylogger is also one of the best ways to hack the password of Facebook, Gmail or any other website account. In this post I am going to show how to hack passwords using the Winspy keylogger.

Read the steps given below:
