Wednesday, March 25, 2009

psyb0t

Is it a robot from a sci-fi book or a character from Futurama? Nope, it's worse! This is an IRC bot that infects routers. You read it right. The idea is that people (a) leave their routers on all of the time, even though they shut down their PCs, and (b) most people don't keep an eye on their router cuz it should just run. It appears to be doing so by taking advantage of vulnerabilities in applications that run on the router, such as PHPMyAdmin or MySQL for example. You can read more at the following two links (at the time of this writing I couldn't get to the first, which is the group noted for the discovery; the second includes excerpts from members of that group):

Dronebl

irc-junkies

I can't say I'm surprised. I worked on a contract for a company, which shall remain nameless to protect the innocent, that was running FatPipe load balancers that were taken over by a bot almost 2 years ago. We really didn't do analysis on it to know where it was going, but I know it was bot activity, as blocking the normal IRC ports on the core router stopped the traffic. It's a great but fiendish idea. Make sure your passwords are not easy to guess and keep up on the software/firmware updates for your routers! There are some suggestions for lowering your probability of infection on the Dronebl site.
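The symptom described above, a router or load balancer talking to IRC ports on its own, is easy to spot in firewall or flow logs before you resort to blocking the ports. The following is an example added here, not code from the post or from Dronebl; the log line format, the router addresses and the sample log are all constructed for the example.

```python
"""Flag TCP flows from router/infrastructure addresses to IRC ports, the
tell-tale of a router running an IRC bot such as psyb0t.
Added example; log format, addresses and sample lines are constructed."""
import re
from collections import defaultdict

# Standard IRC ports. A bot can use any port, so this is a first filter, not proof.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Assumed: management addresses of the routers/load balancers on the network.
ROUTER_ADDRS = {"10.0.0.1", "10.0.0.2", "192.168.1.1"}

# Constructed log format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<sip>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_router_irc(lines, routers=ROUTER_ADDRS, ports=IRC_PORTS):
    """Return {router_ip: [(dst_ip, dst_port), ...]} for TCP flows that a
    router address opened to an IRC port. Routers have no business on IRC."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["sip"] in routers and rec["dport"] in ports:
            hits[rec["sip"]].append((rec["dip"], rec["dport"]))
    return dict(hits)

SAMPLE_LOG = """\
2009-03-25T08:00:01 src=10.0.0.1:51234 dst=203.0.113.7:6667 proto=tcp
2009-03-25T08:00:02 src=10.0.0.5:44321 dst=203.0.113.7:6667 proto=tcp
2009-03-25T08:00:03 src=10.0.0.1:51235 dst=198.51.100.9:443 proto=tcp
2009-03-25T08:00:04 src=192.168.1.1:40000 dst=203.0.113.8:6697 proto=tcp
2009-03-25T08:00:05 src=192.168.1.1:40001 dst=203.0.113.8:6697 proto=udp
this line is malformed
""".splitlines()

if __name__ == "__main__":
    for router, flows in find_router_irc(SAMPLE_LOG).items():
        print(f"ALERT router {router} -> IRC: {flows}")
```

The second sample line (a PC on 10.0.0.5 talking IRC) is deliberately not flagged; the point is that infrastructure devices should never initiate such connections at all.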

Monday, March 23, 2009

Symantec Underground Economy

Symantec has released their report on the activity going on in the computer underworld. It doesn't claim to have a profile on all cybercrime in the world, but it is a good sample of the things that are being seen, sold, bought etc. You can check it out here:

Symantec Underground Economy

You do not have to register to read it, just answer 2 simple questions. I'll probably post a blog tomorrow on what I find interesting in the document after I have some time to read it.

Tuesday, March 17, 2009

Social Engineering: The New Thing?

Social engineering has received a lot of media attention in the recent past in regard to security. Just how new is this technique? I'm sure arguments could date this back to biblical times, when Jacob obtained Esau's firstborn privileges by giving him stew, or even back to the serpent duping Eve into not following God's commands.

What about examples in more recent times? Again, I'm sure there are plenty of examples, but I stumbled on this one. It is a document released under the Freedom of Information Act, talking about how FBI agents can and should use social engineering in their investigations.

FBI Social Engineering Manual Revealed!

This document is from 1956. There is no groundbreaking stuff here, but it is an interesting read to see that even the man is aware of how well this technique works.

Credit for discovery goes to Mr. Kevin Mitnick, surprise :)

Monday, March 16, 2009

Always seems to be the simple things...

I just wanted to post a thought I had this morning. Each of the past 4 major security projects I had to do took longer than it should have. The reason? Simple: I always overthink the problem at hand. In all 4 cases the solution to getting into the box, recovering the password, testing for cross site scripting, or mapping the network was so easy that I missed it. I was throwing everything but the kitchen sink at this MS box this morning, intense injection attempts and other remote exploits, and then 20 seconds in Hydra got me administrator user access because the password really was just that weak.

It seems that I just want to apply all of the cool new techniques available, when good old password guessing, reading the documents received from a client, or simple trial and error produced the access needed. There was no need for rainbow table attacks or complex sploits to get what I needed. I just needed to start at the basics.

Don't forget the basics! As much as we would like to think "naaw, it can't be that simple", it turns out to be just that. Don't get me wrong, pwning a box with the latest greatest 0day is cool, but when you're doing this for a living and just need to get it done, don't leave out the simple stuff cuz it's not 733t!

Thursday, March 12, 2009

Remote Desktops

So this isn't really security related but I want to keep up on this blog so I figured I would put down some things I found today. I'm not sure how many of you use the Remote Desktops MMC to connect to multiple Windows boxes. I like the idea of having all of my connections in one place but man do I hate that you cannot sort them or group them in any way.

That said, I found two tools that add some nice features: RoyalTS (http://www.code4ward.net/main/) and Visionapp Remote Desktop 2009 (http://www.visionapp.com/). Now, I haven't used either for very long, only today actually, but here are my findings so far.

I really like RoyalTS 6.1. It has a kick butt feature of being able to pull up computer management, the event log and more from a right click menu. You can also add your own custom WMIC commands to the toolset. The biggest problem with 6.1 is that it's $30! I'm having trouble justifying spending money on a tool like this. The free version is limited to only 10 connections, and with more than 100 servers to connect to, that's not very helpful.

Visionapp is very nice in the user interface arena. It is easy to group your connections into logical folders. RoyalTS does this too, but it is a little less pretty. One of the best features this one has over RoyalTS is that you can import the systems via an AD query. This made it a cake walk to pull all of the needed systems into one place. Alas, no toolset.

It's quite odd that I have immediately set the bar at needing a WMIC toolset in such a tool, when only this morning I barely had a place to connect to multiple systems from one place :) More to come after a full evaluation. If any of you know of similar applications, especially free ones, let me know in a comment!

Curt

Wednesday, March 11, 2009

New Blog!

So this will be my attempt to share the things that I am learning through this endless journey of IT Security. I hope to post details of projects I'm doing, thoughts I am having related to IT security and any news or interesting articles that I stumble upon. I hope to share at least one of these things daily.

Check back soon!