Botnets Unearthed – The ZEUS BOT – InfoSec Institute

An interesting article by Aditya Balapure from InfoSecInstitute.com:

Zeus, also known as ZBot/WSNPoem, is famous for stealing banking information by using man-in-the-browser keystroke logging and form grabbing. As the term suggests, man in the browser (MITB) is basically a proxy Trojan horse which uses man-in-the-middle techniques to attack users. It attacks by exploiting vulnerabilities in the browser security to modify web pages and manipulate monetary transactions by changing or adding details that are malicious. The worst part is that no form of application-level or session-layer security like SSL can protect against such a form of attack. The best way to protect against these is out-of-band transaction verification. Form grabbing is a technique of capturing web form data in various browsers. Very recently Happy Hacker was arrested; he was alleged to be the mastermind behind the Zeus banking Trojan. Zeus comes as a toolkit to build and administer a botnet. It has a control panel that is used to monitor and update patches to the botnet. It also has a so-called builder tool that allows the creation of executables that are used to infect the user computers. Zeus comes as a commercial product for users who can buy it from underground markets and easily set up their own botnet. It is estimated to cost around $700 plus for the advanced versions.

Features of Zeus

Some of the features that this botnet displays are:

  • Captures credentials over HTTP, HTTPS, FTP, POP3
  • Steals client-side X.509 public key infrastructure certificates
  • Has an integrated SOCKS proxy
  • Steals/deletes HTTP and flash cookies
  • Captures screenshots and scrapes HTML from target sites
  • Modifies the local hosts file
  • Groups the infected user systems into different botnets to distribute command and control
  • Has search capabilities which may be used through a web form
  • The configuration file is encrypted
  • Has a major function to kill the operating system
  • Contacts command and control server for additional tasks to perform
  • Has a unique bot identification string
  • Sends a lot of information to C&C server, such as the version of the bot, operating system, local time, geographic locations, etc.

You can read the full article on their site.


eForensics Open is available for free

The eForensics team has gathered the most practical articles about Computer Forensics, Network Forensics and Data Recovery from the last three months to create eForensics OPEN.

All of the articles have been written by experts in the digital forensics industry and are based on their life experiences.

This issue's title is “Let’s Play Forensic Tools”.

You can download it from their website here, but you will need to register first before you can download the magazine.

In this issue of eForensics OPEN, you will find the following topics:

FORENSICS AND HARD DRIVE DATA IMAGING & RECOVERY. THE PERILS AND PITFALLS OF WORKING WITH DEFECTIVE HARD DRIVES

by Jonathan R. Yaeger

This article will discuss some of the details of hard drive operation and failure, as related to digital data recovery or forensics. This will help the investigator to minimize compromises in evidence integrity. The article will also serve as an introduction to best practices when data recovery is required.

RAID 5 DATA RECOVERY – A GUIDE FOR THE RAID OWNER

by Wayne Horner

Your business stores data in a RAID 5 storage array and you just found out that the RAID has failed. Many RAIDs get damaged by the repair attempts. Your job is to keep an eye on well-meaning IT consultants and in-a-hurry tech support centers. To do that you need to know what's going on. The purpose of this guide is to arm you with enough knowledge to keep your RAID from being destroyed.

GREP AND REGEX, THE OVERLOOKED FORENSIC TOOLS

by Dr Craig S Wright GSE GSM LLM MStat

This article takes the reader through the process of learning to use GREP and Regular Expressions (RegEx). GREP may not seem to be a tool that relates to the process of data recovery, but we will show that this is an essential tool in recovering data. If you cannot find data, how can you recover it?

Using the GREP command we can search through a variety of information sources. For the forensic analyst, incident handler or system administrator, this means a simplified method of searching for information. Coupled with the use of regular expressions grep is a powerful tool for the IT investigator. In this paper, we look at some uses of grep and regular expressions.

INTERVIEW WITH BRIAN GILL, CEO AT GILLWARE, INC.

by Kishore P.V. and Richard C. Leitz Jr.

WIRE-SPEED CAPTURES WITH PORTABLE DEVICES

by Francisco J. Hens and Vicente J. Bergas

Improvements in storage technology in terms of capacity/speed and continuous optimization of Field-programmable Gate Array (FPGA) integrated circuits are bringing a totally new wave of possibilities in data capture and processing applications. FPGAs are perfectly suited for wire-speed processing of fast data sources, and small form factor Solid State Drives (SSDs) supply excellent performance and large storage capacity, and they are perfectly adapted to operation in portable equipment.

INTRUSION DETECTION SYSTEM: AN INTELLIGENT STEP TO CATCH THE INTRUDERS

by Deepanshu Khanna

Nowadays the number of Internet users is growing. Almost everyone around the world is accessing the Internet. E-commerce and E-business are growing rapidly. Therefore, competition is also increasing rapidly. The number of intrusion events has also continued to grow because many companies’ networks use the Internet. So in this article I have focused on how a hacker attacks and, on the contrary, how we can catch that hacker.

WEB ATTACKS: ERROR BASED ASPX SQL INJECTION

by Rahul Tyagi

ASPX SQL injection is also parallel to a PHP-based SQL injection. But here, we don’t use queries that contain order by, union select etc. Instead, we will cheat the server into responding with the information we need. It is called an error-based injection technique. We will get the information we need in the form of errors.

THE MOST POPULAR NETWORK FORENSICS PRODUCT IN JAPAN, PACKET BLACK HOLE, IS NOW ON SALE IN THE US

INTERVIEW WITH NETAGENT INC. WWW.NET-AGENT.COM

by Aby Rao, Gabriele Biondo and Andrew J Levandoski

A STEP BY STEP GUIDE TO BEGINNING COMPUTER FORENSICS

by David Biser

We live in an era of digital connectivity such as the world has never known. Each age has one symbol that seems to identify it to all other time periods; for instance, the Roman era is known by the Imperial Eagle, the Industrial Revolution by the machines that were developed and used, and our age can probably be symbolized by 1s and 0s. Nearly everyone is connected to the Internet in some form or manner, by smartphone, tablet or laptop. With such connectivity comes crime, which brings the need for investigators with a specific skill set to be able to investigate, track and apprehend criminals in the digital world. This is where the exciting and ever-changing world of computer forensics begins. As a computer forensic examiner you will find yourself tracking child pornographers, cyber thieves and terrorists, responding to the worst of crimes, all in an effort to deter and stop cyber crime. A very exciting field indeed!

DIGITAL IMAGE ACQUISITION – STEP BY STEP

by Thomas Plunkett, CISSP, EnCE, MSIS

Proper digital image acquisition is key to any forensics practice. Accurate and thorough documentation along with rigorous adherence to procedures and established best practices lead to a successful acquisition process. This article will help the beginner learn what is necessary to successfully accomplish this important part of digital forensics.

INTRODUCTION OF NETWORK FORENSICS USING WIRESHARK

by Dauda Sule

Network forensics involves recording, monitoring, capturing and analysis of network traffic in a bid to uncover how incidents occurred (like a breach, attack, abuse or error). Network data is highly volatile and may be easily lost if not captured in real-time; for example, if malicious code is sent to an endpoint, the source or path of the code would be difficult to discover if the traffic data was not captured as it was coming in through the network. There are various tools that can be used to capture and analyze network traffic such as NetworkMiner, tcpdump, snort, windump and Wireshark. This article introduces the use of Wireshark for network analysis.

REVIEW OF “GUIDE TO COMPUTER FORENSICS AND INVESTIGATIONS” 4TH EDITION

by Richard Leitz

THE INTERVIEW WITH JAMES E. WINGATE, VICE PRESIDENT OF BACKCONE SECURITY

by Gabriele Biondo and Kishore P.V.

Google Glass hacked with QR Code to yield its pictures and video

Another interesting article by our content partners at HackersNewsBullentin.com:

Researchers at mobile security company Lookout discovered a security flaw in Google Glass which allowed them to capture data being sent from the head-mounted device to the web with the user’s knowledge.

Mobile security company Lookout has discovered a security flaw in Google Glass which allowed them to sit in the middle and capture data being sent from the head-mounted device to the web.

Basically, the fact used in the flaw is that when the head-mounted Glass camera takes any photo, it looks for a QR code in order to set up Wi-Fi or Bluetooth connections to a smartphone for internet access.

Explore the Fact:

Whenever the Glass software detects a QR code, it decodes it to see if it names a Wi-Fi network to connect to, and the major fact in this is that it does so even if the code does not occupy the whole of the frame, so a hacker could get a Glass owner to hack their own device just by standing near a printout of a special QR code.

“We created a QR code that told Glass to connect to a Wi-Fi network of my choosing and started sending data to that,” Mark Rogers, principal security analyst at Lookout, told the Guardian. “We could become the middleman and, if we needed to, strip out the encryption on the connection. Then we could see the pictures or video that it’s uploading. We could also direct it to a site on the web which exploits a known vulnerability in Android 4.0.4” – used by Glass – “which hacked Glass as it browsed the page.”

You can read the rest here.
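The defensive lesson from the Glass story is that a decoded QR code is untrusted input, not a command. The following is an added example (not code from the article, Lookout or Google) that parses a Wi-Fi provisioning payload and applies a join policy; it assumes the common "WIFI:T:..;S:..;P:..;;" QR convention, which the article itself does not describe.

```python
"""Parse a Wi-Fi provisioning QR payload and decide whether to act on it.

Assumed payload syntax (common QR-generator convention, not from the article):
  WIFI:T:<auth>;S:<ssid>;P:<password>;H:<true|false>;;
where ';', ':', ',' and '\\' inside a value are backslash-escaped.
"""
import re

_SPLIT = re.compile(r"(?<!\\);")   # split on ';' that is not escaped


def parse_wifi_qr(payload: str) -> dict:
    """Return the payload's fields as a dict; raise ValueError if malformed."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi provisioning payload")
    fields = {}
    for token in _SPLIT.split(payload[len("WIFI:"):]):
        if not token:
            continue                      # the terminating ';;' yields empties
        if ":" not in token:
            raise ValueError(f"malformed field: {token!r}")
        key, value = token.split(":", 1)
        fields[key] = re.sub(r"\\(.)", r"\1", value)   # remove escapes
    if "S" not in fields:
        raise ValueError("payload names no SSID")
    return fields


def join_decision(fields: dict, trusted_ssids: set, user_confirmed: bool):
    """Return (allowed, reason) for a decoded provisioning payload.

    The policy refuses open and WEP networks, SSIDs outside an operator
    allowlist, and any join the wearer has not explicitly confirmed. That
    confirmation step is exactly what the flaw bypassed: the device joined
    whatever network a scanned code named.
    """
    ssid = fields.get("S", "")
    auth = fields.get("T", "nopass").upper()
    if auth in ("", "NOPASS"):
        return False, f"{ssid!r}: open network, traffic can be read or altered in transit"
    if auth == "WEP":
        return False, f"{ssid!r}: WEP offers no meaningful confidentiality"
    if ssid not in trusted_ssids:
        return False, f"{ssid!r}: not on the trusted SSID list"
    if not user_confirmed:
        return False, f"{ssid!r}: no explicit user confirmation"
    return True, f"{ssid!r}: join permitted"


if __name__ == "__main__":
    # Constructed payloads; the first SSID contains an escaped ';'.
    for code in ("WIFI:T:WPA;S:Cafe\\;Guest;P:s3cret;;", "WIFI:T:nopass;S:FreeWiFi;;"):
        print(join_decision(parse_wifi_qr(code), {"Cafe;Guest"}, user_confirmed=False))
```

Every refusal carries a reason string, so the same function can feed an audit log when a device is shown a provisioning code it did not ask for.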

TrueCaller website hacked and database breached by Syrian Electronic Army

An interesting article about the TrueCaller.com Hack by HackersNewsBullentin.com:

The Syrian Electronic Army was silent for many days, and today they woke up and started their hacks again; their latest target is truecaller.com.

SEA hijacked their website through WordPress and claimed that they have the database of True Caller, which contains millions of access codes for Facebook, Twitter, LinkedIn and Gmail accounts of different users, that can be used to post updates from the compromised accounts.

SEA tweeted about the hack from their official Twitter account:

Read the rest here.

Court sides with Yahoo in NSA PRISM data collection case

Tami Abdollah The Associated Press

Yahoo has won a court fight that could help the public learn more about the government’s efforts to obtain data from Internet users.

The U.S. Foreign Intelligence Surveillance Court, which reviews government requests to spy on individuals, ruled Monday that information should be made public about a 2008 case that ordered Yahoo Inc. to turn over customer data.

The order requires the government to review which portions of the opinion, briefs and arguments can be declassified and report back to the court by July 29.

The government sought the information from Yahoo under the National Security Agency’s PRISM data-gathering program. Details of the secret program were disclosed by former NSA contractor Edward Snowden, who has fled the U.S.

The program came to light in early June after The Washington Post and Guardian newspapers published documents provided by Snowden. It allows the NSA to reach into the data streams of U.S. companies such as Yahoo, Facebook Inc., Microsoft Corp., Google Inc. and others, and grab emails, video chats, pictures and more. U.S. officials have said the program is narrowly focused on foreign targets, and technology companies say they turn over information only if required by court order.

Yahoo requested in court papers filed June 14 to have the information about the 2008 case unsealed. A Yahoo spokeswoman hailed Monday’s decision and said the company believes it will help inform public discussion about the U.S. government’s surveillance programs.

The government hasn’t taken a position on whether details of the case should be published as long as it’s allowed to review the documents before publication in order to redact classified information, according to the court order.

Mark Rumold, a staff attorney at the Electronic Frontier Foundation specializing in electronic surveillance and national security issues, called the ruling incremental and said he was reserving judgment until the case details are actually released.

“It remains to be seen how forthcoming (the government) will be,” Rumold said. “The administration has said they want a debate about the propriety of the surveillance, but they haven’t really provided information to inform that debate. So declassifying these opinions is a very important place to start.”

The unsealing of such secret rulings is not unprecedented, but it is rare. The last time that happened, Rumold said, was in 2002, in a case regarding the Patriot Act.

___

Tami Abdollah can be reached at http://www.twitter.com/latams .

© 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.