Category Archives: phishing

New Rootkit infects Linux Web servers

A previously unknown rootkit is infecting Linux web servers and injecting malicious code into web pages served by infected servers. The rootkit was discovered by a user of security mailing list Full Disclosure, who has posted his observations, including the suspicious kernel module, to the mailing list. The malware adds an iframe to every web page served by the infected system via the nginxproxy – including error pages.

Anyone who visits a web page on the server is then attacked by a specially crafted web page which is loaded in an iframe. Criminals typically use exploit kits such as BlackHole to examine the system of the victim to establish which one of a number of vulnerabilities in Flash, Java and other applications can be exploited. Once an exploitable hole is identified, it is used to install malware on the visitor’s system. The web server is ultimately being used to redirect users to another web server which can then infect their system, such as poorly maintained Windows systems, with malware.

Anti-virus software company Kaspersky Lab has analysed the malware. According to them, the rootkit, which it has dubbed Rootkit.Linux.Snakso.a, is designed to target 64-bit systems and has been compiled for kernel version 2.6.32-5, used in Debian Squeeze. The rootkit adds the line insmod /lib/modules/2.6.32 5-amd64/kernel/sound/module_init.ko to the /etc/rc.local script, ensuring that the malicious module is executed each time the system boots.

After booting, it determines the memory address of a number of kernel functions, which it then hooks into. This allows it both to hide itself from the user and to manipulate the server’s network traffic. The rootkit obtains deployment instructions from a command and control server. According to Kaspersky, the rootkit may still be under development, as it has been compiled with debug information in situ.

Security expert Georg Wicherski has also analysed the rootkit, and suggests that it was developed by an advanced beginner who does not yet have a great deal of experience with the kernel. According to Wicherski, the attacker who deployed the rootkit is probably based in Russia.

Citadel: The Thoroughbred of Cyber Crime

In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes and taking screenshots/videos of victims’ computers. Citadel came out circa January 2012 in the online forums and quickly became a popular choice for criminals. A version of Citadel (1.3.4.5) was leaked in late October and although it is not the latest (1.3.5.1), it gives us a good insight into what tools the bad guys are using to make money.

In this post, I will show you how criminals operate a botnet. This is not meant as a tutorial and I do want to stress that running a botnet is illegal and could send you to jail.

A nice home

In order to get into business the bad guys need a server that is hosted at a company that will turn a blind eye on their activities and also guarantee them some anonymity. Such companies are called Bulletproof hosting and can be found in most underground forums.

Those hosting firms are for the most part located in countries like China or Russia and therefore in their own jurisdiction where so long as you don’t commit crimes against your own people not a whole lot can happen to you. To cover their tracks even more, the bad guys use proxy or VPN services that disguise their own IP address.

A shiny new toy

Once set up with a server, it is time to install what will be the mastermind program to create and organize an entire array (botnet) of infected computers worldwide. A variety of crimekits exist but in this post we will concentrate on Citadel.

Once again, the core installation files can be found in the underground community or through your own connections. Recently, the Citadel kit was withdrawn from forums to prevent too much exposure and attention. It costs around $3000 USD.

To install Citadel, you simply browse to the install folder with your browser and set up the main access username and password as well as database information.

In this testing, the installer did not automatically create the database but you can do so by hand. To finally access the login page, you need to browse to the cp.php file:

 Before logging in, I want to show you the other component that makes this package complete. It is called the builder and is essentially used to create the piece of malware that criminals will distribute (forced installs through infected websites) and that links to their crimekit.

Stolen credentials are harvested by various means:

  • Keystroke logging
  • Screenshot capture
  • Video capture

A powerful feature used to trick users into revealing confidential information is dubbed WebInject. It is powerful because it happens in real time and is completely seamless. A WebInject is a piece of code that contains HTML and JavaScript which creates a fake pop-up that asks the victim for personal information within the context of logging into a site. The bad guys can trigger it in two ways: either automatically when a site of interest is opened by the victim, or manually on the fly.

It is the ultimate phishing tool because it does not go against any known proper precautions a user would normally take. For instance, the site’s URL is unchanged and shows the secure pad lock with the financial institution’s SSL certificate. This type of hack is also called a man-in-the-middle attack. Many times this kind of attack doesn’t work as users get suspicious. Ransom-ware works much better in my opinion.

Since a lot of people download music and movies from torrents or other shady sites, the message tricks them into thinking they have been caught by the local authorities. It’s a very smart scare tactic which works quite well, unfortunately. To add to the drama, the malware will attempt to turn on the user’s webcam as if they were already under surveillance.

The FBI has posted an article regarding this scam (http://www.fbi.gov/news/stories/2012/august/new-internet-scam) and urges people to not pay any money as it could get you into even more troubles.

Malwarebytes users are protected against the FBI Moneypak malware. If you aren’t one of them and are already infected you can remove this ransomware by following these 3 steps:

  1. Reboot your computer into Safe Mode with Networking. (Instructions from Microsoft here)
  2. Download Malwarebytes Anti-Malware.
  3. Run Malwarebytes Anti-Malware and remove all malware

What’s next for Citadel?

The latest version (1.3.5.1) whose code name is Rain Edition is getting pricey at $3931 but it includes a lot of valuable features (advanced support for Chrome and Firefox, improved WebInjects, smarter ‘on-the-fly’ updates to the Trojan, etc…).

The makers of Citadel are trying to keep a low enough profile to avoid gathering too much attention which could result in efforts to go after them (as we have seen with Zeus). Getting your hands on Citadel is more difficult because of a stricter validation process within the Russian underground.

How to protect yourself

When seeing such technically advanced crimekits it puts a lot of things into perspective. The methods used to steal personal information are so advanced and sneaky that even the most cautious user may get fooled. It is best to avoid infection in the first place by using a solution such as Malwarebytes Anti-Malware PRO that constantly protects your computer by blocking malicious sites and files. Using a combination of both safe online practices (if you ever feel uncomfortable disclosing personal information, give your bank a call or ask a friend) and a good anti malware solution will keep you safe(r).

A Study On Russian Cyber Crime

As we all know a lot of the crime that happens on the internet originates in Russia. Mostly because of Russia’s rather relaxed approach to enforcing any laws on internet interactions. With the relative lack of control over what goes on on the internet in Russia, a large underground network for cyber criminals has developed. They sell some perfectly normally things VPN’s, bullet proof VPS’s as well as dedicated servers. But what is also on the market are things like Botnets, DDOS attacks, root kits and some other pretty sketchy stuff.

Reading about it is rather interesting you begin to see how you could relativity cheaply DDOS anyone you want or even have custom made rootkits made specially for you. It kind of scares me that if I was to make someone mad how easy it would be for them to screw up my life. As long as they know where to look.

If you interested in learning more about how this Russian cyber crime works, Trend Micro has a great white paper on the subject. if you don’t want to find it on the site you can just download it.

Cookie Cadger Is Free! But How Do I Use It?

Cookie Cadger is now free but I’ve had some people asking how you set your card into monitor mode a requirement for Cookie Cadger. Before you set into monitor mode download Cookie Cadger you will need Java 7 installed as well as a package called tshark, normally part of the wireshark package though I had to install it from my package manager. I know you asked for a guide to use Cookie Cadger I hope you can get by with just a guide to monitor mode until I get home. You can now use the guide Cadger for basic capture. Also for Mac users I’ve written a guide for setting your card into monitor mode the usage of Cookie Cadger is exactly the same on any OS.

First step to begin hacking the WEP networks is to put your wireless network card into monitor mode. For this we will use ifconfig and iwconfig. These instructions may not work for your card. I will explain how to set it up with atheros chipset cards in a separate post. This is for Broadcoms or RT2500 and most other stock cards.

Step 1: Open a shell
Now we want to see what the cards installed on our computer are known as.

Step 2: At the prompt type iwconfig
You will see something like this:

lo no wireless extensions

eth0 IEEE 802.11b/g ESSID:Off/any Nickname: "Broadcom 4311"

Mode: Managed Frequency=2.437 GHz...

Disregard the ‘lo’ card. Your card is the one or more other cards listed. In my case the card is known as ‘eth0’ yours also could be know as ‘wlan0’. As we can also see in the second line, the card is currently in managed mode, we must get it into monitor mode.

We also need our card to be “UP”. To check the up and down status, we use:

ifconfig

The results should show your card and the second line of the cards information should start with ‘UP’. If your card is not shown or if it is not showing it with the word ‘UP’, then we must put it up. If you’re not sure, you can also put it up and there will be no harm done. Here’s how we do it.

ifconfig eth0 up

Now type ifconfig again and you should see your card and marked as up.

 iwconfig eth0 mode monitor

In case you couldn’t tell, this places the card into monitor mode. Doing iwconfig again should now show mode as monitor.

If you followed these steps correctly you should be able to start up Cookie Cadger, Aircrack or any thing else that requires monitor mode and it should work exactly how you want it to. I’m writing this from my phone but I’ll be post some screen shots later on. If you have any questions ask them in the comments.

Phishing Using Only a Android Phone

Recently evilsocket released a Android app called dSploit, it’s basically a stripped down version of Metasploit for Android. You can preform Man in The Middle attacks and also scan for vulnerable operating systems. But one of the MITM attacks that I think could be the best, is the ability to redirect all traffic on a network to a web page. For example you could go to a coffee shop having before hand written up a legitimate looking sign in page for the target shop or public wifi network.
You join just like any other patron open up dSploit and redirct all traffic to a fake login page being served off you phone. Rather than just having guest sign in you could also have them register to pay to get access to the wifi, they are unsuspectingly handing you their credit card numbers or logins to any site you chose. All you need is a Android cell phone or tablet and a few minutes to set the server up.

  • I will be using kWS for serving my fake login pages. You can download it form the Android store.
  • You will need to download dSploit for the developers web page I posted earlier about installing and using dSploit.

First you need to decide where you HTML page will be stored. Mine is going in /mnt/sdcard/publichtml you can put yours anywhere.

Once you decide what directory to put your HTML in click on Port and enter a port number I decided to go with 8888. Because it is not normally blacklisted on any public networks.

After you finish setting up the directories and port go ahead and place what ever HTML you want into the selected /publichtml folder. Once you do that open up kWS and click on run server.

Hopefully you get a return from the server that looks exactly like this one. Take note of you local IP address. If you don’t there’s something wrong with your setup. Go back and make sure that the server is looking for the html in the right place. If that doesn’t change anything try again with a different port. Once you get it running correctly, all you need to do is open up dSploit and it will scan the network you are attached to. Select 192.168.1.0/24 then select MITM and finally Redirect. Fill out the menu with your phones local IP address that you found when you started the web server and what ever port the server is using.

Finally click Ok and it will begin redirecting all HTTP traffic to your fake web page. The few times I’ve used this I simply redirected people to a fake Facebook login where I saved the email and password to a text file. But this could be used for a much more malicious purpose. If you have any problems or suggestions tell me in the comments and I’ll try to work them out for you.