The Art Of Con [Defcon 20]

New Rootkit infects Linux Web servers

A previously unknown rootkit is infecting Linux web servers and injecting malicious code into web pages served by infected servers. The rootkit was discovered by a user of the security mailing list Full Disclosure, who has posted his observations, including the suspicious kernel module, to the mailing list. The malware adds an iframe to every web page served by the infected system via the nginx proxy – including error pages.

Anyone who visits a web page on the server is then attacked by a specially crafted web page which is loaded in an iframe. Criminals typically use exploit kits such as BlackHole to examine the system of the victim to establish which one of a number of vulnerabilities in Flash, Java and other applications can be exploited. Once an exploitable hole is identified, it is used to install malware on the visitor’s system. The web server is ultimately being used to redirect users to another web server which can then infect their system, such as poorly maintained Windows systems, with malware.

Anti-virus software company Kaspersky Lab has analysed the malware. According to its analysis, the rootkit, which it has dubbed Rootkit.Linux.Snakso.a, is designed to target 64-bit systems and has been compiled for kernel version 2.6.32-5, used in Debian Squeeze. The rootkit adds the line insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko to the /etc/rc.local script, ensuring that the malicious module is loaded each time the system boots.

After booting, it determines the memory address of a number of kernel functions, which it then hooks into. This allows it both to hide itself from the user and to manipulate the server’s network traffic. The rootkit obtains deployment instructions from a command and control server. According to Kaspersky, the rootkit may still be under development, as it has been compiled with debug information in situ.

Security expert Georg Wicherski has also analysed the rootkit, and suggests that it was developed by an advanced beginner who does not yet have a great deal of experience with the kernel. According to Wicherski, the attacker who deployed the rootkit is probably based in Russia.
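The three observable traces the article describes (a module load line planted in /etc/rc.local, a module that hides itself from the kernel's module list, and an iframe appended to served pages including error pages) can each be checked from user space. The following is an added example written for this post, not code from the article, Kaspersky or Full Disclosure; all inputs are constructed samples, and the /sys/module comparison assumes the caller only passes directories that have an initstate entry (built-in kernel code has none).

```python
import re

# Constructed samples, not captured from a real infected host.
RC_LOCAL = """#!/bin/sh -e
# rc.local
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
exit 0
"""
PROC_MODULES = ("nf_conntrack 73000 1 - Live 0xffffffffa0012000\n"
                "ext4 350000 1 - Live 0xffffffffa0030000\n")
# Directory names under /sys/module that carry an initstate file (assumption:
# only loaded modules have one, so built-in code does not produce noise).
SYS_MODULE_DIRS = ["nf_conntrack", "ext4", "module_init"]
ERROR_PAGE = ('<html><head><title>404 Not Found</title></head><body>'
              '<h1>404 Not Found</h1><hr><center>nginx</center>'
              '<iframe src="http://example.invalid/x.php" width=1 height=1>'
              '</iframe></body></html>')

MODULE_LOAD = re.compile(r"^\s*(?:insmod|modprobe)\s+(\S+)", re.MULTILINE)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def module_loads_in_rc_local(text):
    """Module paths or names loaded from an rc.local-style script.
    Distributions do not normally load kernel modules from rc.local at all,
    so any hit deserves a look."""
    return MODULE_LOAD.findall(text)


def modules_hidden_from_proc(proc_modules, sys_module_dirs):
    """Modules that have a /sys/module directory but are missing from
    /proc/modules (which is what lsmod reads). A module unlinked from the
    kernel's module list usually leaves its sysfs directory behind."""
    listed = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return sorted(set(sys_module_dirs) - listed)


def iframe_sources(html):
    """iframe targets in a served page; an nginx error page should have none."""
    return IFRAME_SRC.findall(html)


def report(rc_local=RC_LOCAL, proc_modules=PROC_MODULES,
           sys_module_dirs=SYS_MODULE_DIRS, page=ERROR_PAGE):
    findings = ["rc.local loads kernel module: " + m
                for m in module_loads_in_rc_local(rc_local)]
    findings += ["in /sys/module but not /proc/modules: " + n
                 for n in modules_hidden_from_proc(proc_modules, sys_module_dirs)]
    findings += ["iframe in served error page: " + s for s in iframe_sources(page)]
    return findings


if __name__ == "__main__":
    print("\n".join(report()) or "no findings")
```

On a live host the same functions would be fed open("/etc/rc.local").read(), open("/proc/modules").read(), os.listdir("/sys/module") and the body of a request for a URL that does not exist.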

Kextstat_ASLR: Hiding Your Rootkits Mac OSX

I found a small utility for hiding your kernel rootkits in OSX Mountain Lion. Mountain Lion introduced kernel ASLR and the kextstat util output doesn’t support (yet?) this feature. The addresses are not the real ones and this is quite annoying (kgmacros from kernel debugging also seem to fail at this!).

What this util does is to read the kernel extensions information via the /dev/kmem device (hence this util is probably not useful for a large audience) and display it like kextstat does with the correct address for each kext (just the most important information, the linked against info might be added in the future).

Besides being useful to anyone wanting to read the kexts information, it’s also useful for rootkits because it implements the trick that Crisis uses to retrieve this information on 64-bit kernels. The only piece left is how to find the sLoadedKexts symbol. Here it’s hardcoded for version 10.8.2.

The code is located at
One feature the developer plans to add is the ability to “bruteforce” the whole sLoadedKexts array. The reason is that rootkits usually decrease the count but the information remains there. One minor detail is that it may be susceptible to changes to the OSArray and OSKext classes since it’s using offsets into the instance variables.


Setting a Mac into Monitor Mode

Due to overwhelming request I’m going to write a quick guide to setting your Mac into monitor mode for use with Cookie Cadger or Aircrack. In order to do this you will need an AirPort Extreme 802.11 card, the card that ships with any modern Mac. Depending on what version of OSX you have installed, the way to set monitor mode varies. I will be using Wireshark to set monitor mode. You can download it from

Panther (or earlier)

In Mac OS X releases prior to 10.4.0 (Panther and earlier), neither monitor mode, nor seeing 802.11 headers when capturing data, nor capturing non-data frames are supported – although promiscuous mode is supported.

Tiger

In Mac OS X 10.4.x (Tiger) (at least in later updates), monitor mode is supported; 802.11 headers are provided, and non-data frames are captured, only in monitor mode. To capture in monitor mode on an AirPort Extreme device named enn, capture on a device named wltn instead – for example, if your AirPort Extreme device is named en1, capture on wlt1. On PowerPC Macs, you will have to enable that device by changing the APMonitorMode property in the /System/Library/Extensions/AppleAirport2.kext/Contents/Info.plist property list file to have the value “true” (<true/>) and rebooting; on Intel Macs, that device is enabled by default.

Leopard & Snow Leopard

In Mac OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard), monitor mode is supported; 802.11 headers are provided, and non-data frames are captured, only in monitor mode. To capture in monitor mode on an AirPort Extreme device, select a “Link-layer header type” other than “Ethernet” from the Capture -> Options dialog box in Wireshark or by selecting a link-layer header type other than “EN10MB” with the “-y” flag in TShark or from the command line in Wireshark (the available link-layer types are printed if you use the “-L” flag).

Disassociating and Capturing

If you don’t already have Wireshark, go ahead and download and install it from Once installed and started, select the capture option and fill out the dialog as follows:

  • Capture using interface “en1”, which will be the wireless interface on the Mac.
  • Select “Capture packets in monitor mode”, which is needed to allow Wireshark to capture all wireless frames on the network.
  • The channel being sniffed will be the channel the Mac was associated to when Wireshark is started. While it is possible to change the channel being sniffed, you must do this via the “airport” command in the Terminal application. I’ve included a guide on how to use this below.

If you plan on using the captured packets in Cookie Cadger you have the option to open the captured file for exploitation.

$ airport

It’s possible to capture in monitor mode on an AirPort Extreme while it’s associated, but this necessarily limits the captures to the channel in use. You can use the undocumented “airport” command to disassociate from a network, if necessary, and set the channel. As the command is not in the standard path, you might find it convenient to set up a link, as shown in the following command:

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

You will be prompted for your root password; enter it and hit return. Now you can use the simple command ‘airport’. You’ll probably find the -I and -S flags to be the most useful and informative, so type airport -I at the Terminal prompt, which will return something like this:

$ airport -I
commQuality: 75
rawQuality: 59
avgSignalLevel: -40
avgNoiseLevel: -97
linkStatus: ESS
portType: Client
lastTxRate: 11
maxRate: 11
lastAssocStatus: 1
BSSID: 00:06:5b:2a:37:10
SSID: OSXNetwork
Security: none

The output is detailed information on signal quality, noise, security, and other WiFi network attributes. The airport command is more powerful than just being able to list information on the current wireless network, though: you can actually manually adjust many settings and troubleshoot too. While there is no manual page for the airport command, attaching the -h flag to it will print a brief list of flags and explanations of their function.

So just as a quick example of the usage of the airport command:

sudo airport -z            # disassociates your card from the current network
sudo airport -c<channel>   # sets the channel the card monitors on, e.g. -c6

If you have any questions or think I missed something feel free to tell me in the comments.

Citadel: The Thoroughbred of Cyber Crime

In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes and taking screenshots/videos of victims’ computers. Citadel came out circa January 2012 in the online forums and quickly became a popular choice for criminals. A version of Citadel ( was leaked in late October and although it is not the latest (, it gives us a good insight into what tools the bad guys are using to make money.

In this post, I will show you how criminals operate a botnet. This is not meant as a tutorial and I do want to stress that running a botnet is illegal and could send you to jail.

A nice home

In order to get into business the bad guys need a server that is hosted at a company that will turn a blind eye on their activities and also guarantee them some anonymity. Such companies are called Bulletproof hosting and can be found in most underground forums.

Those hosting firms are for the most part located in countries like China or Russia and therefore in their own jurisdiction where so long as you don’t commit crimes against your own people not a whole lot can happen to you. To cover their tracks even more, the bad guys use proxy or VPN services that disguise their own IP address.

A shiny new toy

Once set up with a server, it is time to install what will be the mastermind program to create and organize an entire array (botnet) of infected computers worldwide. A variety of crimekits exist but in this post we will concentrate on Citadel.

Once again, the core installation files can be found in the underground community or through your own connections. Recently, the Citadel kit was withdrawn from forums to prevent too much exposure and attention. It costs around $3000 USD.

To install Citadel, you simply browse to the install folder with your browser and set up the main access username and password as well as database information.

In this testing, the installer did not automatically create the database but you can do so by hand. To finally access the login page, you need to browse to the cp.php file:

Before logging in, I want to show you the other component that makes this package complete. It is called the builder and is essentially used to create the piece of malware that criminals will distribute (forced installs through infected websites) and that links to their crimekit.

Stolen credentials are harvested by various means:

  • Keystroke logging
  • Screenshot capture
  • Video capture

A powerful feature used to trick users into revealing confidential information is dubbed WebInject. It is powerful because it happens in real time and is completely seamless. A WebInject is a piece of code that contains HTML and JavaScript which creates a fake pop-up that asks the victim for personal information within the context of logging into a site. The bad guys can trigger it in two ways: either automatically when a site of interest is opened by the victim, or manually on the fly.

It is the ultimate phishing tool because it does not go against any known proper precautions a user would normally take. For instance, the site’s URL is unchanged and shows the secure padlock with the financial institution’s SSL certificate. This type of hack is also called a man-in-the-middle attack. Many times this kind of attack doesn’t work as users get suspicious. Ransomware works much better in my opinion.

Since a lot of people download music and movies from torrents or other shady sites, the message tricks them into thinking they have been caught by the local authorities. It’s a very smart scare tactic which works quite well, unfortunately. To add to the drama, the malware will attempt to turn on the user’s webcam as if they were already under surveillance.

The FBI has posted an article regarding this scam ( and urges people not to pay any money as it could get you into even more trouble.

Malwarebytes users are protected against the FBI Moneypak malware. If you aren’t one of them and are already infected you can remove this ransomware by following these 3 steps:

  1. Reboot your computer into Safe Mode with Networking. (Instructions from Microsoft here)
  2. Download Malwarebytes Anti-Malware.
  3. Run Malwarebytes Anti-Malware and remove all malware.

What’s next for Citadel?

The latest version ( whose code name is Rain Edition is getting pricey at $3931 but it includes a lot of valuable features (advanced support for Chrome and Firefox, improved WebInjects, smarter ‘on-the-fly’ updates to the Trojan, etc…).

The makers of Citadel are trying to keep a low enough profile to avoid gathering too much attention which could result in efforts to go after them (as we have seen with Zeus). Getting your hands on Citadel is more difficult because of a stricter validation process within the Russian underground.

How to protect yourself

Seeing such technically advanced crimekits puts a lot of things into perspective. The methods used to steal personal information are so advanced and sneaky that even the most cautious user may get fooled. It is best to avoid infection in the first place by using a solution such as Malwarebytes Anti-Malware PRO that constantly protects your computer by blocking malicious sites and files. Using a combination of both safe online practices (if you ever feel uncomfortable disclosing personal information, give your bank a call or ask a friend) and a good anti-malware solution will keep you safe(r).

Attacking TrueCrypt Containers

TCHead decrypts and verifies the information in a TrueCrypt container’s header. Containers can range from files to copied system volumes from fully-encrypted hard drives. For this, you do of course need the password. If you don’t have the right one, TCHead can run through a word list. Unlike the cracking tool John the Ripper, however, it is not able to systematically vary these entries by, for example, converting lower case letters to upper case or converting letters to leetspeak.

Still, it is faster than doing it by hand – TCHead tests out different passwords for you. But TCHead carries out this kind of dictionary attack very, very slowly. In tests on a fairly fast computer, the tool required about a minute to run through 1,000 candidate passwords. By comparison, password crackers usually measure their speed in millions of attempts per second. This poor performance is largely due to the fact that TrueCrypt derives the key used to test a password with Password-Based Key Derivation Function 2 (PBKDF2), which is specifically designed to slow down these types of brute-force attacks.
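To make the cost of that key stretching concrete, here is an added example (not TCHead’s or TrueCrypt’s code) that derives a header key the way a candidate password must be stretched before the header can even be test-decrypted, measures the throughput on the current machine, and extrapolates how long exhausting a keyspace would take. It assumes the TrueCrypt header parameters of a 64-byte salt, PBKDF2 with HMAC-SHA-512 at 1000 iterations and a 64-byte derived key (the RIPEMD-160 variant uses 2000 iterations, and a tool that does not know which hash was used has to try each one, multiplying the cost); the salt is constructed.

```python
import hashlib
import time

# Assumed TrueCrypt header KDF parameters (SHA-512 variant); constructed salt.
SALT = bytes(range(64))
ITERATIONS = 1000
KEY_LEN = 64


def header_key(password: bytes, salt: bytes = SALT,
               iterations: int = ITERATIONS) -> bytes:
    """Stretch one candidate password into a header key. Every candidate a
    dictionary tool tries has to pay for all of these iterations."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=KEY_LEN)


def candidates_per_second(n: int = 200) -> float:
    """Measured rate at which this machine can stretch candidate passwords."""
    start = time.perf_counter()
    for i in range(n):
        header_key(b"candidate%d" % i)
    return n / (time.perf_counter() - start)


def plain_hashes_per_second(n: int = 20000) -> float:
    """Same measurement for a single unsalted SHA-512, for comparison."""
    start = time.perf_counter()
    for i in range(n):
        hashlib.sha512(b"candidate%d" % i).digest()
    return n / (time.perf_counter() - start)


def seconds_to_exhaust(rate: float, keyspace: int) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / rate


if __name__ == "__main__":
    slow, fast = candidates_per_second(), plain_hashes_per_second()
    print(f"PBKDF2-HMAC-SHA512 x{ITERATIONS}: {slow:,.0f} candidates/s")
    print(f"plain SHA-512:                   {fast:,.0f} candidates/s")
    # 26^8 covers every 8-character lower-case password; 95^10 every
    # 10-character printable-ASCII one.
    for label, space in (("26^8 lower-case", 26 ** 8), ("95^10 printable", 95 ** 10)):
        years = seconds_to_exhaust(slow, space) / (365 * 86400)
        print(f"{label}: {years:,.1f} years at the PBKDF2 rate")
```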

TCHead is able to deal with standard encryption algorithms such as AES, Serpent and Twofish. TrueCrypt, however, also offers the option of using cascaded algorithms such as a combination of AES and Serpent. Our attempts to deploy TCHead against a combination container failed, with no error message, even though the target password was in the word list. The tool does not currently support cascaded encryption algorithms, but the developers say this is on their to-do list.

A statically linked Linux binary and source code, which we were able to compile under Ubuntu 12.04 LTS with a little tinkering, are available to download from the project’s site. There is also a script for building a Windows version using the g++ compiler, though we have not tested this.

In summary, TCHead is a useful addition to any forensic IT specialist’s collection and is one of the few available options for tackling encrypted TrueCrypt containers. But don’t expect too much: if the targeted TrueCrypt user followed even basic password rules, you don’t stand a chance.

A Study On Russian Cyber Crime

As we all know, a lot of the crime that happens on the internet originates in Russia, mostly because of Russia’s rather relaxed approach to enforcing any laws on internet interactions. With the relative lack of control over what goes on on the internet in Russia, a large underground network for cyber criminals has developed. They sell some perfectly normal things: VPNs, bulletproof VPSes as well as dedicated servers. But what is also on the market are things like botnets, DDoS attacks, rootkits and some other pretty sketchy stuff.

Reading about it is rather interesting; you begin to see how you could relatively cheaply DDoS anyone you want or even have custom rootkits made specially for you. It kind of scares me how easy it would be for someone to screw up my life if I were to make them mad, as long as they know where to look.

If you are interested in learning more about how this Russian cyber crime works, Trend Micro has a great white paper on the subject. If you don’t want to find it on the site you can just download it.