» Stuff

So, this is how The Netherlands look like ..

carrumba — Tue, 12 Jul 2011 15:18:08 +0000

Sorry for not writing the last months and it will go on like this the following weeks. I’ve finally moved over to Utrecht and finding the time to sit on the keyboard is difficult. The language is different, I’m surrounded by more than just 150 people, 10 dogs and 200 cows (that was my neighbourhood in .ch), a huge sky and no mountains.

I am still working on the old projects but didn’t make bigger progress so far. Also a new web based but not security focussed project is in the forge. If i make progress I’ll let you know.

Doei

Report on SC Magazine about the Skype trojan (August 2009)

carrumba — Wed, 13 Oct 2010 15:04:42 +0000

Skype snooping trojan detected, August 31 2009

Source code for a new trojan has been released that has the ability to snoop on phone calls over the popular voice over IP (VoIP) program Skype.

Ruben Unteregger, a Swiss software engineer formerly with the software development company ERA IT Solutions, released the source code for the trojan Tuesday. Unteregger provided details about the trojan on his blog, Megapanzer, which he said can “…intercept all audio data coming and going to the Skype process.”

“What we’re looking at is something that could be considered the first ‘wiretap trojan,’” Karthik Selvaraj, an analyst at Symantec Security Response Team, wrote in a blog post Thursday.

The code, identified as Trojan.Peskyspy, has the ability to record audio from Skype calls, convert the audio to an MP3 file, encrypt it and send it back to the attacker, Symantec said.

“What this threat is doing is actually grabbing the sound coming from the audio devices plugged into the computer,” Selvaraj wrote. “It does this by hooking various Windows API calls that are used in audio input and output.”

The trojan sniffs inbound and outbound audio as it travels between the PC’s audio device and Skype, Selvaraj explained. Outbound audio coming from a user’s microphone is captured before it even reaches Skype, and inbound audio is captured after it leaves Skype, but before it reaches the PC’s speakers.

“It gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level,” Selvaraj said. “Essentially, it sits below these security measures, recording the audio at the Windows level.”

The trojan does not rely on any issue in Skype itself and could potentially be crafted to exploit any VoIP program, Selvaraj said.

Though source code became publicly available Tuesday, Unteregger told German news outlet Gulli.com that the trojan actually had been in development since at least 2006.

As of now, the trojan has not been identified in the wild, Kevin Haley, director of Symantec Security Response, told SCmagazineUS.com on Friday. But now that source code has been released, there is a potential that attackers could add this trojan to their exploits.
The source code does not have any means of propagating itself, so an attacker would have to use social engineering to trick a user into installing it, or have physical access to the machine they wish to infect.

“For the most part, this is a tool that would be used in a targeted way at someone,” Haley said.

A Skype spokesperson told SCMagazineUS.com in an email statement Friday that Skype’s Information Security team is aware of Trojan.Peskyspy.

“Skype strongly recommends that users follow security best practices like maintaining an up-to-date anti-virus program, using a personal firewall and ensuring that their computer is current with patches to help defend against attacks such as this.”

Skype on Windows 7

carrumba — Wed, 06 Oct 2010 10:03:54 +0000

The bad news first. Skype on Windows 7, according my experience, protects its binary that way that API hooking is not feasible anymore :/
I’ll check an other source that can either confirm that or hopefully prove the opposite. But I’m quite sure they closed the leak.

The good news is : gtalk has the same symptoms as Skype had once. I’ll invest the remaining time to analyse the leak on gtalk…

But anyway … after finishing the gtalk stuff I’ll put my focus back on Skype. I’m sure there is an other way to do it. We just have to look a level lower closer to the hardware.

Things to do for the next days …

carrumba — Fri, 01 Oct 2010 11:27:33 +0000

I’m still struggling to make SkypeTap (skype interception module) work on Win7. This week things just don’t go as smoothly as expected :/ As soon as I have a result (may it be positive or negative) I’ll let you know.

If it works I think a further post would be appropriate that shows in detail how to inject *something* into a process and what different approches exist to do that.

The opposites, dutch Hip-Hop

carrumba — Fri, 24 Sep 2010 13:24:52 +0000

Ahm … instead of an other piece of code I thought maybe you’d also appreciate a nice bouncing track from the Dutch hiphop combo The Opposites. I was at their concert some months ago and after browsing their videos on Youtube I stumbled on this one last night.

I grant, even if my mother tongue is quite close to the Dutch language it’s hard to get at least some of the lyrics. It contains some 4 letter words, some cursing here and there but on one side it’s hard to top Die Antwoord from an older post and it’s hiphop. It has to get a little rougher.

Ey jongens gaan we lekker biertje zuipuhh!!!?
Of wat!

willy:
Ey 3 liter bier en de base in me kop
Kills zwaar aan me race laat verslagen
Op tilt maar nemen nog een shot
en een pof en een slok pils op
Naar een chickie die vanavond me kop wil
Want al om me benen, en ik maar streven naar ketsen
Wie heeft dikke tieten en wil effe met me kletsen
Kont uithalen de gekste de enige echte
De Willy en Biggie die schijt heb-ben om te vechten
Chikies zie je billen gaan van bomb op bomb
En je loopt te kijken met je ogen zo van kont van kont
Terwijl het dom is en lomp van wat sta je aan de kant???
Dat ze denkt deze kerel die is lomp en dom
Dus ik volg der met der dans moves effe aan de kant, boest!
Struikel en val met me kop op de dansvloer die chick
tilt me op en staat vol op me AIR-MAX
EY BITCH BEN JE GEK!!? 

Refrein
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nike-ersss 

Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies)
Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies)
Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies) 

JE MOET NIET ZITTEN AAN ME NIKE-ERS! 

SEF:
Doe maar 10 bieries en een stollie met ijs
Die biertjes zijn voor Twan en Willy
En die stollie is voor mij
(Lekker lekkahh)
Fok it we hebben de tijd dus doe nog
maar 10 biertjes en een stollie voor my
Want geef me 1 of 2 stollie`s en ik word helemaal leip
En geef me 3 of 4 stollie`s en dan ben je me kwijt
Ik word echt gezellig na een stollie of 6
Dus laat het ijs maar zitten en kom hier met die fles!
Ik sta te draaien in de discotheek
Terwijl ik niet hoef te draaien in de discotheek
Ik hoef niet te draaien in de discotheek
En toch sta ik te draaien in de discotheek
Sorry, zei ik nou 2 keer het zelfde?
Dat komt door de drank dat kan ik niet helpen
Ik heb genoeg gehad maar fok dat
GAAN WE LEKKER BIERTJE ZUIPEH HIER? 

Refrein
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nike-ersss 

Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies)
Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies)
Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies) 

JE MOET NIET ZITTEN AAN ME NIKE-ERS! 

BIG 2:
Ey Ey Oké pak me hand vast
Zit in de drank vast geen favoriete leerling
Maar met me ding in die klank gast¿
Zo handtastelijk word ik als een chick in de randstad
Wil je me sterre nakken dat Willy in je kast gaat
Hey, Jij hier met die vriendinnetjes bitch
Ik wil een tanga met een string en erop niks
Dikke piemel op de tafel verschijnt
Ik ben een ragboer
Kleedkamer met urine in je afvoer
Pis, flik je dat ben ik!
BIG 2 motherfucker je word afgefikt
Geen Nederlandse uitspraak geen Opposites
Ho Oppo je weet wel wie de fok dit is
Van het dorp naar de stad dat je mij niet verwacht
Ik woon in Amsterdam maar ik ben helemaal plat
Marielle Timmer kan me pik likken in
de keuken staan aangenaam
Ik ben BIG met een 2 

Refrein
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nikerrrsz
Je moet niet zitten aan me nike-ersss 

Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies)
Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies)
Je moet niet zitten aan me nikerrrsz
( je moet niet zitten aan me nike-ies) 

JE MOET NIET ZITTEN AAN ME NIKE-ERS!

The man in the middle

carrumba — Sat, 28 Aug 2010 19:28:03 +0000

The last weeks I was tinkering around on an old HTTP proxy skript I wrote about one year ago. This script doesn’t contain any rocket science skills and you have the same or probably even more functionality with any other HTTP proxy. Implementing the server in PERL allows me to extend, modify and adjust it according the required needs. I wanted to analyse the traffic caused by people who want to be anonymised and are sitting behind an identity obscuring proxy server, to find out what they are (bots, scripts, humans), what they do and why they want to obscure their identity.
In this post you find an houerly updated statistic from the data collected during two days and some addintional info about what this statistic wants to tell us.

Generated on

October 13 2010 13:11:26

Total requests	1115784

Proxy port	Total requests
8000	277183
8080	265029
3128	573559

Basic HTTP authentication

About 90% of the clients using the Basic HTTP method try to authenticate on servers with pornographic content. And most of these authentication requests belong to a login hacking attack and don’t contain valid user credentials.

Among all these login hack requests we find also successful login attemps. Mostly these authentication requests were typed in by humans and not by scripts and they didn’t authenticate on a porn server. If we filter out all these login hacking attempts we get a hand full of valid user accounts.

Requests	URL
1570	www.fetishliza.com
1478	members.teamskeet.com
1116	www.southern-charms3.com
611	sexstationtv.com
516	members.korny.adultbouncer.com
509	southeastsoles.com
449	nudesandnature.com
449	strapon-hell.com
388	www.humiliatrix.com
339	www.young-goddess.com
239	members.glamour.cz

HTML GET authentication

With the GET login requests we encounter a similar situation as with the Basic HTTP authentication. Most of the requests belong to login hacking attempts. Many of these attempts are executed on yahoo servers as they probably don’t identify automated login atempts as Google does. If you browse through the logs and ignore the sites with more than 2 or 3 requests chances are good you find valid requests typed by a humans.

Requests	URL
928	195.122.131.36
178	one-cpm.fr.nf
169	195.122.131.24
158	n4.login.re3.yahoo.com
132	login.korea.yahoo.com
117	195.122.131.30
102	l10.member.sp1.yahoo.com
101	login.india.yahoo.com
99	login.vip.kr3.yahoo.com
97	l16.member.sg1.yahoo.com
96	l09.member.tw1.yahoo.com

HTML POST authentication

The POST requests don’t really differ from the GET login requests. Ignore the sites with many login atempts and focus on the others with only a few requests. Also here you will probably stumble on valid user account data.

Requests	URL
2312	209.222.7.232
1087	174.140.154.23
718	209.222.7.235
580	hotfile.com
522	megaporn.com
496	79.143.184.247
372	209.222.148.141
327	174.140.154.12
165	174.140.154.18
147	174.140.154.14
106	m.upcoming.yahoo.com

Most active clients

We have not yet linked the clients to the servers or URLs and a reverse lookup of a client is mostly not possible. With help of a WhoIs lookup we can at least find out the clients country code and determine which countries have the most actives clients.

Requests	URL (Country code)
13228	216.245.196.122 (US)
9507	109.87.45.228 ()
8791	109.86.246.136 ()
8349	208.115.219.10 (US)
8278	74.63.192.66 (US)
6032	173.203.240.43 ()
5924	81.24.89.14 (ru)
4247	89.250.157.196 (RU)
3887	221.233.192.72 (CN)
3783	86.62.248.210 (qa)
3582	91.207.6.26 (UA)

Most requested servers

Looking at the servers hostname we can estimate what function a server may has. Considering our top 10 list it is not the typical stuff like mail or news people want to get while sitting behind a anonymising proxy. Instead advertisement seems to be the main reason using an HTTP proxy. You can see as well that Google even behind a proxy is a popular server. But after evaluating the passed search strings the users rather want to check if the proxy server works properly instead of searching stuff on the net. And the wired search strings tell us that the requests were executed automatically by a script and not by humans.

Requests	URL
22276	login.icq.com
17425	www.google.com
16060	ad.yieldmanager.com
14892	content.yieldmanager.com
10282	ad.reduxmedia.com
3078	home.uasar.org.ua
2835	ak1.abmr.net
2220	ad.xtendmedia.com
2176	www.adparlor.com
1995	ad.spot200.com
1972	www.besthitsnow.com

Most requested URLs by a system

When this page was created the most requested URLs were WebBugs, login hack attempts and mainly URLs to ad-servers containing either banners or javascript code that requests banners. The big picture gets clearer and we see that advertisers seem to appreciate the obscuring services of anonymising proxy servers.

Requests	URL
22276	http://login.icq.com:443 …
11911	http://content.yieldmanager.com/ak/q.gif …
1901	http://snandart.com:443 …
1836	http://proxylist.co:443 …
1509	http://www.google.com/intl/de/ads/ …
1476	http://members.teamskeet.com/ …
1363	http://www.google.de/about.html …
1297	http://botmasternet.com/proxy/http/engine.php …
1286	http://www.google.com/accounts/TOS?loc=DE …
1185	http://www.google.com:443 …
910	http://flashsexclips.com/proxy5/check.php …

Most comunicating systems

This overview shows which system likes which server and how often a request was sent from one to the other. The eye-catching thing here is that the source address is mostly located in China or in the USA and the requested server hosts advertisement… images, banners, scripts, etc.

Requests	Source	Destination
5924	81.24.89.14	login.icq.com
4247	89.250.157.196	login.icq.com
3783	86.62.248.210	login.icq.com
3478	81.4.136.2	login.icq.com
3474	216.245.196.122	content.yieldmanager.com
3078	93.126.101.119	home.uasar.org.ua
3026	204.124.183.90	www.google.com
2917	216.245.196.122	ad.yieldmanager.com
2726	62.228.153.82	login.icq.com
2705	173.236.70.187	www.google.com
2636	74.63.192.66	ad.reduxmedia.com

Most called URLs by a system

This overview shows which system likes which URL and how often a URL on a specific server was requested by a particular client system. The situation here is the same as in the paragraph above. The client sits somewhere in the USA or China and the destination server is involved in advertisement.


Requests	Source	URL
5924	81.24.89.14	http://login.icq.com:443 …
4247	89.250.157.196	http://login.icq.com:443 …
3783	86.62.248.210	http://login.icq.com:443 …
3478	81.4.136.2	http://login.icq.com:443 …
2726	62.228.153.82	http://login.icq.com:443 …
2672	216.245.196.122	http://content.yieldmanager.com/ak/q.gif …
1836	173.234.51.29	http://proxylist.co:443 …
1568	74.63.192.66	http://content.yieldmanager.com/ak/q.gif …
1509	208.115.219.10	http://content.yieldmanager.com/ak/q.gif …
1476	187.132.45.238	http://members.teamskeet.com/ …
1238	84.19.161.108	http://snandart.com:443 …

Most called destination ports

As the proxy server supports the CONNECT method clients are allowed to establish a TCP connection to any port. CONNECT is normally used to tunnel HTTPS through a proxy server. Spamers like to use it to SMTP servers and people + bots like this method to connect to IRC servers. This is the reason why beside port 80 and 443 also other, sometimes rather exocit ports, are listed.

Requests	Dest. port
1072189	80 (www)
39426	443 (https)
2730	25 (smtp)
485	6667 (ircd)
153	6112 (starcraft)
123	6668 (ircd)
120	6666 (ircd)
83	7000 (afs3-fileserver)
70	8080 (webcache)
58	33033 ()
48	81 ()
43	6669 (ircd)
29	6665 (ircd)
22	8018 ()
16	12350 ()
15	2866 ()

The bottom line

At the beginning I thought it would be easy fishing user accounts out of the data streams. But after some tests I noticed that the major part of the traffic was automated and related to advertisement in one or another way. There is not much sensitive data to catch. In a second step I tried to redirect all the clients to the Megapanzer web page to see how the traffic load changes and if some users will start browsing the page. But also this Plan didn’t work out as expected.

So obviously humans don’t like to use HTTP proxys which they have to configure somewhere in the browser properties. Either it is to complicated or there is an easier way to use a proxy as web proxies for example. You can find real user traffic but in a very low quantity. Also the Automated traffic originates often from login hacking scripts. A proxy suppressing the clients real identity makes the the attackers feel safer.

The heavy users are the advertisers. They are responsible for the major part of the requests passing the proxy and that sometimes let my inet link collapse. But for what reason actually? Why don’t they connect directly to the destination servers so they don’t rely on an instable and unreliable node in between? After pondering for a while and searching for a plausible answer the only reason I can imagine is to keep the click rate on their advertisements higher than it really is. An advertiser like xapads.com or defaultimg.com can ensure their customers a high amount of clicks and views per day what makes them as an advertisement partner more valuable. Or the customers pay these ads companies according the “Costs per impression” model. Then the clicks are generated by scripts running somewhere on a server in China or in the USA. For example if you have a list containing 1000 proxy servers and your customers pay you $20 CPM, the advertiser “could” earn this money in one day. 20$ * 30 makes 600$ a month. Serving ten customers for 30 days makes a nice amount at the end of the month.
But this is only an assumption. Any better ideas? Suggestions?

Cloud-based WPA cracking is here

carrumba — Sun, 25 Jul 2010 20:42:44 +0000

Nice article found on TechRepublic.

Welcome to the future: cloud-based WPA cracking is here

In 2008, I speculated about the future of distributed security cracking. That future has arrived, in the form of a $17 “cloud” based service provided through the efforts of a security researcher known as Moxie Marlinspike. It is effective against pre-shared key deployments of both WPA and WPA2 wireless networks.

The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more “premium” price of $35, you can get the job done in about half the time. Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.

If you opt to use the service, you will of course leave a money trail via Amazon Payments — which is probably a bad idea if you are attempting to gain unauthorized access to a secured network illegally. For the good guys testing the security of a client’s network, however, this is an incredibly handy tool to have at one’s disposal.

It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.

….

Safer ebanking

carrumba — Sun, 25 Jul 2010 09:22:09 +0000

Recently I read an article in the newspaper about a new product incorporated in a Swiss bank where they use a security token with fingerprint check and visual data transmission interpreted by the token. Check this site if you want to know more about it and you understand German : http://www.axsionics.ch/ .
The point where many attacks will fail is the transaction combined with account information. If the Go or No Go of the transaction is controlled by the token, outside of the attackers reach, all of the known transaction attacks are useless. An attack is detected easily and the transaction won’t be conducted.
Good job. One step ahead. Now it’s the attackers turn to react to this.

Hacker cuffed for Moscow big screen entertainment

carrumba — Thu, 18 Feb 2010 12:45:10 +0000

Russian police have arrested the hacker who last month projected some adult entertainment on an enormous video screen in Moscow, giving locals around two minutes unexpurgated coverage of “a white male and a black female having sex”.

According to Pravda, the grumble flick appeared at 11pm on 14 January on an giant display on the city’s Garden Ring Road. Some gobsmacked Muscovites grabbed the action on their mobile phones (see still), but shaken passer-by Alyona Prokulatova told AP she was “so shocked that I couldn’t even shoot video or take a picture of it”.

The commerical director of Panno.ru, which operates the screen, said last month: “Most likely, a commercial video was replaced with an adult one when the control computer was hacked.” Correct, polices sources have confirmed, following the arrest of an unnamed 40-year-old unemployed man in the Black Sea port of Novorossiysk.

The perp, who has previous form, “repeatedly hacked other people’s computers simply out of curiosity to master his skills”, according to the authorities.

Holidays are over …

carrumba — Mon, 08 Feb 2010 12:54:05 +0000

So I am back again after one week away from the keyboard. I was not completely off-line but I reduced the efforts to a minimum. Recreation and preparation work for the exams had the main priority.

What I am going to release next is some kind of a digital bug. It’s a small piece of software you can install permanently on a remote computer and start and stop the microphone recording and listen what the person on the other side of the connection is telling. It was considered once as a bug for room surveillance but was never used that way. So there’s no reason why to keep it any longer in the archive. The release date is not fixed yet but I think it will happen before the approaching begin spring.

The code will be published toghether with a GUI app to customize it and do realistic tests.

BTW … I just stumbled upon this one. Enjoy.