2FA no longer effective?

Malware patiently waits for victims to successfully log into their online banking account using their two-factor authentication token before proceeding to steal their money.
I'm not surprised that most AV engines can't detect Zeus. I proved previously how ineffective AV engines are against malware.

Flash cookies

First, it was cookies residing on your system that could compromise your privacy. Now I read about the threat of Flash cookies??? WTH???
Windows users are safe thanks to the almighty CCleaner. It wipes Flash cookies on your computer.
Ubuntu users with Flash Player installed can add the following command to "ubuntuprivacy".

sudo srm -rllv .macromedia/Flash_Player/#SharedObjects/

For the paranoid

I wrote a new script for the paranoid. This script will wipe your memory, swap and free space on your Ubuntu system. Please note that this is a time-consuming process.

#!/bin/sh
echo "\033[0;34mProceeding to wipe your memory, swap and free space. Please be warned that this is time consuming and may take hours.\033[0m"
echo
echo "\033[0;31mWiping memory.\033[0m"
sudo smem -lv
echo "\033[0;32mMemory wiped.\033[0m"
echo "\033[0;31mWiping swap.\033[0m"
#Please run "cat /proc/swaps" to determine your mounted swap devices and customise the following line for your machine.
sudo swapoff /dev/sda5
sudo sswap -llv /dev/sda5
sudo swapon /dev/sda5
echo "\033[0;32mSwap wiped.\033[0m"
echo "\033[0;31mWiping free space.\033[0m"
sudo sfill -llv /home/
echo "\033[0;32mFree space wiped.\033[0m"

#"ubuntuparanoia" written by commandrine.
#Please send comments and queries to commandrine[at]gmail[dot]com.
#Version 1.0 dated 16th Sept 2009.
#Pre-requisite is having "secure-delete" installed. Install it using "sudo apt-get install secure-delete".
#Save this script to your home folder. Run "sudo chmod +x ubuntuparanoia.sh" to make it executable.

Download it here.

v2.0

I have modified "ubuntuprivacy" for enhanced privacy.

#!/bin/sh
echo "\033[0;34mProceeding to clean your system to ensure your privacy.\033[0m"
echo
echo "\033[0;31mWiping Firefox history and cache.\033[0m"
sudo srm -rllv .mozilla/firefox/*.default/*.sqlite
sudo srm -rllv .mozilla/firefox/*.default/Cache/*
echo "\033[0;32mFirefox history and cache wiped.\033[0m"
echo "\033[0;31mWiping Trash.\033[0m"
sudo srm -rllv .local/share/Trash/
echo "\033[0;32mTrash wiped.\033[0m"
echo "\033[0;31mWiping Applications history and cache.\033[0m"
sudo srm -rllv .recently-used
sudo srm -rllv .recently-used.xbel
sudo srm -rllv .thumbnails
sudo srm -rllv .openoffice.org/*/user/temp
sudo srm -rllv .openoffice.org/*/user/backup
sudo srm -rllv .purple/logs/*/*
sudo srm -rllv .xsession-errors
sudo srm -rllv .gimp-*/tmp
echo "\033[0;32mApplications history wiped.\033[0m"

#"ubuntuprivacy" written by commandrine.
#Please send comments and queries to commandrine[at]gmail[dot]com.
#Version 2.0 dated 14th Sept 2009.
#Pre-requisite is having "secure-delete" installed. Install it using "sudo apt-get install secure-delete".
#Save this script to your home folder. Run "sudo chmod +x ubuntuprivacy.sh" to make it executable.


Download it here.

How it all started?

My passion for Information Security began when I took a module called "Internet Security" in university. It was in the lab sessions where I was first exposed to Linux, host-based firewalls, encryption, sniffing, spoofing and Trojans.
A switch was flipped in my head and I realised my calling in life. I was hooked and the rest, as they say, is history.

ubuntuprivacy

I realised that "wipefox" was too limited as it only wiped files related to Firefox usage. I wrote a new script that I named "ubuntuprivacy" to include commands to clear other traces left behind by activities performed on your system.
"ubuntuprivacy" currently wipes your Firefox history and cache, the Ubuntu Trash and the "Recent Documents" history.

#!/bin/sh
echo "Proceeding to clean your system to ensure your privacy."
echo "Wiping Firefox history and cache."
sudo srm -rllv .mozilla/firefox/*.default/*.sqlite
sudo srm -rllv .mozilla/firefox/*.default/Cache/*
sudo srm -rllv .mozilla/firefox/*.default/OfflineCache/*
echo "Wiping Ubuntu Trash."
sudo srm -rllv .local/share/Trash/files
echo "Wiping Recent Documents history."
sudo srm -rllv .recently-used.xbel

#"ubuntuprivacy" written by commandrine.
#Please send comments and queries to commandrine[at]gmail[dot]com.
#Version 1.0 dated 12th Sept 2009.
#Pre-requisite is having "secure-delete" installed. Install it using "sudo apt-get install secure-delete".

Too lazy to create the script? Download it here. More items will be tackled by this script in the near future.

SSLScan

Need to assess your SSL/TLS-enabled webserver to ensure that it is configured securely? Use SSLScan.

commandrine@bridge:~$ sslscan 10.10.10.12

It is an accurate and fast scanner. As seen in the extracted output below, it determines that my test webserver still supports the weak SSLv2 protocol.

Testing SSL server 10.10.10.12 on port 443

Supported Server Cipher(s):
Accepted SSLv2 168 bits DES-CBC3-MD5
Accepted SSLv2 56 bits DES-CBC-MD5
Accepted SSLv2 40 bits EXP-RC2-CBC-MD5
Accepted SSLv2 128 bits RC2-CBC-MD5
Accepted SSLv2 40 bits EXP-RC4-MD5
Accepted SSLv2 128 bits RC4-MD5
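To turn an sslscan extract like the one above into findings, here is an added example (my own code, not part of the original post or of the SSLScan project) that parses the "Accepted ..." lines and flags obsolete protocols, export-grade and short keys, and broken ciphers; the sample scan text is constructed from the lines above plus two TLSv1 lines so that a non-weak cipher is present.

```python
import re

# Constructed sample: the post's SSLv2 lines plus two TLSv1 lines for contrast.
SAMPLE_SCAN = """\
Testing SSL server 10.10.10.12 on port 443

Supported Server Cipher(s):
Accepted SSLv2 168 bits DES-CBC3-MD5
Accepted SSLv2 56 bits DES-CBC-MD5
Accepted SSLv2 40 bits EXP-RC2-CBC-MD5
Accepted SSLv2 128 bits RC2-CBC-MD5
Accepted SSLv2 40 bits EXP-RC4-MD5
Accepted SSLv2 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
"""

# One "Accepted <protocol> <bits> bits <cipher name>" line, as sslscan prints it.
CIPHER_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")


def weaknesses(proto, bits, name):
    """Return the reasons a single accepted cipher is considered weak (empty if fine)."""
    reasons = []
    if proto in ("SSLv2", "SSLv3"):
        reasons.append("obsolete protocol " + proto)
    if name.startswith("EXP-"):
        reasons.append("export-grade cipher")
    if bits < 128:
        reasons.append("key too short (%d bits)" % bits)
    if "RC4" in name or "RC2" in name or "DES-CBC-" in name:   # single DES, RC2, RC4
        reasons.append("broken cipher algorithm")
    if name.endswith("-MD5"):
        reasons.append("MD5 MAC")
    return reasons


def audit(output):
    """Parse sslscan text; return {"<proto> <cipher>": [reasons]} for every weak cipher."""
    findings = {}
    for line in output.splitlines():
        m = CIPHER_RE.match(line)
        if not m:
            continue
        proto, bits, name = m.group(1), int(m.group(2)), m.group(3)
        reasons = weaknesses(proto, bits, name)
        if reasons:
            findings[proto + " " + name] = reasons
    return findings
```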

SANS network forensics contest

I sent in my submission for the SANS network forensics contest and, since it's past the entry deadline, I decided to post my answer.
My forensics machine of choice is a Lenovo Thinkpad T60 running Ubuntu 9.04. It has an Intel Core Duo processor with 3GB RAM. Samples of tools I have installed to facilitate network forensic analysis are: ngrep, Splunk, Wireshark, Netifera, Tcpxtract, Foremost, GHex, ssldump, etc.
I downloaded the pcap file and calculated the hash to confirm that I had the complete evidence file.

commandrine@bridge:~$ md5sum evidence.pcap
d187d77e18c84f6d72f5845edca833f5 evidence.pcap
commandrine@bridge:~$


Typically I would use ngrep to do keyword searches against large pcap files. An alternative would be running Tshark to convert the contents of large pcap files to text before using search tools like Splunk to identify clues/evidence. The Anarchy-R-Us staff mentioned that the suspect machine was only on the network for a short duration, hence the rationale for using Wireshark to filter packets to and from IP 192.168.1.158 to narrow the scope instead of a more sophisticated filtering mechanism. The filter I use within Wireshark is "ip.addr==192.168.1.158".
Manually combing through the 68 displayed packets, I spot the username "sec558user1" and the first IM message "Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)".
Multiple packets with the text "Cool FileXfer" and the filename "recipe.docx" are discovered. Searching Google for the keywords "Cool FileXfer" reveals that AIM is the IM medium being used. I use the "Follow TCP Stream" feature in Wireshark to reveal the raw data related to the file transfer of "recipe.docx". The magic bytes associated with .docx files are "50 4B 03 04", or their ASCII equivalent "PK..". I save all the raw data from the TCP stream into a file called "evidence.zip", since .zip files coincidentally share the same "PK.." magic bytes.

Next I run "Foremost" against this file to extract the transferred file. A zip file is extracted to the folder "sansevidence".

commandrine@bridge:~$ foremost -i evidence.zip -o sansevidence/
Processing: evidence.zip
|*|
commandrine@bridge:~$

Expanding the archive and drilling down to the folder "word", I find a file called "document.xml".

Opened in OpenOffice, the file reveals the following information.

Recipe for Disaster:
1 serving
Ingredients
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar.
Stir gently over low heat until sugar is fully dissolved.
Remove the saucepan from heat. Allow to cool completely.
Pour into gas tank. Repeat as necessary.

I calculated the MD5 checksum of the evidence file.

commandrine@bridge:~/word$ md5sum document.xml
90ce695222b157c7148d83e19ea549f6 document.xml
commandrine@bridge:~/word$

Alternatively, I can also manually carve out the archive without using "Foremost". I open up the file "evidence.zip" (containing the raw data saved from Wireshark) using GHex. I delete the bytes before the first instance of the ASCII values "PK.." and delete the chunk starting with "OFT2" at the end of the file.

Once the extra bytes are removed, save the file and it can be opened using any archive management software to reveal the stolen recipe.
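The manual carve described above, done programmatically, as an added example (my own code, not part of the original post): it cuts from the first "PK.." local-file header to the end of the zip's end-of-central-directory record, which is the general form of the trim and also drops the trailing "OFT2" chunk, then opens the archive and hashes word/document.xml. The raw stream, the framing bytes around the payload (not the real OFT2 frame layout) and the minimal docx-like archive are all constructed here.

```python
import hashlib
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # "PK.." magic that opens every zip entry
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record, last thing in a zip

# Constructed stand-in for the stolen document: a docx-like archive holding only
# word/document.xml (a real .docx contains more parts).
RECIPE_XML = ("<w:document><w:body><w:p>Recipe for Disaster: 4 cups sugar, 2 cups water. "
              "Pour into gas tank.</w:p></w:body></w:document>")


def build_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", RECIPE_XML)
    return buf.getvalue()


DOCX_BYTES = build_docx()
# Constructed placeholders for the AIM file-transfer framing; NOT the real OFT2 layout,
# just the leading and trailing bytes that have to be trimmed away.
LEADING_JUNK = b"OFT2" + b"\x00\x10" + b"\x00" * 10 + b"Cool FileXfer\x00recipe.docx\x00"
TRAILING_JUNK = b"OFT2" + b"\x00\x10" + b"\x02\x04" + b"\x00" * 8
SAMPLE_STREAM = LEADING_JUNK + DOCX_BYTES + TRAILING_JUNK


def carve_zip(stream):
    """Return the bytes from the first local-file header through the EOCD record."""
    start = stream.find(ZIP_LOCAL_HEADER)
    eocd = stream.rfind(ZIP_EOCD)
    if start < 0 or eocd < start:
        raise ValueError("no zip archive found in stream")
    # EOCD is 22 bytes; the 2-byte archive comment length sits at offset 20.
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
    return stream[start:eocd + 22 + comment_len]


def extract_document(zip_bytes, member="word/document.xml"):
    """Open the carved archive and return (document text, MD5 of the member)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        data = zf.read(member)
    return data.decode("utf-8"), hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    text, digest = extract_document(carve_zip(SAMPLE_STREAM))
    print(digest, "word/document.xml")
    print(text)
```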

wipefox

I got tired of manually keying in commands to wipe my Firefox surfing history and cache so I decided to write my own shell script called "wipefox".

#!/bin/sh
echo "Clearing Firefox surfing history and cache"
sudo srm -rllv .mozilla/firefox/*.default/*.sqlite
sudo srm -rllv .mozilla/firefox/*.default/Cache/*
sudo srm -rllv .mozilla/firefox/*.default/OfflineCache/*

#"wipefox" written by commandrine.
#Please send comments and queries to commandrine[at]gmail[dot]com.
#Version 1.0 dated 4th Sept 2009.
#Pre-requisite is having "secure-delete" installed. Install it using "sudo apt-get install secure-delete".


Too lazy to write the script? Download it here.

Decrypting HTTPS

I had a need to inspect HTTPS traffic to scrutinise application data. I installed ssldump and fired it up.

commandrine@bridge:~$ ssldump -r https.pcap -k server.key -d host 10.10.10.13 > appdata.txt
Enter PEM pass phrase:
commandrine@bridge:~$


Pretty cool stuff. You need the server's private key before you can view session data associated with the said key. This works because, with RSA key exchange, the client encrypts the premaster secret to the server's public key; sessions negotiated with ephemeral Diffie-Hellman (DHE/ECDHE) suites cannot be decrypted this way, even with the server key in hand.

Self-signed Digital Certificate

I am currently tinkering with a new pet project. I need a self-generated cert for my experiment. I've created a cert using Microsoft's CA offering, but it turns out that it is easier to use OpenSSL, which is native to Ubuntu. The first step is creating a private key.

commandrine@bridge:~$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............................................++++++
...................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
commandrine@bridge:~$

Next step is generating the test cert. (A 1024-bit key is adequate only for a throwaway experiment like this one; anything real should use at least 2048 bits.)

commandrine@bridge:~$ openssl req -new -x509 -key server.key -out cacert.pem -days 1095
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Security Republic
Organizational Unit Name (eg, section) []:Information Security
Common Name (eg, YOUR name) []:commandrine
Email Address []:commandrine@gmail.com
commandrine@bridge:~$

Hmmmm. Turns out that IIS only accepts certs in PKCS#12 (.p12/.pfx) format. Had to convert my cert before I could import it.

commandrine@bridge:~$ openssl pkcs12 -export -passout pass:"testing" -inkey server.key -in cacert.pem -out cacert.p12 -name "cacert"
Enter pass phrase for server.key:
commandrine@bridge:~$

dnsaudit.py

 Since I was on a roll with Copilot, I decided to automate DNSSEC auditing with the following Python script. import subprocess import sys im...