Nikto 2.1.0 released

Posted by david lodge on Oct 18

It’s finally time to stop procrastinating: Nikto 2.1.0 is here!

(Available from http://cirt.net/nikto2)

This version has gone through significant rewrites under the hood to how Nikto works, to make it more expandable and usable.

Changes include:

* Rewrite to the plugin engine allowing more control of the plugin structure and making it easier to add plugins
* Rewrite to the reporting engine allowing reporting plugins to cover more and also…

URL: http://seclists.org/fulldisclosure/2009/Oct/249

DOS attack tool can be used in lab

Posted by L. Pop on Sep 2

Hi Guys,

Recently one of our FreeBSD servers has been experiencing "Socket: No buffer space available…" errors, and there are too many FIN_WAIT_1 sockets in the system; it is likely that we are being DoSed.

Is there any handy DoS simulation tool that I can use in the lab to reproduce the problem….

URL: http://seclists.org/pen-test/2009/Sep/0001.html

Cyber Wiki page planned

The U.S. Department of Homeland Security intends to contract with WiiKno, a Texas-based knowledge management solutions provider, to create a Wiki page for the agency that will be used to share information among the National Cyber Security Center and its six federal cybersecurity centers, according to a notice posted this week on the Federal Business Opportunities website. The Wiki page will offer a “development platform for improved situational awareness” for communication and collaboration related to national cybersecurity plans.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/vOtdnYeB8xA/

Cisco WLC 4402 Denial-of-Service vulnerability

Posted by SySS security advisories — Christoph Bott on Jul 26

=======================================
Vulnerable Product: Cisco WLC 4402 (most likely among many others)
Vulnerability discovered: January 2009
Reported to vendor: Jan 01, 2009
Fix available: not yet
=======================================

TIMELINE:

URL: http://seclists.org/fulldisclosure/2009/Jul/0407.html

Woman responsible for loss of anonymity

The civil complaint doesn’t just accuse Ben Roethlisberger of a heinous and despicable act.

It also labels him a slob.

That curious assertion sticks out in the 36-page lawsuit that accuses the Steelers’ star quarterback of sexually assaulting a woman in a Nevada hotel room in July 2008.

It sticks out because the …

URL: http://www.pogowasright.org/?p=2224

CIS releases security configuration standards for iPhone

The nonprofit Center for Internet Security (CIS) this week released free guidelines that can help organizations develop custom policies related to use of the increasingly popular mobile device, said Blake Frantz, CTO of the CIS. The benchmarks inform users about the security configuration settings available to them on the iPhone. For example, the standards explain how to make adjustments to protect data and deter potential attacks, such as disabling Bluetooth or JavaScript, or creating a strong password policy.

Frantz told SCMagazineUS.com on Friday that feedback from the CIS’ 150 members showed that there was a need for iPhone security standards. “It’s going to have your organization’s confidential information on it,” he said. “We want to equip organizations with some best practices so that information remains confidential.”

The guidance arrives at a time when businesses are facing increased pressure to manage their employees’ smartphones. A recent Osterman Research study, sponsored by Zenprise, a provider of mobile management solutions, reported that the percentage of North American workers issued mobile devices by their employers will double from 23 percent last year to 46 percent in 2011. Other studies have said the number of iPhones in use in the enterprise will triple between now and 2011.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31541

4117

PDF/Exploit.Pidief.ONG, VBS/TrojanDownloader.Small.L (6), Win32/Adware.BHO.GBP (2), Win32/Adware.BHO.NCG (2), Win32/Adware.GooochiBiz (4), Win32/Adware.WSearch, Win32/Agent.NXT (2), Win32/AutoRun.Agent.NP, Win32/AutoRun.Delf.BY, Win32/Delf.PFS, Win32/FlyStudio.NML, Win32/FlyStudio.NMM (5), Win32/Hupigon, Win32/Hupigon.NPE, Win32/KillAV.NDV (2), Win32/Koutodoor.AF (3), Win32/Koutodoor.G, Win32/Peerfrag.AG, Win32/Poison.NBC (2), Win32/PSW.Agent.NLP (2), Win32/PSW.OnLineGames.NMP (2), Win32/PSW.OnLineGames.NMY (3), Win32/PSW.OnLineGames.NNM, Win32/PSW.OnLineGames.NSU (2), Win32/PSW.OnLineGames.OKE, Win32/PSW.WOW.DZI, Win32/PSWTool.MailPassView.151 (4), Win32/Rootkit.Agent.NLY, Win32/Rustock.NIH, Win32/Rustock.NIK (3), Win32/Spy.Banker.AFFJ, Win32/Spy.Banker.QLG (4), Win32/TrojanDownloader.Bredolab.AA (2), Win32/TrojanDownloader.FakeAlert.AAX, Win32/TrojanDownloader.FakeAlert.ABV, Win32/TrojanDownloader.FakeAlert.ACU, Win32/TrojanDownloader.FakeAlert.ACV (2), Win32/TrojanDownloader.Zlob.CZJ, Win32/TrojanDropperDelf.NNM (2), Win32/TrojanDropper.VB.NHZ (2), Win32/Wigon.KU (2), Win32/Wigon.KY

URL: http://www.eset.com/joomla/index.php?option=com_content&task=view&id=6089&Itemid=26

Malicious Web Site / Malicious Code: Mass Injection Compromises More than Twenty-Thousand Web Sites

Websense Security Labs™ Threatseeker™ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious, obfuscated JavaScript that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

Screenshot of injected code on an injected site: (image not reproduced here)

The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate.

Websense® Messaging and Websense Web Security customers are protected against this attack.
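The two indicators the alert describes, an external script loaded from a host that merely resembles google-analytics.com and an inline blob of obfuscated JavaScript, can be checked for in a page's HTML. The scanner below is an added example and is not Websense's code or the campaign's injected code. The look-alike host "google-analytics.example", the sample page and the obfuscation thresholds are constructed for the example; the real campaign's exploit domain is not reproduced.

```javascript
// Added example: scan an HTML document for (a) <script src> pointing at a
// google-analytics.com look-alike and (b) inline scripts that look obfuscated.
// Sample page and thresholds are constructed for this example.

// Hosts that legitimately serve Google Analytics (assumption: this short list is
// enough for the example; a production list would be maintained separately).
const LEGIT_ANALYTICS = new Set([
  "google-analytics.com",
  "www.google-analytics.com",
  "ssl.google-analytics.com",
]);

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;

// Resolve the hostname of a script src; relative srcs resolve against a
// placeholder base so they are simply treated as same-origin.
function hostOf(src) {
  try {
    return new URL(src, "http://placeholder.invalid/").hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// A look-alike carries the brand string (with or without the hyphen) but is
// not one of the real Google Analytics hosts.
function isAnalyticsLookalike(host) {
  if (!host || LEGIT_ANALYTICS.has(host)) return false;
  const stripped = host.replace(/[^a-z0-9]/g, "");
  return stripped.includes("googleanalytics") || host.includes("google-analytics");
}

// Crude obfuscation heuristic: long inline code with almost no whitespace that
// leans on decoding/eval primitives. Thresholds are arbitrary for the example.
function looksObfuscated(code) {
  const body = code.trim();
  if (body.length < 200) return false;
  const wsRatio = (body.match(/\s/g) || []).length / body.length;
  const hits = (body.match(/\b(unescape|eval|fromCharCode|document\.write)\b/g) || []).length;
  return wsRatio < 0.05 && hits >= 2;
}

// Walk every <script> tag in document order and return a list of findings.
function scanHtml(html) {
  const findings = [];
  SCRIPT_RE.lastIndex = 0;
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = (attrs.match(SRC_RE) || [])[1];
    if (src) {
      const host = hostOf(src);
      if (isAnalyticsLookalike(host)) findings.push({ kind: "lookalike-src", host, src });
    } else if (looksObfuscated(body)) {
      findings.push({ kind: "obfuscated-inline", length: body.trim().length });
    }
  }
  return findings;
}

// Constructed sample page: a legitimate GA loader, an injected look-alike
// loader, an injected obfuscated blob, and the site's own tracker snippet.
const BLOB = "%3c%73%63%72%69%70%74%3e".repeat(12); // 288 chars of escaped bytes
const SAMPLE_HTML = `<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="http://google-analytics.example/urchin.js"></script>
</head><body>
<script>document.write(unescape("${BLOB}"));eval(unescape("${BLOB}"));</script>
<script>
  var pageTracker = _gat._getTracker("UA-0000000-0");
  pageTracker._trackPageview();
</script>
</body></html>`;

console.log(scanHtml(SAMPLE_HTML));
```

Run against the sample page, `scanHtml` reports exactly the two injected scripts and stays silent on the real ga.js loader and the site's own tracker snippet. The heuristic is deliberately simple; a real deployment would also decode the `unescape`/`fromCharCode` payload and inspect where the decoded code sends the browser, which is how the alert's authors tied the injection to the look-alike domain.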

URL: http://securitylabs.websense.com/content/Alerts/3405.aspx

Its summer…Do you know what your kids are doing?, (Fri, May 29th)

School is over or about to be over for many kids. With that come many families whose parents work and whose kids will be left at home to relax and enjoy their summer vacation. This means a lot of free time and an internet out there just waiting to be explored. Everyone is aware of the need to keep your kids safe while on the internet. But in some cases, there is a need to keep the internet and others safe from your kids. Let me explain that last comment. Kids with too much time on their hands get into trouble. You hear about it all the time on the news, with kids getting into trouble with things such as vandalism, stealing, etc. What about kids getting into trouble on the internet?
Do a Google search on the phrase "teenage hacker" and see what comes up. Kids are curious and learn fast. The internet can become a playground for them to explore and test out cool new programs and tools they find on the internet or write themselves. Chat rooms are available where kids can learn many things from others and want to try them for themselves. They can also get pulled into the wrong crowd on the internet and get in way over their heads fast. They may not even see anything wrong with it; it's just computers after all.
Most of the filtering technology today focuses on web traffic: what your kids are looking at on the web. That is a good thing, but there are many other ports and protocols available and nothing watching them. Would you know if your child was running a botnet? Stealing credit card numbers? Hacking into websites? It's not a game and there are real consequences to it, even sometimes when the intent may have been to do good. Here are some recent examples:
Nineteen-year-old Dmitriy Guzner from New Jersey was part of an underground hacking group named ‘Anonymous’ that targeted the Church of Scientology with several attacks. He could face ten years in prison on computer hacking charges and is due to be sentenced on August 24. http://www.securecomputing.net.au/News/144850,teenage-hacker-pleads-guilty-to-church-of-scientology-cyber-attacks.aspx

Twitter has announced a review into four worm attacks on the site as a teenage hacker admits he could be jailed for his role in the stunt. http://news.sky.com/skynews/Home/Technology/Twitter-Worm-Attack-Biz-Stone-Announces-Review-As-Teenage-Hacker-Michael-Mooney-Speaks-Out/Article/200904215261579
A teenage hacker whose campaign to expose holes in Internet security sparked an FBI investigation was being sentenced in court today. http://www.independent.co.uk/news/business/news/teenage-hacker-to-be-sentenced-for-internet-crusade-676871.html

As parents, we need to also talk to our kids about the other dangers that are on the internet. Dangers such as hacking, virus writing, botnet creation, stealing, etc. You may think your child is doing nothing but sitting on a computer playing. But keep in mind that a computer on the internet is a portal to a whole other world.

URL: http://isc.sans.org/diary.php?storyid=6490&rss

President Obama addresses nation on cyber security

Within the past hour, President Obama addressed the nation from the White House to emphasize the importance of cyber security, to announce the release of the administration’s report of its 60-day cyberspace policy review, and to announce the creation of a new White House position, the Coordinator of National Cyber Security.

This represents an enormous step forward in national awareness of the role cyber security in general and malware in particular play in our economy and our physical security. Having the "leader of the free world" describe the threat of botnets and spyware on national television will expand press and citizen interest in this issue.

As important as the threats, though, are the freedoms that the President discussed. He emphasized the importance of preserving both personal privacy and net neutrality while securing our infrastructure. He also pointed out that this will require a collaborative effort amongst individuals, schools, corporations, and governments from the local level through the national level, not just in the U.S., but internationally, as well.

The attention is an important start, but of course execution is the key. Melissa Hathaway, Cybersecurity Chief at the National Security Council, posted some information about the policy review she led, as well as links to the report (PDF) and to the papers that informed the report. Based on a preview of the report that Melissa Hathaway delivered at the Kennedy School last night, I expect the administration is moving in the right direction. I look forward to reading the report, and I encourage others to do so, as well. Meanwhile, it’s up to all of us to work together to build a safer Internet. StopBadware looks forward to playing a role in bringing together the people, the organizations, and the data that make this possible.

URL: http://blog.stopbadware.org/2009/05/29/president-obama-address-nation-on-cyber-security

4116

BAT/Qhost.NBP (2), INF/Autorun (3), PDF/Exploit.Pidief.ONM, PDF/Exploit.Pidief.ONN (2), PDF/Exploit.Pidief.ONO, PDF/Exploit.Pidief.ONP (2), Win32/Adware.BHO.NCX, Win32/Adware.Coolezweb (4), Win32/Adware.InternetAntivirus, Win32/Adware.PersonalAntivirus, Win32/Adware.SpywareRemover, Win32/Adware.SystemSecurity (18), Win32/Agent.PMR (2), Win32/Agent.WPI, Win32/AntiAV.AZQ, Win32/AntiAV.NAO (2), Win32/AutoRun.ABH, Win32/AutoRun.ADR (2), Win32/AutoRun.FakeAlert.BR, Win32/AutoRun.FakeAlert.M, Win32/AutoRun.VB.CN (2), Win32/Bagle.RG, Win32/Delf.NSQ (3), Win32/Dialer.NHQ (3), Win32/Dialer.NHR (3), Win32/FlyStudio.NMJ, Win32/FlyStudio.NMK, Win32/Hupigon.NPD, Win32/Injector.PK, Win32/IRCBot.ADZ, Win32/Koobface.NBG (2), Win32/Koutodoor.AB, Win32/Koutodoor.AD, Win32/Koutodoor.AE (4), Win32/Koutodoor.G, Win32/Kryptik.QY, Win32/Olmarik.GW (2), Win32/Olmarik.HG (4), Win32/Olmarik.IB, Win32/Peerfrag.BA, Win32/Peerfrag.BG, Win32/Peerfrag.BH, Win32/Popwin.NBJ (2), Win32/PSW.OnLineGames.NMP, Win32/PSW.OnLineGames.NMY, Win32/PSW.OnLineGames.OKC, Win32/PSW.Small.NBE (4), Win32/Qhost, Win32/Qhost.NIJ (2), Win32/Rootkit.Agent.KZU, Win32/Rootkit.Ressdt.NBS, Win32/Spy.Banker.QRW (2), Win32/Spy.Banker.QYO (3), Win32/Spy.Banker.QZB (2), Win32/Spy.Banker.QZC (2), Win32/Spy.Goldun.NFA, Win32/Spy.Zbot.JF (3), Win32/Spy.Zbot.PG (2), Win32/Spy.Zbot.RD, Win32/Spy.Zbot.RN, Win32/Tifaut.C (4), Win32/TrojanDownloader.Agent.PCZ, Win32/TrojanDownloader.Agent.PDA, Win32/TrojanDownloader.Agent.PDB, Win32/TrojanDownloader.Agent.PDC, Win32/TrojanDownloader.Agent.PDD, Win32/TrojanDownloader.Bagle.NBJ, Win32/TrojanDownloader.Bredolab.AB, Win32/TrojanDownloader.FakeAlert.AAX, Win32/TrojanDownloader.FakeAlert.ABV, Win32/TrojanDownloader.Small.OPS (2), Win32/TrojanDownloader.Zlob.CZK, Win32/VB.NHD, Win32/VB.OEY (2), Win32/Wigon.KX

URL: http://www.eset.com/joomla/index.php?option=com_content&task=view&id=6085&Itemid=26

4115

PDF/Exploit.Pidief.ODH, PDF/Exploit.Pidief.OLC, PDF/Exploit.Pidief.ONL, Win32/Adware.SystemSecurity, Win32/Agent.PMP (2), Win32/Agent.PMQ, Win32/AutoRun.Agent.OJ (2), Win32/AutoRun.KS (2), Win32/BHO.NPK (2), Win32/Injector.PJ, Win32/KillFiles.NCF, Win32/Kryptik.QX, Win32/Peerfrag.BF (2), Win32/Rootkit.Agent.NMA, Win32/Rootkit.Ressdt.NBR, Win32/SpamTool.Agent.NCL, Win32/TrojanDownloader.Bredolab.AA (4)

URL: http://www.eset.com/joomla/index.php?option=com_content&task=view&id=6084&Itemid=26

4113

BAT/Agent.NBW, PDF/Exploit.Pidief.ONK, Win32/Adware.Antivirus2008 (2), Win32/Adware.Coolezweb (2), Win32/Adware.InternetAntivirus (5), Win32/Adware.SystemSecurity (4), Win32/Agent.NXT, Win32/Agent.PHC, Win32/Agent.PKT (2), Win32/Agent.WPI (4), Win32/AutoRun.Agent.OG, Win32/AutoRun.Agent.OH, Win32/AutoRun.Agent.OI, Win32/AutoRun.FakeAlert.AF (3), Win32/AutoRun.KS, Win32/AutoRun.VB.DQ, Win32/Boberog.AC, Win32/Dialer.NHP (2), Win32/Hupigon.NPB, Win32/Hupigon.NPC, Win32/Injector.PH, Win32/Injector.PI, Win32/IRCBot.ADZ (2), Win32/KeyLogger.BitLogic, Win32/NetPass (2), Win32/Obfuscated.NCY, Win32/Olmarik.HG (4), Win32/Poebot, Win32/Prosti.NCL (2), Win32/PSW.LdPinch.NJG, Win32/PSW.WOW.NKO (2), Win32/PSW.YahooPass.NAD (2), Win32/PSWTool.IEPassView.NAD, Win32/PSWTool.MailPassView.150, Win32/PSWTool.PassFox.111 (2), Win32/Rustock.NIH, Win32/Rustock.NIK, Win32/Sohanad.BM, Win32/Sohanad.NEJ, Win32/Spy.Banker.QZA, Win32/Spy.KeyLogger.NEC (2), Win32/Spy.Zbot.CK, Win32/Spy.Zbot.JF, Win32/Spy.Zbot.RL, Win32/Spy.Zbot.RM, Win32/StartPage.BR, Win32/StartPage.NKJ (3), Win32/TrojanClicker.Agent.NGT (2), Win32/TrojanClicker.VB.NHG (2), Win32/TrojanClicker.VB.NHH, Win32/TrojanDownloader.Agent.PAQ (2), Win32/TrojanDownloader.Agent.PCY, Win32/TrojanDownloader.Bredolab.AB (2), Win32/TrojanDownloader.FakeAlert.UX, Win32/TrojanDownloader.Small.NTQ (3), Win32/TrojanDownloader.Small.OCS (2), Win32/TrojanDownloader.Small.OOT, Win32/TrojanDownloader.Small.OPP, Win32/TrojanDownloader.Small.OPR, Win32/TrojanDownloader.Zlob.CZK, Win32/TrojanDropper.VB.NHW, Win32/TrojanProxy.Wintu.B

URL: http://www.eset.com/joomla/index.php?option=com_content&task=view&id=6082&Itemid=26

Host file black lists , (Wed, May 27th)

Henry Hertz Hobbit, who maintains a black list of bad hosts, wrote in today with some host file links and comments on them. I have included most of his comments with very little editing (I removed a few names and comments about other list maintainers and corrected a bit of the grammar).

I have NOT verified all of the lists that Henry discusses below. Our users should be warned that I have seen poorly maintained lists block legitimate sites in the past. We have had some less attentive or overly aggressive list maintainers use our hosts list as a block list even though it clearly states DO NOT USE AS A BLOCK LIST and then blame isc.sans.org for the listing, http://isc.sans.org/ipsascii.html.

Other handlers have written some excellent diaries about blacklists addressing issues such as spam blocking by RBLs, blacklists and politics, and making the right choice in black list selection:

http://isc.sans.org/diary.html?storyid=3194
http://isc.sans.org/diary.html?storyid=3042
http://isc.sans.org/diary.html?storyid=1309

For more information on host based blocking this site has good descriptions, some lists that are on Henry's list and some additional lists he didn't include in his set.

http://www.malwarehelp.org/how-to-effectively-prevent-malware-hosts-file.html

From Henry Hertz Hobbit:

Two old venerable lists are MVPHosts and hpHosts.

http://www.mvps.org/winhelp2002/hosts.htm
http://hosts-file.net/

MalwareDomainList is here with their lists and they block ONLY sites with malicious content (no ads or trackers / spies):

http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malwaredomainlist.com/
http://www.malwaredomainlist.com/mdl.php

The French connection consists of what I would call the MVPHosts file with a Français twist (there are some trackers that are quite prevalent in France that don't exist any place else):

http://sysctl.org/cameleon/hosts
http://sysctl.org/cameleon/

Another list that has the most comprehensive lists that may need some pruning:

http://rlwpx.free.fr/WPFF/hosts.htm

This list primarily doesn't belong on the desktop but in something like this:

http://www.peereboom.us/adsuck/

And then there is my list, which includes many of the hosts that MalwareDomainList lists.

http://www.SecureMecca.com/hosts.html
http://www.HostsFile.org/hosts.html

But I provide something far more powerful called a PAC (Proxy Auto Configuration) filter that blocks unknown threats:

http://www.SecureMecca.com/pac.html
http://www.HostsFile.org/pac.html
http://www.SecureMecca.com/Downloads/

Now I have heard you need an IQ of 130 plus or higher to use the PAC filter. If that is a problem so be it. But consider the following points.

1. hpHosts (hosts-file.net) blocks approximately 3700 typo hosts. I block them with just two hosts in the hosts file (ownbox.com and www.ownbox.com) and these two rules in the PAC filter:

// OWNBOX FE TYPO
BadNetworks[i++] = 216.65.41.185, 255.255.255.255
BadNetworks[i++] = 216.65.41.188, 255.255.255.255

Now that cuts it down to size, doesn't it? There are a lot of other power reducers and falling-through-the-cracks rules in there! Otherwise my file would be almost as large as the list at rlwpx.free.fr/WPFF/hosts.htm.

2. If you enable the PAC filter on Windows in IE you will have your eyes opened. I had full debug on that way once and found the PAC filter was even working at the level of telling me I sent a print-out to the network printer! But debug really should only be used in Firefox with debug mode set to debugNormal. Do not turn debug on in Opera or Safari (they kill it), or IE (you will have pop-up nightmares).

3. The REGEXPs are precompiled for speed. It is faster in debug mode than John LoVerso's original was without any debug. But then I noticed some of his ad patterns are pretty convoluted. But if you have to interpret them every time …

4. I notice patterns that occur frequently enough that I block yet-to-be-discovered hosts with patterns like these:

BadHostParts[i++] = antispy // VOTRE CHOIX
BadHostParts[i++] = antivir // VOTRE CHOIX

There are of course some white-list rules to counteract the bad rules (and now you are back to blocking in the hosts file):

GoodDomains[i++] = antispamfilterblocker.com
GoodDomains[i++] = antivirusyellowpages.com
GoodDomains[i++] = pcantivirusreviews.com

5. Even if hosts make it past the rules for the hosts and there is no host block, for some of the malware there are patterns and I block them as I discover and mentally count them and consider the count high enough to go into panic mode (and I think a lot of people are already there now):

BadURL_Parts[i++] = av2008
BadURL_Parts[i++] = av2009
BadURL_Parts[i++] = sms.exe
BadURL_Parts[i++] = smsreader

Oh yes, HostsMan is available here:

http://www.abelhadigital.com/

URL: http://isc.sans.org/diary.php?storyid=6469&rss
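The four rule tables Henry describes in the diary above (BadNetworks, BadHostParts, GoodDomains, BadURL_Parts) only make sense once you see how a PAC file evaluates them for each request, and in what order the whitelist has to run. The block below is an added example of such a filter; it is not Henry Hertz Hobbit's PAC file, nor ISC's code. All rule entries, hostnames and addresses (RFC 5737 documentation ranges) and the stand-in resolver table are constructed for the example; in a browser the built-in dnsResolve() replaces the table. The blocking proxy address 127.0.0.1:1 is the usual "dead port" trick, not something the diary prescribes.

```javascript
// Added example: a minimal Proxy Auto-Configuration (PAC) filter in the style the
// diary describes. Browsers call FindProxyForURL(url, host) for every request;
// returning a proxy that nothing listens on blocks the request, "DIRECT" allows it.
// Written in ES3-style JavaScript because PAC engines are old. Rule tables, hosts,
// addresses and the FakeDNS table are constructed for this example.

var i;

// Block any host whose *resolved address* falls in a listed network. One entry here
// covers every typo-squat hostname that points at the same server.
var BadNetworks = []; i = 0;
BadNetworks[i++] = ["192.0.2.10", "255.255.255.255"];   // constructed "typo farm" host
BadNetworks[i++] = ["198.51.100.0", "255.255.255.0"];   // constructed bad /24

// Hostname substrings that mark not-yet-listed hosts as suspect.
var BadHostParts = []; i = 0;
BadHostParts[i++] = "antispy";
BadHostParts[i++] = "antivir";

// Whitelist: legitimate domains that would otherwise trip BadHostParts.
var GoodDomains = []; i = 0;
GoodDomains[i++] = "antivirusyellowpages.com";

// Substrings of the full URL (path/query) that name known rogue-AV payloads.
var BadURL_Parts = []; i = 0;
BadURL_Parts[i++] = "av2009";
BadURL_Parts[i++] = "sms.exe";

var BLOCK = "PROXY 127.0.0.1:1";   // nothing listens on port 1, so the request dies
var DIRECT = "DIRECT";

// Constructed stand-in for the browser's dnsResolve(), so the example runs offline.
var FakeDNS = {
  "ownbox.example": "192.0.2.10",
  "www.ownbox.example": "192.0.2.10",
  "typo-of-bank.example": "192.0.2.10",
  "cdn.example.net": "203.0.113.7"
};
function resolve(host) {
  if (typeof dnsResolve === "function") return dnsResolve(host);  // real PAC engine
  return FakeDNS[host] || null;
}

function ip2long(ip) {
  var p = ip.split(".");
  return ((Number(p[0]) << 24) | (Number(p[1]) << 16) | (Number(p[2]) << 8) | Number(p[3])) >>> 0;
}

// Same test as PAC's built-in isInNet(), done by hand on a dotted-quad and mask.
function inNet(ip, net, mask) {
  return (ip2long(ip) & ip2long(mask)) === (ip2long(net) & ip2long(mask));
}

function endsWithDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  url = url.toLowerCase();
  var k;

  // 1. The whitelist must run first, or antivirusyellowpages.com dies on "antivir".
  for (k = 0; k < GoodDomains.length; k++)
    if (endsWithDomain(host, GoodDomains[k])) return DIRECT;

  // 2. Hostname patterns catch hosts nobody has listed yet.
  for (k = 0; k < BadHostParts.length; k++)
    if (host.indexOf(BadHostParts[k]) !== -1) return BLOCK;

  // 3. URL patterns catch a known payload name on any host at all.
  for (k = 0; k < BadURL_Parts.length; k++)
    if (url.indexOf(BadURL_Parts[k]) !== -1) return BLOCK;

  // 4. Network rules last: DNS is the expensive step, so only hosts that passed
  //    the cheap string checks are resolved.
  var ip = resolve(host);
  if (ip) {
    for (k = 0; k < BadNetworks.length; k++)
      if (inNet(ip, BadNetworks[k][0], BadNetworks[k][1])) return BLOCK;
  }
  return DIRECT;
}

console.log(FindProxyForURL("http://www.ownbox.example/", "www.ownbox.example"));
console.log(FindProxyForURL("http://cdn.example.net/index.html", "cdn.example.net"));
```

Two practical points the ordering encodes: the whitelist has to be consulted before any substring rule, otherwise a GoodDomains entry can never rescue a host; and the address-based rules go last because dnsResolve() blocks the browser for every request that reaches it, which is why a hosts file (no lookup at all) still has a place beside a PAC filter.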

4109

IRC/SdBot, Win32/Adware.AdvancedCleaner (3), Win32/Adware.BHO.NCG, Win32/Adware.BHO.NCX, Win32/Adware.Coolezweb (2), Win32/Adware.PersonalAntivirus.AA, Win32/Adware.PersonalAntivirus.AB, Win32/Adware.SystemSecurity.AA (2), Win32/Adware.Virtumonde, Win32/Adware.WinPCDefender (2), Win32/Adware.WSearch, Win32/Agent.PME, Win32/Agent.PMF, Win32/Agent.PMG (6), Win32/Agent.PMH (2), Win32/AntiAV.NAK, Win32/AutoRun.Autoit.P, Win32/BHO.NOS, Win32/BHO.NPJ, Win32/BHO.TBL (2), Win32/Bifrose.ADR, Win32/Delf.OJA (2), Win32/Flyagent.NAV (2), Win32/Flyagent.NAW (2), Win32/FlyStudio.NMH, Win32/Injector.PB, Win32/Injector.PC, Win32/Koutodoor.AB (3), Win32/Koutodoor.G, Win32/Kryptik.QO, Win32/Kryptik.QP, Win32/Mebroot.BL, Win32/Merond.P (2), Win32/Olmarik.GW, Win32/Olmarik.HG (2), Win32/Popwin.NBI, Win32/PSW.OnLineGames.NMY, Win32/PSW.OnLineGames.OKB (3), Win32/PSW.QQPass.NEH (4), Win32/Rootkit.Agent.NLZ (2), Win32/Rootkit.Podnuha.NCB, Win32/Rustock.NIH, Win32/Rustock.NIK, Win32/Spy.Agent.NNQ, Win32/Spy.Banbra.NPR (2), Win32/Spy.Banker.QQJ, Win32/Spy.Banker.QYP (2), Win32/Spy.Banker.QYQ (2), Win32/Spy.Banker.QYR (2), Win32/Spy.Banker.QYS (2), Win32/Spy.Banker.QYT (2), Win32/Spy.Banker.QYU (2), Win32/Spy.Delf.NUL (2), Win32/SpyBot (2), Win32/StartPage.BR, Win32/TrojanDownloader.Adload.NFC, Win32/TrojanDownloader.Agent.PCW (2), Win32/TrojanDownloader.Autoit.NAM, Win32/TrojanDownloader.Bredolab.AA (2), Win32/TrojanDownloader.FakeAlert.AAX, Win32/TrojanDownloader.FakeAlert.ACS (2), Win32/TrojanDownloader.Flux, Win32/TrojanDownloader.Small.OPO, Win32/TrojanDownloader.Swizzor.NCA (2), Win32/TrojanDownloader.Zlob.CZK, Win32/TrojanDownloader.Zlob.CZV (3), Win32/TrojanDropper.Agent.OBD, Win32/TrojanDropper.Delf.NNK, Win32/VB.NRL, Win32/VB.OET (3)

URL: http://www.eset.com/joomla/index.php?option=com_content&task=view&id=6078&Itemid=26