Category Archives: Downloads

Recommended Downloads

TCPView & AutoRuns vs Undetectable Backdoor

Filed under Downloads, Misc, Personal, Security News

Intro:
We’re going to use TCPView to check active network traffic and AutoRuns to see what loads with Windows.

Scenario:
The user is complaining of system slowness. Upon looking at the workstation I noticed AVG Free Edition and Spybot Search and Destroy installed and Windows Firewall enabled. A pretty standard novice-user protection plan, and almost a given that this system is infected.

Analysis:
I close Firefox and all open applications, open TCPView, and right off the bat I see outbound traffic to *.CO.UK with Firefox making the remote connection. This is common in backdoors that use reverse-connection methods: once you execute the backdoor, it binds to a common process (IE, Firefox) and then connects back out to the attacker. The reason for binding to a common process such as Internet Explorer or Firefox is that most novice users create rules for their software firewall and select “always allow” for common processes, so they aren’t bothered every time they open Firefox with “Do you want to allow firefox.exe access…”. This is perfect for the backdoor: you’ve allowed unrestricted outbound access through Firefox. Strike 1 for this novice user.

[TCPView screenshot]

Port 95? Firefox should only be allowed access on ports 80 and 443 (HTTP / HTTPS). Now that I know the user is infected, I need to find out what the file is called, where it lives, and why AVG’s superior detection is showing a clean system. I load AutoRuns and check the Logon items for anything suspicious. Bingo Bango! I see scchost.exe (not to be confused with svchost.exe, which is legit in most cases) loading at boot, stored safely from novice users in the system32 folder. Now 100% sure that is the backdoor, I would like AVG to agree, so I update AVG and scan the file. No! AVG insists the file is clean. OK, to the USB drive for MalwareBytes. Sure enough, a nice password stealer is detected. Strike 2 for trusting AVG (signature-based detection).

[Malwarebytes screenshot]

MalwareBytes detected and removed the password stealer; I then booted the KAV rescue disk to scan the system and everything came back clean. In the end, I convinced the user to let me perform a clean install and even taught this user how to properly use Firefox (w/ NoScript), reminding them that a software firewall is only as good as the user and that an AntiVirus program is only as good as its definitions.

Conclusion:
TCPView gave you the information needed to see that there was unauthorized access to a server in the UK, and AutoRuns showed us the malicious file loading with Windows. The actual detection and removal is up to you and your utilities, but TCPView and AutoRuns gave you the heads up. On the flip side, the backdoor successfully executed and called home from the system, and since it’s a password stealer, the information it was programmed to gather was collected successfully.

I call this one a DRAW. Why? Because a backdoor is designed to go unnoticed and AVG let it do just that, but with a few basic programs you can see that your system is not performing normally. Also, after detecting the backdoor, I installed it on a virtual machine and, after about 18 hours of leaving it alone, it downloaded a new executable and maintained a connection to the client. This shows that we caught it early enough on the user’s computer to detect and remove it before it phoned home for the latest instructions.
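As an added example (not part of the original post), here is a small Python script that automates the two checks made above: a browser process talking to a remote port other than 80/443, and a Logon autorun whose file name is a one-letter look-alike of a Windows system binary such as svchost.exe. The connection lines and autorun entries are constructed samples in a simplified layout, not a real TCPView or AutoRuns export.

```python
# Browser processes users typically whitelist in a software firewall, and the
# only remote ports a browser has a reason to talk to.
BROWSERS = {"firefox.exe", "iexplore.exe"}
WEB_PORTS = {80, 443}
# Legitimate Windows binary names that malware likes to imitate (scchost.exe).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

# Constructed netstat-style sample (not a real TCPView export): process pid proto local remote state
CONNECTIONS = """\
firefox.exe 1544 TCP 192.168.1.10:1056 203.0.113.45:95 ESTABLISHED
firefox.exe 1544 TCP 192.168.1.10:1057 198.51.100.7:443 ESTABLISHED
svchost.exe 1020 TCP 192.168.1.10:1058 198.51.100.9:80 ESTABLISHED
"""
# Constructed sample of Logon autorun entries: location|entry name|image path
AUTORUNS = """\
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|AVG|C:\\Program Files\\AVG\\avgtray.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|Host|C:\\WINDOWS\\system32\\scchost.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|Sound|C:\\WINDOWS\\system32\\soundman.exe
"""

def odd_browser_connections(text):
    """Return (process, remote host, port) for browser sessions on non-web ports."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proc, remote, state = fields[0].lower(), fields[4], fields[5]
        host, _, port = remote.rpartition(":")
        if proc in BROWSERS and state == "ESTABLISHED" and int(port) not in WEB_PORTS:
            hits.append((proc, host, int(port)))
    return hits

def edit_distance(a, b):
    """Levenshtein distance; a one-letter swap like scchost/svchost scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_autoruns(text):
    """Return image paths whose file name nearly, but not exactly, matches a system binary."""
    hits = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue
        name = parts[2].rsplit("\\", 1)[-1].lower()
        if name not in SYSTEM_NAMES and any(edit_distance(name, s) <= 2 for s in SYSTEM_NAMES):
            hits.append(parts[2])
    return hits
```

On the sample data the first function flags only the Firefox session on port 95 and the second flags only scchost.exe; the signed AVG tray and soundman.exe entries pass.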

Malwarebytes – Bites Malware Back!

Filed under Downloads, Security Programs

Let’s face it! The same tools you used to remove malware/spyware/adware in 2006 are out of date and completely ineffective in battling malware/spyware/adware that actually has a purpose. That’s right! I said it: AdAware and Spybot Search and Destroy are no more than basic registry and cache cleaners. These days that can be accomplished with a simple application called CCleaner.

So you ask, “Oh sweet nectar! What can I do to protect myself?” Well, rather than going on and on with a list of tools longer than your to-do list around the house, I’ll simply list a new one for you to add to your collection.

Malwarebytes’ Anti-Malware. This bad boy you should have already been using for some time now, so if that’s not the case, START NOW! It’s free, or for 24.95 you can get automated scanning and automatic updates with real-time protection. If you have a tidy system, stay on top of your computer cleansing and play nice around the web, the free version will do just fine. However, if you’re a click-happy user who clicks on any link sent to you, please do yourself and anyone else who uses your high-risk computer a favor and purchase the full version.

Malwarebytes Free Version:
Download

Malwarebytes Full Version:
Download

Note: I’ll be adding this program to my future post, “Your Computer: A Fresh Start”. This will be a complete guide from a clean install to completely securing your Windows desktop (the best you can!).

Firefox 1.5.0.3 – DoS / PoC / Simple Fix

Filed under Downloads, Security News, Windows

Introduction:
Another successful day for the script kiddies. The Firefox community has been blessed with another exploit released for the latest version of Firefox (1.5.0.3). Once again this is more of an annoyance than anything. If you enjoy your browser crashing at random as you surf unsafely through the internet, I recommend you do nothing different and don’t waste your time researching anything that has to do with security. Seriously, there are simple solutions to these types of “exploits.” Please read on for the ‘Proof of Concept’ (meaning you can test and see if your browser will crash) and the recommended solution.

Exploit:
Firefox 1.5.0.3 Denial of Service – Test me! (Note: Link will crash browser)

Recommended Solution:

NoScript [info] [download] (extension for Firefox)

IE 6.0 SP2 – DoS Exploit (Released 05/10/06)

Filed under Downloads, Security News, Windows

I was wondering how long we’d make it before being blessed with another delicious exploit for Internet Explorer. At least it was the day after Microsoft released the round of ‘May-Day’ patches. No need to panic, this is more of an annoyance than a real problem… or is it?

Error & Debug: [screenshot]

Affected:
IE 6.0 SP1/SP2

Not Affected:
IE 7 beta 1/beta 2
Mozilla (all)

Exploit:
Enjoy (IE 6.0 only)

If this exploit affects you, it’s time to start thinking about the big move. Let go of Microsoft’s hand and learn to walk on your own. On a serious note, I use IE 7 SP2 for trusted sites only (banking, etc.) and for everything else I use Mozilla w/ NoScript.

Recommended Solution:
Mozilla Firefox 1.5.0.3 Final [ download ] w/ NoScript [ info] [download]

Icesword 1.16 English & Darkspy 1.0.4 (1.0.2 English)

Filed under Downloads, Security Programs, Windows

Anti-rootkit programs are becoming a necessity in keeping your computer secure. I know Anti-Virus vendors are trying to implement rootkit detection, but personally I never believed in an “all-in-one” product for security. To be successful in preventing rootkits, you have to stay current with the latest leaders in this task. As of now, the leaders seem to be IceSword and DarkSpy, both of which just released new versions this month. My advice to anyone trying to get a handle on rootkits would be to test them all. See which ones you feel comfortable with and which ones give you the best results.

IceSword 1.16 EN
http://www.xfocus.net/tools/200604/IceSword116en.rar

DarkSpy 1.0.2 EN (Test Evaluation)
http://lu0s1.3322.org/Utilitys/DarkSpy_En.rar

DarkSpy 1.0.4 CN
http://www7.spread-it.com/dl.php?id=5a7a4d6079e30f17270815bd2caac23231b08ae9

Note:
DarkSpy Author CardMagic says,
“Sorry, I haven’t made an English version of DarkSpy 1.0.4 because this is a temporary version and will be updated soon. The new English version of DarkSpy will be published when some new functionalities are added.”

So we’ll be keeping an eye out for the latest version of DarkSpy as it’s released to the public. Just because these are the only two rootkit solutions I mention in this article, please don’t assume they are the only two out there.

Other Anti-Rootkit Solutions:
Rootkit Revealer by Sysinternals
Blacklight by F-Secure

0-Day Exploit : MS/IE – WMF Remote Code – Fix!

Filed under Downloads, Security News, Security Programs, Windows

A little spice to the end of 2005… Christmas was nice, spending it with family and securing their computers, the usual for holidays with the family. If only it were that easy this year: as of this morning a new exciting exploit was released. The good news is my current configuration wasn’t affected by this annoyance. So, we’re going to list the advisory released by FrSIRT and let you review that, then we’ll move on to the steps to take to protect yourself. Also, look at the end for references.

Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-28

Technical Description

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to an error in the rendering of Windows Metafile (WMF) image formats, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to open a malicious WMF file using a vulnerable application (e.g. Windows Picture and Fax Viewer), or visit a specially crafted Web page that is designed to automatically exploit this vulnerability through Internet Explorer.

Note : This unpatched vulnerability is currently being exploited in the wild.

Exploits

http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php

Affected Products

Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition

Solution

The FrSIRT is not aware of any official supplied patch for this issue.

References

http://www.frsirt.com/english/advisories/2005/3086

http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php

Credits

Vulnerability reported in the wild by noemailpls

ChangeLog

2005-12-28 : Original Advisory

Tech-Security Explains:
As shown by FrSIRT, there is no real solution for this until we receive a patch that fully resolves the issue. However, there are steps you can take to protect yourself. I’m running Firefox 1.5 Final w/ NoScript extension and configured browser settings (mentioned in an earlier thread), and when I went to one of the infected sites, I wasn’t hit by the exploit.

Want to start thinking about secure browsing? Good, it’s about time…

Update your anti-virus software 1-3 times a day; this way, if you do get infected by this exploit, you’ll have protection shortly afterwards. Not good enough? I agree…

Tech-Security Recommended Fix:
For safe browsing, I would recommend installing VMware Workstation and installing a fresh copy of Windows. This lets you browse within the VMware instance of Windows, allowing nothing to enter your production OS. This is a great idea for browsing and for testing exploits/infected programs. Just be sure you keep your VMware Workstation updated too.

Protect yourself:
VMWARE Workstation 5.5
[ more info ] . [ download ]

Easiest Fix:
Windows Media File Viewer | [disable] . [enable]

This is more of a temporary solution, which is why we recommend VMware. It might seem like a hassle at first, but no more than if you get infected with a serious virus. At least VMware is a one-time deal.

IceSword…The Best Rootkit Defender?

Filed under Downloads, Security News, Security Programs, Windows

Look out people! Over the past few months people have heard more and more about rootkits. I’ve been dealing with rootkits for some time now, and after having numerous friends infected by Sony’s rootkit, I decided it’s time to help educate the prey. Now, hopefully you’re not sitting there saying, “Prey?? I use Norton Internet Security and if you’re suggesting that a rootkit can bypass that, I have news for you!” My response would be a standard “laugh out loud” followed by blocking your IP from my website. No, seriously: regardless of your current protection, it’s not enough. Rootkits change on a regular basis to bypass AntiVirus software along with the popular anti-rootkit software.

I recommend using 3 rootkit utilities in your hunt for the invisible rootkit. I do not recommend only using one of the three, or even two of the three. I say three because, in case the nifty rootkit infecting your system was updated to bypass one or two of my recommendations, you would have a 3rd opinion. Now that I’ve explained myself and hopefully convinced you to install, update, and run these utilities on a weekly basis, we’ll move forward with testing.

Note: Click links below to download software.

Our Test Environment:
- Windows XP SP2 (fully updated)
- Sygate Personal Firewall Professional (.dll injection detection)
- Kaspersky AntiVirus Professional (script detection)
- All-Seeing Eye (best system monitoring tool around)
- Spyware and other tools not listed.

Programs under the spotlight:
- Rootkit Revealer [info] | [download]
- BlackLight [info] | [download]
- IceSword English [info] | [download]

Rootkit under oath:
Lil Rob’s album “Twelve Eighteen” released by Upstairs Records.

Results:
All 3 software programs detect the rootkit, however none of them removed it. BlackLight allows you to rename the files, but the junk is still there. Rootkit Revealer lets you know where all the files are so you can manually remove the files in DOS and the registry entries using PSEXEC. Finally, my personal favorite, IceSword: this program displays a lot more information than the other two, however it’s for more advanced users. On this note, that’s exactly why I recommend using ALL three for detection and IceSword for advanced removal.

I’m interested to hear what others think about IceSword and your techniques for battling rootkits!

Ophcrack 2.1 – LiveCD (Linux) & 2.1 Install (Win)

Filed under Downloads, Security Programs

Ophcrack LIVE CD & Ophcrack 2.1

A Windows password cracker based on the faster time-memory trade-off using rainbow tables. This is an evolution of the original Ophcrack 1.0 developed at EPFL. Ophcrack 2.0 comes with a GTK+ Graphical User Interface and runs on Windows as well as on Linux.

Brute Force a windows password… forget it, that’s based on a list of possible passwords and can take forever. Use NT Offline Reset to reset the password… sure that’s great and all, except what if you just want to know the current password w/o erasing the original?
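Rainbow tables are the time-memory trade-off mentioned above. As an added illustration (not Ophcrack’s own code), here is a toy Python version over 3-letter lowercase passwords, with SHA-1 standing in for the LM/NT hash (an assumption; the real tables target Windows hashes): chains are built with a column-dependent reduction function, only endpoints are stored, and a lookup walks a hash forward to an endpoint, then regenerates that chain to confirm the preimage.

```python
import hashlib
from collections import defaultdict

# Toy search space: 3 lowercase letters (17,576 passwords). Real tables cover
# the LM/NT hash space; sha1 stands in for the Windows hash here (assumption).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 16

def H(pw):
    return hashlib.sha1(pw.encode()).hexdigest()

def pw_from_int(n):
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def reduce_fn(h, col):
    # Map a hash back into the password space. Mixing in the column index gives
    # each step its own reduction, the trick that distinguishes rainbow tables
    # from Hellman tables and keeps chains from merging as easily.
    return pw_from_int((int(h[:15], 16) + col) % SPACE)

def build_table(num_chains):
    # Store only (endpoint -> start points); chain interiors are recomputed on
    # demand, which is the memory half of the time-memory trade-off.
    table = defaultdict(list)
    for i in range(num_chains):
        start = pw_from_int((i * 7919) % SPACE)  # deterministic, spread-out starts
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_fn(H(pw), col)
        table[pw].append(start)
    return table

def lookup(table, target):
    # Assume the target sits in column `col`, walk the chain to its endpoint,
    # and if that endpoint is stored, regenerate the chain to find the preimage.
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(H(pw), c)
        for start in table.get(pw, []):
            cand = start
            for c in range(CHAIN_LEN):
                if H(cand) == target:  # rejects false alarms from merged chains
                    return cand
                cand = reduce_fn(H(cand), c)
    return None
```

Any password that appears in a stored chain is recovered from its hash alone; a hash outside the table’s coverage comes back as None, which is why real-world tables trade disk space for coverage of the full LM/NT space.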

I tested both the LiveCD version and the Windows installer. Both of them have benefits; the LiveCD is a must if the computer is offline or shut down when you want to test your password security. However, the LiveCD is version 0.9a, so it’s a little outdated. The Windows installer was just updated to 2.1 and released on 12/06/05, so it’s really nice to have the latest. If you’re truly testing your password security the Windows installer is the way to go; however, if you can’t get into your computer and need to crack that password, the LiveCD is the way to go. Either way, it cracked a random password within 5 minutes.

Live CD: This is a great option; it’s a bootable Linux CD based on the Ubuntu distro. All you have to do is burn this ISO image to a CD, reboot your computer, go into the BIOS and make sure your computer checks the CDROM before the HD. Now it will load the distro and, if a SAM file is found, start cracking right away. When I tested this way it took less than 5 minutes to crack my brother’s administrator password.

Download: Ophcrack 0.9a – Live CD ISO

Windows Installer Version: This is nice if you have a fast Windows box around the house or office. The installer is 3MB; however, you have to select which tables you want to download. The larger table is around a 700 MB download, so it takes a few minutes. Once it’s done you have options:

* encrypted SAM: dumps the hashes from the SAM and SYSTEM files retrieved from a Windows machine while booting on another disk. Note that in this case you do not need to know a Windows administrator password to get the hashes.
* local SAM (only for the Windows version of Ophcrack 2.0): dumps the hashes from the Windows machine the program is running on. You need to be administrator of your local machine for this to work.
* remote SAM (only for the Windows version of Ophcrack 2.0): dumps the hashes of a remote Windows machine, provided you know the username and password of an administrator and the name of a share.

Download: Ophcrack 2.1 – Windows Installer

Clean that computer!

Filed under Downloads, Windows

Today’s a good day to clean up all that junk left behind on your computer. Let me start with a program that will clean your tracks as well as optimize your system. This is a great program and prompts you to backup the registry before changes are made.

CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system – allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history.

Note:
I recommend unchecking ‘old prefetch data.’ This setting will actually slow down your computer if you leave it checked. Also, don’t forget to run the registry cleaner under the Issues tab.

Download: CCleaner (recommended)