[+] Wayc0de's Blog[+]

30/10/11

How To Use Thc-Hydra [video]


Description: In this video I show how to use the brute forcer hydra.

Download: http://www.insecurestuff.in/2011/10/thc-hydra-v71-released.html

If you have any problem, contact me on Twitter: http://twitter.com/#!/insecurestuff

DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining

Yesterday, users of Sophos's security products (including our free anti-virus for Mac home users) had their protection automatically updated to protect against a new Mac OS X Trojan horse that has been distributed via torrent sites such as PirateBay.

Copies of the legitimate Mac OS X image editing app GraphicConverter version 7.4 were uploaded to file-sharing networks. However, they came with an unexpected addition.

Hidden inside the download was a copy of the OSX/Miner-D (also known as 'DevilRobber') Trojan horse.

If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish.

That's because OSX/Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by consuming large amounts of GPU (Graphics Processing Unit) time.
GPUs are far better than regular CPUs at the hashing that Bitcoin mining requires, which is why the mining is enough to make an infected Mac feel slow.
So this Mac malware is stealing computing time as well as data.

In addition to Bitcoin mining, OSX/Miner-D also spies on you by taking screen captures and stealing your usernames and passwords. It also runs a script that copies information about TrueCrypt data, Vidalia (the Tor controller GUI), your Safari browsing history and your .bash_history into a file called dump.txt.

Curiously, the Trojan also hunts for any files that match "pthc". It's unclear whether this is intended to uncover child abuse material or not (the phrase "pthc" is sometimes used on the internet to refer to pre-teen hardcore pornography).
To complete the assault - if the malware finds the user's Bitcoin wallet it will also steal that.

Of course, the producers of GraphicConverter have done nothing wrong themselves - they are victims of the criminals who are using their popular software as a trap to infect Mac users who download software from unofficial sources.

It's possible that other apps have also been distributed via torrent sites infected by the malware, or that the cybercriminals will use other methods to distribute their Trojan horse.

Clearly, Mac users - like their Windows cousins - should practice safe computing and only download software from official websites and legitimate download services. But, in addition to that, it's becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software.
There may be a lot less malware for Mac OS X than there is for Windows, but many Mac users are making themselves an unnecessarily soft target by imagining that they are somehow magically protected from threats.

There are a number of anti-virus products available for Mac, including Sophos's free version for home users, so there's really no excuse.

Android Malware Spreads Through QR Code

Last week there was quite a buzz in the mobile-malware research community about a new Android malware. It came to light not because of its sophistication or complexity but because of the simple method it uses to spread.

Most Android malware we have witnessed consists of repackaged malicious apps made available in black markets or third-party markets. This latest Android malware follows the same repackaging path as its precursors. The only difference is that it uses a quick response (QR) code to distribute the malicious link. We have already discussed in a recent blog that QR codes can be used by attackers to spread malicious files.

A QR code is a type of matrix barcode that stores information. These codes are increasingly found on product labels, billboards and business cards. Why are QR codes so popular? The amount of data they hold: a single code can carry up to 7,089 numeric characters, 4,296 alphanumeric characters or 2,953 bytes of binary data.

All one needs is a smart phone with a camera and QR reader application to scan these codes. The codes can direct users to websites or online videos, and send text messages and emails.



QR code points to McAfee.com

If you scan the QR code above with any QR code reader on your smart phone, it will redirect you to our site http://www.mcafee.com. Attackers use these codes to redirect users to URLs that ask them to download malicious applications.


Malicious QR code

Analyzing the payload

Once users download a malicious application onto their mobile devices, they need to install it. This malicious app is a Trojanized version of Jimm, a mobile ICQ client. The payload is nothing new, as we have already seen the same behaviour in other Android malware such as Android/FakePlayer.A and Android/HippoSMS.A; the latter sends SMS messages to premium numbers.





This malicious application requires the following user permissions:


User permission request by the application

Once installed, the malware sends an SMS to a premium number that charges users. The application has the following icon:


The application icon

We have also seen the JAR version of this application; it targets J2ME mobile phones and sends SMS messages to premium numbers. When I installed the malicious .jar package in a test environment, it displayed the following message:


Installing the malicious application

It prompted me to select a country and then displayed the next message:


Finally the malware tries to send messages to premium numbers from the infected mobile. Because I was executing this application in a controlled environment, it told me I didn’t have a sufficient balance in my account to send the message. ;) But I did confirm that it tried to send messages, as seen below:


In the recent blog about QR codes by my colleague Jimmy Shah, he suggested how to stay away from such attacks. Our advice has not changed: Use a mobile QR code-/barcode-scanning app that previews URLs, and avoid scanning suspicious codes.

McAfee products detect this malware in our latest DATs as Android/SMS.gen and J2ME/Jifake.a.
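The advice above is to use a reader that previews the URL before acting on it. The following Python is an added example, not McAfee's code and not from the original post, showing what such a preview check can look at once the QR content has been decoded (decoding the image itself is the reader app's job). It flags action schemes such as smsto: and tel:, which a reader may act on without showing a page and which can send a premium-rate text like the payload described; bare-IP hosts; credentials in the URL that disguise the real host; non-standard ports; well-known shorteners; and direct links to .apk/.jar installers. The sample payloads are constructed for the demonstration: the McAfee URL is the benign code from the post, while 198.51.100.7 (a documentation address), the jimm.apk filename and the SMSTO payload are invented.

```python
"""Preview check for a decoded QR payload (added example, not McAfee's code)."""
import ipaddress
from urllib.parse import urlsplit

# Extensions of Android / J2ME installers, the two formats this family used.
MOBILE_INSTALLER_EXTS = (".apk", ".jar", ".jad")
# Assumption: a small list of shorteners; extend to taste.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "is.gd"}
# Schemes a reader may act on without ever showing a web page. sms/smsto can
# send a premium-rate text, which is the payload of the malware discussed.
ACTION_SCHEMES = {"sms", "smsto", "tel", "mailto", "market"}


def triage_qr_payload(payload: str) -> list:
    """Return human-readable warnings for one decoded QR string.

    An empty list means "nothing obviously wrong", not "safe".
    """
    warnings = []
    text = payload.strip()
    scheme, _, rest = text.partition(":")
    scheme = scheme.lower()
    if scheme in ACTION_SCHEMES:
        warnings.append(f"{scheme}: action payload, not a web link: {rest!r}")
        return warnings
    if scheme not in ("http", "https"):
        warnings.append(f"unrecognised scheme {scheme!r}")
        return warnings

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if parts.username or parts.password:
        # http://www.example.com@203.0.113.5/ really goes to 203.0.113.5
        warnings.append(f"credentials in URL; real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a bare IP address: {host}")
    except ValueError:
        pass  # a hostname, not an IP literal
    try:
        port = parts.port
    except ValueError:
        port = -1  # malformed port is itself suspicious
    if port not in (None, 80, 443):
        warnings.append(f"non-standard port {port}")
    if host in SHORTENERS:
        warnings.append(f"URL shortener hides the destination: {host}")
    if parts.path.lower().endswith(MOBILE_INSTALLER_EXTS):
        warnings.append(f"direct download of a mobile installer: {parts.path}")
    return warnings


# Constructed sample payloads: the first is the benign code from the post, the
# rest are invented for the demonstration (198.51.100.7 is a documentation IP).
SAMPLE_PAYLOADS = [
    "http://www.mcafee.com",
    "http://198.51.100.7/jimm.apk",
    "http://www.mcafee.com@198.51.100.7:8080/jimm.apk",
    "SMSTO:4444:hello",
]


def scan_samples() -> dict:
    """Map each sample payload to its warning list."""
    return {p: triage_qr_payload(p) for p in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload, warns in scan_samples().items():
        print(payload, "->", warns or ["no warnings"])
```

The check is deliberately conservative: a clean result for http://www.mcafee.com only means none of these signals fired, and a code that passes can still lead to a repackaged app, so the installer's requested permissions (SEND_SMS for an instant-messaging client, in this case) remain the last thing to read before tapping Install.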

Satanbot Employs VBScript to Create Botnet

Malware is on the rise. At the beginning of 2008, our malware collection had 10 million samples. Today we have already surpassed 70 million. Most of the malicious samples are Trojans (backdoors, downloaders, fake alerts), but there are also a lot of viruses, worms, and bots that in a short time can infect many computers without user interaction. Usually the malicious code comes in a form of an executable or DLL, but sometimes malware authors opt to use alternate languages such as VBScript (Visual Basic Scripting Edition), a lightweight Active Scripting language that is installed by default in most Microsoft Windows versions since Windows 98. One example of this kind of malware is Satanbot: a fully functional VBScript botnet that uses the Remote Desktop Connection to connect to infected systems.

VBScript files are usually in clear text because they are interpreted at runtime rather than compiled beforehand by the author. For cases in which the author wants to stop others from viewing or modifying the source, Microsoft provides a command-line tool, Script Encoder, which encodes the script into a .vbe file. The encoded file is not readable at a glance, but the encoding is reversible rather than cryptographic, so it can be decoded back to its original form. Once the file is decoded we can look at the bot's source code, which is divided into sections. Each section specifies a different function of Satanbot, most of which we've already seen in AutoRun worms like Xirtem. Here is a description of these functions:

  1. Enable CMD and REGEDIT: To perform all the changes in the system (modifying the registry and executing BAT files), registry editing (regedit) and the command line (cmd) are enabled by setting the values “DisableRegistryTools” and “DisableCMD” to 0. Persistence is added by creating the value “Update” in the “Run” key with the path of the script, and Explorer is configured to hide hidden files and file extensions.
  2. Disable UAC: The value “EnableLUA” is checked to verify whether it is necessary to disable User Account Control on Windows Vista, Windows Server 2008 and Windows 7. If it is enabled, the script creates on the fly another script and a BAT file to disable UAC. A further registry change allows operations that require elevation of privileges to run without consent or credentials. At the end, all the temporary files used to make the changes are deleted.
  3. Take ownership of folders: The command TAKEOWN (on Windows Vista and 7) is run to take ownership of, and enable modification of, folders including Application Data, Cookies and Local Settings.
  4. Self-install and spread: Another BAT file is created in the %TEMP% path. It first changes the icon of .vbe files to the one Windows uses for pictures, so the user will think the file is a picture and not malware. The original .vbe, along with a shortcut file, is also copied to several locations, including network shares and the shared folders of popular peer-to-peer clients such as eMule, LimeWire and Ares. Another spreading vector is infecting removable drives by creating an autorun.inf file alongside a copy of the original .vbe and a shortcut (.lnk) file.
  5. Worm test: This may seem a confusing name, but it is another spreading method. The original .vbe is copied to other folders such as Startup and %Userprofile%\Microsoft under the name “System File [Not Delete]” to discourage the user from deleting it.
  6. Worm.s@tan: Contains a loop that triggers execution of the code every 60 minutes.
  7. Backdoor: Using another temporary BAT file, the malware will enable Remote Desktop Access by making the following changes to the system:
  • Allow unsolicited remote assistance and full control
  • Allow the use of blank passwords
  • Enable multiple concurrent remote desktop connections (with a maximum of five)
  • Automatically start the Terminal Service
  • Open port 3389 in the Windows firewall
  • Add an administrator user to the system
  • Start the Remote Desktop Services UserMode port redirector service
  • Create a file in the bot’s path with an “OK” inside
  • The foregoing commands execute on reboot while the message “Windows repare quelques fichiers, patientez …” (Windows is repairing some files, wait …) appears to the user at the command prompt.
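Nearly every step above is a registry write, so a registry export is the quickest thing to check on a suspect host. The following Python is an added example, not McAfee's analysis tooling and not from the original post: it parses a `reg export`-style dump and scores the combination the write-up describes. It uses the value names the post gives (DisableRegistryTools, DisableCMD, EnableLUA and the Run value Update) plus, as assumptions the page does not name, the standard Windows switches behind "allow blank passwords" and "enable Remote Desktop" (LimitBlankPasswordUse and fDenyTSConnections) and Explorer's Hidden/HideFileExt settings for the file-hiding step. The export text is constructed, and the path under C:\Users\victim is invented. Note that 0 is also the normal value of DisableRegistryTools and DisableCMD, so their presence proves nothing on its own; the script counts them only alongside a .vbe autostart and the stronger indicators.

```python
"""Triage of a registry export for Satanbot-style tampering (added example)."""
import re

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"(?:[^"\\]|\\.)*")$')

# Key paths, lower-cased to match what the parser emits.
HKCU_POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
HKCU_EXPLORER = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
HKLM_POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
HKLM_LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
HKLM_TS = r"hkey_local_machine\system\currentcontrolset\control\terminal server"


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax that `reg export` writes: [key] headers,
    then "name"=dword:HEX or "name"="string" lines. Returns {(key, name): data}."""
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                values[(current_key, name)] = int(data[6:], 16)
            else:  # .reg escapes backslashes and quotes with a backslash
                values[(current_key, name)] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return values


# (key, value name, predicate on the data, description). The first five are the
# settings the write-up names; LimitBlankPasswordUse and fDenyTSConnections are
# assumed to be the switches behind "allow blank passwords" / "enable Remote Desktop".
INDICATORS = [
    (HKCU_POLICY, "disableregistrytools", lambda v: v == 0, "regedit explicitly re-enabled"),
    (HKCU_POLICY, "disablecmd", lambda v: v == 0, "cmd.exe explicitly re-enabled"),
    (HKCU_EXPLORER, "hidden", lambda v: v == 2, "Explorer hides hidden files"),
    (HKCU_EXPLORER, "hidefileext", lambda v: v == 1, "Explorer hides file extensions"),
    (HKLM_POLICY, "enablelua", lambda v: v == 0, "UAC disabled (EnableLUA=0)"),
    (HKLM_LSA, "limitblankpassworduse", lambda v: v == 0, "blank-password network logons allowed"),
    (HKLM_TS, "fdenytsconnections", lambda v: v == 0, "Remote Desktop connections enabled"),
]


def vbe_autostarts(values: dict) -> list:
    """Every Run-key entry (any name, not only 'Update') that launches a .vbe."""
    return [v for (key, _), v in values.items()
            if key.endswith(r"\currentversion\run")
            and isinstance(v, str) and v.lower().endswith(".vbe")]


def find_indicators(values: dict) -> list:
    return [desc for key, name, pred, desc in INDICATORS
            if (key, name) in values and pred(values[(key, name)])]


def looks_like_satanbot(values: dict) -> tuple:
    """A .vbe autostart plus at least two of the other settings. Any one of the
    settings alone (EnableLUA=0 especially) is common on untouched machines."""
    hits = find_indicators(values)
    return bool(vbe_autostarts(values)) and len(hits) >= 2, hits


# Constructed sample export from a hypothetical infected host; the path under
# C:\Users\victim is invented, the value names and data follow the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Update"="C:\\Users\\victim\\AppData\\Roaming\\System File [Not Delete].vbe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"""

if __name__ == "__main__":
    verdict, hits = looks_like_satanbot(parse_reg_export(SAMPLE_REG))
    print("satanbot-like:", verdict)
    for h in hits:
        print(" -", h)
```

On a live host the same checks can be run against `reg export HKCU` and `reg export HKLM` output; the added administrator account, the firewall rule for port 3389 and the UserMode port-redirector service the bot also enables are not registry values this parser sees, so confirm them with `net user`, the firewall configuration and the service list before drawing a conclusion.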

Another interesting part of the code is the section Compt.Bot, from which the malware sends an HTTP POST request with a specific user agent to the URL of the botnet command server. With that request, the server can get the public IP address of the infected machine, which probably has Remote Desktop Access enabled with the required specifications so the bad guys can connect. By opening that URL in the browser, we can see the IP address of the machine that is connected to the control panel and the number of compromised machines, which can grow very quickly. Take a look at this 24-hour comparison:



Other functionalities of the botnet:
  • Delete browser and user histories of some common software: Internet Explorer, Firefox, Chrome, Thunderbird, and Skype
  • Terminate processes of security software by downloading and executing a batch file that can be easily updated with more processes
  • Download an .exe file from another URL (currently offline). We need to examine this file more thoroughly, but one of its purposes seems to be updating the malware by executing a different embedded .vbe.

Even if VBScript is not the best language to hide malicious activities (using encryption, obfuscation, packers, antidebuggers, or anti-virtual machine features), it is pretty effective when we take into account the rate of infection in just one day. In addition, those scripts can build a botnet of infected machines that can be controlled by using a Remote Desktop connection, which allows the attacker to perform any action in the system. The malicious files related to this threat are detected by McAfee products as VBS/Satanbot.

29/10/11

Facebook Letting Users Designate 'Guardian Angel' Friends To Restore Locked Accounts

Social networking giant Facebook said on Thursday that it is testing a feature that will allow users to designate certain friends as 'guardian angels' entrusted with helping the user to recover a locked or hijacked account.

The company, which has already experimented with forms of "social authentication," such as using photos of Facebook friends to help users prove they are the rightful owners of locked accounts, said in a blog post that it is testing a feature allowing users to designate "three to five" of their Facebook friends to receive a recovery code in the event that they are locked out of their account. Friends who receive the code can pass it along to the account holder, providing a way for them to get back into their account.

The company has periodically struggled with account lockouts. In November 2010, a software error locked a small percentage of Facebook's user base out of their accounts.

Account takeovers are a small problem for the company as measured against legitimate traffic. Facebook estimates that just 0.06% of account logins each day represent compromised accounts. But with 750 million users and one billion logins a day, that small percentage still represents a large number, 600,000, to contend with.

The new feature comes as part of a host of security upgrades scheduled to coincide with national Cybersecurity Awareness Month. The company also announced a new "App Passwords" feature that will enable users to set application specific passwords for their Facebook applications.

Company data, released on Thursday, suggest that Facebook is doing well in its quest to limit spam, malware and account hijacking - at least compared to the larger Internet. Spam is just 4% of the content shared on the social network, compared with anywhere from 85% to 95% of e-mail traffic. (Estimates vary depending on the source.)

However, Facebook's success in quelling malicious traffic hasn't kept privacy advocates from raising red flags about the implications of one company owning so much personal data on its users. At the Black Hat Briefings in Las Vegas in August, researcher Alessandro Acquisti showed how cloud computing, facial recognition technology and freely available data hosted on Facebook and other Web sites could be used to match faces in a crowd to detailed online profiles. The company also released an infographic that depicts the evolution of its security features and provides other security-related insights.