ZeuS source code, anyone?

Posted: 12th May 2011 by Matt in code

If you’d like to take a look at the ZeuS/SpyEye botnet source code and see how it ticks, you can download it below. I’m not sure how long this will be up (for obvious reasons), so get it while it’s hot.

ZeuS 2.0.8.9

Enjoy..

PS – I am in no way responsible for the use of this software. I am distributing it purely for its educational value. It’s a really good example of the science behind the bot networks and will, hopefully, help us combat them.

PPS – I just noticed that it includes the binaries.. I would uh, recommend not running those unless you know what you’re doing. Like, say, in a virtual machine that you don’t care about, for example. If you find anything neat, let me know. I’m just starting to go through it myself.

Do I still have any regular readers left? I hope so, even though I’ve greatly neglected you. I won’t even bother with excuses. BUT, here’s a post to prove that I still know what I’m doing! :-D

So, if you’ve been following some of the other blogs (specifically, Krebs), you’ve probably seen the hubbub about ZeusTracker. If not, I highly recommend you click on that previous link and go read. It’s long, but quite interesting.

ZeuS, if you’re unaware, is a big botnet that’s used heavily in cyber crime. You don’t want to get infected by this. To those who manage networks: You don’t want your users to get infected by this.


No, I’m not dead.

Posted: 4th November 2010 by Matt in news

OK, so I’ve received a couple of emails from different people wondering if I was abducted by the NSA, assassinated, or if I’m on the run with Julian Assange.

No, no, and.. no. Though, that’d be pretty sweet. Minus being assassinated. That would suck.

Honestly, right now, I’m being pulled in like, 73 different directions, which doesn’t leave me with much time for anything else, including a social or blogging life.

But! I expect that I will be able to begin blogging again within the next few weeks and hopefully will return to my regular production level.

I don’t want you guys to fall behind, though.. so let me summarize the past few weeks in the security world:

Microsoft 0day
Microsoft 0day
Stuxnet
Adobe 0day
Java 0day
Microsoft 0day
Adobe 0day
Adobe 0day
…Adobe 0day
Facebook privacy
Julian Assange

There, consider yourself up to date. :-)

Geolocation Using BSSID

Posted: 22nd September 2010 by Matt in code, hacks, news, security

This was discussed at DefCon 18 in a talk by Samy Kamkar, but as far as I know, Samy didn’t release his code, so I had to come up with something on my own.

First, one big difference. His version of this uses the Google Location Services API. I’ve opted to use the Skyhook service instead because far more documentation and sample code exist for that API, whereas I was unable to find anything terribly helpful on using the GLS API for this particular purpose. If anyone has any insight on this, please, please, let me know. I’d like to incorporate that into this script for comparison data.

So, I’ve come across a lot more information regarding the no-longer-0day Adobe vulnerability (oh, wait, that’s right.. there have been like, 12 in the last 30 days.. I’m referring just to the SING table one).

Anyway, a penetration testing company named Ramz Afzar has released an unofficial patch to fix the Adobe vulnerability, because apparently Adobe has had a difficult time figuring one out on their own.

After reading their analysis of the vulnerable code, this jumped out at me the most:

(Source: Computer World)

IDG News Service – A hacker who claims he was behind a fast-spreading e-mail worm that crippled corporate networks last week said that the worm was designed, in part, as a propaganda tool.

The hacker, known as Iraq Resistance, responded to inquiries sent to an e-mail address associated with the “Here you have” worm, which during a brief period early Thursday accounted for about 10 percent of the spam on the Internet. He (or she) revealed no details about his identity, but said, “The creation of this is just a tool to reach my voice to people maybe… or maybe other things.”

He said he had not expected the worm to spread as broadly as it had, and noted that he could have done much more damage to victims. “I could smash all those infected but I wouldn’t,” said the hacker. “I hope all people understand that I am not negative person!” In other parts of the message, he was critical of the U.S. war in Iraq.

On Sunday, Iraq Resistance posted a video echoing these sentiments and complaining, through a computer-generated voice, that his actions were not as bad as those of Terry Jones. Jones is the pastor at a small Florida church who received worldwide attention this week for threatening to burn copies of the Koran.

“…that we all feared might happen someday…”? Where has this chick been? ;-) ANYWAY…..

Whenever I hear about an email worm going around and infecting people left and right, I kind of chuckle to myself. These are absurdly easy to block, yet no one seems to do it. I’m in charge of all the network operations at the company that I work for and it’s a relatively small company, yet we’ve never been hit by any of the major email worms that have surfaced over the years. Why?

Well, it’s simple.. just like spam, there are certain characteristics that are static across all of the emails that are being generated. Yes, sometimes they’re more difficult to pinpoint than others, but usually (as is the case here), it’s trivial.

A few days ago I posted an article that was circulating regarding a backdoor into Accton-based switches. You can read that post here. Shortly after, a person by the name of “CK”, who apparently works for the vendor, responded with the company’s side of the story.

I then issued my response, and CK commented with the steps to take to help secure your router/switch if it is vulnerable to this backdoor. Thanks CK!

Here’s the exchange plus the fix:
