Saturday, 8 November 2014

Top 10 Worms of the past 10 years

I was asked at some point about worms and their exploits... so this is a list to cover that subject. BTW this is MY list, not an official one or whatever.. these are the ones that caught my eye during my research on the matter. Also, I tried to mention the originals rather than the variants.. so, for example, no Duqu or Flame.. just Stuxnet.

Date: Jan 2004
Name: MyDoom
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / P2P shares
Description: Spreads through mail messages posing as failed deliveries, which propagate across the target's address book when executed, whilst also sharing itself through any other available p2p networks. The payload contains a backdoor on port 3127/tcp for remote control as well as a timed DoS attack on the SCO and Microsoft sites.
Infections: 33 million

Date: Feb 2004
Name: Sasser
Exploit: MS04-011
CVE-ID: CVE-2003-0533
Method: Scan and exploit
Description: Scans for vulnerable systems and exploits the LSASS bof when found. Opens a shell on port 9996/tcp and pulls the worm from the infected (source) system via FTP. It checks whether the system is already infected and stops if it is. Adds itself to autorun and creates an FTP server on port 5554/tcp to spread the infection further. Uses the local system IP to generate a list of targets, spawns 128 threads and gets to work (avoiding RFC 1918 addresses).
Infections: 250,000

Date: Jan 2006
Name: Nyxem
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / network shares
Description: Spreads mostly via mail but also via locally mounted network shares. The payload is set to disable a variety of AV products and to use local shares and address-book records to propagate itself further. On the 3rd day of every month the virus searches all available drives for files with the following 12 extensions: .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd and .dmp, and replaces their contents with the text string "DATA Error [47 0F 94 93 F4 K5]".
Infections: 400,000 to 1 million

Date: Nov 2006
Name: Storm
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign
Description: Mass-mailing worm which propagates using address-book information harvested from the target system. Kills a variety of investigative utilities including AV (based on their window name). Installs itself in the registry and hides using the SSDT rootkit technique whilst pulling more malware from the net.
Infections: 2 to 50 million

Date: Aug 2008
Name: Koobface
Exploit: n/a*
CVE-ID: n/a*
Method: Social Networks
Description: Infected systems become part of a p2p botnet which spreads itself further via social networks. It manipulates searches to inject advertisements and can remotely install further pay-per-install malware, but can also steal credentials and licences, block access to sites or direct traffic to particular sites, act as a command & control server, break CAPTCHAs and even propagate itself via newly created blogspot accounts/pages.
Infections: 400,000 to 800,000

Date: Oct 2008
Name: Conficker
Exploit: MS08-067
CVE-ID: CVE-2008-4250
Method: Scan and exploit
Description: Exploits the RPC bof and connects to the source's HTTP server running on a random port (1024-10000) to download the worm's DLL. Saves the DLL in the system folder and triggers it on system startup via svchost (saved in the registry). It then attacks local network systems and runs dictionary attacks against the password-protected shares it detects. The latest variants even copy themselves to any removable media and take advantage of Windows AutoRun to propagate further. In the meantime System Restore Points are reset, and error reporting, updating, diagnostic and antivirus tools are disabled, watched for and terminated.
Infections: 9 to 15 million

Date: July 2009
Name: Daprosy
Exploit: n/a*
CVE-ID: n/a*
Method: Spam campaign / mapped, fixed, and removable drives
Description: Spreads through email, removable devices via autorun, and fixed or mapped drives. Uses key-logging to extract target email addresses to propagate itself further and to send sensitive information to the author. Disables System Restore, hides folders and adds itself to the startup folder.
Infections: n/a

Date: Jun 2010
Name: Stuxnet
CVE-ID: CVE-2010-2568 / CVE-2008-4250 / CVE-2010-2729 / CVE-2010-3888 / CVE-2010-2743 / CVE-2012-3015
Method: USB Media / Scan and exploit
Description: Post exploitation the worm looks for Siemens software; if none is found it spreads itself to up to three other systems and lies dormant until the 24th June 2012, when it was scheduled to erase itself. A range of exploits were used to propagate the worm and yet another to deliver the payload to the target... which was SCADA systems. The worm also had rootkit capabilities, using drivers signed with certificates stolen from JMicron and Realtek. Two websites were used as command and control for the worm and to offload any industrial espionage information involved. There is a library's worth of documentation for this one and its variations, so I will not attempt to "sum up" the brilliant work involved any further!
Infections: 6 million (minimum)

Date: Aug 2011
Name: Morto
Exploit: n/a*
CVE-ID: n/a*
Method: RDP Brute force
Description: Based on a dictionary attack aimed at administrator accounts via Microsoft's RDP service. After the initial infection the worm adds some registry entries and files, injects its DLL into svchost.exe and removes its initial file; then the scanning begins. Using a list of around 100 common passwords the worm performs a dictionary attack against all reachable RDP targets (starting with the local network).
Infections: 1,000 - 2,000

Date: Apr 2013
Name: Kelihos
CVE-ID: CVE-2013-0422
Method: Spam campaign
Description: Using a drive-by attack delivered via a spam campaign themed on the Boston Marathon attacks, users are led to pages that exploit the Java Security Manager Bypass vulnerability and download malware onto the system. The worm steals financial information, monitors web traffic, steals bitcoins and any credentials stored in a variety of applications whilst hiding itself, uses the target's contacts to propagate further, and provides remote p2p command and control capabilities.
Infections: 110,000

Th-Th-Th-Th-Th-... That's all, folks!

* Some of the worms mentioned do not take advantage of a particular vulnerability; instead they employ social engineering techniques to convince their victims to execute the initial malicious code.

Saturday, 1 November 2014

CPU Scaling on Kali Linux

Making sure that fancy laptop won't crash n burn when you leave it overnight to crack something. Overheating is a common problem with quite a few laptops, which is expected when you have a quad-core CPU with disks and GFX cards all crammed into a tiny little space.. but I digress. What worked for me was scaling down the CPU to a level where, even at maximum utilization, the temperature did not go higher than 75 degrees Celsius (less fan noise as well). The following was done on a Kali box, so it should apply to Debian and Ubuntu as well.

Required tools:
apt-get install cpufrequtils
(allows you to change policies, governors etc.)
apt-get install lm-sensors
(allows you to monitor the temperature from the CPU sensors via the command line)
apt-get install htop
(a colourful version of top that supports scrolling and per-CPU graphs via the command line; comes out of the box with Kali)

Check out what your current settings are:
cpufreq-info

The line we are looking for is:
available frequency steps: 2.67 GHz, 2.67 GHz, 2.53 GHz, 2.40 GHz, 2.27 GHz, 2.13 GHz, 2.00 GHz, 1.87 GHz, 1.73 GHz, 1.60 GHz, 1.47 GHz, 1.33 GHz, 1.20 GHz

We can also see the maximum defined in the current policy:
current policy: frequency should be within 1.20 GHz and 2.67 GHz.
Note how many cores your system has at this point (one cpufreq-set line per core below); now it is time to scale it back a bit:
cpufreq-set -r -g ondemand --max 1.73GHz -c 0
cpufreq-set -r -g ondemand --max 1.73GHz -c 1
cpufreq-set -r -g ondemand --max 1.73GHz -c 2
cpufreq-set -r -g ondemand --max 1.73GHz -c 3

We can run cpufreq-info again to confirm, and we will see the policy has changed:
current policy: frequency should be within 1.20 GHz and 1.73GHz.
The governor "ondemand" may decide which speed to use within this range.
Now to make something for john to play with (I am assuming that you have changed your password from toor, so john will actually have a challenge!):
unshadow /etc/passwd /etc/shadow > john-test

Almost there... you need to prep the sensors now so you can monitor the temperature... we want to test... not burn!
sensors-detect
(will detect the sensors you have in place.. the default options are fine)

Finally open up two more terminals, one running each of the following:
watch sensors
john john-test
Kick off john and find the sweet spot for your laptop's CPU :) (give it a couple of minutes to reach maximum temperature)
(you can stop john and watch with Ctrl-C and exit htop by typing "q")

When you have found it, add your cpufreq-set lines to /etc/rc.local so they are applied at boot time.
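As an added example (my own script, not from the original post), here is the whole procedure above as one small POSIX shell script: it caps every core the kernel exposes in a loop instead of one cpufreq-set line per core, reads the cap back from sysfs to verify it, and parses the output of sensors so that a long-running job can be stopped automatically once the hottest core passes the 75 degree ceiling. It assumes cpufrequtils and lm-sensors are installed as described, that the "apply" verb is run as root, and the variable names, function names and thresholds are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes cpufrequtils and lm-sensors
# are installed and that "apply" runs as root. MAX_FREQ, TEMP_LIMIT and the
# function names below are my own choices.

MAX_FREQ="${MAX_FREQ:-1.73GHz}"   # the cap used in the post
TEMP_LIMIT="${TEMP_LIMIT:-75}"    # degrees Celsius, the post's ceiling

# Cap every core the kernel exposes, instead of one cpufreq-set line per core.
cap_all_cores() {
    cpu=""
    for cpu in /sys/devices/system/cpu/cpu[0-9]*; do
        cpufreq-set -g ondemand --max "$MAX_FREQ" -c "${cpu##*cpu}" || return 1
    done
}

# Read the cap back from sysfs (in kHz) so the change can be verified.
show_caps() {
    f=""
    for f in /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_max_freq; do
        printf '%s: %s kHz\n' "${f%/cpufreq/*}" "$(cat "$f")"
    done
}

# Pull the hottest whole-degree reading out of `sensors` text on stdin.
# Takes the first temperature on lines such as
#   Core 0:        +61.0°C  (high = +86.0°C, crit = +100.0°C)
# and ignores fan (RPM) and voltage (V) lines.
hottest_celsius() {
    sed -n 's/^[^:]*:[[:space:]]*+\{0,1\}\([0-9]\{1,3\}\)\.[0-9]°C.*/\1/p' | sort -n | tail -n 1
}

# Succeeds when the reading is at or below TEMP_LIMIT.
within_limit() {
    [ "$1" -le "$TEMP_LIMIT" ]
}

# Poll sensors every 5 seconds while the named job runs; kill it when too hot.
guard_job() {
    job="$1"
    while pgrep -x "$job" >/dev/null 2>&1; do
        t="$(sensors 2>/dev/null | hottest_celsius)"
        if [ -n "$t" ] && ! within_limit "$t"; then
            echo "hottest core ${t}C is over ${TEMP_LIMIT}C, stopping $job" >&2
            pkill -x "$job"
            return 1
        fi
        sleep 5
    done
}

# Usage:  sh cpucap.sh apply        (as root; also suitable for /etc/rc.local)
#         sh cpucap.sh guard john   (in a spare terminal while john runs)
case "${1:-}" in
    apply) cap_all_cores && show_caps ;;
    guard) guard_job "${2:-john}" ;;
    *)     : ;;
esac
```

The "apply" verb is the part that belongs in /etc/rc.local; "guard" replaces the watch sensors terminal with something that acts on the reading instead of just displaying it, so an unattended cracking session stops itself rather than cooking the laptop.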

Enjoy :)