Irregular Expressions


May 29, 2011  1:31 AM

Another great ISC blog post

Dan O'Connor

http://isc.sans.org/diary.html?storyid=10933

May 29, 2011  1:26 AM

Video break

Dan O'Connor

It does not matter what your opinion is; you just need to watch this.

http://video.pbs.org/video/1946795242


May 29, 2011  12:47 AM

Zeus code walkthrough – Part 4

Dan O'Connor

Next we need to build our bot and configure it.

This is the zsb.exe file; point it at config.txt. The server's IP address will need to be set and the key configured.

For bonus points, you can use zsb.exe to check whether the host you are running it on is infected, but you will need to know its key.

Time for some clickity click.

[Screenshot: the zsb.exe builder]

To call this easy is insulting; a monkey can set this up.

So, DON’T DO IT.

This will get you in lots of trouble if you try to use it.
But it’s very educational and fun for our purposes.
JUST DON’T USE IT.


May 29, 2011  12:15 AM

Zeus code walkthrough – Part 3

Dan O'Connor

If all has gone well you should be able to get the install screen.

[Screenshot: the install screen]

We need to set up the admin user and password and provide the login details for the SQL database. The encryption key also needs to be set at this point.

Hit Install, and it's time for more beer!

Here is the completed install screen.

[Screenshot: the completed install screen]

Now we can log in to the control panel and start to have some fun!

[Screenshot: the control panel]

I can say that I am impressed with the interface: simple and very effective.
Part 4 will be the infection of the first host.


May 28, 2011  12:44 AM

Zeus code walkthrough – Part 2

Dan O'Connor

If you are following at home you are going to need to install some webby stuff on your “server”.

I am going to use XAMPP.

Also, your machines are going to need to be able to talk to each other, so make sure you are all set up. Using VMware, I set up a network on which only the server and the machine called infect can talk.

I will not go into the setup of XAMPP; just remember to configure Apache and any needed security settings to run PHP.

At this point you should be able to connect to your new web server and we can now start installing the C2.


May 25, 2011  10:25 PM

Zeus code walkthrough – Part 1

Dan O'Connor

I am going to step through the Zeus bot source code. I will start with the PHP stuff, which should be pretty light. There are 44 PHP files to go over.

> find . -type f -name "*.php"
./cp.php
./gate.php
./index.php
./install/index.php
./system/botnet_bots.lng.en.php
./system/botnet_bots.lng.ru.php
./system/botnet_bots.php
./system/botnet_scripts.lng.en.php
./system/botnet_scripts.lng.ru.php
./system/botnet_scripts.php
./system/fsarc.php
./system/global.php
./system/index.php
./system/jabberclass.php
./system/lng.en.php
./system/lng.ru.php
./system/reports_db.lng.en.php
./system/reports_db.lng.ru.php
./system/reports_db.php
./system/reports_files.lng.en.php
./system/reports_files.lng.ru.php
./system/reports_files.php
./system/reports_jn.lng.en.php
./system/reports_jn.lng.ru.php
./system/reports_jn.php
./system/stats_main.lng.en.php
./system/stats_main.lng.ru.php
./system/stats_main.php
./system/stats_os.lng.en.php
./system/stats_os.lng.ru.php
./system/stats_os.php
./system/sys_info.lng.en.php
./system/sys_info.lng.ru.php
./system/sys_info.php
./system/sys_options.lng.en.php
./system/sys_options.lng.ru.php
./system/sys_options.php
./system/sys_user.lng.en.php
./system/sys_user.lng.ru.php
./system/sys_user.php
./system/sys_users.lng.en.php
./system/sys_users.lng.ru.php
./system/sys_users.php
./theme/index.php

Then we have a whole whack of C to go through.

Also, if you are following at home, you may need to install the Russian language pack for your OS.

The first thing we need to do is install this stuff, and then we will start to get an idea of what does what.


May 24, 2011  10:02 PM

Zeus packing list

Dan O'Connor

So what was in the Zeus RAR?

7z.exe – Looks clean, nothing reported on it.

bt.exe – Listed as suspicious but nothing specific by any vendor.

upx.exe – Nothing reported.

FASM.exe – Listed as suspicious but nothing specific by any vendor.

php.exe – Nothing reported.

zip.exe – Nothing reported.

zsb.exe – Reported as Trojan-Spy:W32/Zbot; everything reports this as the main executable for the Zeus botnet.

zsbcs.exe – Backdoor, Backdoor.Generic.653241

Lots of PHP, C++ and XML, a few text files, and a GeoIP lookup CSV.

If you do not know what that one is, it's a list of IP ranges with their assigned country codes. This list can be purchased online and is updated frequently.

More to come.
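To make the GeoIP CSV concrete, here is an added example (my own code, not anything shipped in the Zeus kit) that loads a country-range CSV and resolves an IP address to its country code, the lookup a C2 panel's per-country statistics would need. It assumes the legacy six-column layout (start IP, end IP, start integer, end integer, country code, country name); the rows below are constructed sample data, not a real GeoIP download. The loader cross-checks the integer columns against the dotted-quad columns and rejects overlapping ranges, so a corrupt or hand-edited row fails loudly instead of silently mis-attributing hosts.

```python
import bisect
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows (assumed legacy six-column GeoIP country CSV layout:
# start_ip, end_ip, start_int, end_int, country_code, country_name).
SAMPLE_GEOIP_CSV = '''"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"2.16.0.0","2.16.255.255","34603008","34668543","NL","Netherlands"
"5.0.0.0","5.0.255.255","83886080","83951615","RU","Russia"
'''


class GeoIPTable:
    """Sorted, non-overlapping IPv4 ranges with a binary-search lookup."""

    def __init__(self, csv_text):
        self.ranges = []
        for row in csv.reader(io.StringIO(csv_text)):
            if not row or row[0].startswith("#"):
                continue  # skip blank lines and comments
            if len(row) < 5:
                raise ValueError("short row: %r" % (row,))
            start = int(ipaddress.IPv4Address(row[0]))
            end = int(ipaddress.IPv4Address(row[1]))
            # The integer columns must agree with the dotted quads; a mismatch
            # means the file is corrupt or has been edited by hand.
            if (int(row[2]), int(row[3])) != (start, end) or start > end:
                raise ValueError("inconsistent row: %r" % (row,))
            self.ranges.append((start, end, row[4]))
        self.ranges.sort()
        # Overlapping ranges would make a lookup ambiguous, so refuse them.
        for prev, cur in zip(self.ranges, self.ranges[1:]):
            if cur[0] <= prev[1]:
                raise ValueError("overlapping ranges: %r / %r" % (prev, cur))
        self._starts = [r[0] for r in self.ranges]

    def lookup(self, ip):
        """Return the country code covering ip, or None if no range does."""
        n = int(ipaddress.IPv4Address(ip))
        # Index of the last range whose start is <= n; bisect_right guarantees
        # ranges[i][0] <= n whenever i >= 0, so only the end needs checking.
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None

    def tally(self, ips):
        """Count addresses per country, like a panel's per-country bot stats."""
        return dict(Counter(self.lookup(ip) or "??" for ip in ips))


def is_valid_table(csv_text):
    """True if the CSV parses cleanly, False if any consistency check fails."""
    try:
        GeoIPTable(csv_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    table = GeoIPTable(SAMPLE_GEOIP_CSV)
    # Constructed addresses standing in for reporting bots.
    for ip in ["1.0.2.7", "1.0.5.1", "2.16.10.10", "9.9.9.9"]:
        print(ip, "->", table.lookup(ip))
    print(table.tally(["1.0.2.7", "1.0.5.1", "1.0.0.1", "9.9.9.9"]))
```

The lookup is O(log n) on the sorted starts, which matters for a file with hundreds of thousands of rows; addresses that fall in the gaps between ranges resolve to None, which the tally reports as "??" rather than guessing.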


May 18, 2011  11:40 PM

More Mac fake AV stuff

Dan O'Connor

http://nakedsecurity.sophos.com/2011/05/18/malware-on-your-mac-dont-expect-applecare-to-help-you-remove-it/


May 18, 2011  11:11 PM

Not to be left out

Dan O'Connor

http://www.macrumors.com/2011/05/02/new-macdefender-malware-threat-for-mac-os-x/

You can now get your very own fake AV for your Mac.

So far no one has reported anything deeply malicious; it just installs and wants a credit card. Now, if it had some sort of rootkit or trojan payload along with it, that would be bad. It's using a feature in Safari that will automagically open a “safe” file once it has been downloaded to your machine. It then executes the installer, which just happens to ask you to send $99 via PayPal.

Man, if that PayPal account were linked to WikiLeaks it would already be down.


May 17, 2011  10:53 PM

Surprised?

Dan O'Connor

It's really nice to have someone who is truly honest.

http://www.theregister.co.uk/2011/05/12/fbi_protects_isps/

That quote from the FBI agent will stay with me for a long time.

This will be interesting to follow; I really think information should be like this. I can see how a company could have a problem with it, but last time I checked, government is for people, not corporations.

