ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered, also has a implementation of sslstrip and is coded 100% in python and on Github, so you can modify according to your needs.

This tool was released by Nicolas Trippar at BlackHat USA 2012.

For the tool to work you need pypcap, so assuming are using a Debian derivative OS (like all sane people do) – you’ll need to do this first:

“apt-get install python-pypcap”

Download: ARPwner.zip

Read More: ARPwner @ GitHub

The home Trojan-banker known as Shylock has just been updated with new functions. According to the CSIS Security Group, during an investigation, researchers found that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype.

The program was discovered in 2011 that steals online banking credentials and other financial information from infected computers. Shylock, named after a character from Shakespeare’s “The Merchant of Venice”.

Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK.

The Skype replication is implemented with a plugin called “msg.gsm”. This plugin allows the code to spread through Skype and adds the following functionality:

– Sending messages and transferring files
– Clean messages and transfers from Skype history (using sql-lite access to Skype%smain.db )
– Bypass Skype warning/restriction for connecting to Skype (using “findwindow” and “postmessage”)
– Sends request to server: https://a[removed]s.su/tool/skype.php?action=…

Besides from utilizing Skype it will also spread through local shares and removable drives. Basically, the C&C functions allow the attacker to:

– Execute files
– Get cookies
– Inject HTTP into a website
– Setup VNC
– Spread through removable drives
– Uninstall
– Update C&C server list
– Upload files

Shylock is one of the most advanced Trojan-banker currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.

As always for this type of Trojans antivirus detection is low.

Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users.

Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Demonstrating an apparent flair for marketing, the hacker, under the alias “TheHell” also posted a video on YouTube, providing a demo for potential customers. He claims it works with all browsers and does not require a bypass of XSS filters in either Chrome or Internet Explorer. He also says the exploit will be sold only to trusted individuals who are not likely to turn it over to Yahoo, which would undoubtedly develop a patch that will foil the attack.

“TheHell” claims that his exploit attacks a “stored” XSS flaw. This type of attack injects a code that is permanently stored on targeted servers until it is found and deleted. The malicious code is then passed to the victim’s machine when that particular server is accessed for legitimate download.

A standard phishing attempt is used to access the user’s cookies, from which the attacker can access the person’s email, or take full control of the account.

As of Tuesday morning, Yahoo was in the process of trying to identify the infected URL. Once the identification is successful, the malicious portion of code will be deleted.

A new Distributed Denial of Service (DDoS) crimeware bot known as “Zemra” and detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.

This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. This allows it to issue commands to compromised computers and act as the gateway to record the number of infections and bots at the attacker’s disposal.

Similar to other crimeware kits, the functionality of Zemra is extensive:

• 256-bit DES encryption/decryption for communication between server and client
• DDoS attacks
• Device monitoring
• Download and execution of binary files
• Installation and persistence in checking to ensure infection
• Propagation through USB
• Self update
• Self uninstall
• System information collection

However, the main functionality is the ability to perform a DDoS attack on a remote target computer of the user’s choosing.

Initially, when a computer becomes infected, Backdoor.Zemra dials home through HTTP (port 80) and performs a POST request sending hardware ID, current user agent, privilege indication (administrator or not), and the version of the OS. This POST request gets parsed by gate.php, which splits out the information and stores it in an SQL database. It then keeps track of which compromised computers are online and ready to receive commands.

Inspection of the leaked code allowed us to identify two types of DDoS attacks that have been implemented into this bot:

• HTTP flood
• SYN flood

Symantec added detection for this threat under the name Backdoor.Zemra, which became active on June 25, 2012. To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.

Most popular open source network discovery and security auditing tool Nmap has reached version 6.0.

The new code hit the Net last Monday, complete with a message from coder Gordon Lyon, aka Fyodor, that the new version represents “almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009.”

Fyodor recommends all users upgrade to the new version, so they can get their hands on 289 new scripts and a host of new features.

Top Improvements:

• Enhanced Nmap Scripting Engine (NSE)
• Better Web Scanning
• Full IPv6 Support
• New Nping Tool
• Better Zenmap GUI and Results Viewer
• Faster Scans

Download:
Linux: nmap-6.00.tar.bz2
Windows: nmap-6.00-win32.zip