Sep 01, 2010
Last year there was discussion of Google Code, a site that lets developers host their projects, being used to spread malware. Zscaler research has now found another case of Google Code being used to distribute malware. According to the Google Code site:
“Project Hosting on Google Code provides a free collaborative development environment for open source projects. Each project comes with its own member controls, Subversion/Mercurial repository, issue tracker, wiki pages, and downloads section. Our project hosting service is simple, fast, reliable, and scalable, so that you can focus on your own open source development”.
The malicious project in question has more than 50 files stored in its downloads section.
Most of them are executables; the rest are .rar archives. The timestamps show that the files were uploaded over the course of the last month, which suggests that an attacker is actively using this free service to spread malware. VirusTotal results for the first file show that only 8 of 43 antivirus vendors flagged it as malicious; the detection ratio for the second file is only slightly better.
Analysis of all the files shows that every one of them is malicious: Trojan horses, backdoors, and password-stealing keyloggers targeting online games such as World of Warcraft. The file-resource analysis in the ThreatExpert report suggests China as the probable country of origin. Notably, the Google Code FAQ states that the whole project will be taken down if malware is found hosted in it.
UPDATE: 2 September 2010
Google took the project down immediately; its URL is no longer accessible.
Source: zScaler Research
Mar 22, 2010
SkipFish is a fully automated, active web application security reconnaissance tool.

Key Features:
- High speed: pure C code and highly optimized HTTP handling with a minimal CPU footprint, easily achieving 2000 requests per second against responsive targets.
- Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning, on-the-fly wordlist creation, and form autocompletion.
- Cutting-edge security logic: high-quality, low-false-positive differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.
The tool supports Linux, FreeBSD 7.0+, Mac OS X, and Windows (Cygwin).
Download: skipfish-1.13b.tgz
More Info: SkipFish – Project Home
Mar 06, 2010
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.
Ncrack’s features include a very flexible interface that gives the user full control of network operations, allowing very sophisticated brute-forcing attacks; timing templates for ease of use; runtime interaction similar to Nmap’s; and many more.
Ncrack was started as a “Google Summer of Code” project in 2009. While it is already useful for some purposes, it is still unfinished, alpha-quality software. It is released as a standalone tool.
Ncrack is available for many different platforms, including Linux, *BSD, Windows and Mac OS X. There are already installers for Windows and Mac OS X and there is a universal source code tarball that can be compiled on every system.
Example: A representative Ncrack scan
$ ncrack 10.0.0.130:21 192.168.1.2:22
Starting Ncrack 0.01ALPHA ( http://ncrack.org ) at 2009-07-24 23:05 EEST
Discovered credentials for ftp on 10.0.0.130 21/tcp:
10.0.0.130 21/tcp ftp: admin hello1
Discovered credentials for ssh on 192.168.1.2 22/tcp:
192.168.1.2 22/tcp ssh: guest 12345
192.168.1.2 22/tcp ssh: admin money$
Ncrack done: 2 services scanned in 156.03 seconds.
Ncrack finished.
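The discovered-credential lines above are what you actually take away from a run, and on a large scan the first question is which username/password pairs worked on more than one host. The following is an added example, not part of Ncrack or the original post: it parses those lines into records and flags pairs reused across services. The sample output is the representative scan quoted above with one constructed extra host (192.168.1.3) and the summary line adjusted accordingly.

```python
"""Turn Ncrack's "Discovered credentials" lines into records and flag reuse.

Added example; not part of Ncrack. SAMPLE_OUTPUT is the representative
scan from the post plus one constructed host (192.168.1.3) so that
credential reuse across hosts shows up.
"""
import re
from collections import defaultdict

# One line per discovered pair: "<host> <port>/<proto> <service>: <user> <password>"
CRED_RE = re.compile(
    r"^(?P<host>\S+) (?P<port>\d+)/(?P<proto>tcp|udp) (?P<service>\S+): "
    r"(?P<user>\S+) (?P<password>.+)$"
)

SAMPLE_OUTPUT = """\
Starting Ncrack 0.01ALPHA ( http://ncrack.org ) at 2009-07-24 23:05 EEST
Discovered credentials for ftp on 10.0.0.130 21/tcp:
10.0.0.130 21/tcp ftp: admin hello1
Discovered credentials for ssh on 192.168.1.2 22/tcp:
192.168.1.2 22/tcp ssh: guest 12345
192.168.1.2 22/tcp ssh: admin money$
Discovered credentials for ssh on 192.168.1.3 22/tcp:
192.168.1.3 22/tcp ssh: admin hello1
Ncrack done: 3 services scanned in 201.77 seconds.
Ncrack finished.
"""


def parse_ncrack_output(text: str):
    """Return a list of dicts, one per credential line; banner and summary lines are skipped."""
    creds = []
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            creds.append(rec)
    return creds


def reused_credentials(creds):
    """Map (user, password) -> sorted 'host:port' list for pairs valid on more than one service.

    A password that opens FTP on one box and SSH on another is the finding
    to escalate first: it usually points at a shared default or a shared
    admin account rather than at one weak local password.
    """
    where = defaultdict(set)
    for c in creds:
        where[(c["user"], c["password"])].add(f'{c["host"]}:{c["port"]}')
    return {pair: sorted(hosts) for pair, hosts in where.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = parse_ncrack_output(SAMPLE_OUTPUT)
    for c in found:
        print(f'{c["host"]}:{c["port"]} {c["service"]} {c["user"]}/{c["password"]}')
    for (user, password), hosts in reused_credentials(found).items():
        print(f"REUSED {user}/{password} on {', '.join(hosts)}")
```

The regex anchors on the `host port/proto service:` prefix, so Ncrack's banner, "Discovered credentials for ..." headers and "Ncrack done" summary never produce a record; passwords are captured to end of line because they may contain spaces or punctuation such as the `$` above.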
Downloads:
http://nmap.org/ncrack/dist/ncrack-0.01ALPHA.tar.gz
http://nmap.org/ncrack/dist/ncrack-0.01ALPHA-setup.exe
http://nmap.org/ncrack/dist/ncrack-0.01ALPHA.dmg
Ncrack Man Page: http://nmap.org/ncrack/man.html
Ncrack Home: http://nmap.org/ncrack
Dec 14, 2009
inSSIDer is an award-winning free Wi-Fi network scanner for Windows Vista and Windows XP. Because NetStumbler doesn’t work well with Vista and 64-bit XP, inSSIDer was written as an open-source Wi-Fi network scanner designed for the current generation of Windows operating systems.

What’s Unique about inSSIDer?
- Runs on Windows Vista and 64-bit Windows XP.
- Uses the Native Wi-Fi API.
- Groups by MAC address, SSID, channel, RSSI and “time last seen”.
- Compatible with most GPS devices (NMEA v2.3 and higher).
How can inSSIDer help me?
- Inspect your WLAN and surrounding networks to troubleshoot competing access points.
- Track received signal strength in dBm over time.
- Filter access points in an easy-to-use format.
- Highlight access points in areas with a high Wi-Fi concentration.
- Export Wi-Fi and GPS data to a KML file for viewing in Google Earth.
Download: Inssider_Installer.msi
More Info: inSSIDer Wi-Fi Scanner | Metageek
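The GPS and KML features above rest on two small pieces of plumbing: reading NMEA position sentences off the GPS receiver (checksum first, so a corrupt serial read never geotags an access point) and writing one KML placemark per BSSID at the spot where it was heard most strongly. The following is an added example, not inSSIDer's code or part of the original post; the NMEA sentences and scan rows are constructed, and the RMC sentence is the textbook sample with the checksum verified by hand.

```python
"""Geotag Wi-Fi observations with NMEA GPS fixes and write them as KML.

Added example; not part of inSSIDer. The sample NMEA sentences and
access-point observations below are constructed.
"""
import xml.etree.ElementTree as ET


def nmea_checksum_ok(sentence: str) -> bool:
    """Verify the NMEA checksum: XOR of every byte between '$' and '*'."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, tail = sentence[1:].partition("*")
    calc = 0
    for ch in body:
        calc ^= ord(ch)
    try:
        return calc == int(tail[:2], 16)
    except ValueError:
        return False


def _dm_to_decimal(dm: str, hemisphere: str) -> float:
    """Convert NMEA 'ddmm.mmmm' / 'dddmm.mmmm' plus N/S/E/W to signed decimal degrees."""
    dot = dm.index(".")
    degrees = int(dm[: dot - 2])
    minutes = float(dm[dot - 2 :])
    value = degrees + minutes / 60.0
    return -value if hemisphere in ("S", "W") else value


def parse_rmc(sentence: str):
    """Return (lat, lon) from a valid $GPRMC/$GNRMC sentence, else None.

    Sentences with a bad checksum or a 'V' (void) status field are rejected.
    """
    if not nmea_checksum_ok(sentence):
        return None
    fields = sentence[1:].split("*", 1)[0].split(",")
    if fields[0] not in ("GPRMC", "GNRMC") or len(fields) < 7 or fields[2] != "A":
        return None
    return (_dm_to_decimal(fields[3], fields[4]), _dm_to_decimal(fields[5], fields[6]))


# Constructed sample: fix 0 is the textbook RMC sentence (checksum 6A is
# correct); fix 1 is the same sentence with a wrong checksum, as a corrupted
# serial read would look. Scan rows are (ssid, bssid, channel, rssi_dbm, fix index).
SAMPLE_NMEA = [
    "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A",
    "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6B",
]
SAMPLE_SCAN = [
    ("corp-wifi", "00:11:22:33:44:55", 6, -71, 0),
    ("corp-wifi", "00:11:22:33:44:55", 6, -58, 0),  # stronger reading of the same AP
    ("", "66:77:88:99:aa:bb", 11, -80, 0),            # hidden SSID
    ("guest", "cc:dd:ee:ff:00:11", 1, -60, 1),        # fix 1 is corrupt, row is dropped
]


def geotag(scan=SAMPLE_SCAN, nmea=SAMPLE_NMEA):
    """Join scan rows to validated fixes; rows whose fix failed validation are dropped."""
    fixes = [parse_rmc(s) for s in nmea]
    rows = []
    for ssid, bssid, channel, rssi, idx in scan:
        if fixes[idx] is None:
            continue
        rows.append({"ssid": ssid, "bssid": bssid, "channel": channel,
                     "rssi": rssi, "fix": fixes[idx]})
    return rows


def strongest_per_bssid(rows):
    """Keep, per BSSID, the observation with the highest RSSI: the best position estimate."""
    best = {}
    for obs in rows:
        key = obs["bssid"].lower()
        if key not in best or obs["rssi"] > best[key]["rssi"]:
            best[key] = obs
    return best


def build_kml(rows) -> str:
    """Emit a KML document with one Placemark per BSSID (KML orders coordinates lon,lat)."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for obs in strongest_per_bssid(rows).values():
        lat, lon = obs["fix"]
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = obs["ssid"] or "<hidden>"
        ET.SubElement(pm, "description").text = (
            f"BSSID {obs['bssid']} channel {obs['channel']} {obs['rssi']} dBm"
        )
        point = ET.SubElement(pm, "Point")
        ET.SubElement(point, "coordinates").text = f"{lon:.6f},{lat:.6f},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    print(build_kml(geotag()))
```

Two details matter in practice: the checksum is checked before any field is trusted, and the placemark uses the strongest of several sightings of the same BSSID rather than the first or the average, since the strongest reading is the one taken closest to the access point.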
Sep 05, 2009
How I cross-site scripted Twitter in 15 minutes, and why you shouldn’t store important data on 37signals’ applications
“Today the Ruby on Rails security team released a patch for a cross-site scripting issue which affected multiple high-profile applications, including Twitter and Basecamp. If you’re concerned about the issue and would like to see the patch, please read the advisory from the Rails security team. In this post, I discuss the overall process of finding the issue, and the reason why I’d suggest that no important information be stored on the 37signals applications (Basecamp, Highrise, Backpack, and Campfire).
After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: “I wonder if there are any web applications which have Unicode handling problems that might be security issues?”
My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?”
- Brian Mastenbrook
Source: Brian Mastenbrook