Sep 24 2010

wifite – Mass Wifi WEP / WPA Cracker

wifiteTo attack multiple WEP and WPA encrypted networks at the same time. this tool is customizable to be automated with only a few arguments. wifite can be trusted to run without supervision.

Features :

  • sorts targets by power (in dB); cracks closest access points first
  • automatically deauths clients of hidden networks to decloak SSIDs
  • numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  • customizable settings (timeouts, packets/sec, channel, change mac address, ignore fake-auth, etc)
  • all WPA handshakes are backed up to wifite.py's current directory
  • smart WPA deauthentication — cycles between all clients and broadcast deauths
  • stop any attack with Ctrl+C — options: continue, move onto next target, skip to cracking, or exit
  • switching WEP attack methods does not reset IVs
  • intel 4965 chipset fake-authentication support; uses wpa_supplicant workaround
  • SKA support (untested)
  • displays session summary at exit; shows any cracked keys
  • all passwords saved to log.txt
  • built-in updater: ./wifite.py -upgrade

Requirements:

  • linux operating system (confirmed working on Ubuntu 8.10 (BT4R1), Ubuntu 10.04.1)
  • tested working with python 2.4.5 and python 2.5.2; might be compatible with other versions,
  • wireless drivers patched for monitor mode and injection: backtrack4 has many pre-patched drivers,
  • aircrack-ng (v1.1) suite: available via apt: apt-get install aircrack-ng
  • xterm, python-tk module: required for GUI, available via apt: apt-get install python-tk
  • macchanger: also available via apt: apt-get install macchanger
  • pyrit: not required, optionally strips wpa handshake from .cap files

Download : wifite.py

More Info : wifite – Project Hosting on Google Code

Sep 13 2010

Security firm warns of commercial, on-demand DDoS botnet

IMDDOS, which is mainly based in China, has grown to become one of the largest active botnets.

The security firm Damballa is warning of a large and fast growing botnet created specifically to deliver distributed denial of service (DDoS) attacks on demand for anyone willing to pay for the service.

The IMDDOS botnet is operated out of China and has been growing at the rate of about 10,000 infected machines every day for the past several months, to become one the largest active botnets currently, Damballa says.

Gunter Ollman, vice president of research at Damballa, said that what makes IMDDOS significant is its openly commercial nature. The botnet’s operators have set up a public Web site potential attackers can use to subscribe for the DDoS service, and to launch attacks against targets.

The site offers various subscription plans and attack options, and provides tips on how the service can be used to launch effective DDoS attacks. It even provides customers with contact information for support and customer service.

Anyone with knowledge of Chinese can essentially subscribe to the service and use it to initiate DDoS attacks against targets of their choice, anywhere around the globe and with next to no effort, Ollman said.

Paid subscribers are provided with a unique alias and a secure access application which they download on to their systems. Users wishing to launch an attack use the application to log into a secure area on the Web site where they can list the hosts and servers they want to attack and submit their request.

The command and control-server behind the botent receives the target list and instructs the infected host machines, or botnet agents, to start launching DDoS attacks against the target site. “Depending on your level of subscription you will be provided a commensurate number of DDoS agents to use” in launching at attack, he said.

A vast majority of the infected machines that are part of the IMDDOS botnet are based on China, however, a significant number of infected machines in the U.S are part of it as well, Ollman said. Law enforcement authorities in the U.S. have been notified of the problem, he added.

The IMDDOS botnet provides another example of what many analysts say is the open and easy availability of sophisticated malware tools and services in China these days.

Source: ComputerWorld

Sep 10 2010

Email Worm Spreading Like Wildfire – W32.Imsolk.B@mm

A fast-moving email worm that began spreading on Thursday has been able to affect hundreds of thousands of computers worldwide, anti-virus provider Symantec warned.

The email arrives with the subject “Here you have.” An executable screensaver that’s disguised as a PDF document then tries to send the same message to everyone listed in the recipient’s address book. The .scr file is a variation of the W32.Imsolk.A@mm worm Symantec discovered last month.

In addition to spreading through email, it can propagate through mapped drives, autorun and instant messenger. It also has the ability to disable various security programs.

The worm is a throwback to attacks not seen in almost a decade, when the Anna Kournikova and I Love You attacks wreaked havoc on email systems worldwide. The Here You Go worm appears to different in that the malicious payload is downloaded from a page on members.multimania.com, rather than being attached to the email. That could make efforts to eradicate the worm easier.

Then again, McAfee said multiple variants of the worm appear to be spreading, so it’s not yet clear that the malicious screensaver is hosted by a single source.

Source: The Register
More Info: New Round of Email Worm, “Here you have”

Sep 01 2010

Google Code Discovered Serving Malware

Last year, there was discussion of Google Code, a site which allows developers to host their projects, being used to spread malware. zScaler research found yet another case where Google Code is being used to spread malware. According to Google Code site,

“Project Hosting on Google Code provides a free collaborative development environment for open source projects. Each project comes with its own member controls, Subversion/Mercurial repository, issue tracker, wiki pages, and downloads section. Our project hosting service is simple, fast, reliable, and scalable, so that you can focus on your own open source development”.

The malicious project in question has about 50+ executable stored in the download section of the project.

Most of the files are executable files along with zipped “.rar” files. The time stamps show that the files have been uploaded over the course of the last month. This suggests that an attacker is actively using this free service to spread malware. Virustotal results for the first file, show that only 8 antivirus vendors out of 43 flagged the file as malicious. The detection ratio for second file is slightly better than that of the first file.

Analysis of all files shows that they are all malicious threats including Trojans horses, backdoors, password stealing Keyloggers for online games such as “World of Warcraft” etc. Analysis of the file resources from ThreatExpert report indicates the possible country of origin is China. Interestingly, Google Code FAQ page says they will take down the whole project if they find malware being hosted on the project.

UPDATE: 2 September 2010
Google has immediately taken down the project and URL to that project is no longer accessible.
Source: zScaler Research