Jan 29 2011

Nmap 5.50 Released with Gopher protocol support

Nmap 5.50
A primary focus of this release is the Nmap Scripting Engine, which has allowed Nmap to expand up the protocol stack and take network discovery to the next level. Nmap can now query all sorts of
application protocols, including web servers, databases, DNS servers, FTP, and now even Gopher servers! Remember those? These capabilities are in self-contained libraries and scripts to avoid bloating Nmap’s core engine.

This release isn’t just about NSE. The Nping packet probing and analysis tool (http://nmap.org/nping/) is also added in 5.35DC1. Version 5.50 improves Nping further with an innovative new echo mode (http://bit.ly/nping-echo).

Also added 636 OS fingerprints and 1,037 version detection signatures to Nmap since 5.21, bringing the totals to 2,982 and 7,319, respectively. No other tool comes close.

Download: nmap-5.50-setup.exe

Jan 24 2011

Mausezahn – fast traffic generator

Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet. It is mainly used to test VoIP or multicast networks but also for security audits to check whether your systems are hardened enough for specific attacks.

Mausezahn can be used for example:

  • As traffic generator (e. g. to stress multicast networks)
  • To precisely measure jitter (delay variations) between two hosts (e. g. for VoIP-SLA verification)
  • As didactical tool during a datacom lecture or for lab exercises
  • For penetration testing of firewalls and IDS
  • For DoS attacks on networks (for audit purposes of course)
  • To find bugs in network software or appliances
  • For reconnaissance attacks using ping sweeps and port scans
  • To test network behaviour under strange circumstances (stress test, malformed packets, …)

…and more. Mausezahn is basically a versatile packet creation tool on the command line with a simple syntax and context help. It could also be used within (bash-) scripts to perform combination of tests.

Currently Mausezahn is only available for Linux platforms.

As of version 0.38, Mausezahn supports the following protocols:

  • ARP
  • BPDU or PVST
  • CDP
  • LLDP
  • IP
  • IGMP
  • UDP
  • TCP (stateless)
  • ICMP (partly)
  • DNS
  • RTP optionally RX-mode for jitter measurements
  • Syslog

Download: mz-0.40.tar.gz

Jan 20 2011

First DOS-based malware celebrates silver jubilee

The first virus capable of infecting DOS-based PCs celebrates its silver jubilee this month.

The Brain Virus, written by Pakistani brothers Basit and Amjad Alvi, was relatively harmless. The Alvis claimed the malware was there as a copyright protection measure to protect their medical software from piracy, an article by CIO magazine on the anniversary recalls.

Brain replaced the boot sector of an infected floppy disk with malicious code, moving the real boot sector to another part of the disc. The malware had the effect of slowing down disk access and, more rarely, making some disks unusable.

Any other floppies used on a machine while the virus was in memory would get infected, but the malware did not copy itself to hard disk drives, as explained in a write-up here.

The Lahore-based Alvi brothers were fairly upfront about their questionable actions, going as far as embedding their names and business address in the malware code. Although intended only to target copyright violators, the malware infected machines in the US and UK among other places.

It’s hard to believe now, but the very few computer viruses prior to Brain infected early Apple or Unix machines.

It is highly unlikely any of today’s generation of VXers would do the same. Instead of curios such as the Brain virus, security threats these days take the more ominous form of Zombie botnet clients.

The Alvi brothers could never have imagined we’d get here, even though they arguably helped pave a small part of the way towards a world of Windows malware.

Jan 12 2011

Excess2 – Webmail XSS Tester

Here is a script to automate testing of webmail systems for cross-site scripting. It uses XSS Cheat Sheet to generate the injection strings. Compared to the previous version this version downloads XSS cheat sheet on the fly (instead of having it hard-coded) and supports SMTP authentication.

Name:
excess2 – A script for testing webmail systems for cross-site scripting problems.

Description:
This script sends a number of HTML-formatted email messages to a specified email address. In order to test a webmail system you need to have an email account on the system, run this script to send messages to that account, and then view the received messages through the webmail interface. If you get a popup box saying “XSS!” it means that your webmail system failed to block the attack.

Try viewing the messages in several different browsers, including Internet Explorer and Mozilla Firefox. Some attacks work in one browser, but don’t work in another.

The script downloads RSnake’s XSS Cheat sheet from http://ha.ckers.org/xssAttacks.xml. This way we always have the latest and greatest XSS attacks. Thanks, RSnake.

Options:
-t you@webmail.example.com The destination email address
-f return-address@example.com From email address. Replies and
rejects will go to that address.
-s mymailserver.example.com SMTP server to use for sending
messages.
-u SMTP server username (if it requires authentication)
-p SMTP server password (if it requires authentication)

Download: Excess2

Jan 09 2011

Facebook virus spreads via photo album chat messages

A new social networking worm in the vein of Koobface is currently doing the rounds.

Unlike the majority of Facebook scams, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users.

The link in his Facebook chat from a friend pointed to an app.facebook.com/CENSORED link. Typically when you go to a Facebook app page it prompts you to add the application and grant it permission to post on your behalf or read your profile data. The scary part about this one is that it immediately prompts you to download a “FacebookPhotos#####.exe” file with no prompting or clicking required.

Facebook Photo Virus

The screen reads “Photo has been moved. This photo has been moved to other location. To view this photo click View Photo.” If your computer has not already downloaded the malware, the “View Photo” button will download the virus for you.

It is really unfortunate that Facebook scams are moving back towards spreading malware. Fortunately, users of Sophos Anti-Virus had proactive protection from this threat with both our HIPS and suspicious file detection technologies; this particular strain is now identified by Sophos as W32/Palevo-BB.

The good news is that, Facebook removed the malicious application from its service. But there are probably many more applications like this one making the rounds, so, as always, beware of unusual messages from friends whether they are in email, on their walls, or in an instant message.