Nov 30 2012

HoneyDrive – Honeypots In A Box

HoneyDrive is a virtual appliance (OVA) with Xubuntu Desktop 12.04 32-bit edition installed. It contains various honeypot software packages such as Kippo SSH honeypot, Dionaea malware honeypot, Honeyd low-interaction honeypot and more. Additionally it includes useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, and much more. Lastly, many other helpful security, forensics and malware related tools are also present in the distribution.

Features:

  • Virtual appliance based on Xubuntu 12.04 Desktop
  • Distributed as a single OVA file, ready to be imported
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin
  • Kippo SSH Honeypot, plus Kippo-Graph, Kippo2MySQL and other helpful scripts
  • Dionaea malware honeypot, plus phpLiteAdmin and other helpful scripts
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator, INetSim and SimH
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, ClamAV, ettercap, Automater, UPX, pdftk, Flasm, pdf-parser, Pyew, dex2jar and more
  • Firefox plugins pre-installed, plus extra helpful software such as GParted, Terminator, VYM, Xpdf and more

Download: Honeydrive_0.1_Santa_edition.ova

Installation: After downloading the file, you simply have to import the virtual appliance to your virtual machine manager/hypervisor (suggested software: Oracle VM VirtualBox).

More Info: HoneyDrive – BruteForce Lab’s Blog

Nov 28 2012

Yahoo Account Exploit Selling on Black Market

Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users.

Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Demonstrating an apparent flair for marketing, the hacker, under the alias “TheHell”, also posted a video on YouTube, providing a demo for potential customers. He claims it works with all browsers and does not require a bypass of XSS filters in either Chrome or Internet Explorer. He also says the exploit will be sold only to trusted individuals who are not likely to turn it over to Yahoo, which would undoubtedly develop a patch that will foil the attack.

“TheHell” claims that his exploit attacks a “stored” XSS flaw. This type of attack injects code that remains permanently stored on the targeted servers until it is found and deleted. The malicious code is then passed to the victim’s machine when that particular server is accessed for a legitimate download.

A standard phishing attempt is used to access the user’s cookies, from which the attacker can access the person’s email, or take full control of the account.

As of Tuesday morning, Yahoo was in the process of trying to identify the infected URL. Once the identification is successful, the malicious portion of code will be deleted.
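
The stored-XSS cookie theft described above depends on two server-side gaps: stored content written into a page without output encoding, and a session cookie that script is allowed to read. The following is an added example, not code from Yahoo or from the original post; the function names, the stored message and the cookie values are constructed for illustration.

```javascript
// Added example: all names and sample data below are constructed.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: stored fields are concatenated into the page as markup,
// so any tag saved in the message is parsed by every reader's browser.
function renderMessageUnsafe(msg) {
  return '<div class="msg"><h2>' + msg.subject + '</h2><p>' + msg.body + '</p></div>';
}

// Hardened form: every stored field is encoded before it reaches the page.
function renderMessageSafe(msg) {
  return '<div class="msg"><h2>' + escapeHtml(msg.subject) + '</h2><p>' +
         escapeHtml(msg.body) + '</p></div>';
}

// Session cookie with defensive attributes: HttpOnly hides it from
// document.cookie, Secure limits it to HTTPS, SameSite limits cross-site use.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Audit a Set-Cookie header value and list the protective flags it lacks.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1)
    .map((a) => a.trim().toLowerCase().split('=')[0]);
  return ['httponly', 'secure', 'samesite'].filter((flag) => !attrs.includes(flag));
}

// Constructed sample input: a stored message carrying markup, and a weak cookie.
const storedMessage = { subject: 'Hello', body: '<script>alert(1)</script>' };
const weakCookie = 'SID=abc123; Path=/';

console.log(renderMessageUnsafe(storedMessage)); // script tag survives as markup
console.log(renderMessageSafe(storedMessage));   // script tag rendered as text
console.log(missingCookieFlags(weakCookie));     // flags the weak cookie lacks
console.log(missingCookieFlags(sessionCookie('SID', 'abc123')));
```

HttpOnly only keeps script from reading the cookie; injected script can still act inside the victim's session, so output encoding remains the primary fix.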