EFFECTS OF MONDAY MALWARE EXPLAINED.

Hey guys this is yash aka yinsain here,if you are reading this then you are surely not infected with it. I was getting a bit curious about all this news i was getting from my friend about a new malware hitting the web, well as i looked into it, it looks nothing new, just the old skool technique to redirect victims to a malicious server for there own good.

Methods are still the same but the techniques to achieve that has really evolved from years till now. As this name is a bit eye catchy you might be interested but do you really know what it is and what will it do.

Lets start with the name, Monday malware was given to it because it will knock you off the internet on monday that is today 9/7/2012 as most of the agencies are saying.

Well its actual name is still not defined but people have given its so many names, and some are from gov agencies also to classify it.

Other name is 'Alureon/DNS Changer bot'.

So lets dig into its working, as i dont hold a working executable or its source code. So i will be demonstrating the effect of this malware in a controlled enviroment via some network tools.

To understand the basic working of this malware you should be aware of some of the working principles of internet. The one we are focusing on in this blog post is DNS. For a basic explanation, this is the service which manages the juggling of ip addresses and the host names, wrong info of ipaddress will lead you to a wrong page, that is what that malware do but in a stealthy manner, most probably redirecting the victim to thr own server for malicious purposes. for further details you can read this.


Here i am using a virtual machine to depict a victim and using a linux(ubuntu) host machine to create an infected scenario.
Tools :: dsniff-suite, Virtualbox.


Setup ::

Getting the softwares,
------------------------------------------------------------------------------------------------------------------------------------

apt-get install dsniff

for virtualbox

either download a installer file for your o.s. or follow the linux way.

-------------------------------------------------------------------------------------------------------------------------------------



This suite consists of many great tools, the ones we will be using are

>> arpspoof
>> dnsspoof

NOTE :: arpspoof requires packet forwarding on the host system.


So first we need to enable packet forwarding on your linux host.



-------------------------------------------------------------------------------------------------------------------------------------

# echo 1 > /proc/sys/net/ipv4/ip_forward

please note you will require root priviledges to do this.
-------------------------------------------------------------------------------------------------------------------------------------

And now for the dnsspoof, this tool reads out the domains from a file which we can provide.


edit it the way you feel, just maintain the structure it recognizes.


here is mine.

so we are ready..

i have just added three entries for the common sites that people open.
>> paypal
>> facebook
>> google

So the setup for the tool is ready,

 Now you need a victim, here in our example we are using a virtual victim
so you can google it to get a detailed instruction to get a virtual machine all set with o.s. of your choice for this.

Our victim here is windows xp user.

NOTE :: THIS DEMO WORKS ON ALL THE O.Ss INCLUDING WINDOWS, MAC OS AND LINUX. BUT THE REAL MALWARE WAS REPORTED TO JUST WORK ON WINDOWS  AND MAC OS TILL NOW. LINUX STILL SURVIVES HUH.


So lest fire up our virtual machine.

lets open up our websites....

as you can see, all the three seems to opening fine..

and even the dns_cache is fine.

So lets start the attack to create an infected scenario....


I will try to keep it least complicated so open up three different instances of terminal.

and issue these commands.

-------------------------------------------------------------------------------------------------------------------------------------

I terminal

# arpspoof -i eth0 -t 192.168.1.16 192.168.1.14
                                 victim ^          gateway^

II terminal

# arpspoof -i eth0 -t 192.168.1.14 192.168.1.16
                                            gateway^       victim^

-i [ interface name ]
-t specify targets

and start them


III terminal

#dnsspoof -i eth0 -f int.txt  host 192.168.1.16 and udp port 53
                                ^file with host names we created earlier

-------------------------------------------------------------------------------------------------------------------------------------

so this is how it may look

So lets open up a browser on the victim machine,,

here i am opening facebook..

As you can see the url was valid, but due to the infected victim machine,
 request got redirected to the host mentioned in the spoof file for dnsspoof.

Be careful while logging in any of your accounts or buying any stuff online, if you are infected you may endup in a bad situation.

This is how a dns spoofing can occur, this is extremely dangerous for day to day users, as they may get redirected to fake pages and innocently give up their login credentials without any suspicion.

PREVENTIVE MEASURES::

>> do get your system cleaned by a valid tool like avira dnschanger bot remover if your windows or mac is infected.

>> contact your isp to get a valid list of dns servers' ipaddresses which are owned by the isps.

Again thanks for reading.
plz leave comments or message me for any query.

How safe is your Android device

Hi guys this is yash aka yinsain again with a duly awaited post.

THIS IS FOR EDUCATIONAL PURPOSES, I STAND NO INVOLVEMENT IN WHAT YOU DO WITH THE INFORMATION PROVIDED.

Nowdays most of the people around us are in favour of using an android device in the name of a smartphone well after all its a smart choice too.

First thing that people think of while using a smart phone is staying online and updated.
But how safe is it, people are scribbling down their credentials on this tiny device to stay in contact but till date nothing has changed, every app or even a system requires a lookup file to authenticate whether the true user is thr or not.

passwords still are the strongest and the weakest security link in whole infosec thing.

Whenever even a kid even hears about hacking first thing that comes to his/her heart is password of an email-id, well here i will show you how to get in one without using a password.

So we will focus our this post on the same and then we will blend into other security aspects of what can be risky and what cant.

Two possible scenarios are there
--> either you have a brand new phone or a phone that you use as a casual guy nothing hardcore or test-head and by mistake you install a malicious apk that roots your phone for gainig priviledges, this is how most of these things are working.
the infamous GINGERBREAK exploit that created a chaos because of it being used in other malicious apk.

--> or you might be having a rooted phone like me, that you rooted down for your experiments,,

but how aware are you, of all possible dangerous factors.

So lets start with a rooted phone because in both of the cases above end point is this only.

I will be using my real phone only, no emulator to show this, so in this post,
my details will be visible.

Lets plug this phone in debugging mode and spawn the shell.

 layout is pretty standard.

now lets move towards the attractive folder data and again in data inside the previous one.

now issue ls command it will show you a long list of installed apk's data folders.

now we can easily navigate to our folder of our desired app.

Our grapes reside inside the  com.google.android.gm folder so go into that and then into databases again issue ls command.

As you can see my email id is thr in a folder name.

but the useful db file is downloads.db for android 2.1 and for my specific cyanogemod7rc2 its mailstore.ydeep18@gmail.com.db, we will copy that out to sdcard for further inspection.

cp  mailstore.ydeep18@gmail.com.db /sdcard

as this phone is rooted so acces denied problem will be there just like it wont cause a problem for any attacker who has gained root shell on your device.

now we have our db file, now how to open it, well i did this while is was in kota in a hostel so i had no pc around me for an year, so i downloaded an app on my phone only to perform this.
APP :: aSQLiteManager


Lets start first with the phone
so open up your aSQLiteManager

open db file, the mailstore one.

 select whichever you wanna view, but i kno the juicy one is messages. so lets open that

and with all your guts click on data to kno thr truth....

and there it is all your synchronised email, now say who needs a password.
and continously scrolling sideways

'

As you can see, how lethal this can be.

PREVENTIONS
:: please check permissions needed by your application before installing
:: never leave your unattented. This works 90% of the time.

I will soon post other stuff for android forensics

THanks for reading
B-)

Argument passing to main() function explained

I have seen many people put up videos tutoring about c programming and stuff,
but most of those videos lack some of the major concepts important for practical
programming.
So i thought why not cover this topic too, this is also an outcome of requests from friends, having problems in same topic.

A prior knowledge of string constants, argument passing, pointers, pointers to pointers is necessary in any programming language, helps you to get eased up for it, if you know c then its even better,

lest start with a simple code that is so popular that even a non programmer who ever wanted to learn programming but lost interest must have also seen before throwing the book, yeah u got me right its the oldskool HELLO WORLD eg

+--------------------------------------------------------------------------------------------------------------------------------+

#include <stdio.h>

main(){

printf("hello world");
}

+---------------------------------------------------------------------------------------------------------------------------------+

when you compile this code snippet, you get the usual hello world output on screen, but this is constraining our will to program the way we want, in this example hello world string will get hard coded into the executable generated after compiling.

One question arises commonly, why cant it be dynamic??
ans is simple, it can be made dynamic, creators of c were not so foolish to leave such a thing. This can be achieved with parameter passing just like any other function, but the only difference between this type of argument passing is that arguments are passed from the enviroment of your os not inside your program.

With a slight modification in the code above you can achieve it,

+--------------------------------------------------------------------------------------------------------------------------------+

#include <stdio.h>

main(int argc, char *argv[])
// sometimes also seen as main(int argc, char **argv)
{

printf("%s",argv[1]);
}

+--------------------------------------------------------------------------------------------------------------------------------+

now the explanation bit,

structure of your main has changed to

main(INT, CHAR POINTER TO STRING POINTERS)
{ 
   }


lets start with the first argument

argc --> its an integer data type,
        --> keeps the count of total arguments

in a standalone program with no parameters, vaue of argc is always 1,
this facility can be used for error checking
IF (parameters less than 2)
PRINT plz check the usage or plz pass correct number of arguments.

this variable increments with your no of parameters you pass.

lets say your compiled program is helloworld.

so on a linux box

$./helloworld hello this is a parameter passing example

or a windows machine

>helloworld.exe hello this is a parameter passing example

value of argc will increment this way

+-----------------------------------------------------------------------
| execution| helloworld| this| is | a | parameter
|----------------+------------------------------------------------------
| argc         |          1      |  2   | 3  | 4      5
+-----------------------------------------------------------------------

and goes on.

now lets get onto next parameter,

char *argv[] or **argv


--> this is a pointer to an array of pointer

this is the portion where it gets confusing for some people, but i will start from the base and we can build our way up,

so the concept of an array

what is an array??

it is a contiguous block of memory which can be used to store data in a rightly order.
main points about it.

--> array name is a pointer itself,
basically it points to the first memory block of the array.

so this code is also fairly legal,

-------------------------------------------------------------------
int *p , egarray[2];
 p = egarray;
//then
printf() for egarray[0] and *p will output the
same value.
----------------------------------------------------------------------

 arrays can be created for all possible datatypes depending on your needs, int ,char n struct arrays are common in and same is with array of pointers.

think of it as a registers which stores the starting point of another array

pointer to pointer can be explained like this,

array ar;
                      ar0 | p1| -->q1
                      ar1 | p2| -->q2
                      ar2 | p3| -->q3
                      ar3 | p4| -->q4
                      ar4 | p5| -->q5

and these q pointers can be anything,,
but in this case we are talking about parameter passing which generally is in form of a statement/string.

so these q are all themselves  in  a form of

q="your parameter for the no. respectively";

so i hope this clears out the two parameters of main()

i have also uploaded a video to show you a jist of it, for gaining practical
confidence,, here.

there is one more minute query left which people get stuck with it, dont worry i will cover that too,

why is thr no " " in system() while using argv[]????

simple, these functions also take input as a string constant, which argv[] supplies to them as a pointer leading to it.

thanks for reading,
i hope this clears out some clouds for you.
B-)