EDITORIAL
Hello Hakers,
Hope you all are doing great! This time we came with lot of interesting topics. This month’s issue features the hot news in India. The famous Bit torrent websites ThePirateBay,KickAssTorrents and Pastebin, Viemo are blocked. However these websites retrieved after few hours of blackout, still some of the private ISPs in India are blocking some of these websites. We have added a new chapter to this magazine named “HAKER BYTES!” which features trendy one line news of the month. Enjoy this month’s issue. - Gowtham
FYI: For the past three months we had encountered some problems with publishing the magazine, due to the problems we could not publish the March, April and May month issue and we are apologize for the delay. We are happy to present the current [June-2012] issue!
2 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
CONTENTS
What is inside ?! Haker Events [ 04 ]
Mastermind of Bredolab gets jail time ! [ 06 ]
Network Vulnerability HITBSECCON 2012, Scanning with Nmap Amsterdam [ 08 ] [ 12 ] Flamer to Heat-up the Impact of the Middle East DNSChanger [ 16 ] [ 26 ] Time for Anonymous?* [ 30 ]
Facebook Timeline Removal Scam [ 38 ]
Goole Docs - As Phishing Weapon [ 42 ]
PureView 808 & Galaxy SIII [ 46 ]
Geek Jokes [ 48 ]
Haker Bytes ! [ 50 ]
3 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
[*Cover Story]
HAKER EVENTS BSides Detroit When: 1 June -3 June, 2012 Where: Detroit, Michigan USA Website: http://www.securitybsides.com/
EVENTS OF THE MONTH
Techno Security Conference 2012
Recon 2012
When: 3 June - 7 June, 2012
When: 14 June - 17 June, 2012
Where: Myrtle Beach, SC USA
Where: Montreal, Canada
Website: http://www.techsec.com/
Website: http://recon.cx/
IFIP International Information Security and Privacy Conference
24th Annual FIRST Conference 2012
When: 4 June-6 June, 2012 Where: Heraklion, Greece Website: http://www.sec2012.org/
When: 17 June - 22 June, 2012 Where: Malta Website: http://conference.first.org/
SummerCon
SANS WhatWorks in Forensics and Incident Response Summit
When: 8 Jun - 11 Jun, 2012
When: 20 June - 28 June, 2012
Where: Brooklyn, NY USA
Where: Austin, Texas USA
Website: http://www.summercon.org/
Website: https://www.sans.org/
World Congress on Internet Security 2012
Hackademic
When: 10 June-12 June 2012
When: 29 June - 2 July, 2012
Where: University of Guelph, Ontario, Canada
Where: Newark, Delaware USA
Website: http://www.worldcis.org/
Website: http://hackademic.info/
TRUST 2012
SANSFIRE 2012
When: 13 June-15 June 2012
When: 6 July - 15 July, 2012
Where: Vienna University of Technology, Austria
Where: Washington, DC
Website: http://www.trust.sba-research.org/
Website: http://www.sans.org/
4 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
OWASP AppSec Research 2012
BlackHat Las Vegas
When: 10 July-13 July 2012
When: 21 July - 26 July,2012
Where: University of Athens, Greece
Where:Las Vegas, USA
Website: http://www.appsecresearch.org/
Website: http://blackhat.com/
Symposium On Usable Privacy and Security 2012
SECRYPT 2012
When: 11 July - 14 July, 2012
When: 24 July-27 July 2012
Where: Washington, DC USA
Where: Rome, Italy
Website: http://cups.cs.cmu.edu/soups/
Website: http://secrypt.icete.org/
HOPE
DEFCON 20
When: 13 July - 16 July, 2012
When: 26 July - 29 July, 2012
Where:New York, NY USA
Where: Las Vegas, NV
Website: http://hope.net/
Website: http://www.defcon.org/
OSCON 2012
THE HACKER CONFERENCE 2012
When: 16 July - 20 July, 2012
When: 29 July, 2012
Where: Portland, Oregon
Where: New Delhi, India.
Website: http://www.oscon.com/
Website: http://www.thehackersconference.com/
Data Protection & Privacy Compliance When: 17 July-19 July 2012 Where: Arlington, VA, USA Website: http://www.marcusevansch.com/
LASER 2012 When: 18 July - 20 July, 2012 Where:Arlington, VA USA Website: http://www.cert.org/laser-workshop/
. WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 5
HAKER NEWS
Mastermind behind BredoLab Botnet gets Jail Time ! Hijacked the PCs of more than 30 million people
The BredoLab Botnet, also known by its alias Oficla, was a Russian-founded botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of 143 command and control servers, it was estimated to consist of around 30 million zombie computers. Georg Avanesov, who was in command of the botnet, Bredolab, controlling some 30 million computers worldwide, has been sentenced to four years jail in Armenia. According to prosecutors, Georg Avanesov was earning 100,000 Euros (£80,000 or $125,000) a month from his Bredolab botnet business, renting out access to the compromised computers to criminals who wanted to send out spam, and spread malware and fake anti-virus attacks, At its peak, it is estimated that Avanesov’s botnet was spewing out more than 3 billion infected emails every day. Often, attacks 6 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
designed to recruit new computers into the botnet would be spammed out, pretending to come from the likes of Facebook, Skype and Amazon with an attached HTML file, luring users into clicking and being ultimately infected by a compromised thirdparty website. “It’s easy to see how such a large network of infected PCs was created, as people clicked on seemingly legitimate attachments and websites, oblivious to the infection that would go on to take control of their PC, and in some cases steal passwords and usernames,” said Graham Cluley, Senior Technology Consultant at Sophos. Legitimate websites were hacked to spread the malicious payloads that infected and recruited visiting computers into the botnet, and further malware would be installed which stole usernames and passwords to FTP accounts.
(There’s an important lesson for website administrators to learn here. Don’t tell your FTP software to remember your passwords, because if they are not held securely they could be scooped up by malware). This would inevitably result in even more websites becoming infected, and the botnet multiplying in size. Bredolab began operating in 2009 and Mr Avanesov used a variety of techniques, including automated attacks and phishing messages, to expand it. A network of hijacked machines run in this way is known as a botnet and they have become the staple of many hi-tech criminals. The criminal income allowed the hacker to live a pretty lavish lifestyle by all reports, as he jetted off to the Seychelles with his attractive girlfriend and fancied himself as a DJ. Avanesov was arrested in October 2010 at Zvartnots airport in Yerevan, Armenia; a day after the Dutch High Tech Crime Unit disrupted the Bredolab botnet and seized 143 servers that were used to control it. The Bredolab botnet was primarily used to send spam emails and launch DDoS attacks. The Dutch authorities estimated that over 30 million computers had been infected with the malware.
One of the key features of the Bredolab botnet was the closely repeating cycle the botnet used to build up its zombie networks, in which infected computers subsequently infected websites, which in turn infected new victim computers. Lawyers defending Avanesov were quoted as claiming that their client “did not intend to deliberately harm anyone” with his activities, but clearly that argument didn’t find much support at the district court in Yerevan which sentenced him to four years in jail for “computer sabotage”. The judgment is something of a historic event in Armenia - as it is the first such computer crime-related sentence to be handed out in the country.
.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 7
HAKER LAB
NETWORK VULNERABILITY SCANNING BASIC PORTS SCAN USING NMAP
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/ firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Port States NMAP will categorize ports as being in one of the following states: Open – The port is accepting TCP connections and UDP packets. This means that an application is running that is using this port. Closed – The port responds to NMAP probe requests but no application is using this port. 8 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
Filtered – The port state cannot be determined because packet filters prevent NMAP probes from reaching the port. Unfiltered – The port is accessible but NMAP cannot determine if it is open or closed Open | Filtered – NMAP cannot determine if the port is open or filtered Closed | Filtered – NMAP cannot determine if the port is closed or filtered Download and install Nmap from official website: http://nmap.org/download.html First, we’ll sweep the network with a simple Ping scan to determine which hosts are online. To scan the entire domain use: nmap 192.168.96.* [or] nmap 192.168.96.1/24
Caution: When it comes to running port-scans you should be careful to run them only against hosts you control. Many people consider a port-scan an active attack scan, and as such a malicious act. Whilst a port scan itself isn’t terribly dangerous, in general, some of the “aggressive” scanning modes can cause unpleasant side effects.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 9
HAKER LAB Basic usage of nmap is simple; simply invoke it with a hostname, or IP address. use: nmap 192.168.96.69
It scans the host and results list of opened ports. More complex examples include identifying the version number of running services with the -sV flag (for software version). As an example of the difference here’s the previous scan repeated with that enabled. use the following command: nmap -sV 192.168.96.69
As you can see this run took significantly longer to finish & you can see the above screenshot which results in Telnet software version Billion or D-Link router. 10 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
There are a lot of different options you can invoke nmap with, and several of them will require the use of root privileges, such as the remote operating system detection. To attempt to identify the remote operating system running as root and add the -O flag. Use nmap -O 192.168.96.69
As an example of Nmap running against the router:
As you see the MAC Address of the router is visible. You can export all the scan results into a file by using the command: nmap 192.168.1.* -oX scanresult.xml
.
To unleash the power of Nmap, you’ll need to read this book “Secrets of Network Cartography” by James Messer.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 11
HAKER LIVE !
HITBSECCONF 2012
Information Security Conference
HITBSecConf is an information security conference featuring deeply technical talks and hands-on lab sessions.HITBSecConf 2012 has introduced a brand new attack and defense Capture the Flag game run as always by the HITB.nl CTF crew. “Capture the Flag Bank0verflow” has also for the very first time combine forces with the OWASP Netherlands team (OWASP.NL). The organizers had added a CommSec village – an area aiming to bring together not only the various Benelux hackerspaces, but also participation from the open source communities (Ubuntu, OWASP, Mozilla, Gentoo etc). Members of TOOOL Netherlands are as always being on hand with their Lock Picking Kung f00. They also arranged a 2 days hand on training featuring various titles. The pictures of the conference are available online at : http://conference.hitb.org/hitbsecconf2012ams/ All the other media files including videos and presented materials are also available for download at the site.
12 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
Ivo Pooters, Senior Digital Forensics InvesLgator, Fox-IT, during his talk “Turning Android Inside Out”.
Itzhak ‘zuk’ Avraham (Founder, zimperium) and Nir Goldshlager (Senior Researcher, zimperium), during their talk “Killing a Bug Bounty Program.
“With great power, comes great responsibility” Vivek Ramachandran in action.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 13
HAKER LIVE !
Attendees were able to learn lock picking under the watchful eye of TOOOL Netherlands.
Capture the Flag.
Audiences watching keenly.
14 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
During a discussion.
Presentations going on.
During the lunch break.
. WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 15
MALWARE
FLAMER TO HEAT-UP THE MIDDLE EAST ! Flamer also known as Skywiper/Flame
Security researchers from the Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted malware attack attacking the country, they warned that it was one of the most sophisticated worms to date, and believe that this time, the worm may be the work of a nation-state rather than hackers. Which has been dubbed Flame (also known as Flamer or Skywiper). In a statement, researchers say that they believe the malware is “a close relation” to Stuxnet, and claim that Flame is not detected by any of 43 anti-virus products it tested against, but that detection was issued to select Iranian organisations and companies at the beginning of May. According to Kaspersky, Flame is capable of stealing “computer display contents, information about targeted systems, stored files, contact data and even audio conversations”. The worm appears to be targeted to specific computers, likely indicating its creators are searching for specific information. Unique to Flame is its usage of Bluetooth. In theory, any Bluetooth-enabled device nearby could also be at risk, as the worm also attempts to collect data via file transfer from those mobile devices. 16 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
“One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently shrivelling infected systems, collecting information and targeting new systems to accomplish its unknown goals”, Kaspersky Lab chief security expert Alexander Gostev says. Flame is quite large in size -- about 20 megabytes. This would make it over 40 times the size of the Stuxnet worm. Given that Flame appears to be targeting Middle Eastern governments, suspicion that this may be the work of hackers connected to the Israeli government is high.
Flame evaded detection for two years as it was successfully able to morph itself by attempting to detect what antivirus software was running. From there, it would hide itself in files that the antivirus software would not expect to be holding malicious code. Firstly, The Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics has published an indepth analysis on the malware, which it has named “Skywiper”. CrySyS’s 63-page PDF report at “http://www.crysys.hu/skywiper/skywiper.pdf” says that it began to analyse the malware earlier this month, and hypothesises that it was “developed by a government or nation state with significant budget and effort, and may be related to cyber warfare activities.” It is worth noticing that CrySyS received information about computers being infected with Skywiper in various countries, not just the Middle East. WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 17
MALWARE In fact, CrySyS noted that it had even received evidence of infections in it home country of Hungary. One aspect of interest in CrySyS’s report is how Skywiper attempts to evade detection by anti-virus products by storing its code in .OCX files (not usually checked by anti-virus products in their default configuration). However, if the malware detects the presence of McAfee’s on-access scanner (McShield) it stores its code in .TMP files instead: Other tricks that Skywiper/Flame might have up its sleeve may take some time to ascertain. It’s code more than twenty times larger than Stuxnet, which means it could take substantial effort to analyse it all. Fortunately, complete code analysis is not necessary to add detection.
The above illustration shows the modules of flamer, *.OCX, *.TMP and *.SYS file contents of the malware.
Screenshot Source: Naked Security.
18 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
The program code inside the malware, that checks for the “ mcshield.exe “ ( McAfee Virus Scan Engine) and changing the file extension from *.ocx to *.tmp. That is the biggest problem here, say experts. Traditional antivirus techniques failed, and Flame is successfully exploiting these holes. The discovery of Flame follows other alleged cyber warfare attacks on Iran, including Stuxnet, Duqu and mysterious Stars virus. Meanwhile, the media has gone crazy about the Flame worm, Sophos Researcher Graham Cluley made a blog post on Flame as follows, The Flame Worm has been called “the most complex threat”, the world’s “most sophisticated cyber weapon”, and we’ve even been told it’s “much bigger than Stuxnet”. But what does that actually mean? Yes, Flame is bigger than Stuxnet. If you’re counting bytes. Flame, with all of its modules and libraries, can come in at close to 20MBytes. That’s about 40 times larger than Stuxnet - which was itself portly by malware standards. So, yes, Flame is much bigger. But that number of bytes wasn’t mean that the malware is complex or more dangerous. After all, as we should always remind ourselves, size doesn’t matter. What matters to most computer users is whether they are likely to become infected by the malware or not, and how many computers it has infected. Screenshot Source: Naked Security.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 19
MALWARE
Kaspersky, which made the biggest media splash regarding Flame, has only discovered a few hundred computers infected by the malware. That’s not that big. Certainly, it’s pretty insignificant when you compare it to the 600,000 Mac computers which were infected by the Flashback malware earlier this year.
20 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
Flashback malware installation screen in Macintosh Computers. In fact, there were said to be 274 Flashback-infected computers in Apple’s home town of Cupertino alone - that’s more infections than there have been found of Flame in *all* of Iran! And let’s not forget other malware outbreaks of past years - Conficker, Sasser, Sobig, and Code Red - all much more significant in terms of number of infections than Flame. Every day, we see approximately 100,000 new pieces of malware and most of them have the ability to steal information (by grabbing keypresses, taking screenshots, stealing your files) just like Flame. Of course, Flame doesn’t really represent much of a threat anymore. Every anti-virus worth its salt now detect it and protect against it. Whoever was behind it will likely be feeling pretty grumpy or working hard on a new version which they hope will be able to skirt past defences. So let’s keep things in perspective. Chances are that your computer is more at threat from some of the many other examples of malware that are in existence out there. Sophos products protect users against the Flame threat, identifying it as W32/Flame-A, says Mr Graham Cluley. However we should have an eye on this new malware to prevent future cyber disasters.
.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 21
MALWARE
FLAME’0PEDIA ! FAQ ABOUT FLAME MALWARE What exactly is the Flame Malware ? Flame is an attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.
What are all the actions of Flame Malware after infection ? Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers. Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
How sophisticated is Flame and how is it different from other malwares Malware ? Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a LUA virtual machine. LUA is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many parts of Flame have high order logic written in LUA (the use of LUA is uncommon in malwares) -- with effective attack subroutines and libraries compiled from C++.The effective LUA code part is rather small compared to the overall code. 22 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
Kaspersky’s estimation of development ‘cost’ in LUA is over 3000 lines of code, which for an average developer should take about a month to create and debug. There are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more. Another surprising element is the Flame package’s large size. The practice of concealment through large amounts of code is one of the specific new features in Flame.
What are the ways it infects computers? Flame can infect computers through USB sticks, Autorun Infector, local networks, printer vulnerabilities etc. Flame appears to have two modules designed for infecting USB sticks, called “Autorun Infector” and “Euphoria”. Kaspersky Labs haven’t seen use of any zero-days till now; however, the worm is known to have infected fully-patched Windows 7 systems through the network, which might indicate the presence of a high-risk zero-day.
How does Flame steal information? Flame appears to be able to record audio via the microphone, if one is present. It stores recorded audio in compressed format, which it does through the use of a public-source library. Recorded data is sent to the C&C through a covert SSL channel, on a regular schedule.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 23
MALWARE The malware has the ability to regularly take screenshots; and interestingly will take screenshots when certain “sensitive” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server -- just like the audio recordings. Another curious feature of Flame is its use of Bluetooth devices. When Bluetooth is available and the corresponding option is turned on in the configuration block, it collects information about discoverable devices near the infected machine. Depending on the configuration, it can also turn the infected machine into a beacon, and make it discoverable via Bluetooth and provide general information about the malware status encoded in the device information.
What type of data and information are the attackers looking for and who gets affected? Kaspersky, from its initial analysis, derives that motive of Flame is to look for any kind of intelligence -- e-mails, documents, messages, discussions inside sensitive locations etc. Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide. The targets are also of a much wider scope, including academia, private companies, specific individuals and so on.
24 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
Does Flame have any similarities with Duqu or Stuxnet? Is the same group the created them behind Flame? Flame has no major similarities with Stuxnet/Duqu. Flame appears to be a project that ran in parallel with Stuxnet/Duqu, and it doesn’t use the Tilded platform unlike Duqu. However the presence of some links can indicate that the creators of Flame had access to technology used in the Stuxnet project -- such as use of the “autorun.inf” infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet. It’s possible that the authors of Flame used public information about the distribution methods of Stuxnet and put it to work in Flame. According to Kaspersky’s research, the operators of Flame artificially support the quantity of infected systems on a certain constant level. This can be compared with a sequential processing of fields -- they infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren’t interesting, leaving the most important ones in place. After which they start a new series of infections.
What Can Flame self-replicate like Stuxnet? The replication part appears to be operator commanded, like Duqu, and also controlled with the bot configuration file. Most infection routines have counters of executed attacks and are limited to a specific number of allowed attacks.
.
The FAQ has been compiled with the help of inputs from Aleks Gostev, Chief Security Expert, Global Research and Expert Analysts Team (GrEAT), Kaspersky Lab. [SOURCE: NetworkWorld.]
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 25
MALWARE
IMPACT OF THE DNSCHANGER TROJAN
HAS GOOGLE SAID YOUR COMPUTER IS INFECTED ?
Google is embarking on an effort to notify Internet users if their computers or home routers are still infected with the DNSChanger Trojan, a piece of sophisticated malware that has compromised an estimated 500,000 systems. The outreach campaign comes a little more than a month ahead of July 9, the date on which the FBI is set to take all computers corrupted with the malware offline. Until November last year, a group of cybercriminals were using a bunch of rogue DNS servers to redirect PCs infected with a family of malware called DNS Changer to webpages and adverts that helped them make money. The FBI seized control of the servers, and made them harmless. But hundreds of thousands of affected computers continue to use them. As we’ve described before, the FBI is going to shut down the servers on July 9th - meaning that those computers, if their owners do nothing about it, could lose access to the internet. The best solution is for those affected to fix the DNS settings on their computers, but a method has to be found to inform those internet users who are impacted. And that’s why Google is joining the awareness campaign 26 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
If your computer is among the affected crop, Google will alert you via special messages that will appear at the top of search results, reading, “Your computer appears to be infected,” Google security engineer Damian Menscher explained in a May 22 blog post. Google’s hope is to directly warn as many as 500,000 affected users within the week, although Menscher admitted, “We realize we won’t reach every affected user.”
A notification from Google about the DNSChanger malware affected computer system. If your computer shows signs of DNSChanger corruption, you will receive, along with the notification, recommendations from Google as to how to purge the malware from your devices. Although Google cannot guarantee its tips will fully excise the Trojan, Menscher said, “If more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it.” The fear surrounding DNSChanger, and the possibility that people would lose their Internet access, began last November, when the FBI’s “Operation Ghost Click” took down an Estonian cybercrime ring that had infected 4 million computers and routers worldwide (and at least 500,000 computers in the U.S.) with the Trojan. DNSChanger (DNS is short for Domain Name System) enabled the crooks to hijack Web traffic and reroute it to compromised sites under their control, a process from which they netted $14 million in fraudulent advertising revenue. Following the November bust, the FBI set up temporary DNS “surrogate” servers to keep the systems infected with the dangerous malware online while they were scrubbed of the malicious software. On March 5, a federal judge granted the government 120 days to keep the proxy servers running; a subsequent order pushed the deadline back to July 9. WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 27
MALWARE
If the Google alert tells you that your computer or router is affected, there are three things you need to do. First, you’ll have to change some technical settings on your computer. Use https://developers.google.com/speed/public-dns/docs/using for instructions on how to do so. That will make sure you still have Internet access when the fateful day comes. The second thing to do will be to update and run strong anti-virus software that will clean up your machine, because these particular malware infections are pretty nasty. You’ll probably have to pay for the software. The third step is to check it again once you’ve done the first two. If you’re still seeing the Google alert, Use DNS Changer Check-Up at http://dns-ok.us/ If that’s red, your router may be infected. Check the manufacturer’s website for a firmware update. At worst, you may have to buy a new router. The resulting numbers are the DNS servers, write them down and compare them to the known malicious DNS settings. 28 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
According to DNSChanger Working Group, if your DNS falls between these ranges, your system is likely affected by the Trojan. Between this IP and this IP 064.028.176.001 – 064.028.191.254 067.210.000.001 – 067.210.015.254 077.067.083.001 – 077.067.083.254 085.255.112.001 – 085.255.127.254 093.188.160.001 – 093.188.167.254 213.109.064.001 – 213.109.079.254 Anti-viruses will detect various variants of the DNS Changer malware under names such as Troj/DNSChan-A. Furthermore, if your computer is one of the ones whose DNS settings have been meddled with - identifying them as CXmal/ DNSCha-A, and help repair the damage. And, if you want to be proactive and see if your computer is one of those which might be affected on July 9th, you can check via the DNS Changer Working Group website (DCWG). The FBI also has a look-up form on its own site. https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
But, sadly and inevitably, in a blog post of Naked Security says that, there is clearly the potential for cybercriminals to mimic the Google warning and direct users to dangerous downloads and scams. The danger is that many people may know what their own anti-virus software looks like when it displays a warning, but may be less familiar with how the Google warning presents itself, and where it links to .
.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 29
COVER STORY
TIME FOR ANONYMOUS ?!
Hacktivist collective Anonymous has turned its attention to India against censorship in high gear on 26 May 2012 when they hacked into the servers of Reliance Communications. The problem it seems Reliance has decided to go up and block The Pirate Bay, Vimeo and Pastebin. Not only did they block these sites, they also managed to put up a large and highly friendly “This site has been blocked as per instructions from the Department of Telecom (DoT)” sign which is rather odd because no other ISP in India has blocked The Pirate Bay – especially the state run Bharat Sanchar Nigam Limited (BSNL). After few days other private ISPs including Zylog Wi5, Airtel also blocked the websites. On May 26th 2012, People who have internet connections provided by the company could not access popular sites, and were diverted to a page with a stronglyworded message from Anonymous. 30 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
They says that “We have proof that Reliance is blocking websites other that specified in court orders. That’s why we targeted Reliance,” Anonymous India told. The group has so far been media-shy, preferring to operate in a shadowy manner, but it seems to have upped the ante following the actions of internet service providers (ISPs). TWITTER MESSAGE FROM @Operation India
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 31
COVER STORY The web sites of the Department of Telecoms, the IT ministry, the BJP and INC parties and the Supreme Court, among others, were all hit in time-honoured Anonymous tradition by DDoS attacks presumably made possible thanks to the group’s preferred weapon: the low orbit ion cannon.
32 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
TWITTER MESSAGE FROM THE ANONYMOUS:
The group first signalled its intent to launch #OpIndia in a YouTube message posted over a week ago, which said the following:
“
We have come to the conclusion that the Indian government has failed. It is time that we all rise and stand against the corrupt government. The Department of Telecommunications has ordered Internet Service Providers to block file-sharing sites in India. We cannot let this happen.
”
Watch the video on YouTube at:
Image Source: YouTube.
http://www.youtube.com/watch?v=52zwjkSVx2k WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 33
REAL TIME TWITTER MESSAGE AFTER DoT TAKEDOWN:.
Image Source: Google.
While some sites, such as those of the two parties and the Supreme Court, appear to be retrieved soon, the Department of Telecoms and the Ministry of IT sites were taken some time to up and run. Also down for ‘maintenance’ was the site of Copyright Labs, the Chennai-based anti-piracy firm which obtained the original John Doe injunction (via ArsTechnica) against sites such as Vimeo, DailyMotion and The Pirate Bay to prevent illegal sharing of local films Dammu and 3.
Image Source: Scribd
34 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
The John Doe order for the blackout can be views at: http://www.scribd.com/doc/93879417/John-Doe-order-to-block-sites Though the order doesn’t contain any specific websites to be blocked, Anonymous has listed the websites to be blocked as per the court order. Check out the list of blocked sites here: http://pastehtml.com/view/bywiha3f9.txt This list includes sites blocked by the government and Reliance. Eventually, some of these sites were unblocked by the ISP soon after the news spread. The group says that the blocks are implemented again. Note: The documents shared in the link may not available after some days, Any legal action by the government or website may delete these docments at any time. Anonymous India also announced that they were organising a protest on June 9, and released a YouTube video urging people to join them.
Image Source: YouTube.
Watch the video at : http://www.youtube.com/watch?v=R0VN7QSg2oE WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 35
COVER STORY A FLYER FROM THE SUPPORTERS OF ANONYMOUS :
36 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
An image from anonymous supporters.
When asked whether they would risk exposing themselves, Anonymous said, “Anonymous is a collective. There are some of us who haven’t broken any laws. You can’t say who among us hackers are. No one here knows the real identity of each other. So even if we protest, we protest as citizens of India. And on top of that we even don’t know what nationality the users here have.” It is one of the kinds, biggest protest against India Government on Internet censorship. As Govt trying to control more and more the Internet, the protest is becoming stronger. “Today they took away your right to use a few websites... day after tomorrow they will take away your freedom of speech and no one will be there to speak for you. Speak Now or Never,” the message read. The hackers said that people should print out or buy Guy Fawkes Masks and wear them while protesting against web censorship in Bangalore, Mangalore, Kochi, Chennai, Vizag, Delhi, Mumbai and Hyderabad on June 9.
Anonymous India first made news last year when they took down National Informatics Centre’s website in order to show support for the anti-corruption protests by Anna Hazare and Baba Ramdev. This is, however, the first time they have issued a press release or interacted with the media. Despite some predicting that the hacktivist group was on its knees after high profile arrests of alleged members last year, it has made something of a comeback of late, launching well publicised attacks on the Kremlin, Virgin Media and even the ICO. In the other hand the internet is open and very difficult to monitor. The internet users already prepared to tackle these problems via a Proxy or a VPN. Sometimes the ISP decides to be rather silly and only remove a DNS entry for these sites from their DNS servers, you can easily get access back to the servers by using a different DNS service, such as Google’s free DNS: 8.8.8.8 or 8.8.4.4. Yet another common way they chose is to use the mirrored sites provided by torrent tracking websites.
.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 37
REAL TIME
FACEBOOK TIMELINE REMOVAL SCAM MALICIOUS BROWSER ADDONS!
Image Source: Google.
Not everyone is a fan of Facebook’s Timeline feature. And that’s a fact of which spammers and scammers are happy to take advantage. Now a days spammers use the “Timeline Removal” topic to attract the users. Take a look at the spam mail shown below,
38 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
If you click on the link you are taken to a website like the one below,
If you take a look at the website, you’ll see that it encourages you to install a Firefox or Chrome add-on to remove the Facebook Timeline from your account.
Should you install it? Well, Think before you do, but hopefully - at the very least - you would check the terms of use first.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 39
REAL TIME
You may get surprised about the line “If you are not living in Turkey don’t use this plugin, this is for only users who living in Turkey”. What you think all this about? I believed that this add-on may be malicious, and targeted to the Turkish users. Malicious programmers use this kind of dirty tricks to target specific users for spam & even try DoS attacks using their system. These malicious add-ons may contain Trojan or adware to make money for the programmer. This also used to violate the privacy of the user. For example the browser history can be easily sent to a remote server using this malware. At the same time sensitive information like your credit card PIN number and others can be collected by these malicious add-ons and they can be easily sent to the malicious programmer without the infected users concern. For example on last year February, Two malicious add-ons disabled by Mozilla. They are Sothink Web Video Downloader which contained Win32.LdPinch.gen, and Master Filer contained the Win32.Bifrose Trojan. Mozilla also said that both the malicious add-ons has been active since 2009 [Source: ZDNet]. So that we need to understand that a malicious add-on may take some time to be detected and removed from the web and source. We should read reviews by other users regarding to the add-on before downloading and installing.
40 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
When we take a deep analysis of these suspicious add-ons, we noticed that it contains some potentially dangerous functions in the JavaScript files. Take a look at the example code below,
This was a piece of code grabbed from a JavaScript file inside a suspicious addon (*.xpi) file. The eval() is used to encode a html or php content, this contents cannot be read by the users, they should be decoded. Even the add-on may not malicious we cannot believe that is legitimate one. So before installing these kinds of suspicious add-ons take some time to think and go further. We have some tips for you as well to avoid malicious add-ons.
. . . .
Do not install add-ons from third party websites without a verifying its trustworthiness. Read the Terms and information and Licence before accepting and installing. Take time to read the reviews about the add-on from others users.
.
Use security add-ons such as WOT in the browser to be notified about the malicious websites before it’s too late.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 41
REAL TIME
GOOGLE DOCS - AS PHISHING WEAPON Scammers use online google forms for phishing
It’s an easy thing for everyone to create a Google account, and use the Google Docs facility to host an online form. Maybe you’d want to use it for sharing public documents with your friends. Collaborative documents with multiple users can also be possible with Google Docs. One of the top reasons we like Google Docs a lot is because it is super easy to setup a web form for quick data collection. In fact, this is the feature we use the most out of the entire suite of services Google Docs has to offer.
42 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
Sure there are a lot of ways to setup a simple data collection form (like surveys etc) but where Google Docs shines is that it actually collects the data in the form of a spread sheet so you can apply any sort of data processing which you please. Setting up a form is very quick and easy. There are many controls available at our disposal, covering a broad range of input options. But if you’re a scammer - you can equally use Google Docs to phish for passwords and sensitive information.
Here is an email that, attempting to trick users into handing over their confidential data.
the email asks the recipient to confirm their email account details or risk having it shut down. As you can see the link points to a page on Google Docs (docs.google. com). That gives the link a false aura of legitimacy. But what the link can’t do is tell you whether the Google account holder is legitimate or up to no good. In this case, as you’ll see if you click on the link, it’s clearly an attempt to phish information from internet users. As the screenshot below shows, the page falsely claims that your email account will be shut down in three days and the only way it claims you can resolve the situation is by entering your username and password. Before you know it, your email account will be compromised. And if that username/ password combination is being used elsewhere on the web or if - as is the case with Google - your details unlock a variety of services, then the security breach is compounded. Here is another example of phishing via Google Docs:
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 43
REAL TIME If you do make the mistake of clicking on the link then you are taken once again to a page hosted on Google Docs (don’t be fooled by the different colour scheme).
Using Google Docs for phishing ‘surveys’ benefits the crooks in several ways. 1.The web hosting for the phishing forms and the fraudulently-collected data is provided, free of charge, by Google. 2.The Google Docs user interface provides a simply and snazzy front end for designing the form. 3.Google Docs can automatically generate emails to prospective victims inviting them to click through to the phishing form. 4.The results are automatically and conveniently collected into a password-protected spreadsheet, which can be retrieved from anywhere. 5.The URL uses HTTPS, which gives it an aura of security. 6.The URL takes you to a google.com domain, which gives it an aura of legitimacy. 44 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
Of course, anyone can create a Google account, create surveys and collect results. So, the security and legitimacy of the https://docs.google.com/ URL is important for legitimate users of Google’s services, but it doesn’t, by itself, vouch for the honesty and integrity of the account holder. Nevertheless, despite the safe-looking URLs, phishes of this sort are easy to spot, and just as easy to avoid. The safety tips explained on Naked Security are listed below: 1. Don’t click on links in emails which could have come from anywhere. If they could have come from anywhere, they probably did. 2. Even if it looks legitimate, never use any URLs, phone numbers or other ‘calls-to-action’ provided in a security-related email. Find your own way to the company’s website or support line. 3. If you’re a native English speaker, take a careful look for grammatical and spelling errors. Scammers often make give-away mistakes. If you find yourself on a form which you suddenly realise is bogus, you can easily report it so Google can take some action.
Naturally, this raises the question, how do you know the Report Abuse link is legitimate? you can check that by the two steps given below, Firstly, if you copy the link and paste it into the address bar yourself, it will link back into Google’s cloud, something like this: https://docs.google.com/spreadsheet/reportabuse?formkey=xxxxx...
.
Secondly, when you report a dodgy link to Google, you won’t be asked to do anything except to categorise it. You won’t be asked for a username, password, email address, or any other personal information. WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 45
TECHNO
NOKIA 808 PUREVIEW THE MOTHER OF MOBILE PHONES
Nokia 808 PureView Released on February 2012. This Mega Mobile nick named as “The Mother of Mobile phones”. As because, It features 41 Mega Pixel (38MP effective) Carl Zeiss optics camera with auto focus and Xenon flash which can take pictures at 7152 x 5368 dimensions and also record videos up to 1080p @30fps. For the sound effect enhancement it has “Dolby Digital Plus” feature. The other features are WiFi, Bluetooth v3.0, Face detection, USB OTG and HDMI Port. Nokia 808 runs ARM11 1.3Gz CPU. It features 1GB ROM,16GB inbuilt memory and Micro SD expansion slot up to 32GB. The possible drawback will be the operating system, that is Nokia Belle FP1 with 512MB RAM. But it will be a good choice for the Digicam lovers who wish to have a 41MP camera inside their compatible smart phone. Price in India: 29,999 - 32,000 Rupees.
.
46 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
SAMSUNG GALAXY SIII THE ULTIMATE ICS MOBILE PHONE
Samsung Galaxy SIII also known as i9300 Released on May 2012. This Ultimate mobile phone supports 4G LTE and also features 8 Mega Pixel auto focus camera with LED flash which can take pictures at 3264x2448 dimensions and also record videos up to 1080p @30fps.This awesome camera can simultaneously record HD video and take HD photos. For the Graphics enhancement it has “Mali-400MP” GPU. The other features are Corning Gorilla Class 2 protection, Bluetooth v4.0, Smile-detection, USB OTG and Micro SIM Support. Samsung Galaxy SIII runs Cortex-A9 1.4Gz Quad core CPU with Exynos 4212 Quad Chipset. It features 16/32/64GB inbuilt memory and Micro SD expansion slot up to 64GB. It is operated by all new Android 4.0.4 ICS. The possible drawback will be the price. This feature rich ultimate mobile will cost you 43,180 Indian Rupees.
.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 47
GEEK JOKES !
48 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
. WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 49
HAKER BYTES !
50 | JUNE | IMHAKER MAGAZINE | WWW.IMHAKER.COM
TOP MALWARE TRENDS
SOURCE: McAfee
SOURCE: Sophos
.
WWW.IMHAKER.COM | IMHAKER MAGAZINE | JUNE | 51
FROM IMHAKER TEAM
INVITING ALL THE READS TO
WRITE FOR IMHAKER! If you think, you can write articles for ImHaker? Don’t hesitate! Act now. Send us your article before 25th of the month; it will be published in the next issue. Just follow the simple rules given below, (*) The article must be “genuine” & limited to 2 to 4 pages. (*) Do not write articles on illegal/cracking/keygen/patch titles. (*) The articles are not limited to any specific topic. (*) Only one article per author will be published. (*) Please send your articles in Ms-word *.doc or *.docx format (include images, if any) to “submit@ imhaker.com“& also include your profile information which to be published along with your article.
WaNt to advertise on ImHaker? Send your probes to “ads@imhaker.com”
Disclaimer The entire information shared in this magazine are strictly for educational purpose & to improve the security defence attitude to prevent hacker attacks. Do not abuse any information provided by ImHaker magazine. If you cause any damage to your own or any others properties directly or indirectly by the information provided, ImHaker Magazine and the authors are not responsible for that. Hacking is a crime, if it is implemented illegally. Secure yourself and help others
.