Sunday, November 19, 2006

Wireless Trifecta.

The Trifecta is now Completed! ;-)


The NetGear MA521 wireless adapter (PCMCIA) ships with a version of MA521nd5.SYS that is vulnerable to a memory corruption condition. This issue may lead to arbitrary kernel-mode code execution (1). When a specific malformed 802.11 frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. NetGear was NOT contacted about this flaw.


This flaw, along with the MacBook and Broadcom wireless flaws, makes the third potentially really big wireless bug. Thanks, guys, for completing the trifecta.
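The advisory quoted above does not say how the supported rates element is malformed. As an added example (not from the advisory and not NetGear's driver code), this sketch shows the bounds checks a beacon or probe response parser should apply before copying that element, assuming the IEEE 802.11 limit of 1 to 8 rates; `parse_rates`, `check_sample` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_SUPPORTED_RATES  1   /* element ID assigned by IEEE 802.11 */
#define MAX_SUPPORTED_RATES 8   /* the standard allows 1..8 rates in this element */
#define FIXED_FIELDS_LEN    12  /* timestamp(8) + beacon interval(2) + capability(2) */

enum ie_status { IE_OK = 0, IE_TRUNCATED = -1, IE_BAD_RATES_LEN = -2 };

/* Hypothetical helper: walk the tagged parameters of a beacon/probe response
 * body and copy Supported Rates into a fixed 8-byte buffer, refusing any
 * element that overruns the frame or the destination. */
static int parse_rates(const uint8_t *body, size_t body_len,
                       uint8_t rates[MAX_SUPPORTED_RATES], size_t *n_rates)
{
    size_t off = FIXED_FIELDS_LEN;
    *n_rates = 0;
    if (body_len < FIXED_FIELDS_LEN) return IE_TRUNCATED;
    while (off < body_len) {
        if (body_len - off < 2) return IE_TRUNCATED;   /* need ID + length */
        uint8_t id = body[off], len = body[off + 1];
        off += 2;
        if (len > body_len - off) return IE_TRUNCATED; /* length exceeds frame */
        if (id == IE_SUPPORTED_RATES) {
            /* Never use the attacker-supplied length as a copy size unchecked. */
            if (len == 0 || len > MAX_SUPPORTED_RATES) return IE_BAD_RATES_LEN;
            memcpy(rates, body + off, len);
            *n_rates = len;
        }
        off += len;
    }
    return IE_OK;
}

/* Wrap constructed tagged parameters in a zeroed fixed-field header and parse. */
static int check_sample(const uint8_t *ies, size_t ies_len, size_t *n_rates)
{
    uint8_t body[64] = {0}, rates[MAX_SUPPORTED_RATES];
    if (ies_len > sizeof(body) - FIXED_FIELDS_LEN) return IE_TRUNCATED;
    memcpy(body + FIXED_FIELDS_LEN, ies, ies_len);
    return parse_rates(body, FIXED_FIELDS_LEN + ies_len, rates, n_rates);
}

int main(void)
{
    /* Constructed sample: SSID "lab", then Supported Rates claiming 9 entries. */
    const uint8_t ies[] = {0x00,0x03,'l','a','b', 0x01,0x09,1,2,3,4,5,6,7,8,9};
    size_t n;
    return check_sample(ies, sizeof ies, &n) == IE_BAD_RATES_LEN ? 0 : 1;
}
```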


Saturday, November 18, 2006

A Most Complex Botnet

This is an amazingly well thought-out and well-planned piece of software. The weak point of botnets is what is referred to as the C&C server. This is a central machine used to issue commands to the botnet. Normally, if you close this channel of communication, you effectively cut the head off the beast.

I always thought it was severe stupidity on the bot herders' part not to have backup methods of communication. This struck me as odd, as stupidity is not usually attributed to people who have the skills to make a living off of cyber crime. Hackers are generally very intelligent individuals.

This software not only has an easy method of changing the C&C server, but also scans its victims with Kaspersky AV in order to remove competing malware. It's nice to see that Russian hackers support Russian software ;-)

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers.

Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan.

According to Joe Stewart, senior security researcher at SecureWorks, in Atlanta, the gang functions with a level of sophistication rarely seen in the hacking underworld.

For starters, the Trojan comes with its own anti-virus scanner—a pirated copy of Kaspersky's security software—that removes competing malware files from the hijacked machine. Once a Windows machine is infected, it becomes a peer in a peer-to-peer botnet controlled by a central server. If the control server is disabled by botnet hunters, the spammer simply has to control a single peer to retain control of all the bots and send instructions on the location of a new control server.

The bots are segmented into different server ports, determined by the variant of the Trojan installed, and further segmented into peer groups of no more than 512 bots. This allows the hackers to keep the overhead involved in exchanging information about other peers to a minimum, Stewart explained.


Stewart, a reverse engineering expert with expertise in deconstructing malware samples, gained access to files from a SpamThru control server and found evidence that the attackers are meticulous about keeping statistics on bot infections around the world.

For example, the SpamThru controller keeps statistics on the country of origin of all bots in the botnet. In all, computers in 166 countries are part of the botnet, with the United States accounting for more than half of the infections.

The botnet stats tracker even logs the version of Windows the infected client is running, down to the service pack level. One chart commandeered by Stewart showed that Windows XP SP2 (Service Pack 2) machines dominate the makeup of the botnet, a clear sign that the latest version of Microsoft's operating system is falling prey to attacks.

Another sign of the complexity of the operation, Stewart found, was a database hacking component that signaled the ability of the spammers to target its pump-and-dump scams to victims most likely to be associated with stock trading.