Sunday, November 19, 2006

Wireless Trifecta.

The Trifecta is now Completed! ;-)


The NetGear MA521 wireless adapter (PCMCIA) ships with a version of MA521nd5.SYS that is vulnerable to a memory corruption condition. This issue may lead to arbitrary kernel-mode code execution (1). When a specific malformed 802.11 frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. NetGear was NOT contacted about this flaw.
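As an added illustration (not code from the MoKB advisory quoted above, and the advisory does not state the driver's exact defect), this Python walker shows the bounds checks a receive path needs before trusting a beacon or probe response's information elements: each IE's declared length must fit in the remaining frame bytes, and Supported Rates (element ID 1) may carry only 1 to 8 rate octets. The frame bodies are constructed here, not captures.

```python
import struct

FIXED_FIELDS_LEN = 8 + 2 + 2   # timestamp, beacon interval, capability info
EID_SUPPORTED_RATES = 1        # element ID of the Supported Rates IE
MAX_SUPPORTED_RATES = 8        # the standard allows 1..8 rate octets

def parse_beacon_ies(body: bytes) -> dict:
    """Return {element_id: value} for a well-formed beacon/probe response
    body, raising ValueError on any IE whose length cannot be trusted."""
    if len(body) < FIXED_FIELDS_LEN:
        raise ValueError("frame body shorter than the fixed fields")
    ies, pos = {}, FIXED_FIELDS_LEN
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated IE header at offset %d" % pos)
        eid, ie_len = body[pos], body[pos + 1]
        pos += 2
        if ie_len > len(body) - pos:   # declared length overruns the frame
            raise ValueError("IE %d length %d exceeds frame" % (eid, ie_len))
        if eid == EID_SUPPORTED_RATES and not 1 <= ie_len <= MAX_SUPPORTED_RATES:
            raise ValueError("Supported Rates length %d out of range" % ie_len)
        ies[eid] = body[pos:pos + ie_len]
        pos += ie_len
    return ies

def is_well_formed(body: bytes) -> bool:
    try:
        parse_beacon_ies(body)
        return True
    except ValueError:
        return False

def ie(eid: int, value: bytes, declared_len: int = None) -> bytes:
    """Build one IE; declared_len lets a test frame lie about its length."""
    n = len(value) if declared_len is None else declared_len
    return bytes([eid, n]) + value

def beacon_body(*ies: bytes) -> bytes:
    """Constructed beacon body: timestamp 0, interval 100 TU, a capability
    field, then the given IEs. Not a capture from any real device."""
    return struct.pack("<QHH", 0, 100, 0x0401) + b"".join(ies)

GOOD = beacon_body(ie(0, b"lab-ssid"), ie(1, bytes([0x82, 0x84, 0x8B, 0x96])))
# Declared length far larger than the bytes actually present in the frame.
BAD_OVERRUN = beacon_body(ie(0, b"lab-ssid"), ie(1, b"\x82\x84", declared_len=0xFF))
# Length fits the frame but exceeds what a Supported Rates IE may carry.
BAD_RANGE = beacon_body(ie(1, bytes(12)))
```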


This flaw, along with the MacBook and Broadcom wireless flaws, makes the third potentially really big wireless bug. Thanks, guys, for completing the trifecta.


Saturday, November 18, 2006

A Most Complex Botnet

This is an amazingly well-thought-out and well-planned piece of software. The weak point of botnets is what is referred to as the C&C (command-and-control) server. This is a central machine used to issue commands to the botnet. Normally, if you close this channel of communication you effectively cut the head off the beast.

I always thought it was severe stupidity on the bot herders' part not to have backup methods of communication. This struck me as odd, as stupidity is not usually attributed to people who have the skills to make a living off of cyber crime. Hackers are generally very intelligent individuals.

This software not only has an easy method of changing the C&C server, but also scans its victims with Kaspersky AV in order to remove competing malware. It's nice to see that Russian hackers support Russian software ;-)

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers.

Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan.

According to Joe Stewart, senior security researcher at SecureWorks, in Atlanta, the gang functions with a level of sophistication rarely seen in the hacking underworld.

For starters, the Trojan comes with its own anti-virus scanner—a pirated copy of Kaspersky's security software—that removes competing malware files from the hijacked machine. Once a Windows machine is infected, it becomes a peer in a peer-to-peer botnet controlled by a central server. If the control server is disabled by botnet hunters, the spammer simply has to control a single peer to retain control of all the bots and send instructions on the location of a new control server.

The bots are segmented into different server ports, determined by the variant of the Trojan installed, and further segmented into peer groups of no more than 512 bots. This allows the hackers to keep the overhead involved in exchanging information about other peers to a minimum, Stewart explained.


Stewart, a reverse engineering expert with expertise in deconstructing malware samples, gained access to files from a SpamThru control server and found evidence that the attackers are meticulous about keeping statistics on bot infections around the world.

For example, the SpamThru controller keeps statistics on the country of origin of all bots in the botnet. In all, computers in 166 countries are part of the botnet, with the United States accounting for more than half of the infections.

The botnet stats tracker even logs the version of Windows the infected client is running, down to the service pack level. One chart commandeered by Stewart showed that Windows XP SP2 (Service Pack 2) machines dominate the makeup of the botnet, a clear sign that the latest version of Microsoft's operating system is falling prey to attacks.

Another sign of the complexity of the operation, Stewart found, was a database hacking component that signaled the ability of the spammers to target its pump-and-dump scams to victims most likely to be associated with stock trading.

Monday, November 13, 2006

Metasploit morphs into Autosploit

It's not quite finished, but it's off to an impressive start. If someone wanted to destroy a network from the inside, I think one instance of this running inside the border could pretty much destroy the domain if they were just a little out of date with their patches.

This certainly speaks volumes about the importance of patch management.


The db_autopwn command is where the exploitation magic happens. This command will scan through the database tables and create a list of modules that match up to specific vulnerabilities. This matching process can happen in two different ways. The first method involves analyzing the list of vulnerability references for every exploit and matching them up with the references in every imported vulnerability record. This cross-referencing method is fairly accurate and depends on standard identifiers, such as OSVDB, Bugtraq, and CVE to match exploits with their targets. The second method uses the default port associated with each exploit module to locate targets running the same service. While this will work in most cases, it can cause a fair amount of collateral damage and is likely to miss vulnerable services running on non-default ports.

At this point, you have a few options. You can either import an existing Nessus NBE file using the db_import_nessus_nbe command, import an existing Nmap XML output file using the db_import_nmap_xml command, or use the db_nmap command to populate the database. The benefit of using a Nessus NBE file is that it provides data for the cross-referencing mode (-x) of db_autopwn. The benefit of using Nmap data is that you can quickly attack a large group of systems without having to run a complete vulnerability scan, but you will miss vulnerabilities that are not on the default port of the associated Metasploit module.
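The two matching modes described above, worked through in Python as an added example (not Metasploit's own code). The module and service records are simplified stand-ins for the database tables, and every host, port, module name and CVE id is made up; the comparison shows concretely why the port-based mode both hits patched hosts and misses a service on a non-default port, which is the same correlation a patch-management review runs to decide which exposed services still carry an unresolved advisory.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    default_port: int
    refs: frozenset          # standard identifiers (CVE, OSVDB, Bugtraq ...)

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    vuln_refs: frozenset = frozenset()   # empty when only Nmap data was imported

# Constructed stand-ins; the CVE ids are placeholders, not real advisories.
MODULES = [
    Module("exploit/example/smb_stub", 445, frozenset({"CVE-0000-0001"})),
    Module("exploit/example/web_stub", 80, frozenset({"CVE-0000-0002"})),
]

# Constructed inventory: host .1 is vulnerable on the default port, host .2
# runs the web service on 8080 with a Nessus-style finding attached, and
# host .3 is fully patched but still listens on 445.
SERVICES = [
    Service("10.0.0.1", 445, frozenset({"CVE-0000-0001"})),
    Service("10.0.0.2", 8080, frozenset({"CVE-0000-0002"})),
    Service("10.0.0.3", 445),
]

def match_by_reference(modules, services):
    """Cross-referencing mode (-x): pair a module with a service only when an
    imported vulnerability record shares one of the module's identifiers."""
    return sorted((m.name, s.host, s.port)
                  for m in modules for s in services if m.refs & s.vuln_refs)

def match_by_port(modules, services):
    """Port mode: pair a module with every service on its default port,
    whether or not that host is actually vulnerable."""
    return sorted((m.name, s.host, s.port)
                  for m in modules for s in services if m.default_port == s.port)

def compare_modes(modules, services):
    """What port matching adds (collateral) and loses (non-default ports)."""
    by_ref = set(match_by_reference(modules, services))
    by_port = set(match_by_port(modules, services))
    return {"collateral": sorted(by_port - by_ref), "missed": sorted(by_ref - by_port)}
```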

Sunday, November 12, 2006

Finally, Cow-Human Hybrids!


Scientists in the UK applied on Monday for permission to create part-cow, part-human embryos for research aimed at treating diseases such as Parkinson's and Alzheimer's.

The procedure would involve inserting human DNA into cows’ eggs that have had their own genetic material removed. The embryos created from this process would then be almost entirely “human”, with the only cow DNA being outside the cells’ nuclei.

If they manage to pull off the feat, the human-bovine embryos would not be allowed to develop for more than a few days, the researchers say.

The hybrid embryos would be used to produce embryonic stem cells, which have huge potential for treating disease. At present, embryonic stem cells have to be obtained from unwanted early stage human embryos left over from in-vitro fertilisation treatments. Using cow eggs would potentially give researchers a far greater supply of stem cell material.


I have been waiting for this, a real live Perfectly Normal Beast (HHG2G reference for those who haven't read Douglas Adams)!

I can't wait for the Christian public reaction. This is gonna be a fun story to follow, and I will try and keep my faithful readers posted ;-)


Wednesday, November 08, 2006

Virginia Decides to Pull an Ohio

As you will see by comparing my previous post to the data on the link below, Virginia has changed the percentage reporting from

Precincts Reporting: 2437 of 2443 (99.75%)

to

Precincts Reporting: 2464 of 2599 (94.81%)

Now it seems to me that they have enough provisional ballots to have added 156 precincts to the state of Virginia. I have no clue how provisional ballots work but I am going to figure it out right now.

A provisional ballot is used to record a vote when there is some question in regards to a given voter's eligibility. A provisional ballot would be cast when:

* The voter refuses to show a photo ID (in regions that require one)
* The voter's name does not appear on the electoral roll for the given precinct.
* The voter's registration contains inaccurate or out-dated information such as the wrong address or a misspelled name.
* The voter's ballot has already been recorded

A provisional ballot is counted contingent upon the verification of that voter's eligibility.

OK, so provisional ballots were created because some people don't have ID and because electoral rolls get SNAFU'ed. Sounds fair to me... So why am I worried?

Arguments over the use and misuse of the criteria for determining the eligibility of provisional ballots were one of the greatest controversies of the 2004 US Presidential Election - many allege the discrepancies relating to these, particularly in Ohio, may have been a deciding factor in the outcome of the election.

Oh right..

Either way, this is going to be ANOTHER long and annoying process in order for the repubs to get their seat, just like in 2000 and 2004. I know that's cynical, but that's the way it is. Even when it's obvious America wants a change, those in power have ways of preventing it.

This is my final election coverage post, this stuff is too annoying.


P.S.: Prediction: VA goes to the repubs

Virginia Goes to the Democrats

OK, let's do the numbers. I will write this so that you can follow along. First go to Virginia's official website, then click on "Real-Time Election Results". This will take you to

The default statistics displayed are the U.S. Senate race, which lists the following facts:

Total registered voters: 4,555,672
Total registered voters that got off their ass and voted: 2,361,441

Votes for the Democratic challenger: 1,170,686
Votes for the Republican incumbent : 1,162,327
This means that J H Webb Jr has 8,359 more votes than G F Allen

Now the total Precincts Reporting is: 2437 of 2443 (99.75%)

This means that 0.25% is left to be tallied. One percent of the voters who showed up is 23,614, and a quarter of that 1% is 5,903 and a half, so that many voters are left to be counted.

As you can see the Republican needs more votes than are left to be counted, so I call Virginia for the Democrats.

(I removed this paragraph, which was me being whiney about the recount, which I didn't want, but was unaware that it is legally required if the candidates are less than 1% apart.)

OK, math and early morning don't mix well, so if my math is off please just let me live in my little delusional happy world for a little longer :-)

Ok, I am off to look up the data from Montana..


Tuesday, November 07, 2006

Summary of Super Tuesday

People in Ohio have sent in hundreds of thousands of absentee voter ballots in order to prevent Diebold from globally managing the elections systematically for Republicans.

Early voting has revealed that these machines have a nasty habit of leaning to the right, even when a pundit votes straight down the left. This has led me to coin a phrase: "Red Balling". You don't think that Diebold is capable of red-balling the electorate? Link away:

The touch-screen gizmos seem strangely attracted to Republican candidates. One voter needed assistance from an election official, and even then, needed three tries to convince the machine that he wanted to vote for Democrat Jim Davis in the gubernatorial race, not his Republican opponent Charlie Crist.
"He touched the screen for gubernatorial candidate Jim Davis, a Democrat, but the review screen repeatedly registered the Republican, Charlie Crist."
Joan Marek, 60, a Democrat from Hollywood, was also stunned to see Charlie Crist on her ballot review page after voting on Thursday. "Am I on the voting screen again?" she wondered. "Well, this is too weird."

Well, even though NBC is projecting that Republican Charlie Crist will win the Florida governor race, the Democrats have taken over the House for the first time in 12 years.

The Repubs, it seems, will keep the Senate, but despite help from Diebold, the House belongs to the Democrats for the first time in 12 years. Hopefully this will stem the tide of lost liberties from flowing into nonexistence.

It is reassuring that it only took:

Absolute proof of severe moral corruption

Absolute proof of lobbying corruption

Absolute proof of campaign funds corruption

Absolute proof of the inability to lead an army

Absolute proof of the inability to be fiscally responsible

Absolute proof of their disdain for the constitution

Absolute proof of them spying on us for political motives

I could go on, but I am getting more depressed with each link added. I am astounded that this is not enough for the voters to give the Senate to the Democrats, but at least we have the House. I will take solace in that much, and hope for more in the future.

Democrats suck, but they are a damn sight better than what I have seen happening with our leadership the last 6 years.



bwa ha ha ha ha... yes sir, funny stuff there.. :-p

I have been told I messed up some Netiquette by not posting the link to the original author of this cartoon, so here it is, and sorry for the lapse :-)

Month of Kernel Bugs

You may remember the Month of Browser Bugs (MoBB) that H.D. Moore did a few months ago, where a new bug was posted every day for the month of July. Well, LMH has taken that idea and collected a month's worth of kernel bugs to be released every day this month, dubbed MoKB.

The first one was huge: an exploit for the MacBook's internal wireless card that affected every MacBook manufactured from 1998 to 2003. LMH has not gone the popular route that most security researchers take today, but rather released a lot of exploits for non-Microsoft operating systems, including Solaris, BSD, Linux and Macintosh OS's.

I advise everyone to use the RSS feed and to keep a close eye on this site for the next twenty-three days.


Thursday, November 02, 2006

Conversation with HD Moore on the 5 month old "0-day"

I was lucky enough to get to speak with HD Moore in order to try and gain a better understanding of the "0-day" that has been packaged with Metasploit since August 2006.

Apparently HDM found a vulnerability in an ActiveX control in IE, then discovered he could apply that same exploit to several MS products. For those who think HD doesn't follow responsible disclosure guidelines, read on:

The Background posts on FD

Offline Conversation (reprinted with permission):

JP): I laughed my ass off
JP): Guess their massive focus on security doesnt
JP): involve looking at Metasploit every month or two lol

JP): Hey man,
JP): I may have not gotten enough sleep,(but)
JP): MS sez WmiScriptUtils.dll is the faulting module for the
JP): Visual studio bug, but you sent a link to an IE exploit..
JP): Whats up with that?

HDM): That patched a completely unrelated ActiveX.
HDM): The type of vulnerability is almost generic -- thats
HDM): why the exploit is called ie_createobject and isn't
HDM): specific to that patched vulnerability.

JP): ahh, I see, you take the generic vuln and applied it
JP): to many dll's that have that function, including the
JP): -WMIScriptUtils.WMIObjectBroker 2.1 in the module.
JP): While MS fixed it in the IE component, they neglected the
JP): others and now it came and bit them in the @$$

HDM): Yup. They fixed the older one, but did not take
HDM): action when I reported this to them 5 months ago.

And here is HD explaining how this could be cross platform to a layman:
Quick summary:

The MS06-014 bug was just one instance of a pretty common vulnerability in
ActiveX Objects. Some objects expose a method that allows new objects to
be created through them. If any of these objects are marked as safe for
scripting, it's possible to create arbitrary COM instances through
a 'safe' object (leading to pwnage).

I went to write the MS06-014 exploit and realized I had a bunch of other
ways to exploit the same type of flaw. I added the WMI bug to the list
and then followed it by a set of usually-restricted COMs that have the
same feature. If the system is misconfigured or is using an old version
of Office, almost any of those 'targets' in the exploit can be used to
run arbitrary code :-)
JP): Gotcha! (Finally!)
JP): thanks for the explanation, this is the kind of s#!t that I learn from!

HDM): Glad I can help :-)


(Reprinted with Permission of HD Moore)