If you want to keep up with the latest criminal exploits without having to collect malware yourself, take a look at SRI International's Cyber-Threat Analytics BotHunter Malware Analysis Web page. Reporting on information and statistics collected from a research honeynet, the BotHunter Malware Analysis page makes daily infection logs from high-interaction honeypots available for anyone to view. Although the scale of the project and information collected is fairly small, this is a useful site for gaining more insight into crimeware and the world of bots.
[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]
Each captured malware program is run against 28 to 32 antivirus engines. Try browsing the daily reports to see how many times none of the antivirus scanners detected the malware. Surprisingly, this happens roughly one third of the time -- not a comforting statistic.
The honeynet automatically extracts plain text strings and tries to determine which executable packer was used. It decodes each executable and provides code traces. It appears that complete assemblies and packet traces are available upon request. A short summary forensic log can be obtained for each malware attack. Here's a sample:
Listen Ports Opened:
Registry Entries Modified or Created:
Cain & Abel update
Like many leading-edge technology companies, one of my favorite hacking utilities, Cain & Abel, is constantly updating itself. For years it’s been the hacker utility with the most built-in features of any GUI tool. It can crack at least 28 different password hashes, conduct ARP spoofing and man-in-the-middle attacks, and sniff more than a dozen different passwords off the wire. When converting password hashes to passwords, it can use several different cracking methods, including dictionary, brute force, and rainbow tables. It’s not the fastest (get John the Ripper for that), but it’s the easiest and most versatile tool available. The program's single downside is that it is only available for Windows.
I’ve been aiming to test Cain & Abel on Windows Vista since Vista came out almost a year ago. Although Cain & Abel must be started in elevated mode, many of the key features don’t work, as I suspected might be the case. Protected Storage, RDP, and Credential Dumper didn’t work, although a local LSAdump of custom service account passwords and wireless preshared keys and hashes did. I couldn’t get any of the man-in-the-middle attacks to work, and none of the tools for sniffing passwords off the network provided any usable data.
I was happy to see that the local password hash dump only discovered the harder-to-crack NT hashes with no super vulnerable LM hashes available. This reflects Microsoft’s decision to finally disable LM password hashes by default in Vista, a decision overdue by at least five years.
Some security administrators ask me why I promote the use of tools like Cain & Abel that make hacking so easy. Shouldn't I be afraid of putting dangerous tools into the hands of the script kiddies? My reply is always the same: Hackers don’t need Cain & Abel. They can do what they need to do without the easy-to-use GUIs. Cain & Abel is for the rest of us to make hacking easier to demonstrate. One good Cain & Abel demo to management can say more than a hundred computer security articles. And besides, most malicious hacking today is done by professional criminals … and they don’t use Cain & Abel either.
I often encourage system administrators to run Cain & Abel, with appropriate permission of course, to ferret out weak and plain text passwords on their own local system and on their networks. Most first-time users are surprised to find that plain text passwords abound on networks they believed were relatively secure.
Who am I kidding? Every system administrator I know thinks their network is like Swiss cheese. But Cain & Abel gives you a way to document the problem, and to begin doing something about it.