If you want to keep up with the latest criminal exploits without having to collect malware yourself, take a look at SRI International's Cyber-Threat Analytics BotHunter Malware Analysis Web page. Reporting on information and statistics collected from a research honeynet, the BotHunter Malware Analysis page makes daily infection logs from high-interaction honeypots available for anyone to view. Although the scale of the project and information collected is fairly small, this is a useful site for gaining more insight into crimeware and the world of bots.
Clicking on any of the daily reports presents dozens of pieces of information on each day’s attacks. It starts off with time and date of each bot attack, and the honeypot platform type (e.g. Windows XP, Windows 2000, etc.). It reveals the Snort rules used to detect incoming malware and how many antivirus companies detected the malicious code.
Each captured malware program is run against 28 to 32 antivirus engines. Try browsing the daily reports to see how many times none of the antivirus scanners detected the malware. Surprisingly, this happens roughly one third of the time -- not a comforting statistic.
The honeynet automatically extracts plain text strings and tries to determine which executable packer was used. It decodes each executable and provides code traces. It appears that complete assemblies and packet traces are available upon request. A short summary forensic log can be obtained for each malware attack. Here's a sample:
FORENSIC LOG:
Infection Source:
24.64.x.x
Executables Delivered:
ftpupd.exe
keymmuda.exe
Listen Ports Opened:
4166
4606
Processes Created:
keymmuda.exe
MSMSGS.EXE
Registry Entries Modified or Created:
HKEY_LOCAL_MACHINE@...Microsoft\Wireless
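A small parser for the summary log shown above, added here as an illustration and not part of the BotHunter project; it assumes the format seen in the sample (a header line ending in a colon, then one value per line) and uses a constructed copy of that sample as input.

```python
import re
from typing import Dict, List, Optional

# Constructed input, modelled on the forensic log sample quoted above.
SAMPLE_LOG = r"""FORENSIC LOG:
Infection Source:
24.64.x.x
Executables Delivered:
ftpupd.exe
keymmuda.exe
Listen Ports Opened:
4166
4606
Processes Created:
keymmuda.exe
MSMSGS.EXE
Registry Entries Modified or Created:
HKEY_LOCAL_MACHINE@...Microsoft\Wireless
"""

# Assumption: a section header is a line of words ending in ':' (values such as
# file names, IPs and registry paths contain '.', '_' or digits and never match).
SECTION_RE = re.compile(r"^[A-Za-z][A-Za-z ]*:$")

def parse_forensic_log(text: str) -> Dict[str, List[str]]:
    """Group the one-value-per-line entries under their section header."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "FORENSIC LOG:":
            continue
        if SECTION_RE.match(line):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def summarize(sections: Dict[str, List[str]]) -> dict:
    """Pull out what a responder checks first: which dropped files actually ran,
    which processes appeared without a matching drop, and which ports now listen."""
    delivered = set(sections.get("Executables Delivered", []))
    started = set(sections.get("Processes Created", []))
    ports = sorted(int(p) for p in sections.get("Listen Ports Opened", []) if p.isdigit())
    return {
        "delivered_and_executed": sorted(delivered & started),
        "executed_only": sorted(started - delivered),   # pre-existing binaries reused by the bot
        "listen_ports": ports,
        "registry_touched": len(sections.get("Registry Entries Modified or Created", [])),
    }

if __name__ == "__main__":
    print(summarize(parse_forensic_log(SAMPLE_LOG)))
```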
Cain & Abel update
Like many leading-edge technology products, one of my favorite hacking utilities, Cain & Abel, is constantly being updated. For years it has been the hacker utility with the most built-in features of any GUI tool. It can crack at least 28 different password hashes, conduct ARP spoofing and man-in-the-middle attacks, and sniff more than a dozen different passwords off the wire. When converting password hashes to passwords, it can use several different cracking methods, including dictionary, brute force, and rainbow tables. It's not the fastest (get John the Ripper for that), but it's the easiest and most versatile tool available. The program's single downside is that it is only available for Windows.