Posts Tagged ‘Cyber Crime’

tv-justice

Here is some help for you guys and gals that are looking for some forensic tools, they can also be good fun to mess around with.

1. Disk tools and data capture

————————————————————————————————————–
Arsenal Image Mounter :
Mounts disk images as complete disks in Windows, giving access to Volume Shadow Copies, etc.
https://www.arsenalrecon.com/apps/image-mounter/
————————————————————————————————————–
DumpIt :
Generates physical memory dump of Windows machines, 32 bits 64 bit. Can run from a USB flash drive.
http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
————————————————————————————————————–
EnCase :
Create EnCase evidence files and EnCase logical evidence files
http://www1.guidancesoftware.com/Order-Forensic-Imager.aspx
————————————————————————————————————–
Encrypted Disk Detector :
Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes
http://info.magnetforensics.com/encrypted-disk-detector
————————————————————————————————————–
EWF MetaEditor :
Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier)
http://www.4discovery.com/our-tools/
————————————————————————————————————–
FAT32 Format :
Enables large capacity disks to be formatted as FAT32
http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm
————————————————————————————————————–
Forensics Acquisition of Websites :
Browser designed to forensically capture web pages
http://www.fawproject.com/en/default.aspx
————————————————————————————————————–
FTK Imager :
Imaging tool, disk viewer and image mounter
http://www.accessdata.com/support/product-downloads
————————————————————————————————————–
Guymager :
Multi-threaded GUI imager under running under Linux
http://guymager.sourceforge.net/
————————————————————————————————————–
Live RAM Capturer :
Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds
http://forensic.belkasoft.com/en/ram-capturer
————————————————————————————————————–
NetworkMiner :
Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing
http://sourceforge.net/projects/networkminer/
————————————————————————————————————–
Nmap :
Utility for network discovery and security auditing
http://nmap.org/
————————————————————————————————————–
Magnet RAM :
Captures physical memory of a suspect’s computer. Windows XP to Windows 10, and 2003, 2008, 2012. 32 & 64 bit
http://www.magnetforensics.com/ram-capture/
————————————————————————————————————–
OSFClone :
Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones.
http://www.osforensics.com/tools/create-disk-images.html
————————————————————————————————————–
OSFMount :
Mounts a wide range of disk images. Also allows creation of RAM disks
http://www.osforensics.com/tools/mount-disk-images.html
————————————————————————————————————–
Wireshark :
Network protocol capture and analysis
https://www.wireshark.org/
————————————————————————————————————–
Disk2vhd :
Creates Virtual Hard Disks versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V VMs
https://technet.microsoft.com/en-gb/sysinternals/ee656415.aspx

————————————————————————————————————–
2. Email analysis

————————————————————————————————————–
EDB Viewer :
Open and view (not export) Outlook EDB files without an Exchange server
http://www.nucleustechnologies.com/exchange-edb-viewer.html
————————————————————————————————————–
Mail Viewer :
Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files
http://www.mitec.cz/mailview.html
————————————————————————————————————–
MBOX Viewer :
View MBOX emails and attachments
http://www.systoolsgroup.com/mbox-viewer.html
————————————————————————————————————–
OST Viewer  :
Open and view (not export) Outlook OST files without connecting to an Exchange server
http://www.nucleustechnologies.com/ost-viewer.html
————————————————————————————————————–
PST Viewer  :
Open and view (not export) Outlook PST files without needing Outlook
http://www.nucleustechnologies.com/pst-viewer.html
————————————————————————————————————–
3. General tools

————————————————————————————————————–
Agent Ransack :
Search multiple files using Boolean operators and Perl Regex
http://www.mythicsoft.com/page.aspx?type=agentransack&page=home
————————————————————————————————————–
Computer Forensic Reference Data Sets :
Collated forensic images for training, practice and validation
http://www.cfreds.nist.gov/
————————————————————————————————————–
EvidenceMover :
Copies data between locations, with file comparison, verification, logging
http://www.nuix.com/Nuix-evidence-mover
————————————————————————————————————–
FastCopy :
Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc.
http://ipmsg.org/tools/fastcopy.html.en
————————————————————————————————————–
File Signatures :
Table of file signatures
http://www.garykessler.net/library/file_sigs.html
————————————————————————————————————–
HexBrowser :
Identifies over 1000 file types by examining their signatures
http://www.hexbrowser.com/
————————————————————————————————————–
HashMyFiles :
Calculate MD5 and SHA1 hashes
http://www.nirsoft.net/utils/hash_my_files.html
————————————————————————————————————–
MobaLiveCD :
Run Linux live CDs from their ISO image without having to boot to them
http://mobalivecd-en.mobatek.net/
————————————————————————————————————–
Mouse Jiggler :
Automatically moves mouse pointer stopping screen saver, hibernation etc.
http://mousejiggler.codeplex.com/
————————————————————————————————————–
Notepad ++ :
Advanced Notepad replacement
http://notepad-plus-plus.org/
————————————————————————————————————–
NSRL :
Hash sets of ‘known’ (ignorable) files
http://www.nsrl.nist.gov/Downloads.htm
————————————————————————————————————–
Quick Hash :
A Linux & Windows GUI for individual and recursive SHA1 hashing of files
http://sourceforge.net/projects/quickhash/
————————————————————————————————————–
USB Write Blocker :
Enables software write-blocking of USB ports
http://dsicovery.com/dsicovery-software/usb-write-blocker/
————————————————————————————————————–
Volix :
Application that simplifies the use of the Volatility Framework
http://www.it-forensik.fh-aachen.de/projekte/volix/13
————————————————————————————————————–
Windows Forensic Environment :
Guide by Brett Shavers to creating and working with a Windows boot CD
http://winfe.wordpress.com/
————————————————————————————————————–
4. File and data analysis

————————————————————————————————————–
Advanced Prefetch Analyser :
Reads Windows XP,Vista and Windows 7 prefetch files
http://www.ash368.com/
————————————————————————————————————–
analyzeMFT :
Parses the MFT from an NTFS file system allowing results to be analysed with other tools
https://github.com/dkovar/analyzeMFT
————————————————————————————————————–
bstrings :
Find strings in binary data, including regular expression searching.
https://binaryforay.blogspot.co.uk/2015/07/introducing-bstrings-better-strings.html
————————————————————————————————————–
CapAnalysis :
PCAP viewer
http://www.capanalysis.net/site/
————————————————————————————————————–
Crowd Reponse :
Windows console application to aid gathering of system information for incident response and security engagements.
http://www.crowdstrike.com/community-tools/
————————————————————————————————————–
Crowd Inspect :
Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce “at-a-glance” state of the system
http://www.crowdstrike.com/community-tools/
————————————————————————————————————–
DCode :
Converts various data types to date/time values
http://www.digital-detective.net/digital-forensic-software/free-tools/
————————————————————————————————————–
Defraser :
Detects full and partial multimedia files in unallocated space
http://sourceforge.net/projects/defraser/
————————————————————————————————————–
eCryptfs Parser :
Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc.
http://sourceforge.net/projects/ecryptfs-p/
————————————————————————————————————–
Encryption Analyzer :
Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file
http://www.lostpassword.com/encryption-analyzer.htm
————————————————————————————————————–
ExifTool :
Read, write and edit Exif data in a large number of file types
http://www.sno.phy.queensu.ca/~phil/exiftool/
————————————————————————————————————–
File Identifier :
Drag and drop web-browser JavaScript tool for identification of over 2000 file types
http://www.toolsley.com/
————————————————————————————————————–
Forensic Image Viewer :
View various picture formats, image enhancer, extraction of embedded Exif, GPS data
http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software
————————————————————————————————————–
Ghiro :
In-depth analysis of image (picture) files
http://www.getghiro.org/
————————————————————————————————————–
Highlighter :
Examine log files using text, graphic or histogram views
http://www.mandiant.com/products/free_software/highlighter/
————————————————————————————————————–
Link Parser :
Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files
http://www.4discovery.com/our-tools/
————————————————————————————————————–
LiveContactsView :
View and export Windows Live Messenger contact details
http://www.nirsoft.net/utils/live_messenger_contacts.html
————————————————————————————————————–
PECmd :
Prefetch Explorer
https://binaryforay.blogspot.co.uk/2016/01/pecmd-v0600-released.html
————————————————————————————————————–
PlatformAuditProbe :
Command Line Windows forensic/ incident response tool that collects many artefacts. Manual
https://appliedalgo.com/
————————————————————————————————————–
RSA Netwitness Investigator :
Network packet capture and analysis
http://www.emc.com/security/rsa-netwitness.htm#!freeware
————————————————————————————————————–
Memoryze :
Acquire and/or analyse RAM images, including the page file on live systems
http://www.mandiant.com/products/free_software/memoryze/
————————————————————————————————————–
MetaExtractor :
Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files
http://www.4discovery.com/our-tools/
————————————————————————————————————–
MFTview :
Displays and decodes contents of an extracted MFT file
http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software
————————————————————————————————————–
PictureBox :
Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format
http://www.mikesforensictools.co.uk/MFTPB.html
————————————————————————————————————–
PsTools :
Suite of command-line Windows utilities
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
————————————————————————————————————–
Shadow Explorer :
Browse and extract files from shadow copies
http://www.shadowexplorer.com/
————————————————————————————————————–
SQLite Manager :
Firefox add-on enabling viewing of any SQLite
https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/
————————————————————————————————————–
Strings :
Command-line tool for text searches
http://technet.microsoft.com/en-gb/sysinternals/bb897439.aspx
————————————————————————————————————–
Structured Storage Viewer :
View and manage MS OLE Structured Storage based files
http://www.mitec.cz/ssv.html
————————————————————————————————————–
Switch-a-Roo :
Text replacement/converter/decoder for when dealing with URL encoding, etc
http://www.mikesforensictools.co.uk/MFTSAR.html
————————————————————————————————————–
Windows File Analyzer :
Analyse thumbs.db, Prefetch, INFO2 and .lnk files
http://www.mitec.cz/wfa.html
————————————————————————————————————–
Xplico :
Network forensics analysis tool
http://www.xplico.org/
————————————————————————————————————–
5. Mac OS tools

————————————————————————————————————–
Audit :
Audit Preference Pane and Log Reader for OS X
https://github.com/twocanoes/audit
————————————————————————————————————–
ChainBreaker :
Parses keychain structure, extracting user’s confidential information such as application account/password, encrypted volume password (e.g. filevault), etc
http://forensic.n0fate.com/?page_id=412
————————————————————————————————————–
Disk Arbitrator :
Blocks the mounting of file systems, complimenting a write blocker in disabling disk arbitration
https://github.com/aburgh/Disk-Arbitrator
————————————————————————————————————–
Epoch Converter :
Converts epoch times to local time and UTC
https://www.blackbagtech.com/resources/freetools/epochconverter.html
————————————————————————————————————–
FTK Imager CLI for Mac OS :
Command line Mac OS version of AccessData’s FTK Imager
http://accessdata.com/product-download/digital-forensics/mac-os-10.5-and-10.6x-version-3.1.1
————————————————————————————————————–
IORegInfo :
Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected
https://www.blackbagtech.com/resources/freetools/ioreg-info.html
————————————————————————————————————–
PMAP Info :
Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors
https://www.blackbagtech.com/resources/freetools/pmap-info.html
————————————————————————————————————–
Volafox :
Memory forensic toolkit for Mac OS X
http://forensic.n0fate.com/?page_id=412
————————————————————————————————————–
6. Mobile devices

————————————————————————————————————–
iPBA2 :
Explore iOS backups
http://ipbackupanalyzer.com/
————————————————————————————————————–
iPhone Analyzer :
Explore the internal file structure of Pad, iPod and iPhones
http://sourceforge.net/projects/iphoneanalyzer/
————————————————————————————————————–
ivMeta :
Extracts phone model and software version and created date and GPS data from iPhone videos.
http://www.csitech.co.uk/ivmeta-iphone-metadata/
————————————————————————————————————–
Last SIM Details :
Parses physical flash dumps and Nokia PM records to find details of previously inserted SIM cards.
http://lastsimdetails.blogspot.co.uk/p/downloads.html
————————————————————————————————————–
Rubus :
Deconstructs Blackberry .ipd backup files
http://www.cclgroupltd.com/Buy-Software/rubus-ipd-de-constructor-utility.html
————————————————————————————————————–
SAFT :
Obtain SMS Messages, call logs and contacts from Android devices
http://www.signalsec.com/saft/
————————————————————————————————————–
7. Data analysis suites

————————————————————————————————————–
Autopsy :
Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below)
http://www.sleuthkit.org/autopsy/
————————————————————————————————————–
Backtrack :
Penetration testing and security audit with forensic boot capability
http://www.backtrack-linux.org/
————————————————————————————————————–
Caine :
Linux based live CD, featuring a number of analysis tools
http://www.caine-live.net/
————————————————————————————————————–
Deft :
Linux based live CD, featuring a number of analysis tools
http://www.deftlinux.net/
————————————————————————————————————–
Digital Forensics Framework :
Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items
http://www.digital-forensic.org/
————————————————————————————————————–
Forensic Scanner :
Automates ‘repetitive tasks of data collection’. Fuller description here
https://github.com/appliedsec/forensicscanner
————————————————————————————————————–
Paladin :
Ubuntu based live boot CD for imaging and analysis
http://www.sumuri.com/
————————————————————————————————————–
SIFT :
VMware Appliance pre-configured with multiple tools allowing digital forensic examinations
http://computer-forensics.sans.org/community/downloads/
————————————————————————————————————–
The Sleuth Kit :
Collection of UNIX-based command line file and volume system forensic analysis tools
http://www.sleuthkit.org/sleuthkit/
————————————————————————————————————–
Volatility Framework :
Collection of tools for the extraction of artefacts from RAM
http://www.volatilityfoundation.org/
————————————————————————————————————–

8. Internet analysis

http://www.nirsoft.net/utils/mzcv.html
————————————————————————————————————–
MozillaHistoryView :
Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web page
http://www.nirsoft.net/utils/mozilla_history_view.html
————————————————————————————————————–
MyLastSearch :
Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace)
http://www.nirsoft.net/utils/my_last_search.html
————————————————————————————————————–
PasswordFox :
Extracts the user names and passwords stored by Mozilla Firefox Web browser
http://www.nirsoft.net/utils/passwordfox.html
————————————————————————————————————–
OperaCacheView :
Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache
http://www.nirsoft.net/utils/opera_cache_view.html
————————————————————————————————————–
OperaPassView :
Decrypts the content of the Opera Web browser password file, wand.dat
http://www.nirsoft.net/utils/opera_password_recovery.html
————————————————————————————————————–
Web Historian :
Reviews list of URLs stored in the history files of the most commonly used browsers
http://www.mandiant.com/resources/download/web-historian
————————————————————————————————————–
Web Page Saver :
Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages
http://info.magnetforensics.com/web-page-saver
————————————————————————————————————–

9. Registry analysis

————————————————————————————————————–
AppCompatCache Parser :
Dumps list of shimcache entries showing which executables were run and their modification dates. Further details.
http://binaryforay.blogspot.co.uk/p/software.html
————————————————————————————————————–
ForensicUserInfo :
Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file
http://www.woanware.co.uk/forensics/forensicuserinfo.html
————————————————————————————————————–
Process Monitor :
Examine Windows processes and registry threads in real time
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
————————————————————————————————————–
RECmd :
Command line access to offline Registry hives. Supports simple & regular expression searches as well as searching by last write timestamp. Further details.
http://binaryforay.blogspot.co.uk/p/software.html
————————————————————————————————————–
Registry Decoder :
For the acquisition, analysis, and reporting of registry contents
http://www.digitalforensicssolutions.com/registrydecoder/
————————————————————————————————————–
Registry Explorer :
Offline Registry viewer. Provides deleted artefact recovery, value slack support, and robust searching. Further details.
http://binaryforay.blogspot.co.uk/p/software.html
————————————————————————————————————–
RegRipper :
Registry data extraction and correlation tool
http://regripper.wordpress.com/
————————————————————————————————————–
Regshot :
Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software
http://sourceforge.net/projects/regshot/files/
————————————————————————————————————–
ShellBags Explorer  :
Presents visual representation of what a user’s directory structure looked like. Additionally exposes various timestamps (e.g., first explored, last explored for a given folder. Further details.
http://binaryforay.blogspot.co.uk/p/software.html
————————————————————————————————————–
USB Device Forensics :
Details previously attached USB devices on exported registry hives
http://www.woanware.co.uk/forensics/usbdeviceforensics.html
————————————————————————————————————–
USB Historian :
Displays 20+ attributes relating to USB device use on Windows systems
http://www.4discovery.com/our-tools/
————————————————————————————————————–
USBDeview :
Details previously attached USB devices
http://www.nirsoft.net/utils/usb_devices_view.html
————————————————————————————————————–
User Assist Analysis :
Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys
http://www.4discovery.com/our-tools/
————————————————————————————————————–
UserAssist :
Displays list of programs run, with run count and last run date and time
http://blog.didierstevens.com/programs/userassist/
————————————————————————————————————–
Windows Registry Recovery :
Extracts configuration settings and other information from the Registry
http://www.mitec.cz/wrr.html
————————————————————————————————————–
10. Application analysis

————————————————————————————————————–
Dropbox Decryptor :
Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox
http://info.magnetforensics.com/dropbox-decryptor
————————————————————————————————————–
Google Maps Tile Investigator :
Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context
http://info.magnetforensics.com/google-maps-tile-investigator
————————————————————————————————————–
KaZAlyser :
Extracts various data from the KaZaA application
http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software
————————————————————————————————————–
LiveContactsView :
View and export Windows Live Messenger contact details
http://www.nirsoft.net/utils/live_messenger_contacts.html
————————————————————————————————————–
SkypeLogView :
View Skype calls and chats
http://www.nirsoft.net/utils/skype_log_view.html
————————————————————————————————————–

tv crime2
Government CIO says National Research Council was hit by intrusion from ‘sophisticated’ state-sponsored actor

The Canadian government has said it will take it a year to build a more secure IT infrastructure after the National Research Council (NRC) was hit by a recent cyber attack it’s blaming on Beijing.

In a brief statement, the NRC said that intelligence agency the Communications Security Establishment had recently “detected and confirmed” an intrusion into its infrastructure.

“Following assessments by NRC and its security partners, action has been taken to contain and address this security breach, including protecting its information holdings and notifying the Privacy Commissioner. NRC has also taken steps to inform its clients and stakeholders about this situation,” it added.

“NRC is continuing to work closely with its IT experts and security partners to create a new secure IT infrastructure. This could take approximately one year however; every step is being taken to minimize disruption.”

A separate statement by the Government of Canada CIO went further, claiming the attack was perpetrated by a “highly sophisticated Chinese state-sponsored actor”.

“While the National Research Council’s networks do not currently operate within the broader Government of Canada network, since the detection and confirmation of the cyber intrusion, the National Research Council’s networks have been isolated from the broader Government of Canada network as a precautionary measure,” it added.

“We have no evidence that data compromises have occurred on the broader Government of Canada network.

China appears to have assumed its typical stance in response to such allegations – outright denial.

Yang Yundong, a Chinese embassy spokesman in Ottowa, emailed Bloomberg to angrily refute what he described as “groundless allegations”.

The question now remains whether, after potentially a whole year, the NRC’s newly fortified security systems will be up to the task of defending against the next generation of advanced attacks no doubt currently being developed by nation states.

Amichai Shulman, CTO of security firm Imperva, argued that any “meaningful change” to IT infrastructure takes time.

“It is quite obvious today that adopting a technology across a large organization takes more time than it takes for the next technology to emerge,” he told Infosecur

“This is the reality and we should embrace it. Organizations find different ways to handle this risk in the general IT domain and particularly in the IT security domain.”

Planning infrastructure changes with “visionary consultants” and installing products from vendors who have capabilities “on top of market requirements” are just two ways to future-proof systems, he added.

“Moreover, by working with vendors who provide holistic solutions rather than niche products and system integrators who provide the integration between products of different domains the organization is better fitted for the unforeseen challenges of the day after deployment ends,” claimed Shulman.

Richard Cassidy, senior solutions architect at Alert Logic, argued that auditing and continual review of “security systems, practices and data” can help organizations stay one step ahead of more advanced threats.
“It is positive that the need to review existing infrastructure and practices has been identified, but more importantly for NRC is in the understanding on why the incident occurred and how they can assure they put in place processes around existing available technologies to continually monitor, review and respond to anomalies, suspicious activity or unauthorized access attempts to critical assets once the new infrastructure is implemented,” he added

Reported by Infosecurity

tv crime2
Wanna buy a botnet? It will cost you somewhere in the region of $700. If you just want to hire someone else’s botnet for an hour, though, it can cost as little as $2.

Maybe you’d like to spy on an ex — for $350 you can purchase a Trojan horse that lets you see all incoming and outgoing texts. Or maybe you’re just in the market for some good old-fashioned spamming — that will cost you $10 for someone to send a million e-mails on your behalf.

These are the going rates in Russia’s underground cybercrime market — a vibrant community of ne’er-do-wells offering every conceivable service at dirt-cheap prices — as profiled in security firm Trend Micro’s report, Russian Underground 101, which provides insight into the workings of the hidden economy.
Russia’s cybercrime market is “very mature,” says Rik Ferguson, Trend Micro’s director of security research and communications. “It’s been in place for quite some time. There are people offering niche services, and every niche is catered for.”

The report details a range of products offered in the underground, including ZeuS, a hugely popular Trojan horse that’s been around for at least six years. ZeuS creates botnets that remotely store personal information gleaned from users’ machines, and has been discovered operating on everything from home-based computers to the networks of large organizations such as Bank of America, NASA and Amazon. In 2011, the source code for ZeuS was released into the wild, which has made it “a criminal open source project,” Ferguson says. Variants of ZeuS now sell for $200-$500.

Cybercrime techniques go in and out of fashion like everything else — and in that sense, ZeuS is unusual for its longevity. Its success in large part is due to the fact that viruses and Trojans can be easily adapted to take advantage of whatever hot story is in the news — presidential elections, hurricane Sandy — in order to make fraudulent messages and spam emails seem more legitimate to users.

DNSChanger is another popular Trojan horse that operated from 2007-2011. It altered the DNS settings on machines to redirect a victim’s browser to a webpage with ads that earned the scammers affiliate revenue. One prominent DNSChanger crime ring called Rove Digital was busted in Estonia in 2011 following a six-year FBI investigation. During that time, it is estimated the scammers earned around $14 million.

As a result of the bust, the FBI was left with a lot critical web infrastructure on its hands that controlled infected machines, including machines at major organizations. Victim machines could only access the web through the Rove Digital servers. So authorities spent months warning computer users to check their computers for DNSChanger infections so that when the Estonian servers were finally taken offline, it wouldn’t affect the ability of victims to surf the web.

So-called “ransomware” is an example of a more recent cybercrime trend, whereby the victim’s computer is locked down, and the hard drive is encrypted by a remote attacker. All the user sees on the screen is a message that tells them that local law enforcement has detected child pornography or pirated software on their PC. In order to unlock their machine, the message instructs victims to send money to a certain bank account. No payment, no unlocked hard drive.

Some victims who have paid the “fine” actually report getting their information back, says Ferguson. “But you’ve labeled yourself as an easy mark, and there’s no telling if they haven’t left behind a backdoor which will let them come back and try again,” he says.
The most recent trends in cybercrime are focused on mobile — particularly Android devices — Ferguson says.
We’ve seen so far 175,000 malicious threats for Android, and we expect that to be a quarter of a million by next year,” he says. “Those threats come from malicious apps — if you want to stay safe, stick to official channels like Google Play, don’t just download from any site.”

Prices are going down across the Russian underground, Ferguson says.
“The bad guys are using technologies to drive down costs in the same way businesses are,” he says, noting the person who recently claimed online to have bought the personal information of 1.1 million Facebook users for just $5.
While hackers and other cyber criminals can save by buying in bulk, the cost to the individual, or the business, that falls victim to one of these techniques is much higher.

The following is a survey of current prices on the Russian underground market:
• Basic crypter (for inserting rogue code into a benign file): $10-$30
• SOCKS bot (to get around firewalls): $100
• Hiring a DDoS attack: $30-$70/day, $1,200/month
• Email spam: $10 per one million emails
• Email spam (using a customer database): $50-$500 per one million emails
• SMS spam: $3-$150 per 100-100,000 messages
• Botnet: $200 for 2,000 bots
• DDoS botnet: $700
• ZeuS source code: $200-$500
• Windows rootkit (for installing malicious drivers): $292
• Hacking Facebook or Twitter account: $130
• Hacking Gmail account: $162
• Hacking corporate mailbox: $500
• Winlocker ransomware: $10-20
• Unintelligent exploit bundle: $25
• Intelligent exploit bundle: $10-$3,000

Other articles:
Study supports economic approach to tackling cybercrime

Source: http://www.wired.com

 

tv crime2

Ever wondered what the numbers on your credit card mean? Well wonder no longer

CrackingCreditCode

tv crime2

Here is a list of my favorite old & new school information security & hacking tools: 

Burpsuite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an applications attack surface, through to finding and exploiting security vulnerabilities.

Cain & Abel

Cain & Abel is a password-cracking juggernaut that runs on Windows. This amazing software, created by Mass-imiliano Montoro, features more than a dozen different useful capabilities for cracking passwords and various encryption keys. For starters, Cain can dump and reveal various encrypted or hashed passwords cached on a local Windows machine, including the standard Windows LANMAN and NTLM password representations, as well as application-specific passwords for Microsoft’s Outlook, Internet Explorer and MSN Explorer. Organizations can use Cain to test individual passwords and the effectiveness of their password policies. Cain & Abel can crack passwords for over a dozen different OS and protocol types. Just for the Windows operating system alone, Cain handles the LANMAN and NTLM password representations in the SAM database, as well as Windows network authentication protocols such as LANMAN Challenge and Response, NTLMv1, NTLMv2 and Micro-soft Kerberos. Its integrated sniffer monitors the LAN, grabbing challenge-and- response packets and cracking passwords using a built-in dictionary of more than 306,000 words. Beyond Windows passwords, Cain also cracks various Cisco passwords, routing proto-col hashes, VNC passwords, RADIUS Shared Secrets, Win95/98 Password List (PWL) files, and Micro-soft SQL Server 2000 and MySQL passwords. It can also crack IKE pre-shared keys in order to penetrate IPSec VPNs that use IKE to exchange and to update their cryptography keys. Beyond password cracking, Cain includes a wireless LAN discovery tool, a hash calculator and an ARP cache-poisoning tool (which can be used to redirect traffic on a LAN so that an attacker can more easily sniff in a switched environment)–all bound together in a sophisticated GUI.

DNSiff

DNSiff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

Ettercap

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis. Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.

Fast-track 

Fast-track is an open source security tool aimed at helping penetration testers conduct highly advanced and time consuming attacks in a more methodical and automated way. Fast-Track is now included in Backtrack version 3 onwards under the Backtrack –> Penetration category. In this talk given at Shmoocon 2009, the author of Fast-Track Dave Kennedy runs us through a primer on the tool and demonstrates 7 different scenarios in which he breaks into systems using the Fast-Track tool. These scenarios include automated SQL injection, MSSQL brute forcing, Query string pwnage, Exploit rewrite, Destroying the Client and Autopwnage.

Fport

fport identifies all open TCP/IP and UDP ports and maps them to the owning application.

GFI LANguard

GFI LANguard Network Security Scanner (N.S.S.) automatically scans your entire network, IP by IP, and plays the devil’s advocate alerting you to security vulnerabilities.

Hping

hping is a command-line oriented TCP/IP packet assembler/analyser. The interface is inspired to the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features. Kind of like the ping program (but with a lot of extensions).

IP Filter

IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services.

John the Ripper

John the Ripper is a fast password cracker, currently available for many flavours of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

Kismet

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media such as DECT.  It separates and identifies different wireless networks in the area.

Metasploit Community Edition

Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners. This helps prioritize remediation and eliminate false positives, providing true security risk intelligence. Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.

Ncat

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.

Nessus

The Nessus Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner for Linux, BSD, Solaris, and other flavours of Unix.

Netcat

Netcat has been dubbed the network Swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol

NetFilter

NetFilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling.

NexPose Community edition 

The Nexpose Community Edition is a free, single-user vulnerability management solution. Nexpose Community Edition is powered by the same scan engine as Nexpose Enterprise and offers many of the same features.

Nikto2

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.

Nmap

Nmap (Network Mapper) is a free and open source (license) utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

OpenPGP

OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann.

OpenSSH

OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools, which encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.

Paros Proxy

Many custom Web apps are vulnerable to SQL injection, cross-site scripting, session cloning and other attacks. Attackers often rely on a specialized Web proxy tool designed to manipulate Web applications to reveal and exploit such flaws–and so must you. A Web app manipulation proxy sits between the attacker’s browser and the target Web server. All HTTP and HTTPS requests and responses are channelled through the proxy, which gives the attacker a window to view and alter all of the information passed in the browsing session, including any variables passed by the Web app in cookies, hidden form elements and URLs. Paros Proxy, which runs on Windows or Linux (with a Java Run-time Environment), is the best of these proxies, chock-full of Web app assessment widgets that make it a versatile and powerful hacking tool:

  1. Recorder. Paros goes be-yond similar tools by maintaining a thorough history of all HTTP requests and responses. Later, the attacker can review all of the actions, with every page, variable and other element re-corded for detailed analysis.
  2. Web spider. An automated Web spider surfs every linked page on a target site, storing its HTML locally for later inspection, and harvests URLs, cookies and hidden form elements for later attack.
  3. Hash calculator. Attackers sometimes have a hunch about the encoding or hashing of specific data elements that are returned. Using the Paros calculator, a hacker can quickly and easily test such hunches. Paros Proxy has a GUI tool for calculating the SHA-1, MD5 and Base64 value of any arbitrary text typed in by its user or pasted from an application.
  4. SSL-buster. While most other Web app attack and assessment proxies handle server-side SSL certificates, Paros can also probe apps that require client-side SSL certificates.

Paros also includes automated vulnerability scanning and detection capabilities for some of the most common Web application attacks, including SQL injection and cross-site scripting. Paros even scans for unsafe Web content, such as unsigned ActiveX controls and browser ex-ploits sent by the target Web server.

Pf

OpenBSD Packet Filter

SAINT

SAINT network vulnerability assessment scanner detects vulnerabilities in your network’s security before they can be exploited.

Snort

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.

Sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

TCPdump

TCPdump is the most used network sniffer/analyser for UNIX.

TCPTrace

analyses the dump file format generated by TCPdump and other applications.

THC-Hydra

A very fast network logon cracker which support many different services.

TripWire

Tripwire is a tool that can be used for data and program integrity assurance.

W3af

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

Webscarab

WebScarabhas a large amount of functionality, and as such can be quite intimidating to the new user. But, for the simplest case, intercepting and modifying requests and responses between a browser and HTTP/S server, there is not a lot that needs to be learned.

Wellenreiter

A Passive WLAN detector. While numerous tools detect wireless LANs, one of the very best is Wellenreiter. Traditional war driving tools, such as the popular NetStumbler, send a barrage of probe request packets to find wireless access points. But, NetStumbler can’t locate an access point that’s configured to ignore probe requests from clients that don’t know the WLAN SSID. Max Moser’s Wellenreiter can. Wellenreiter is completely passive; instead of sending probe requests, it puts a wireless card into so-called “rfmon mode,” so that it sniffs wireless traffic, capturing all data sent, including the entire wireless frames of all packets with their associated SSIDs, displaying the discovered access points in its GUI. It then listens for ARP or DHCP traffic to determine the MAC and IP addresses of each discovered wireless device. Wellenreiter can store wireless packets in a tcpdump or Wireshark packet capture file for later detailed analysis. An attacker or wireless penetration tester can fire up Wellenreiter, let the tool run passively for an hour or so, and return to find a nifty inventory of nearby wireless devices. It can also interface with GPS devices; storing the physical location of each war-driving computer when wireless LANs are detected. Wellenreiter runs on Linux and supports Prism2, Lucent and Cisco wireless cards.

Wikto

You need a solid Web server vulnerability scanner if you’re going to find flaws before attackers do. Internet-facing Web apps open enormous business opportunities–and dangerous holes for malicious and criminal hackers. In the last year, thousands of sites running vulnerable phpBB Web forum scripts, and countless others hosting the AWStats CGI script for gathering access statistics from log files, have fallen victim to attackers. Beyond those notable examples, vulnerabilities in various Web scripts are discovered on a regular basis. To help find such flaws in your network, turn to Wikto, an impressive Web server scanning tool. Written by Sensepost, a security services firm based in South Africa, Wikto builds on the popular command-line Nikto Web scanner Perl script with an easy-to-use Windows GUI and extended capabilities. Like Nikto, Wikto searches for thousands of flawed scripts, common server misconfigurations and unpatched systems. Wikto adds HTTP fingerprinting technology to identify Web server types based on their protocol behaviour’s, even if administrators purposely disguise Web server banner information to deceive attackers. For white hats, it’s a powerful inventory feature. What’s more, attackers are increasingly turning to well-crafted Google searches to look for vulnerable sites. Security researcher Johnny Long maintains the Google Hacking Database (GHDB) list of more than 1,000 Google searches that can locate vulnerable systems. Wikto can import the latest GHDB vulnerability list, and then query Google for such holes in your domain.

Winfingerprint

A Windows configuration harvester. Windows systems contain a treasure trove of sensitive configuration information that’s accessible in a variety of ways. Attackers and assessment teams typically extract as much information as possible from Windows systems to help refine and augment their vulnerability scans. Winfingerprint, written by Vacuum, is an invaluable tool for harvesting Windows configuration information, using a variety of mechanisms, including Windows domain access, Active Directory and Windows Manage-ment Instrumentation (WMI), Microsoft’s comprehensive framework for analysing system configurations. Winfingerprint pulls lists of users, groups and security settings from a single Windows machine or a network range. The tool also grabs information about the local hard drives of target machines, local system time and date, registry settings, and event logs. Rounding out its features, this handy tool includes a Simple Network Management Protocol (SNMP) scanner, as well as a TCP and UDP port scanner, all accessible from a single GUI

Wireshark

Wireshark is a network protocol analyser. It lets you capture and interactively browse the traffic running on a computer network.

botty

Click to enlarge

tv crime2Security researchers from Webroot, have spotted a new updated version of DIY (do it yourself) botnet kit Coded in Visual Basic Script 6.0, available for sale at selected underground communities. DIY is a very user-friendly tools allowing anyone an easy entry into the world of cybercrime, and securing their revenue streams thanks to the active advertisements of these tools across closed cybercrime friendly Web communities. The bot has a built-in pharming feature, a bit of an outdated approach for stealing accounting data compared to modern crimeware releases, but still highly effective on hosts where the user isn’t aware of how the process actually works.

tv crime2OSForensics updated to version 2.0. OSForensics allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data. It lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively. New version having ability to capture pages from web sites and add them to a case and Support for multiple drives & folders when indexing, searching multiple set of index files in a single search, Faster search times of indexes (up to 500% faster) ,Much improved E-mail browser, Dozens of other improvements and bug fixes. You can download the latest version of OSForensics here.

osforensics