  • Last News (22/01/2008)
    Blog discontinued... 1000 sorry! Hope that visitors have enjoyed the stuff... Visit kareldjag.over-blog for more news in the near future :)
  • Rootkit test 3 (30/12/2007, published in: METHODOLOGY)
    Rootkit technology detection and prevention: - with Rootkit Demo 1.2: this Russian demo is designed to hide its presence and to make the speaker beep. RKDemo does not use a particular hiding method, but takes advantage of Windows functions (it returns an "error control" to the system). More...
  • METHODOLOGY Part 2 (30/12/2007, published in: METHODOLOGY)
    PART 2: IN THE WILD WITH REAL MALWARE. 7) Boot sector/BIOS/MBR protection: MBR virus. When a computer is protected neither with a BIOS password nor by an antivirus (only a HIPS), an ill-intentioned person can easily boot the computer from external drives...
  • Why some tests are done with HIPS disabled (30/12/2007, published in: METHODOLOGY)
    For some tests, we consider the HIPS as disabled. These tests cover the scenario where an ill-intentioned person wants to install malware (a backdoor, spy tools like keyloggers, etc.) on a computer directly, with physical access. We consider that this person: - has no access to the admin account (logged...
  • METHODOLOGY Part 3 (30/12/2007, published in: METHODOLOGY)
    CLIENT/SERVER SIDE ATTACKS and other tests: here we distinguish attacks which occur via the browser from malware which infects the system. NB. As some vulnerabilities may have been patched since, the tests are run on Windows XP2 updated only until the end of 2005. 11. URL obfuscation: at...
  • METHODOLOGY Part 1 (30/12/2007, published in: METHODOLOGY)
    FIRST PART, based on behaviour (more screenshots here). 1a. Execution protection - with the Task Manager launched via Ctrl+Alt+Del - via the Start/Run menu - with srip32 launched by explorer.exe - with shellcode for running notepad.exe and calc.exe (2 tools used for this test) - ...
  • Oddysee Rootkit Test (08/10/2006, published in: METHODOLOGY)
    This rootkit is a pure "hider" (intrusion or hacker tool): it acts as a hidden service/driver. But it does not hide its registry keys, which makes it easy to detect for users who know their system well. In this example, we purposefully take the point of view of ordinary users...
  • Data theft tests 2 (20/08/2006, published in: METHODOLOGY)
    Data theft via sniffing: f. with a command-line sniffer (currently detected by no antivirus on VirusTotal): we run the sniffer (locally) and connect to the webmail. g. with Sniffer (renamed, not detected by antivirus on VirusTotal): we run the sniffer (locally) and connect to the webmail. Here...
  • Data theft tests (07/08/2006, published in: METHODOLOGY)
    Here we illustrate some data theft attacks which can really be used in the wild. a. with a trojan demo: this demo illustrates an "on-the-fly data theft attack": once executed, it launches calc.exe, lists the files of the My Documents folder and reports them (HTML) to Trustware servers. b. with...
  • DefenseWall Test -- Overall (27/06/2006, published in: HIPS TESTS)
    ...
  • DefenseWall Test Part 3 Suite (27/06/2006, published in: HIPS TESTS)
    15° Man-in-the-middle (MIM) attack test: a. SSLSpoofer test: since the file needs a service to work, it is stopped by DefenseWall. The spoofer has to be installed as 'trusted' to create and launch its service and to work; but in that case, DefenseWall is not supposed to prevent it. If we take only in...
  • DEFENSEWALL TEST Part 3 (27/06/2006, published in: HIPS TESTS)
    Part III: Client/server side attacks and other tests. 11° URL obfuscation: DefenseWall doesn't claim to protect against URL obfuscation. Failed. 12° Internet Explorer exploits: a) WMF exploits. Note: DefenseWall doesn't claim to prevent exploits themselves, but...
  • DefenseWall Test Part 2 - suite - (27/06/2006, published in: METHODOLOGY)
    ...
  • DEFENSEWALL TEST Part 2 (27/06/2006, published in: HIPS TESTS)
    ...
  • DEFENSEWALL TEST Part 1 (27/06/2006, published in: HIPS TESTS)
    ...
  • DEFENSEWALL TEST **INTRO** (27/06/2006, published in: HIPS TESTS)
    TESTS DEFENSEWALL ...
  • ROOTKIT Test 2 (24/06/2006, published in: METHODOLOGY)
    For the purpose of this test, we use two demonstrations which illustrate some rootkit methods, technology or behaviour. a. The first demonstration illustrates a hidden-process method via EPROCESS (physical memory access, ntoskrnl mapping, etc.). We use a file which lets us hide...
  • GASPAR Hooker Test (22/06/2006, published in: METHODOLOGY)
    Result of online scans: the original file is detected by no AV on VirusTotal, and the next image relates to the file recompiled as an .exe: this file is a proof-of-concept trojan designed to illustrate some firewall evasion methods: it hooks via OpenProcess, VirtualAllocEx, WriteProcessMemory...
  • PRESENTATION Part 2 (20/06/2006, published in: METHODOLOGY)
    Presentation of the threats used in these tests: as said previously, we can't be fully exhaustive: only samples of malware and attacks are used. This is statistically sufficient to test the efficiency of a HIPS. - adware/spyware: classical spyware such as BHOs is used, with some prevalent ones...
  • MSN TEST 2 (19/06/2006, published in: METHODOLOGY)
    With MSN Pass Sender: we configure this password stealer (here named roberto) and launch it. Here the fake process crss.exe is launched. Now the fake crss.exe installs its Windows hooks via msvbvm60.dll. hijack.exe, launched via cmd, tries to modify lsass.exe. The fake crss.exe tries to connect to the net...
  • ROOTKIT TEST (18/06/2006, published in: METHODOLOGY)
    Here we just illustrate some rootkit behaviours and show their detection by some anti-rootkit tools, well known or not. For more information, take a look at the next version of my article, which will be updated this summer. NB. Srip32.exe is shown as kareldjag.over.blog.exe in some...
  • MAN in the MIDDLE TEST with SSLAGY (R) (14/06/2006, published in: METHODOLOGY)
    This tool, designed by a French specialist, is a proof of concept which illustrates an HTTPS man-in-the-middle attack via Internet Explorer. This tool has been renamed for TOS reasons, and is currently not detected by antivirus (false positives on the next screenshot): SSLAGY uses code injection in...
  • MSN TESTS (13/06/2006, published in: METHODOLOGY)
    With MSN to CGI: this tool uses a kind of social engineering attack in order to deceive the user. First it terminates the real Messenger and replaces it with a fake one; then the user is prompted to type their MSN ID (mail, password), which can then be sent to a preconfigured list of web servers. ...
  • HOOKDUMP Requests (05/06/2006, published in: METHODOLOGY)
    NB. This old keylogger is designed for 16-bit and not Win32 systems, which is why ntvdm.exe is required. In red, the creation of the log. #    Time sent    Dur.    Process    Thread ID    DeviceObject ...
  • PCFlank Leaktest part 2 (05/06/2006, published in: METHODOLOGY)
    Processes: PID    ParentPID    User    Path    ---------------------------------------------------- 272    1476    POSTE2:Administrateur    C:\Documents and Settings\Administrateur.POSTE2\Mes...
  • PCFlank Leaktest (04/06/2006, published in: METHODOLOGY)
    This is the new version of the PCFlank Leaktest. Since there's no "allow/permit" rule for the browser (in our case Internet Explorer), we can't consider that it bypasses firewalls. In fact this leaktest just demonstrates a classical method of spying via browsers by using legitimate...
  • FIREFOX DoS exploit (26/05/2006, published in: METHODOLOGY)
    Time sent    Dur.    Process    Request    IRP Flags    FsContext    Path    Status    More info    1 ...
  • DLL Injection in Firefox.exe (25/05/2006, published in: METHODOLOGY)
    NB. The tool has been renamed for T.O.S. reasons, but can easily be found for free. We launch the injector tool via CMD with the command "kareldjagdll firefox hookdll_heap.dll". If we check the loaded modules of Firefox, we can see the new DLL: For the...
  • HAXSPY Profiling (21/05/2006, published in: METHODOLOGY)
    The scan on VirusTotal: creation of objects (service/driver, DLL and registry entry): process memory injection in explorer.exe: hooks in ntdll: network connections: some other actions: - the loaded driver and service: a summary of the actions: The...
  • Postcard.gif profiling (29/04/2006, published in: METHODOLOGY)
    Processes: PID    ParentPID    User    Path    ---------------------------------------------------- 380    512       C:\Documents and Settings\Internet2\Mes...
  • Virus Profiling (29/04/2006, published in: METHODOLOGY)
    Processes: PID    ParentPID    User    Path    ---------------------------------------------------- 3328    1252        C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes...
  • IE Text Range Exploit (07/04/2006, published in: METHODOLOGY)
    #    Time sent    Dur.    Process    Request    IRP Flags    FsContext    Path    Status    More info    1 ...
  • REGISTRATOR ACTIONS (04/04/2006, published in: METHODOLOGY)
    #    Time sent    Dur.    Process    Request    IRP Flags    FsContext    Path    Status    More info    1 ...
  • PRESENTATION (02/04/2006, published in: METHODOLOGY)
    Introduction, disclaimer and other information. There's no radical and ultimate method for testing HIPS. For evident reasons, we can't submit each product to all available malware and try all possible attacks. Finally, we chose to submit the HIPS to various examples of malware, malware...
  • FINJAN TEST: crashing IE (01/04/2006, published in: METHODOLOGY)
    Process    Request    IRP Flags    FsContext    Path    Status    More info    1    15:20:31.593    0 ...
  • ICMP Sniffing (via CMD) (31/03/2006, published in: METHODOLOGY)
    NB: source and destination IPs have been removed: ICMP datagram sniffer v1.0Alpha5 compiled on Wed Dec 10 04:52:06 1997 PST. loading winsock... winsock version 2.2 (ws2_32.dll) loaded. starting Async window... starting detector... ...now sniffing Mar 17 20:00:27 :Bytes recieved: 68 ***************** IP...