VirtualBox & VMware on Linux error – no source

2012.06.24

Well, sometimes things just stop working.

VirtualBox complains that its kernel modules are not running and asks You to run, as root:

# /etc/init.d/vboxdrv setup

Well, 99% of the places Google sends You to will recommend:

# yum install gcc kernel-devel kernel-headers

And it helps... But what if it doesn't?
Then they recommend defining KERNEL_DIR=
Well, sometimes that helps too, but what if it doesn't?

Well, let's cut it short...
Here is what I found as an additional problem on RHEL & CentOS (& Fedora).
Nothing helps?

$ uname -a

Does Your kernel have .PAE in its name?
If yes – then, as root:

# yum install kernel-PAE-devel

and then

# /etc/init.d/vboxdrv setup 
Done.
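To make the PAE case above less of a guessing game, here is an added example (my own, not from the original post) that picks the matching devel package from the kernel release string and checks whether the headers that vboxdrv setup needs are already in place. It assumes Fedora/RHEL naming, where a PAE kernel carries ".PAE" in its release, and takes an optional root prefix so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not part of the original post. Works out which kernel-devel
# package the running kernel needs and whether its headers are present, which
# is what "/etc/init.d/vboxdrv setup" silently depends on.

# Package providing headers for a kernel release (as printed by "uname -r").
# Assumption: Fedora/RHEL naming, a PAE kernel has ".PAE" in its release.
kernel_devel_pkg() {
    case "$1" in
        *PAE*) echo "kernel-PAE-devel" ;;
        *)     echo "kernel-devel" ;;
    esac
}

# Directory the module build uses as KERNEL_DIR. $2 is an optional root
# prefix so the check can run against a constructed tree instead of /.
kernel_build_dir() {
    echo "${2:-}/lib/modules/$1/build"
}

# 0 when headers for release $1 are installed (build dir has a Makefile).
headers_present() {
    dir=$(kernel_build_dir "$1" "${2:-}")
    [ -f "$dir/Makefile" ]
}

# Prints the yum command still needed, or "ok" when nothing is missing.
vbox_fix_plan() {
    if headers_present "$1" "${2:-}"; then
        echo "ok"
    else
        echo "yum install $(kernel_devel_pkg "$1")"
    fi
}

# On a real machine (as root):
#   plan=$(vbox_fix_plan "$(uname -r)")
#   [ "$plan" = ok ] || $plan
#   /etc/init.d/vboxdrv setup
```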

wget thru tor network – how to? Easy!

2012.06.05

Looks like a common task – running wget via Tor. No? Just me?
Apparently, when You google it, You are sent to forums, man pages, or whatever workarounds are possible, because wget doesn't support SOCKS proxies natively, and Tor is not an HTTP\HTTPS proxy.
As a matter of fact, it's easy 🙂
We'll need tor and proxychains to accomplish our goal.

1. Add the Tor repository if You have not done this yet:

https://www.torproject.org/docs/rpms.html.en

2. Then install tor and proxychains:
$ sudo yum install tor proxychains

3. Start the tor service:
$ sudo service tor start

4. Check that the proxychains config contains the proper line for forwarding traffic to the Tor network:
$ sudo nano /etc/proxychains.conf
At the bottom, verify that the following line is present; if not – add it.
socks4  127.0.0.1 9050

5. Test the config:
$ proxychains wget http://whoer.net/extended

Then open the downloaded extended page in any HTML viewer and check which IP was logged. 🙂
Working.


How secure “AMMYY Admin” is – thoughts and results

2012.05.29

Another recent review of mine, about the AMMYY Admin software – usually used for quick and easy remote access to a computer.

Pros:

1. Fast [it is damn fast, indeed]

2. Simple for end user:  Click – Run – Spell – Approve.

3. No installation required (possible, but not necessary) + free.

4. Embedded File Explorer to transfer files between computers (both ways)

5. Secure [so they say, at least!]  ….

Let’s see:


Egged WiFi – Security review

2012.05.28

As You may have noticed previously, I am a frequent customer of the free WiFi from Egged\Mako.

Here is a bored person's look at some minor (or not – who knows) configuration issues during a trip on an Egged bus, when there was a problem with the Internet.


Install jsunpack-n on Fedora\RHEL

2012.05.22

Suddenly, one day jsunpack.jeek.org became unavailable due to some internal error, and I had a few samples to decrypt.
So – Google found the jsunpack-n project for me.

Well, a nice one, but as usual, the installation instructions are written for Ubuntu (mainstream 🙂 ).

Here is a small guide for those who need to use this awesome tool under Fedora\RHEL or even CentOS (not tested, update me if You did).

After You have all the files in the jsunpack-n folder, go and open the INSTALL file, written by Blake Hartstein. I will refer to this INSTALL file each time we can proceed with the original install instructions.

1. Let's install all the packages required for a successful compilation:

# yum install libpcap-devel pkgconfig python-devel gtk2-devel libnet-devel  pcre-devel pcre gcc-c++ gcc

2. Good. Now we need to install libnids-1.24 (or – at least – configure and make it) from the folder depends/pynids-0.6.1/libnids-1.24:

$ cd depends/pynids-0.6.1/libnids-1.24

$ ./configure

$ make

# make install

p.s. If You install libnids from Your distribution's repositories instead, pynids-0.6.1 will fail to set itself up with the error:

gcc: error: libnids-1.24/src/libnids.a: No such file or directory

3. Install the dependencies, as mentioned in the INSTALL file, one by one.

4. Try to run it:

$ python jsunpackn.py -u http://google.com

5. See the result in temp/files.

Known issues:

1. Yara error

In case You get the message ImportError: libyara.so.0 when running jsunpackn.py, run the following commands:

# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig
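The echo >> /etc/ld.so.conf above appends a new copy of the line every time it is run, and the proxychains step in the wget-through-Tor post has the same "is this line already there?" question. Here is an added helper (my own, not part of either post) that checks for an uncommented line first and only appends when it is missing; it assumes lines should match literally after comments are stripped and runs of whitespace are collapsed.

```shell
#!/bin/sh
# Added example, not part of the original posts: add a configuration line
# only once, then use the same check for the proxychains Tor entry.
# Assumption: a line matches when it is equal after stripping "#" comments
# and collapsing runs of whitespace to a single space.

# norm: read stdin, drop comments, squeeze blanks, trim the ends
norm() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//'
}

# has_line FILE LINE -> 0 when an uncommented line equal to LINE exists
has_line() {
    [ -f "$1" ] || return 1
    want=$(printf '%s\n' "$2" | norm)
    norm < "$1" | grep -Fxq -- "$want"
}

# ensure_line FILE LINE -> appends LINE only when missing; prints what
# happened ("added" or "present") so a caller can log it.
ensure_line() {
    if has_line "$1" "$2"; then
        echo "present"
    else
        printf '%s\n' "$2" >> "$1"
        echo "added"
    fi
}

# proxychains_ready FILE -> 0 when the SOCKS entry from the Tor post is
# active in the given proxychains.conf (a commented copy does not count)
proxychains_ready() {
    has_line "$1" "socks4  127.0.0.1 9050"
}

# Real use (as root):
#   ensure_line /etc/ld.so.conf /usr/local/lib && ldconfig
#   proxychains_ready /etc/proxychains.conf || echo "add socks4 line"
```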

2. LZW error

In case You get the error ImportError: No module named lzw when running jsunpackn.py:

Go to the website http://pypi.python.org/pypi/lzw/

Download, unpack and install the LZW package:

$ cd lzw-0.01.11/
$ python setup.py build
# python setup.py install

Cheers!

Cleanup Flashback trojan from Mac – how to

2012.04.06

Actually, You have to be a bit technical to take the steps to check Your MacOS for the recent major infection by BackDoor.Flashback, also known as the Flashback trojan.

The best way is to follow the recommendations from F-Secure on how to detect and remove it from Your Mac.

But in case You are not a technical person, You can start with the script that Michael Hertzberg (thx for this!) posted on Mashable.com:

Go to Applications > Utilities > Terminal
Paste this in:

cat ~/Library/LaunchAgents/* > /tmp/.hi && cat /Library/LaunchAgents/* >> /tmp/.hi && cat /tmp/.hi | grep -E 'zeo|mkeeper' | wc -l && rm -rf /tmp/.hi

If it replies back with "1" then you're infected. If it replies back with "0" then you aren't infected.

Basically, what this set of commands does is: it takes all files in both the user and the global LaunchAgents directories, pastes their content into the file /tmp/.hi, and then searches this file for keywords that indicate the presence of the virus – in this case zeo & mkeeper.
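The same check, as an added example of mine (not the Mashable one-liner), written without the shared /tmp/.hi file (world-readable, and deleted with rm -rf) and reporting which LaunchAgents file matched rather than a bare line count. The directories are passed as arguments so it can be exercised against a constructed tree; on a Mac You would pass ~/Library/LaunchAgents and /Library/LaunchAgents. The zeo|mkeeper pattern is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: scan LaunchAgents
# directories for the indicator strings quoted above without a temp file.
# On a Mac: flashback_status ~/Library/LaunchAgents /Library/LaunchAgents

FLASHBACK_PATTERN='zeo|mkeeper'   # indicators from the post

# flashback_hits DIR... -> prints each matching file path on its own line
flashback_hits() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            # -l prints the file name on a match; a miss is not an error
            grep -lE "$FLASHBACK_PATTERN" "$f" 2>/dev/null || true
        done
    done
    return 0
}

# flashback_status DIR... -> prints "infected" (and returns 1) when any
# file matched, "clean" (returns 0) otherwise; suitable for alerting.
flashback_status() {
    hits=$(flashback_hits "$@")
    if [ -n "$hits" ]; then
        echo "infected"
        return 1
    fi
    echo "clean"
    return 0
}
```

A "1" from the original one-liner only tells You that one line matched somewhere; flashback_hits tells You which file to look at and remove.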

Will check myself tomorrow at the clients' machines, but for all those who are looking to be sure – have Yourself checked + install AV for your Mac, even if "there are no viruses for Mac" :))

upd: Free removal tool from DrWeb in the iTunes App Store – http://itunes.apple.com/us/app/dr.web-light/id471859438?mt=12

MS12-020 aka CVE-2012-0002 by Luigi Auriemma

2012.03.16

Well, here is the moment – on 16.03.2012 Luigi Auriemma, the researcher who discovered (or made public) the RDP RCE flaw in the Microsoft Remote Desktop Protocol, released the technical info.

There were a few comments here and there that a strictly elite exploit for this flaw was already known, but since no proof was released, let's assume this is a new threat.

Paper

Code

According to Mr. Auriemma, the bug was discovered on 16.03.2011 (!) – wow, this is an example of restraint. About a year with a critical, all-modern-platforms MS bug in his pocket, waiting for the vendor to fix it. White Hat of the year 2011 – indeed.

Now – we can just wait for the worm to come… And let's hope it will not be like the sandworm from Dune 🙂

Patch CVE-2012-0002: Microsoft RDP Remote Code Execution Vulnerability

2012.03.14

The vulnerability in RDP reported by Luigi Auriemma has not been widely exploited so far, but a patch has been released, which means it can be reversed. From tomorrow, all Your Windows machines should be patched, otherwise You are in trouble. The list of vulnerable systems literally includes all Windows machines that can be reached via RDP, both clients and servers.

The best way – run Windows Update.

If You prefer manual patching, here is the list (system: required updates):

Clients:

Microsoft Windows 7 for x64-based Systems SP0: KB2621440, KB2667402
Microsoft Windows 7 for x64-based Systems SP1: KB2621440, KB2667402
Microsoft Windows 7 for 32-bit Systems SP0: KB2621440, KB2667402
Microsoft Windows 7 for 32-bit Systems SP1: KB2621440, KB2667402
Microsoft Windows XP Professional x64 Edition SP2: KB2621440
Microsoft Windows Vista x32 SP2: KB2621440
Microsoft Windows Vista x32 SP2: KB2621440

Servers:

Microsoft Windows Server 2003 Datacenter x64 Edition SP2: KB2621440
Microsoft Windows Server 2003 x64 SP2: KB2621440
Microsoft Windows Server 2003 x32 Standard Edition SP2: KB2621440
Microsoft Windows Server 2003 Itanium SP2: KB2621440
Microsoft Windows Server 2008 for 32-bit Systems SP2: KB2621440
Microsoft Windows Server 2008 for x64s SP2: KB2621440
Microsoft Windows Server 2008 R2 x64 SP1: KB2621440, KB2667402
Microsoft Windows Server 2008 for x64 SP2: KB2621440
Microsoft Windows Server 2008 for x64 R2: KB2621440, KB2667402
Microsoft Windows Server 2008 R2 Itanium SP0: KB2621440, KB2667402
Microsoft Windows Server 2008 for Itanium SP2: KB2621440
Microsoft Windows Server 2008 R2 Itanium SP1: KB2621440, KB2667402

Google Chrome Extensions – 40% have vulnerabilities.

2012.03.01

Last week, the University of California, Berkeley, released the paper by Nicholas Carlini, Adrienne Porter Felt, and David Wagner, "An Evaluation of the Google Chrome Extension Security Architecture".

Let me just add the conclusion here:

We performed a security review on a set of 100 Google Chrome extensions, including the 50 most popular, and found that 40% have at least one vulnerability. Based on this set of vulnerabilities, we evaluated the effectiveness of Chrome’s three extension security mechanisms: isolated worlds, privilege separation, and permissions. (p 12)

So, look at the paper itself and, maybe, consider using something else, if You use Chrome 🙂

p.s. And recommend to Your clients not to use Chrome as the default browser…


Forensic Acquisition Utilities

2012.02.21

Found an interesting set of tools by GMG Systems, Inc – FAU, or Forensic Acquisition Utilities.

It is a toolkit of a few utilities for Windows systems (supported from Windows 2000 up to the recent Windows 7 & Windows Server 2008) that provides basic tools for interacting with an evidence machine. From the website of George M. Garner Jr. (the author):

What's included in this release:
Included in this release are x86 and x64 versions of the following modules:
1. Dd.exe: A completely new implementation inspired by the popular GNU dd utility program.
2. Volume_dump.exe: An original utility to dump volume information and drive information and USN journals.
3. FMData.exe: An original utility to collect file system metadata, to produce and verify security catalogs (cryptographic hash sets) using one or more cryptographic hash algorithms and to verify system binaries using the system file checker (SFC) API.
4. Wipe.exe: An original utility to sterilize media prior to forensic duplication.
5. Nc.exe: A completely new implementation of the popular Netcat utility inspired by the original version created by Hobbit.
6. Zlib.dll: The latest version of Jean-loup Gailly and Mark Adler's Zlib (currently version 1.2.3).
7. Bzip2.dll: The latest version of J. Seward's bzip2 library (currently 1.0.4).
8. Boost_regex-vc80-mt-1_34_1.dll: Boost's regular expression library.
9. Fauerror_xxx.dll: A series of dynamic link libraries (dll's) that contain the localized language strings for FAU output. There is one dll for each locale supported by the FAU.

For those looking for some special features (like no access to local drives by default from all the presented tools) – see the remarks on the author's site.