Tuesday, November 24, 2009

iPhone botnets, changing root passwords and forensics

So now that the first real piece of Botnet malware (http://www.computerworld.com/s/article/9141354/New_iPhone_worm_steals_online_banking_codes_builds_botnet?taxonomyId=17) for a mobile phone is in the wild, I wonder what took it so long really. The default root password for the iPhone has been published all over for quite a while.

I continue to believe the mobile devices will be a target for malware authors, especially since the networks continue to get faster. Let's face it, much of the botnet economics is based on bandwidth. What I think is the interesting fallout of this is that for the users who jailbreak for various reasons, the main way to prevent the malware infections is to change the root password. This now creates a problem for those performing forensics on iPhones, since it was fairly easy to make a dd of a jailbroken iPhone. Now we have the potential of a password to deal with.

How to deal with the password issue, if the user doesn't provide it?

My approach in testing so far has been:
1. Get a logical data dump if possible. There is always the chance of the other passcode to deal with.
2. Index the logical data to create a dictionary file.
3. Attempt to use THC Hydra to brute force SSH using the dictionary file created from the logical dump.

Still playing with it.
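Step 2 above, building the dictionary from the logical data, as an added example (my code, not the post's): a Python script that walks a logical extraction, harvests printable tokens from text and binary files alike (the same idea as the `strings` utility), and writes a frequency-ordered wordlist, one entry per line, for the dictionary attempt in step 3. The directory layout and file contents created by `build_sample_dump` are constructed stand-ins, not data from a real device, and the token length bounds are my own choice.

```python
import os
import re
import tempfile
from collections import Counter

# Runs of 4 to 32 printable characters (letters, digits and common password punctuation).
# Works on text files as-is and on binary files by harvesting printable runs, like `strings`.
TOKEN_RE = re.compile(rb"[A-Za-z0-9_@.!$%&*+=?^~\-]{4,32}")


def tokens_from_bytes(data):
    """Yield candidate dictionary entries found in one file's raw content."""
    for match in TOKEN_RE.finditer(data):
        yield match.group(0).decode("ascii")


def build_wordlist(dump_root, max_file_bytes=64 * 1024 * 1024):
    """Walk a logical extraction and return unique tokens, most frequent first.

    Frequency ordering puts names, handles and addresses the owner typed often
    at the top of the list, which is where a user-chosen password is most likely
    to be found."""
    counts = Counter()
    for dirpath, _, filenames in os.walk(dump_root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_file_bytes:
                    continue  # skip media/database blobs that would swamp the list
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: note it elsewhere, keep going
            counts.update(tokens_from_bytes(data))
    return [token for token, _ in counts.most_common()]


def write_wordlist(words, out_path):
    """Write one token per line (the plain password-list format Hydra reads); return the count."""
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


def build_sample_dump(root):
    """Constructed stand-in for a logical extraction; not data from a real device."""
    sms_dir = os.path.join(root, "Library", "SMS")
    os.makedirs(sms_dir)
    with open(os.path.join(sms_dir, "sms.txt"), "w") as fh:
        fh.write("call me about Muffin the cat\nMuffin again\nMuffin vet appointment 2009\n")
    with open(os.path.join(root, "Library", "contacts.vcf"), "w") as fh:
        fh.write("FN:Alice Example\nEMAIL:alice@example.com\nNOTE:wifi pw is dumbledore77\n")
    with open(os.path.join(root, "Library", "prefs.bin"), "wb") as fh:
        # binary plist-like blob: printable runs separated by NUL bytes
        fh.write(b"\x00\x01bplist\x00\x00SSID\x00HomeNetwork\x00\xff\xfe")


def demo():
    """Build the constructed dump in a temp dir and return its ordered wordlist."""
    root = tempfile.mkdtemp(prefix="logical_dump_")
    build_sample_dump(root)
    words = build_wordlist(root)
    write_wordlist(words, os.path.join(root, "wordlist.txt"))
    return words


if __name__ == "__main__":
    for word in demo()[:10]:
        print(word)
```

Tokens shorter than four characters are dropped because they bloat the list without being plausible passwords; the most frequent token in the constructed dump ("Muffin", a pet name repeated in messages) lands first, which is the point of the ordering.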

Saturday, May 2, 2009

Torpig / Mebroot MBR rootkit uses Twitter to calculate C&C domains

The Torpig Botnet is using Twitter search trends to retrieve a seed value.

http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html

Incredibly interesting.


Wednesday, March 4, 2009

Interesting post on the Chicago Electronic Discovery Blog about YAFFS2.

http://chicago-ediscovery.com/android-forensics/android-yaffs2-silly.html

As the original poster notes it will take more research but it appears that the data beyond that object header would be deleted data.

Friday, February 20, 2009

Windows FE

A bunch of postings have cropped up on Troy Larson's Windows FE. The build is fairly straightforward, but diskpart isn't the most fun to work with once it's built and one starts working with it.

http://www.twine.com/item/113421dk0-g99/windows-fe

http://blogs.eweek.com/cheap_hack/content/hacking/do_windows_forensics_in_windows_fe.html

http://grandstreamdreams.blogspot.com/2009/02/windows-fe-details-teased-out-of-web.html

Thursday, February 19, 2009

Gmail Offline

I'm not sure if anyone has played with it much yet, but Gmail now has an offline mode for use when there is no connectivity available. I've played with it some in Google's Chrome since it needs Google Gears to work. A decent posting on it is here:

http://news.cnet.com/8301-17939_109-10152019-2.html?tag=mncol;title

What's cool from a forensics standpoint is that, as we would expect since it caches locally, it would finally create some decent artifacts, since Gmail normally doesn't leave much.

For Chrome at least it creates a series of folders under \Documents and Settings\%userprofile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Google Gears\mail.google.com

It will create files titled mail[{some number}] for each email, and then extract any attachments in the same folders with a reference back to the original email. Example: somepicture[{some number}].jpg

What I found is the coolest part is it uses the same format as documented by John McCash here:

http://sansforensics.wordpress.com/2008/09/19/forensic-gmail-artifact-analysis/

Since it follows the format, his scripts work on the cached files also.
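The artifact layout described above (mail[{n}] message files and {name}[{n}].{ext} attachments in the same folders), as an added example that is not part of the original post: a Python triage script that walks the Gears mail.google.com folder, groups every file by its bracketed message number, hashes each file for the evidence inventory, and flags attachments whose mail[{n}] file is no longer present. The file-name pattern in `ARTIFACT_RE` is my reading of the post's description, not Google's documented format, and the files written by `build_sample_cache` are constructed stand-ins, not real cached mail.

```python
import hashlib
import os
import re
import tempfile

# Name pattern inferred from the post: mail[<n>] for a message, <name>[<n>].<ext> for an
# attachment pulled out of message <n>. This is an assumption, not a published spec.
ARTIFACT_RE = re.compile(r"^(?P<stem>.+?)\[(?P<num>\d+)\](?P<ext>\.[^.]+)?$")


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large attachments don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(gears_root):
    """Group cached Gmail artifacts by message number.

    Returns (messages, other_files). messages maps n -> {"mail": entry or None,
    "attachments": [entries]}; other_files lists names that don't fit the pattern."""
    messages = {}
    other_files = []
    for dirpath, _, filenames in os.walk(gears_root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            match = ARTIFACT_RE.match(name)
            if match is None:
                other_files.append(os.path.relpath(path, gears_root))
                continue
            num = int(match.group("num"))
            record = messages.setdefault(num, {"mail": None, "attachments": []})
            entry = {
                "file": name,
                "path": os.path.relpath(path, gears_root),
                "size": os.path.getsize(path),
                "sha256": sha256_of(path),
            }
            if match.group("stem") == "mail" and match.group("ext") is None:
                record["mail"] = entry
            else:
                record["attachments"].append(entry)
    return messages, other_files


def dangling_attachments(messages):
    """Message numbers with attachment files but no mail[<n>] file: worth a second look."""
    return sorted(n for n, rec in messages.items()
                  if rec["mail"] is None and rec["attachments"])


def build_sample_cache(root):
    """Constructed stand-in for the mail.google.com Gears folder; not real cached data."""
    files = {
        "mail[101]": b"From: alice@example.com\r\nSubject: photos\r\n\r\nsee attached",
        "picture[101].jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
        "mail[102]": b"From: bob@example.com\r\nSubject: report\r\n\r\n",
        "report[102].pdf": b"%PDF-1.4 fake",
        "notes[103].txt": b"attachment whose message is no longer cached",
        "schema.db": b"not a mail artifact",
    }
    os.makedirs(root, exist_ok=True)
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed cache in a temp dir and return its inventory."""
    root = os.path.join(tempfile.mkdtemp(prefix="gears_"), "mail.google.com")
    build_sample_cache(root)
    return inventory(root)


if __name__ == "__main__":
    messages, others = demo()
    for n in sorted(messages):
        rec = messages[n]
        mail_name = rec["mail"]["file"] if rec["mail"] else "(no message file)"
        print(n, mail_name, [a["file"] for a in rec["attachments"]])
    print("dangling:", dangling_attachments(messages), "other:", others)
```

Point the script at the mail.google.com folder from the path above; the message files it groups are the ones John McCash's scripts parse, and the dangling list is where to look for attachments left behind after their message was purged from the cache.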

Tweeting in an emergency

A really cool concept when you think about it. There are so many ways to access Twitter in addition to the ability to aggregate information from a bunch of people.

Monday, January 8, 2007

Themida and Malware

After seeing some malware packed with Themida, I found this posting at the SANS Internet Storm Center. Above is a screen shot of a piece of malware discovering VMware during analysis.