Thursday, November 29, 2007

DrProtection old-new misleading software

Famous interface+new engine = DrProtection 2.1
"DrProtection is a misleading application that may give exaggerated reports of threats on the computer. "
"DrProtection 2.1 is the latest clone of the well-known DrAntispy rogue antispyware. It generates false positives to trick users into buying the full commercial version of this useless program..."
Fix Computer Problem
Removal tool with free scan - Spyware Doctor can easily remove DrProtection

Wednesday, November 28, 2007

Adware.BndDrive infection - how to remove

Adware.BndDrive is a new adware program that will install a misleading browser helper object and show "Internet Speed Monitor" popups.
Download Spyware Doctor with free scan to get rid of this malware.

Monday, November 26, 2007 updates

Several updates have been made to the site; please stop by and help us continue to test the site.


InProtect Beta 0.80.2

In the interest of continuing a good thing (although this post is a bit late), we have released a new bugfix version of InProtect 0.80.x. This version is 0.80.2 and can be found at our sourceforge download location.

We hope to have an official release out on or about the new year and are working hard to meet this deadline. I would like to thank all of the users for their feedback and continued support of this project. It is always refreshing and energizing when there is good positive community usage and feedback!

As always, I invite you to join us in freenode or arcnet in #inprotect to tell us about your experiences, issues, bugs and the like.


FreeBSD jabberd port mysql bug

As a quick post (especially since I have not been posting much lately): I recently ran into another issue with jabberd on FreeBSD. I say another, if you will remember a previous post concerning sasl -

This has more to do with cleaning up some of the errors that seem to exist in the mysql schema. Specifically, if you install jabberd2 from the ports tree "/usr/ports/net-im/jabberd" and configure it to use mysql as its storage engine, you will receive several errors on stdout or in your log files (depending on your configuration). These errors are generated whenever a user's status changes, i.e. login, logout, away etc... I have included a quick snapshot of the errors below.

Nov 26 14:48:48 secure2 jabberd/sm[1629]: mysql: sql delete failed: Table 'jabberd2.status' doesn't exist
Nov 26 14:50:26 secure2 jabberd/sm[1629]: mysql: sql delete failed: Unknown column 'collection-owner' in 'where clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql select failed: Unknown column 'object-sequence' in 'order clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'status' in 'field list'
Nov 26 14:52:17 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'show' in 'field list'
Nov 26 14:52:58 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-login' in 'field list'
Nov 26 14:55:46 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-logout' in 'field list'
Nov 26 14:59:46 secure2 jabberd/c2s[1631]: [7] [, port=3746] disconnect, packets: 15
Nov 26 14:59:46 secure2 jabberd/sm[1629]: session ended:
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] [, port=3932] connect
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] SASL authentication succeeded: mechanism=DIGEST-MD5;
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] bound:
Nov 26 15:00:05 secure2 jabberd/c2s[1631]: [7] requesting session:
Nov 26 15:00:05 secure2 jabberd/sm[1629]: session started:
To remediate this, simply run the following against your jabberd2 mysql database:

CREATE TABLE `status` (
  `collection-owner` varchar(256),   -- JID that owns the row (every jabberd2 storage table has this and object-sequence)
  `object-sequence` bigint,
  `status` text NOT NULL,            -- presence status text
  `show` text,                       -- presence show value (away, xa, dnd, chat); reserved word, hence the backticks
  `last-login` int DEFAULT '0',      -- unix timestamps
  `last-logout` int DEFAULT '0',
  PRIMARY KEY (`collection-owner`)
);
This will get ya going; I'm not gonna go into what's wrong with the script that is included in the jabberd2 install, I think that it's pretty straightforward.
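As an added example (my own code, not from the original post or from the jabberd2 project), here is a small Python script that parses those sm log lines, works out which table and columns MySQL is complaining about, and emits the matching DDL from the column definitions of the CREATE TABLE above. It assumes the missing columns belong to the status table, which is what the log excerpt shows; the sample log lines are constructed from the ones in the post, with one unrelated c2s line added to show it is ignored.

```python
import re

# Constructed sample: the jabberd2 session-manager (sm) errors from the post,
# plus one unrelated c2s line to show that it is ignored.
SAMPLE_LOG = """\
Nov 26 14:48:48 secure2 jabberd/sm[1629]: mysql: sql delete failed: Table 'jabberd2.status' doesn't exist
Nov 26 14:50:26 secure2 jabberd/sm[1629]: mysql: sql delete failed: Unknown column 'collection-owner' in 'where clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql select failed: Unknown column 'object-sequence' in 'order clause'
Nov 26 14:51:10 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'status' in 'field list'
Nov 26 14:52:17 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'show' in 'field list'
Nov 26 14:52:58 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-login' in 'field list'
Nov 26 14:55:46 secure2 jabberd/sm[1629]: mysql: sql insert failed: Unknown column 'last-logout' in 'field list'
Nov 26 14:59:46 secure2 jabberd/c2s[1631]: [7] [, port=3746] disconnect, packets: 15
"""

# MySQL error texts as jabberd2 relays them into syslog.
MISSING_TABLE = re.compile(
    r"mysql: sql \w+ failed: Table '(?P<db>[^'.]+)\.(?P<table>[^']+)' doesn't exist")
MISSING_COLUMN = re.compile(
    r"mysql: sql \w+ failed: Unknown column '(?P<column>[^']+)' in '(?P<clause>[^']+)'")

# Column definitions of the jabberd2 `status` table, taken from the CREATE TABLE
# statement in the post (order preserved so the emitted DDL matches it).
STATUS_COLUMNS = {
    "collection-owner": "varchar(256)",
    "object-sequence": "bigint",
    "status": "text NOT NULL",
    "show": "text",
    "last-login": "int DEFAULT '0'",
    "last-logout": "int DEFAULT '0'",
}


def parse_schema_errors(log_text):
    """Return (missing_tables, missing_columns): sorted, de-duplicated names
    pulled out of the sm error lines. Lines without a schema error are ignored."""
    tables, columns = set(), set()
    for line in log_text.splitlines():
        m = MISSING_TABLE.search(line)
        if m:
            tables.add(m.group("table"))
            continue
        m = MISSING_COLUMN.search(line)
        if m:
            columns.add(m.group("column"))
    return sorted(tables), sorted(columns)


def remediation_sql(missing_tables, missing_columns):
    """Build the DDL to apply. If the whole status table is missing, emit the
    CREATE TABLE from the post; otherwise emit one ALTER TABLE per missing
    column we know about. Assumption: the missing columns belong to `status`,
    since the log does not name the table for 'Unknown column' errors."""
    if "status" in missing_tables:
        cols = ",\n".join(f"  `{n}` {t}" for n, t in STATUS_COLUMNS.items())
        return f"CREATE TABLE `status` (\n{cols},\n  PRIMARY KEY (`collection-owner`)\n);"
    stmts = []
    for name in missing_columns:
        if name in STATUS_COLUMNS:
            stmts.append(f"ALTER TABLE `status` ADD COLUMN `{name}` {STATUS_COLUMNS[name]};")
        else:
            stmts.append(f"-- unknown column '{name}': not in the status definition, "
                         "check the jabberd2 schema script")
    return "\n".join(stmts)


if __name__ == "__main__":
    tables, columns = parse_schema_errors(SAMPLE_LOG)
    print("missing tables :", tables)
    print("missing columns:", columns)
    print(remediation_sql(tables, columns))
```

Feed it your own sm log (e.g. the output of grep "sql .* failed" on /var/log/messages) instead of SAMPLE_LOG; it prints the CREATE TABLE when the table is missing entirely, and only the ALTER statements when a partially created table is the problem.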

Also note, I will try to post more regularly now but it's been a hectic few weeks for me (new job, family visiting etc...)


Sunday, November 25, 2007

New Zlob hijacker -

Screenshot - new crap from Trojan.Zlob-x.a

is the latest browser hijacker that results from a Zlob trojan infection. generates fake warnings about infections detected on your computer, forcing the user to purchase the paid version of rogue anti-spyware programs (VirusHeal, AntiVirGear, VirusProtect and others). may download and install additional spyware to track keystrokes and steal passwords and banking accounts. shows deceptive pop-up ads that may appear as regular Windows tray balloon notifications.
Technical details
Removal tool (Spyware Doctor)

Saturday, November 24, 2007

DeusCleaner - aggressive pop-ups. New misleading software

This application scans the system for privacy violations such as Internet cache files. The application frequently displays pop-up windows such as the above pay-for prompt. This prompt is also displayed after restarting the computer. The user must purchase the full version of the application to repair any violations it finds.
Technical details from Symantec
DeusCleaner Remover (Spyware Doctor)

Wednesday, November 21, 2007

ErrorInspector new rogue

New misleading soft:
"ErrorInspector is a new rogue anti-spyware that gives exaggerated reports about spyware detections and other security risks. ErrorInspector can be installed through system security holes or by a trojan (usually Looksky or Zlob). This nasty application may steal your private data and download other spyware. ErrorInspector uses aggressive advertising in order to lure you into using its fake anti-spyware program."
Technical details

Tuesday, November 20, 2007

Zlob-x.a pop ups - new infection

Zlobbers developed a new tactic; this parasite promotes IEDefender:
"Trojan.Zlob-x.a displays an error message integrated in Google search results..."
Details on: Fix Computer Problem
and BleepingComputer forums

Monday, November 19, 2007

IEDefender fraud

The IE Defender infection is a Browser Helper Object installed in your Internet Explorer browser that hijacks searches you input into the Google and Yahoo search engines. These hijacked searches will state that you are infected and that you need to install the IE Defender rogue anti-spyware program. You will also receive popups that state you are infected when browsing the web. The reality is that all of these messages and alerts are fake and should be ignored.
BleepingComputer forums - here you can find free removal instructions!
Download Spyware Doctor spyware remover - it will remove IEDefender automatically.

Monday, November 12, 2007

InProtect 0.80.1 Beta

Fixed a few of the issues that everyone was experiencing... also updated the following:
  • clean install - fixed bad syntax issues
  • clean install - set proper version in db
  • clean install - changed admin to Admin in user group data (Admin is the original user for conformity)
  • upgrade - set proper version in db
  • upgrade - changed admin to Admin in user group data (Admin is the original installed user and this setting must match the current user so that proper access is given to Admin)
Also added a note in INSTALL that the Admin password is "admin"; this is changed as of versions 0.80.x.

new tarball can be found here:

We should have the sourceforge project site updated with this tarball at some point tomorrow. I will also be following up with upgrade instructions tomorrow, as the current instructions do not include details of upgrading to 0.80.x.


InProtect 0.80.0 Beta *fixed clean install sql*

My apologies for the issues that people have been experiencing with the new Beta of InProtect, but please remember that this is the purpose of a beta.

I appreciate all of the feedback in IRC and comments on this blog. Below is the URL to a version of InProtect with a cleaned up clean install sql script. Note that you may still have issues with the actual install script (not the .sql) and I am working on that right now, hopefully will have that out shortly for you.

InProtect 0.80.0 Beta **FIXED**


Thursday, November 8, 2007

InProtect 0.80.0 Beta Released!

So we have *finally* managed to get the 0.80.0 Beta out the door; unfortunately the new package does not include any of the new info for the install or upgrade (there are twelve of us working on this). I'll be covering some of these topics in follow-up articles over the next day or so.

Get the InProtect 0.80.0 Beta Here!

For now, let's talk about some of the major changes that we have incorporated into this version.

  • Completely revamped menu system, access control driven.
  • User customizable dashboard.
  • Html and PDF report formats match.
  • Exportable xls reports.
  • Cleaned up excessive and unneeded sql queries to enhance speed.
  • Role-Based permissions.
  • Exception list for hosts.
  • Host specific lookup capabilities.
  • Cleaner interface.
  • All passwords are encrypted using user definable cryptographic standards such as blowfish.
  • Sensitive data is encrypted.
  • Database structure modified to allow for role-based permissions.
  • Database structure modified to enhance and improve large query response (including indexing).
  • Max server scans are now run in a single session rather than multiple individual sessions, this reduces the load on both the nessus scanner and the InProtect console server.
  • Encryption and decryption functions added for sensitive data.
  • Multiple unneeded queries removed to enhance performance.
  • Query function creation and destruction cleaned up to enhance performance.
That is basically a quick run-through of the new features (there are more, but these are the big ones IMHO). There are a few additional Perl libraries that are not yet mentioned in the documentation contained in the 0.80.0 tarball but are required in addition to those mentioned in the documentation; I'll list them here for you.

New Perl libraries:
  • Crypt::CBC
  • MIME::Base64
  • IO::Socket
  • Socket
This should be some good info to get you started for now, but as I said earlier, I will be posting some additional information (detailed info) for new installs and upgrades over the next few days. I will also try to update the official wiki and FAQ with these instructions.

So, for now feel free to download and play with it, let me know what you think, I can usually be found in #inprotect on freenode.


Monday, November 5, 2007

MySpace account pwnage!

As the title indicates and as I have wanted to write about for some time now, ever since I noticed that the MySpace login page is not protected by any type of encryption, this posting is about sniffing MySpace passwords off of your network...

To test this theory, and have a little fun, I used snort to sniff some packets off of a ToR (The Onion Router) system that I built specifically for this purpose. The results below are fairly self-evident, though the names, dates, and locations have been changed to protect the guilty ^_^. As we can see from the below highlighted output, the username is and their password is password12345. I am both surprised and not surprised to see this on the internet today.

POST /index.cfm?fuseaction=login.process HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071008 Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: MSCulture=IP=; SessionDDF1=933aa40e14c3e8ee00fd99a3ab029eea43bb704eb259248a

Content-Type: application/x-www-form-urlencoded
Content-Length: 586


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 214
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Set-Cookie: MYUSERINFO=;; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=;; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=;; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: USER=;; expires=Wed, 19-Jan-2005 08:28:17 GMT; path=/
Set-Cookie: MYUSERINFO=MIICtQYKKwYBBAGCN1gDlqCCAqUwggKhBgorBgEEAYI3WAMBoIICkTCCAo0CAwIAAQICZgMCAgDABAjl8wldaxuF7AQQzm1U8TfL0hIgLZm%2f%2baYNBwSCAmDFTCkutM5yyyvSN8vTANn5kgTYOPD3DWWxRcRQEx2ehj0nYpz3kqS0jJaAnb1PD7auiaNq8XMaipcAFbJbzntSKmLEwK7H%2brQknmAbEpo4YP3ofM9GcZb5ZYWzN2hj%2bclZDsJ4M%2fEPlqDElkLW7cWbUGcP2KMMcd%2bxJDxL3tcHHNaZymfryqMHpEibZtUEs%2bvHjbbQ8pcVNm%2bFyfO8yfnIJ20BCwebS7ZiseN0D0I8yWuZRwULf
XGghi9I70PnpFuWeEkzE11U2IkyX3jb6GP4uOAl4KEZtQoF8LSsezdXPjlBP%2f1Q0upnPXJTzy0RNTfZZ0bdOuqnC13%2fNXIL96aZKgo0KVILrKN7E2uJYGkavoYyeK7Efolb%2f%2fgLSrX%2bUoicGc2oLceCWhrVxXdZAVt%2b0c7YNUTQ%3d%3d;; path=/; HttpOnly
Set-Cookie: MSCulture=IP=;; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: LASTUSERCLICK=%7bts+'2007-11-05+04%3a00%3a36'%7d;; path=/
Set-Cookie: GADC=EUD=0:0:YTVkMTA4OTQ5ZDg5ZWI0OekNaTFtgDI_S7P6H2jrQzkk4nPuDPBbmATsWT8Cbo-Vd3Hgs227A2MQcf3dzClR3nwSH5PPEg8uiygF6KzHRgPJYhvfCX0YsIcKZKOEwjO3;; expires=Fri, 05-Nov-2027 11:00:36 GMT; path=/
Set-Cookie: SplashDisplayName=j00r_myspace_pwned;; path=/
Set-Cookie: D
5LjM5LjExMC4yNycmc2NobD0wJnNjaGw9MCZzY2hsPTAmZ3JwPTAmZ3JwPTAmZ3JwPTAmY3VsdHVzZXJwcmVmPTEwMzM=;; path=/
Set-Cookie: MSCulture=IP=;; expires=Mon, 12-Nov-2007 12:00:36 GMT; path=/
Set-Cookie: Login=;; path=/
X-Server: ce28ca171d6578a0dad1823b61ec8978cabea8d4955341dd
Date: Mon, 05 Nov 2007 12:00:36 GMT

I am surprised because I know that MySpace receives a large amount of traffic and has quite the large user base; I would therefore think that they would provide SSL/TLS transport as a minimum to protect the authentication information of their user base. But I am also not surprised, by the fact that this is yet another glaring sign pointing to the fact that many organizations, engineers and so on do not take security seriously, nor do they develop with security as even so much as an afterthought.

I also find it quite humorous that they actually have "Safety Tips" on their site. Probably the most humorous of which is their sixth tip on that page: "Don’t get hooked by a phishing scam. Phishing is a method used by fraudsters to try to get your personal information, such as your username and password, by pretending to be a site you trust. Click here to learn more." I suppose that they are right though...I mean, why submit your information to a phishing site/scam when they can just sniff your traffic and own your account!

Of course gaining access to the user's account is only the beginning; this opens the door to a whole realm of possibilities, given the fact that *most* users will use the exact same password for all of their accounts, or at least a basic derivation of that password, an example being adding a different number to the end in each instance, i.e. password1, password2, password3. Compromising the email account associated with the MySpace account also makes it extremely easy to gain additional information about an individual and ultimately to steal various types of sensitive information or even to further breach their resources (corporate accounts and the like).

With the use of ToR and various anonymizers growing every day, and the level of expertise / knowledge of the basic ToR user not being that of a security minded individual, it is surprisingly easy to grab a number of MySpace user accounts in short-order. During my testing period (roughly two weeks) of running a ToR server and sniffing for the magic MySpace packet, I was able to build a database of over 20 accounts and their associated passwords. Conceivably I could create a network of ToR servers and be able to easily own accounts at a fairly rapid rate.

All of this said, I strongly urge MySpace to purchase an SSL cert or two and use them, if nothing more than for the login process "This is what google does with gmail, a user browses to and to logon is redirected to the https:// site, after authentication they are directed back to the http:// site".

For fun, I have included below a snort rule that should catch the magic MySpace packet ;-), this is from
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Myspace Login Attempt"; flow:established,to_server; content:""; uricontent:"/index.cfm?fuseaction=login"; classtype:policy-violation; sid:2002872; rev:2;)
I would like to thank Jeff for sending me some of his pcap data for analysis!
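As an added example (my own code, not from the original post and not part of the Bleeding Edge rule set), here is the trigger of that Snort rule written in Python and run over a constructed request, extended with a check of the form body so it also flags cleartext credential posts to other URIs. The alert it produces deliberately keeps only the field names and drops the values, so a monitoring log built on it cannot itself become a store of captured passwords. The host, form field names, credentials and the list of credential field names are assumptions, not taken from the page.

```python
from urllib.parse import parse_qs

# Constructed sample requests (placeholder host and credentials, not the
# captured ones from the post). The URI is the one the Snort rule keys on.
PLAINTEXT_LOGIN = (
    "POST /index.cfm?fuseaction=login.process HTTP/1.1\r\n"
    "Host: login.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 50\r\n"
    "\r\n"
    "email=someone%40example.com&password=sample-secret"
)
PLAIN_GET = (
    "GET /index.cfm?fuseaction=user.viewprofile HTTP/1.1\r\n"
    "Host: login.example.com\r\n"
    "\r\n"
)

LOGIN_URI_MARKER = "/index.cfm?fuseaction=login"         # uricontent from the Snort rule
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}  # assumed common field names


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def check_cleartext_login(raw, over_tls=False):
    """Return an alert dict for a login POST seen in the clear, else None.
    Same trigger as the Snort rule (POST to the login URI) plus a form-body
    check for credential field names. Field values are never copied out,
    so the alert cannot leak the password it is warning about."""
    if over_tls:
        return None  # encrypted on the wire: nothing for a sniffer or an IDS to read
    method, uri, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)
    cred_fields = sorted(f for f in form if f.lower() in CREDENTIAL_FIELDS)
    if LOGIN_URI_MARKER not in uri and not cred_fields:
        return None
    return {
        "msg": "POLICY cleartext login attempt",
        "host": headers.get("host", ""),
        "path": uri.split("?", 1)[0],
        "form_fields": sorted(form),        # names only
        "credential_fields": cred_fields,   # names only, values dropped
    }


if __name__ == "__main__":
    print(check_cleartext_login(PLAINTEXT_LOGIN))
    print(check_cleartext_login(PLAINTEXT_LOGIN, over_tls=True))
    print(check_cleartext_login(PLAIN_GET))
```

The over_tls branch is the point of the post's recommendation: once the login form is served and submitted over https://, the same request is opaque on the wire and neither this check nor the Snort rule has anything to match.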


Sunday, November 4, 2007

Coming Soon - InProtect 0.80.0 Beta

I am excited to announce that we are on track for a beta/alpha release of InProtect 0.80.0 this coming week. You will see a great deal of enhancements in this version, including cleaner reports and graphs, user customizable dashboard, more efficient scan scheduler and controller...and much more!

I have included a "teaser" screenshot below. Note that the latest code is always available from the InProtect Sourceforge SVN repo (but that should be considered "alpha" only)...since we are consistently making changes, fixes, tests and updates...

I am also entertaining the idea of replacing / augmenting the nmap functionality with unicornscan (since unicorns are fast! <3 Unicorns), let me know what your thoughts / concerns / comments are.
