2007-12-24

Apples for the Army

Forbes Article

In an effort to reduce its vulnerability exposure, the US Army is adding Mac OS X to its mix of platforms, so that a single vulnerability no longer reaches every machine. There's nothing wrong with this approach; organizations apply various methods to reduce the risk of incidents, and platform diversity is one of them.

In my younger and more innocent days I was under the impression that the government utilized custom applications running on custom operating systems, designed by them and for them. I guess the government doesn't have enough budget and resources to maintain teams of engineers and support staff to design and implement a custom information technology infrastructure.

Most people think, and will say, that this is a complicated issue with many pros and cons. However, if one really thinks about it, it is not that complicated: the investment in custom code will outweigh all the cons in the long term. Look at all the recent reports about cyber warfare attacks and their success; that success was largely due to known vulnerabilities in common software products.

2007-12-07

Neosploit exploit toolkit

The Neosploit toolkit is an advanced exploit framework used to compromise web site visitors. It was written by "grabarz"; it is unknown whether this is a group or an individual, though some information suggests an individual.

It's not as popular as the Mpack toolkit but is gaining popularity steadily. It is written in C and runs as a CGI script. A single installation can serve multiple users: the exploit code is the same for all users, but the executables delivered to victims can differ per user.

Like other toolkits, this one also provides various statistics. Instead of storing them in a database, Neosploit keeps them in several files with specific internal structures. The following information about each visitor is logged: operating system, web browser and its version, IP address, and Referer.

Delivered exploit code is obfuscated using a custom JavaScript decoding function. The function name and all local variables are randomized to avoid detection by network IDS signatures. Often, several layers of obfuscation with anti-decoding tricks are used to deter the faint-hearted.
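As an added illustration (not from the original post and not Neosploit code), the Python below shows one defensive answer to randomized identifiers: canonicalize a script's identifiers and string literals before hashing, so two variants of the same decoder with different random names yield the same structural signature, and flag identifiers that look machine-generated. The two JavaScript samples are constructed, benign hex decoders, and the keyword list is a hand-picked assumption, not a complete JavaScript grammar.

```python
import hashlib
import re

# Keywords and DOM/builtin names keep their meaning, so they are never renamed.
JS_KEYWORDS = {
    "function", "var", "return", "for", "while", "if", "else", "new", "this",
    "document", "window", "write", "String", "fromCharCode", "parseInt",
    "length", "substr", "charCodeAt", "eval", "unescape", "replace", "split",
}
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
STRING_RE = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')

# Constructed, benign samples: one hex decoder with two sets of random names.
VARIANT_A = ('function qzxkvw(pl){var t="";for(var i=0;i<pl.length;i+=2){'
             't+=String.fromCharCode(parseInt(pl.substr(i,2),16));}return t;}'
             'document.write(qzxkvw("68656c6c6f"));')
VARIANT_B = ('function hbgtrdf(mv){var r="";for(var k=0;k<mv.length;k+=2){'
             'r+=String.fromCharCode(parseInt(mv.substr(k,2),16));}return r;}'
             'document.write(hbgtrdf("776f726c64"));')

def strip_strings(js):
    """Replace string literals with a placeholder; the payload differs per hit."""
    return STRING_RE.sub('"."', js)

def canonicalize(js):
    """Rename non-keyword identifiers to id0, id1, ... in order of first use."""
    mapping = {}

    def rename(match):
        name = match.group(0)
        if name in JS_KEYWORDS:
            return name
        return mapping.setdefault(name, f"id{len(mapping)}")

    return IDENT_RE.sub(rename, strip_strings(js))

def structural_signature(js):
    """Hash of the canonical form: stable across renamed variants of a decoder."""
    return hashlib.sha256(canonicalize(js).encode()).hexdigest()

def suspicious_identifiers(js, min_len=6):
    """Heuristic: long identifiers with almost no vowels look machine-generated."""
    flagged = set()
    for name in set(IDENT_RE.findall(strip_strings(js))):
        if name in JS_KEYWORDS or len(name) < min_len:
            continue
        if sum(ch in "aeiouAEIOU" for ch in name) / len(name) < 0.2:
            flagged.add(name)
    return flagged
```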

The toolkit's URL scheme is designed to prevent the curious from obtaining the executables, even when the same executable was used in previous exploits.

Perhaps the reason for its slow adoption is its high price, which ranges from $1500 to $3000 depending on the version. The version commonly seen in the wild today is 1.5.x, with 2.0.x in beta. The first version detected was 1.0.x, early this year.

More in-depth analysis will follow.