Opinion: Cool tools for hacker trackers

By Roger A. Grimes

September 28, 2007 12:00 PM ET

Comments

(1)

InfoWorld - If you want to keep up with the latest criminal exploits without having to collect malware yourself, take a look at SRI International's Cyber-Threat Analytics BotHunter Malware Analysis Web page

Reporting on information and statistics collected from a research honeynet, the BotHunter Malware Analysis page makes daily infection logs from high-interaction honeypots available for anyone to view. Although the scale of the project and information collected is fairly small, this is a useful site for gaining more insight into crimeware and the world of bots.

Clicking on any of the daily reports presents dozens of pieces of information on each day's attacks. It starts off with time and date of each bot attack, and the honeypot platform type (e.g., Windows XP, Windows 2000 and so on). It reveals the Snort rules used to detect incoming malware and how many antivirus companies detected the malicious code.

Each captured malware program is run against 28 to 32 antivirus engines. Try browsing the daily reports to see how many times none of the antivirus scanners detected the malware. Surprisingly, this happens roughly one-third of the time -- not a comforting statistic.

The honeynet automatically extracts plain text strings and tries to determine which executable packer was used. It decodes each executable and provides code traces. It appears that complete assemblies and packet traces are available upon request. A short summary forensic log can be obtained for each malware attack.

Cain & Abel update Like many leading-edge technology companies, one of my favorite hacking utilities, Cain & Abel, is constantly updating itself. For years, it's been the hacker utility with the most built-in features of any GUI tool. It can crack at least 28 different password hashes, conduct ARP spoofing and man-in-the-middle attacks, and sniff more than a dozen different passwords off the wire. When converting password hashes to passwords, it can use several different cracking methods, including dictionary, brute force and rainbow tables. It's not the fastest (get John the Ripper for that), but it's the easiest and most versatile tool available. The program's single downside is that it is only available for Windows.

I've been aiming to test Cain & Abel on Windows Vista since Vista came out almost a year ago. Although Cain & Abel must be started in elevated mode, many of the key features don't work, as I suspected might be the case. Protected Storage, Remote Desktop Protocol and Credential Dumper didn't work, although a local LSAdump of custom service account passwords and wireless preshared keys and hashes did. I couldn't get any of the man-in-the-middle attacks to work, and none of the tools for sniffing passwords off the network provided any usable data.

Reprinted with permission from

For more enterprise computing news, visit Infoworld.com
Story copyright 2006 InfoWorld Media Group, Inc. All rights reserved.

Comment Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

network administrator

Additional Resources

Xerox

Win a color printer!

By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!

Microsoft

Upgrade to Internet Explorer 8 today.

Save time and mitigate security risk. Deploy it now.

Sybase

NEXT-GENERATION MOBILITY PLATFORMS

In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.