Opinion: Cool tools for hacker trackers

InfoWorld - If you want to keep up with the latest criminal exploits without having to collect malware yourself, take a look at SRI International's Cyber-Threat Analytics BotHunter Malware Analysis Web page

Reporting on information and statistics collected from a research honeynet, the BotHunter Malware Analysis page makes daily infection logs from high-interaction honeypots available for anyone to view. Although the scale of the project and information collected is fairly small, this is a useful site for gaining more insight into crimeware and the world of bots.

Clicking on any of the daily reports presents dozens of pieces of information on each day's attacks. It starts off with time and date of each bot attack, and the honeypot platform type (e.g., Windows XP, Windows 2000 and so on). It reveals the Snort rules used to detect incoming malware and how many antivirus companies detected the malicious code.

Each captured malware program is run against 28 to 32 antivirus engines. Try browsing the daily reports to see how many times none of the antivirus scanners detected the malware. Surprisingly, this happens roughly one-third of the time -- not a comforting statistic.

The honeynet automatically extracts plain text strings and tries to determine which executable packer was used. It decodes each executable and provides code traces. It appears that complete assemblies and packet traces are available upon request. A short summary forensic log can be obtained for each malware attack.

Cain & Abel update Like many leading-edge technology companies, one of my favorite hacking utilities, Cain & Abel, is constantly updating itself. For years, it's been the hacker utility with the most built-in features of any GUI tool. It can crack at least 28 different password hashes, conduct ARP spoofing and man-in-the-middle attacks, and sniff more than a dozen different passwords off the wire. When converting password hashes to passwords, it can use several different cracking methods, including dictionary, brute force and rainbow tables. It's not the fastest (get John the Ripper for that), but it's the easiest and most versatile tool available. The program's single downside is that it is only available for Windows.

I've been aiming to test Cain & Abel on Windows Vista since Vista came out almost a year ago. Although Cain & Abel must be started in elevated mode, many of the key features don't work, as I suspected might be the case. Protected Storage, Remote Desktop Protocol and Credential Dumper didn't work, although a local LSAdump of custom service account passwords and wireless preshared keys and hashes did. I couldn't get any of the man-in-the-middle attacks to work, and none of the tools for sniffing passwords off the network provided any usable data.