Friday, October 12, 2012

Analyzing the Phalanx 2 Rootkit with Volatility

Andrew Case has written a great blog post in which he analyzes the Linux rootkit Phalanx2 with Volatility.

He explains all the common steps:
  • Dump the memory with LiME.
  • List hidden processes.
  • File descriptors opened by the hidden process (open sockets!).
  • Network connections.
  • Hooked system calls.
  • Recover

At the end of the post, Andrew Case makes a complete forensic analysis of the kernel modules and the binaries used to inject the rootkit.

Monday, October 8, 2012

Attacking XMPP connections

XMPP is a well-known protocol used for real-time chat. Many companies use it, but you already know Facebook and Google because they are the biggest ones.

This protocol has been around for many years, but it seems that only lately (or I was not aware of it) some people have started coding tools to perform MITM attacks.

A few weeks ago I came across this nice tool called XMPPloit, which is specially written for Google Talk even though it is not platform specific. Its main purpose is to proxy the connection between the user and the legitimate server (once the MITM has already been performed, e.g. via DNS poisoning) and force the use of a non-encrypted channel, with the option to also force plain-text authentication.
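As an added example (not code from the post or from either tool), here is the defender-side check that such a downgrade has to defeat: a client or monitoring proxy inspects the `<stream:features>` the server advertises and refuses to authenticate when STARTTLS is missing or optional, or when SASL (PLAIN in particular) is offered on a still-unencrypted stream. The two stanzas are constructed samples; the function name is my own.

```python
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def audit_stream_features(features_xml, tls_established):
    """Return downgrade findings for one <stream:features> stanza.

    tls_established says whether the stream is already wrapped in TLS.
    On a plaintext stream, a missing or optional STARTTLS, or any SASL
    offer at all, is exactly what a downgrading proxy presents.
    """
    root = ET.fromstring(features_xml)
    findings = []
    starttls = root.find("{%s}starttls" % NS_TLS)
    mechs = root.find("{%s}mechanisms" % NS_SASL)
    names = []
    if mechs is not None:
        names = [(m.text or "").strip()
                 for m in mechs.findall("{%s}mechanism" % NS_SASL)]
    if not tls_established:
        if starttls is None:
            findings.append("no STARTTLS offered on plaintext stream")
        elif starttls.find("{%s}required" % NS_TLS) is None:
            findings.append("STARTTLS offered but not marked required")
        if mechs is not None:
            findings.append("SASL offered before TLS; credentials would cross in clear")
        if "PLAIN" in names:
            findings.append("PLAIN mechanism offered on plaintext stream")
    return findings


# Constructed samples: a server that insists on TLS, and the features a
# downgrading proxy would hand the client instead.
SAFE_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""

DOWNGRADED_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

if __name__ == "__main__":
    for label, xml in (("server", SAFE_FEATURES), ("proxy", DOWNGRADED_FEATURES)):
        problems = audit_stream_features(xml, tls_established=False)
        print(label, "->", "refuse to authenticate" if problems else "ok", problems)
```

A client that applies this check before sending any `<auth>` stanza never hands credentials to a proxy that stripped or relaxed STARTTLS, regardless of what the proxy offers.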

Below you can find a nice demonstration on YouTube:

Last week I also came across a similar tool called xmppmitm (via /r/netsec), but there is not a lot of information about it and I have not tested it yet.