HOWTO : Metasploit on Ubuntu Desktop 12.04 LTS

Step 1 :

If the following packages not installed, you need to install them.

sudo apt-get install ruby1.9.1 build-essential

To download it.

For 64-bit systems :


chmod +x

sudo ./

For 32-bit systems :


chmod +x

sudo ./

Follow the instruction on the screen. You can choose your installed directory, default is /opt/metasploit. Select to install Metasploit as service.

Step 2 :

To register your community edition. If you don’t, you cannot update the Metasploit. Point your Firefox to the following url :


You need to wait for about 5 minutes for the initialization. Please be patient.

Fill in the blank and you will receive the license key for activation. Then, activate the copy.

Step 2a :

sudo update-rc.d metasploit disable

Step 3 :

To run it.

sudo -sH
/etc/init.d/metasploit start
cd /opt/metasploit/app
sudo msfconsole

Step 4 :

To update it.

sudo -sH
/etc/init.d/metasploit start
cd /opt/metasploit/app

*** Make sure you wait for at least 3 minutes before executing “msfupdate”. As it need time to load all the necessary modules after the Metasploit is started.

Remarks :

If you do not select to install as service, you need to do the following to start the Metasploit.

sudo /opt/metasploit/ start

Credit: samiux


Evasive Tactics: Terminator RAT

October 24, 2013
By  and 

FireEye Labs has been tracking a variety of advanced persistent threat (APT) actors that have been slightly changing their tools, techniques, and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack against the New York Times, and Taidoor, a malware family that is being used in ongoing cyber-espionage campaigns particularly against entities in Taiwan. In this post we will explore changes made to Terminator RAT (Remote Access Tool) by examining a recent attack against entities in Taiwan.

We recently analyzed a sample that we suspect was sent via spear-phishing emails to targets in Taiwan. As shown in Figure 1, the adversary sends a malicious Word document, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), that exploits CVE-2012-0158, which subsequently drops a malware installer named “DW20.exe”. This particular malware is interesting because of the following:

  • It evades sandbox by terminating and removing itself (DW20.exe) after installing. Malicious behavior will only appear after reboot.
  • It deters single-object based sandbox by segregation of roles between collaborating malwares. The RAT (svchost_.exe) will collaborate with its relay (sss.exe) to communicate with the command and control server.
  • It deters forensics investigation by changing the startup location.
  • It deters file-based scanning that implements a maximum file size filter, by expanding the size of svchost_.exe to 40MB.

The ultimate payload of the attack is Terminator RAT, which is also known as FakeM RAT. This RAT does not appear to be exclusively used by a single APT actor, but is most likely being used in a variety (of possibly otherwise unrelated) campaigns. In the past, this RAT has been used against Tibetan and Uyghur activists, and we are seeing an increasing number of attacks targeting Taiwan as well.

However, these attacks use some evasive tactics that demonstrate the evolution of Terminator RAT. First, the attackers have included a component that relays traffic between the malware and a proxy server. Second, they have modified the 32-byte magic header that in previous versions attempted to disguise itself to look like either MSN Messenger, Yahoo! Messenger, or HTML code.

These modifications appear to be an attempt to evade network defenses, perhaps in response to defender’s increasing knowledge of the indicators of compromise associated with this malware. We will discuss the individual components of this attack in more detail.

Figure 1

Figure 1

1.   DW20.exe (MD5: 7B18E1F0CE0CB7EEA990859EF6DB810C)

DW20.exe was found to be the installation executable file. It will first create its working folders located at “%UserProfile%\Microsoft” and “%AppData%\2019”. The former is used to store the configurations and executable files (svchost_.exe and sss.exe) and the latter is used to store the shortcut link files. This folder “2019” was then configured to be the new start up folder location by changing the registry “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup” with the location of its path (see Figure 2).

Figure 2

Figure 2

The executable file “sss.exe” was found to be the decrypted form of the resource named 140 with type “ACCELORATOR” (likely misspelling of Accelerator – see Figure 3). This resource was decrypted using customized XTEA algorithm and appended with an encrypted configuration for the domains and ports.

Figure 3

Figure 3

After installation, DW20.exe deletes and terminates itself. The malwares will only run after reboot. This is one effective way to evade sandbox automatic analysis, as malicious activity will only reveal after a reboot.

2.   sss.exe (MD5: 93F51B957DA86BDE1B82934E73B10D9D)

sss.exe is an interesting malware component. As a researcher would analyze it independently, it is not considered a malicious program. This component plays the role as a network relay between the malware and the proxy server, by listening over port 8000. To achieve this, it first tries to identify the list of proxy servers that are used within the system using “WinHttpGetIEProxyConfigForCurrentUser”, and the discovered proxy servers and related ports are stored in the same directory in a file named “PROXY” (see Figure 4).

Figure 4

Figure 4

When there is a new incoming TCP connection over port 8000, it will attempt to create a local to proxy socket connection. With that, it will check connectivity with the CnC server. If the response is 200, it will then start to create a “relay link” between the malware and the CnC server (see Figure 5). The “relay link” was created using two threads, where one thread will transfer data from socket 1 to socket 2 (see Figure 6) and the other will do vice versa.

Figure 5

Figure 5

Figure 6

Figure 6

As depicted in Figure 7, the user agent is hard coded. It is a possible means to identify potentially malicious traffic, as Internet Explorer 6 is significantly outdated and “MSIE” is not a valid version token.

Figure 7
Figure 7

The configurations for the malicious domains and ports to use are located at the last 188 bytes of the executable file (see Figure 8). The first 16 bytes is the key (boxed in red) to decrypt the remaining content using modified XTEA algorithm (see Figure 9). The two malicious domains found were “” and “”

Figure 8

Figure 8

Figure 9

Figure 9

3.   Network Traffic

The Terminator sample we analyzed, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7) was not configured with fake HTML, Yahoo Messenger, or Windows Messenger traffic header as it had in past variants. However, the content is encrypted in exactly the same way as previous versions of Terminator RAT.

Figure 10

Figure 10

The decrypted content reveals that the malware is sending back the user name, the computer name and a campaign mark of “zjz1020”.

Figure 11

Figure 11

This particular sample is configured to one of two command and control servers:

  • /
  • /

We have located another malicious document that has a Taiwan-related decoy document that drops this same version of Terminator RAT.

Figure 12

Figure 12

The sample we analyzed (md5: 50d5e73ff8a0693ed2ee2d320af3b304) exploits CVE-2012-0158 and has the following command and control server:

  •  /

The command and control servers for both samples resolved to IP addresses in the same class C network.

4.   Campaign Connections

In June 2013, we investigated an attack against entities in Taiwan that used spear-phishing emails to deliver a malicious attachment.

Figure 13

Figure 13

The malicious attachment “標案資料.doc” (md5: bfc96694731f3cf39bcad6e0716c5746) exploited a vulnerability in Microsoft Office (CVE-2012-0158), however, the payload in this case was a different malware family known as WinData. The malware connected to the same command and control server,, but the callback is quite different:

XYZ /WinData.DLL?HELO-STX-1*1[IP Address]*[Computer Name]*0605[MAC:[Mac Address]]$

In a separate case where has been used as the command and control server, the payload was neither WinData nor Terminator RAT, but another type of malware known as Protux. The sample we analyzed in August 2012 for this case was “幹!.doc” (md5: 01da7213940a74c292d09ebe17f1bd01).

This particular threat actor has access to a variety of malware families and has been using them to target entities in Taiwan for more than a year.


Terminator RAT is an example of how malware are increasingly becoming more sophisticated and harder to detect. There is a need for continual research to understand various techniques, tactics, and procedures used by the adversaries. Detection of exploitation and identification of anomalous callbacks are becoming extremely critical in preventing the malware from installing into the system or phoning back to the command control servers.



October 2013 – rsa-fraud-report-102013

October marks the launch of National Cyber Security Awareness Month in the United
States, a time for the public and private sectors to come together to promote online
awareness about how to stay safe online. Last year, RSA launched the Online Identity Risk
Calculator in conjunction with the National Cyber Security Alliance (NCSA) to provide an
interactive tool for consumers to see how the activities they perform online could put
them at risk for identity theft and other cyber threats.
In the last year, we have received over 14,500 responses from consumers in more than
170 countries. Following are some of the highlights:
–– 67% of consumers access their online banking account at least once a week
–– 83% of consumers make a purchase online once a month or more often
–– 95% of consumers access one email account on a regular basis
– 40% access three or more email accounts on a regular basis
–– 77% of consumers access social networking sites on a regular basis
–– 74% of consumers have downloaded apps to a mobile device within the last year
–– 37% of consumers visit online gaming sites once a month or more often
–– 35% of consumers have been infected with a Trojan in the last year
So why are these statistics so important? Well take for example that 3 out of every 10
phishing emails are targeted at social networking sites1. When you consider that more
than three out of every four consumers uses a social networking site on a regular basis,
it makes the net that phishers are able to cast much wider.


LAB::Introduction to ARM

LAB::Introduction to ARM

ARM processors are becoming ubiquitous in mobile devices today with RISC processors making a comeback for their applications in low power computing environments. With major operating systems choosing to run on these processors including the latest Windows RT, iOS and Android, understanding the low level operations of these processors can serve to better understand, optimize and debug software stacks running on them. This class builds on the Intro to x86 class and tries to provide parallels and differences between the two processor architectures wherever possible while focusing on the ARM instruction set, some of the ARM processor features, and how software works and runs on the ARM processor.

In order to demonstrate these features, labs are made available as part of a virtual environment with an ARM emulator run using QEMU. These labs include:

– A simple fibonacci sequence generator in assembly that demonstrates use of recursion with the use of control flow instructions such as bl, beq, the cmp instruction, arithmetic operations such as add, subs and finally stack operation using push and pop.

– An ARM version of the CMU Bomb Lab from CMU’s Introduction to Computer Systems class that demonstrates the use of the GNU Debugger for reverse engineering binaries on the ARM platform.

– A simple Interrupts lab that demonstrates the implementation of an emulated irq interrupt handler in QEMU where we take keyboard input and add 1 to the character and then output it.

– A control flow hijack lab where we perform the same hijack demonstrated by Itzhak Avraham at Blackhat in 2012 using Return-Oriented-Programming (ROP) in the ARM emulator

– An Atomic instructions lab where we implement a sample mutex in conjunction with an application using threading to emulate atomic instructions that are included with the ARM instruction set.

Intro x86 is a pre-requisite to this class and will help in understand the similarities and differences between the two architectures as well as understand some of the basic program operations that work similarly on both platforms.

PGP, TrueCrypt-encrypted files CRACKED

efdd ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC’s memory to decrypt PGP and TrueCrypt-protected data.

Forensic Disk Decryptor attempts to unlock information stored in disks and volumes encrypted by BitLocker, PGP or TrueCrypt. The tool is designed for criminal investigators, IT security bods and forensic specialists. PGP and TrueCrypt set the industry standard for whole-disk or partition encryption.

Normally, the unencrypted content of these data containers is impossible to retrieve without knowing the original passphrase used to encrypt the volume. Vladimir Katalov, chief exec of ElcomSoft, said encryption technology, in the right conditions, can be circumvented thanks to human laziness:

The main and only weakness of crypto containers is human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data.No one likes typing their long, complex passwords every time they need to read or write a file. As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory.

Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool.


ElcomSoft’s gear can extract these decryption keys from a copy of the computer’s memory, typically captured using a forensic tool or acquired over Firewire. Once it has the key, the protected data can be unlocked.

If the computer is powered off, the analyser can retrieve the keys from a hibernation file on the disk, in which the operating system saves the state of the machine including its main memory.

“Algorithms allow us to analyse dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures,” Katalov explains.

Encrypted drives must be mounted at the time a memory dump is taken or else the process will fail to work. For this, and other reasons, considerable skill is needed to use the tool properly.

“Our customers asked us for a tool like this for a long, long time,” said Katalov. “We’re finally releasing a product that’s able to access encrypted volumes produced by all three popular crypto containers.”

Simon Steggles, director of forensics at data recovery biz Disklabs, said ElcomSoft’s utility merely automates a process for retrieving decryption keys that is already used by computer forensics teams, if not the wider IT community.

“In forensics, we have known about this for years. It only works when the computer is switched on. Once it is powered down, the RAM memory is gone and you lose that key,” Steggles explained.

“Coincidentally, I looked at the Truecrypt website yesterday and noted that it said on the site that it does on-the-fly encrypting and decrypting, which means that the key must be in the RAM.”

The Forensic Disk Decryptor costs £299. ®

88% of corporate databases vulnerable to cybercrime

GreenSQL revealed that 88 percent of all companies participating in its December survey do not protect their databases from both external and internal threats, and almost one fifth do nothing to protect their databases at all.

IT professionals were asked: “How do you protect your data from SQL injection attacks?” Respondents said:

  • I improve code practices – 52%
  • I do not protect my database from SQL injection attacks – 18%
  • I use an application firewall – 18%
  • I use a database firewall – 12%

“The survey reveals that almost all companies are still vulnerable to internal and external threats. Simply improving code practices is not enough to protect databases from internal threats,” said Amir Sadeh, CEO, GreenSQL. “The vast majority risks damage to corporate reputations, fines, law suits, and loss of customers’ confidence and business by deploying no database protection whatsoever. This is tantamount to a corporate death wish.”

According to accepted industry figures, SQL attacks occur more than 70 times per hour. Cybercriminals attempt to inject malicious code into the database using online forms to either access or destroy the information within the database.

Man-In-The-Middle Attacks – DNS Spoofing

In the first installment of this series we reviewed normal ARP communication and how the ARP cache of a device can be poisoned in order to redirect machines network traffic through a another machine with possible malicious intent. This seemingly advanced man-in-the-middle (MITM) attack known as ARP Cache Poisoning is done easily with the right software. In this article we will discuss a similar type of MITM attack called DNS Spoofing.
DNS Spoofing
DNS spoofing is a MITM technique used to supply false DNS information to a host so that when they attempt to browse, for example, at the IP address XXX.XX.XX.XX they are actually sent to a fake residing at IP address YYY.YY.YY.YY which an attacker has created in order to steal online banking credentials and account information from unsuspecting users. This is actually done quite easily and here we will see how it works, how it is done, and how to defend against it.
Normal DNS Communication
The Domain Naming System (DNS) protocol is what some consider one of the most important protocols in use by the Internet. In a nutshell, whenever you type in a web address such as into your browser, a DNS request is made to a DNS server in order to find out what IP address that name resolves to. This is because routers and the devices that interconnect the Internet do not understand, they only understand addresses such as
A DNS server itself works by storing a database of entries (called resource records) of IP address to DNS name mappings, communicating those resource records to clients, and communicating those resource records to other DNS servers. The architecture of DNS servers throughout enterprises and the Internet is something that can be a bit complicated. As a matter of fact, there are whole books dedicated to DNS architecture. We will not cover architectural aspects or even all of the different types of DNS traffic, but we will look at a basic DNS transaction, seen in Figure 1.

Figure 1: A DNS Query and Response
DNS functions in a query/response type format. A client wishing to resolve a DNS name to an IP address sends a query to a DNS server, and the server sends the requested information in its response. From the clients’ perspective, the only two packets that are seen are this query and response.
This scenario gets a slight bit more complex when you consider DNS recursion. Due to the hierarchical nature of the DNS structure of the Internet, DNS servers need the ability to communicate with each other in order to locate answers for the queries submitted by clients. After all, it might be fair to expect our internal DNS server to know the name to IP address mapping of our local intranet server, but we can’t expect it to know the IP address correlated with Google or Dell. This is where recursion comes into play. Recursion is when one DNS server queries another DNS server on behalf of a client who has made a request. Basically, this turns a DNS server into a client itself, seen in Figure 3.

Figure 2: A DNS Query and Response Using Recursion
Spoofing DNS
There is definitely more than one method available for performing DNS spoofing. We will be using a technique called DNS ID spoofing. Every DNS query that is sent out over the network contains a uniquely generated identification number that’s purpose is to identify queries and responses and tie them together. This means that if our attacking computer can intercept a DNS query sent out from a target device, all we have to do is create a fake packet that contains that identification number in order for that packet to be accepted by that target.
This process will complete in two steps. First, we will ARP cache poison the target device to reroute its traffic through our attacking host so that we can intercept the DNS request, and then we will actually send the spoofed packet. The goal of this scenario is to get users on the target network to visit our malicious website rather than the website they are attempting to access. A depiction of this attack is seen in Figure 3.

Figure 3: The DNS Spoofing Attack Using the DNS ID Spoofing Method
Defending Against DNS Spoofing
DNS spoofing is difficult to defend against due to the attacks being mostly passive by nature. Typically, you will never know your DNS is being spoofed until it has happened. What you get is a webpage that is different than what you are expecting. In very targeted attacks it is very possible that you may never know that you have been tricked into enter your credentials into a false site until you receive a call from your bank. That being said, there are still a few things that can be done to defend against these types of attacks:
  • Secure your internal machines: Attacks like these are most commonly executed from inside the network. If your network devices are secure then there is less of a chance of those compromised hosts being used to launch a spoofing attack.
  • Don’t rely on DNS for secure systems: On highly sensitive and secure systems that you typically won’t be browsing the Internet on its often a best practice to not use DNS. If you have software that relies on hostnames to function then those can be specified manually in the devices hosts file.
  • Use IDS: An intrusion detection system, when placed and deployed correctly, can typically pick up on most forms of ARP cache poisoning and DNS spoofing.
  • Use DNSSEC: DNSSEC is a newer alternative to DNS that uses digitally signed DNS records to ensure the validity of a query response. DNSSEC is not yet in wide deployment but has been widely accepted as “the future of DNS”.
Wrap Up
DNS Spoofing is a very lethal form of a MITM attack when paired with the right skill level and malicious intent. Using this technique we can utilize phishing techniques to deceptively steal credentials, install malware with a drive-by exploit, or even cause a denial of service condition. In the next article in this series we will look at “pass the hash” attacks.