A New York teenager used the fact that he (or someone using his Facebook username) had updated his Facebook status from his father' home during the time he was accused of committing a robbery at his apartment complex.
The investigators subpoenaed the Facebook records to verify that the update had been posted from the suspect’s father’s home. The charges were then dropped.
The concern here is that someone could have friends/accomplices post updates to a site like facebook and claim this as an alibi. For computer postings to be a reliable alibi – there needs to be more concrete authentication. A username and password are easily shared (or compromised).
This is the more techie/geeky side of my blog. This is where I will post about new tools I like, new ways to look at malware, some exploits -- stuff like that!
Friday, November 20, 2009
Thursday, November 12, 2009
INetSim
INetSim (http://www.inetsim.org/) is a linux tool that will simulate common internet services (i.e. FTP, DNS, HTTP) for a lab environment. You can use this tool while doing malware analysis to respond to most common internet communication that the malware might want. You can easily respond to web requests, DNS queries, FTP/TFTP, etc.
Once you get the too installed and working, it has a default set of files it will respond with as well. For example, if your malware requests an executable mybadsite.com/new_malware.exe, inetsim has a default executable that it will serve up in response.
In my environment, I have an Ubuntu 9 VM that I will use for this.
Step 1: get all the perl libraries
> perl -MCPAN -e shell
cpan> install Net::Server
cpan> install IO::Select
cpan> install IO::Socket
cpan> install Digest::SHA1
I tried to use cpan to install Net::DNS and IPC::Shareable, but kept getting errors
Installing by hand:
download the libraries Net::DNS and IPC::Shareable
> tar zxvf IPC-Shareable-0.60.tar.gz
> cd IPC-Shareable-0.60
> perl Makefile.PL
> make
> make test ** I got failed tests here, but installed anyway **
> make install
> tar zxvf Net-DNS-0.65.tar.gz
> cd Net-DNS-0.65
> perl Makefile.PL
> make
> make test ** I got failed tests here, but installed anyway **
> make install
downloaded inetsim (i put it in /usr/local)
> cd /usr/local/
> tar zxvf inetsim-1.1.tar.gz
> mv inetsim-1.1 inetsim
> cd inetsim
> groupadd inetsim
> sh setup.sh
that's it for the install!
I had to make a few minor changes to the conf/inetsim.conf file:
service_bind_address
dns_default_ip
finally, I changed my victim VMs DNS server address to the machine running inetsim.
After that, it's done. Very cool stuff -- this should cut down on the time it takes to get info from malware.
Once you get the too installed and working, it has a default set of files it will respond with as well. For example, if your malware requests an executable mybadsite.com/new_malware.exe, inetsim has a default executable that it will serve up in response.
In my environment, I have an Ubuntu 9 VM that I will use for this.
Step 1: get all the perl libraries
> perl -MCPAN -e shell
cpan> install Net::Server
cpan> install IO::Select
cpan> install IO::Socket
cpan> install Digest::SHA1
I tried to use cpan to install Net::DNS and IPC::Shareable, but kept getting errors
Installing by hand:
download the libraries Net::DNS and IPC::Shareable
> tar zxvf IPC-Shareable-0.60.tar.gz
> cd IPC-Shareable-0.60
> perl Makefile.PL
> make
> make test ** I got failed tests here, but installed anyway **
> make install
> tar zxvf Net-DNS-0.65.tar.gz
> cd Net-DNS-0.65
> perl Makefile.PL
> make
> make test ** I got failed tests here, but installed anyway **
> make install
downloaded inetsim (i put it in /usr/local)
> cd /usr/local/
> tar zxvf inetsim-1.1.tar.gz
> mv inetsim-1.1 inetsim
> cd inetsim
> groupadd inetsim
> sh setup.sh
that's it for the install!
I had to make a few minor changes to the conf/inetsim.conf file:
service_bind_address
dns_default_ip
finally, I changed my victim VMs DNS server address to the machine running inetsim.
After that, it's done. Very cool stuff -- this should cut down on the time it takes to get info from malware.
Subscribe to:
Posts (Atom)