Saturday, August 25, 2007

DIY Pharming Tools

In a previous post I discussed pharming from the perspective of abusing a DNS server to launch a wide-scale pharming attack. It is equally important, however, to discuss the second perspective: the malware-infected PCs whose hosts files can be abused to facilitate man-in-the-middle phishing attacks, for instance. Consider the following DIY pharming tool. It allows a list of the IPs of anti-virus software update locations to be added and consequently blocked, and it gives complete control over the infected user's perception of where exactly she is online. The second version lacks the "add a list" feature and is entirely centered on phishing attacks. Just as lists of the process names and files of every anti-virus product have been used by malware to shut that software down, the online update locations for multiple AVs are also easily obtainable -- a topic I covered in a previous post.

Panda 2007.08.25 Suspicious file
Prevx1 2007.08.25 Generic.Malware
File size: 623616 bytes
MD5: 4ab0d055bee708dd0046af0b8800594a
SHA1: 41b93e16127964b89bb9e34af8d12411323e631f
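
A defender-side check for the hosts-file tampering described above, added here as an example and not code from the original post or from the tool it describes: it parses a constructed Windows-style hosts file and flags entries that blackhole AV update hosts or redirect a protected site to a non-local address. The domain names and the two watch lists are assumed placeholders, not real indicators.

```python
import ipaddress

# Constructed sample hosts-file content (not a real capture): a pharming-style
# modification that maps a bank login site to a non-local address and pins
# AV update hosts to loopback/0.0.0.0 so updates silently fail.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
192.0.2.45      online.example-bank.test   # redirect to attacker-controlled host
127.0.0.1       update.example-av.test     # AV update location blackholed
0.0.0.0         liveupdate.example-av.test
::1             localhost
"""

# Hypothetical watch lists; a real deployment would load the organisation's own.
PROTECTED_SITES = {"online.example-bank.test"}
UPDATE_HOSTS = {"update.example-av.test", "liveupdate.example-av.test"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver would not honour it either
        for name in parts[1:]:
            yield ip, name.lower()


def audit_hosts(text):
    """Return (finding, hostname, ip) tuples for entries that look like pharming."""
    findings = []
    for ip, name in parse_hosts(text):
        local = ip.is_loopback or ip.is_unspecified
        if name in UPDATE_HOSTS and local:
            findings.append(("update_blocked", name, str(ip)))      # AV updates blackholed
        elif name in PROTECTED_SITES and not local:
            findings.append(("redirected", name, str(ip)))          # site pointed elsewhere
        elif name != "localhost" and not local:
            findings.append(("unexpected_mapping", name, str(ip)))  # anything else non-local
    return findings
```

Running `audit_hosts(SAMPLE_HOSTS)` on the constructed file reports one redirected site and two blocked update hosts; a clean default hosts file yields an empty list.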

An old friend recently approached me asking for my opinion on man-in-the-middle phishing attacks, and whether or not I'm aware of any DIY tools offering such functions. Simultaneously, PandaSecurity released a very good screenshot of a feature within a botnet's C&C interface, worth seeing for yourself too. Despite the fact that the current "push" phishing model seems to be fully working, and keylogging has started evolving into "form grabbing", I think MITM phishing attacks would remain at the bottom of the attack model for the pragmatic and efficiency-centered phisher, who would otherwise have to either build a botnet on her own or request access to one on demand.
