HBGary Emails

http://hbgary.par-anoia.net/greg/

Yawn.

They talk about Justin Bieber.

For example: you are such a bad ass, i hate to see the mamby pamby – On 2/5/11, Aaron Barr barr@me.com

Cloud computing. And discovery of a password sniffer...

Stu,
HBGary found this on multiple machines at BH, I don't remember exactly
how many.  The sample is attached.  BTW, the attacker who was in BH
was Chinese and coming from Chinese addresses - we saw him on the
webservers and also he was using direct VPN connections - but I don't
have the logs or anything to prove that to you - it was just what I
picked up in conversation while our guys were down there.  The author
of this sniffer is LZX, a Chinese hacker who, BTW, is also the author
of ZXSHELL.

here is a snippet of my email to Rich --->

Rich,
Logger.DLL is a gold mine.

Your boy is Chinese.  The tool he is using was developed for those
Chinese haxors.  The key is the call to "LsaApLogonUserEx2".  This is
part of the login cracking scheme, and the file "logger.dll" is
actually a copy of  "pluginWinPswLogger.dll" - do a search on that.
You can load the DLL using:
regsvr32 /n /i:c:\xxx.log c:\logger.dll

Attached is the original release.  Password is infected.  It was
written by LZX and released in August of last year.

The DLL will log credentials to a text file.  Use EnCase to search for
files that contain patterns like this:

[03/17/2010 15:16:13]
LogonType: 2, MessageType: 2
Domain:   HBGARY-QA-01
User:     qa
Password: 123qwe

That will be the creds that were captured with that tool.  The guy is
probably stashing those somewhere, probably deleting the file once he
grabs it, etc.

Still working on shit...
-Greg

--- another followup email --->

The author, LZX, hosts the password sniffer at t00ls.net.  If you want
to get technical for the customer, the tool places a function hook on
LsaApLogonUserEx2 in the DLL msv1_0.dll.  That is how the tool steals
logon credentials.  The hook will work for all of the following logon
types:

- remote over the network IPC$, explains the ePO domain credential
- runas command
- port 3389 remote desktop connections
- local logon at the workstation

nasty little bugger...
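The record layout Greg quotes is specific enough to hunt for without EnCase. What follows is an added example, not HBGary's code and not anything from the leaked mail: a small Python scanner that walks a directory tree, decodes each file as raw bytes, and pulls out every complete logger.dll-style credential block, labelling the LogonType with the Windows SECURITY_LOGON_TYPE names so the entries line up with the logon types listed in the follow-up (IPC$/network, runas, RDP, console). The sample records, the `xxx.log` file name and the temporary directory are constructed for the demonstration; the second record and its password are made up.

```python
"""Hunt for credential logs written by logger.dll / pluginWinPswLogger.dll.

Added example, not HBGary tooling.  The record layout follows the sample in
the e-mail above; SAMPLE_LOG, the file names and the temp dir are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, NamedTuple

# One block per captured logon, as shown in the e-mail.  Label spacing is
# tolerated, CRLF or LF endings both match, and because callers decode files
# as latin-1 the same pattern works on carved slack/unallocated data.
RECORD_RE = re.compile(
    r"\[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\][ \t]*\r?\n"
    r"LogonType:[ \t]*(?P<logon_type>\d+),[ \t]*MessageType:[ \t]*(?P<msg_type>\d+)[ \t]*\r?\n"
    r"Domain:[ \t]*(?P<domain>\S*)[ \t]*\r?\n"
    r"User:[ \t]*(?P<user>\S*)[ \t]*\r?\n"
    r"Password:[ \t]*(?P<password>[^\r\n]*)"
)

# SECURITY_LOGON_TYPE values from the Windows SDK.  The comments map the
# logon types named in the follow-up e-mail to what the log will show.
LOGON_TYPE_NAMES = {
    2: "Interactive",         # local console logon; plain runas also lands here
    3: "Network",             # SMB/IPC$ connections, e.g. the ePO domain credential
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",      # runas /netonly
    10: "RemoteInteractive",  # Remote Desktop on TCP/3389
    11: "CachedInteractive",
}


class Record(NamedTuple):
    timestamp: str
    logon_type: int
    message_type: int
    domain: str
    user: str
    password: str

    @property
    def logon_type_name(self) -> str:
        return LOGON_TYPE_NAMES.get(self.logon_type, f"Unknown({self.logon_type})")


def parse_logger_records(text: str) -> List[Record]:
    """Return every complete credential record found in `text`, in file order."""
    return [
        Record(m["ts"], int(m["logon_type"]), int(m["msg_type"]),
               m["domain"], m["user"], m["password"])
        for m in RECORD_RE.finditer(text)
    ]


def scan_tree(root: str, max_size: int = 64 * 1024 * 1024) -> Dict[str, List[Record]]:
    """Walk `root`; return {path: records} for every file holding at least one record."""
    hits: Dict[str, List[Record]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # skip huge files; carve those with a forensic tool instead
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished; the attacker deletes these files
            records = parse_logger_records(data.decode("latin-1"))
            if records:
                hits[path] = records
    return hits


# Constructed sample: the record from the e-mail plus a made-up RDP logon, CRLF endings.
SAMPLE_LOG = (
    "[03/17/2010 15:16:13]\r\n"
    "LogonType: 2, MessageType: 2\r\n"
    "Domain:   HBGARY-QA-01\r\n"
    "User:     qa\r\n"
    "Password: 123qwe\r\n"
    "[03/18/2010 09:02:41]\r\n"
    "LogonType: 10, MessageType: 2\r\n"
    "Domain:   CORP\r\n"
    "User:     svc-epo\r\n"
    "Password: Spring2010!\r\n"
)


def demo_scan() -> Dict[str, List[Record]]:
    """Write the constructed log and a decoy into a temp dir, then scan it."""
    root = tempfile.mkdtemp(prefix="pswlogger-hunt-")
    # "xxx.log" is the placeholder name from the regsvr32 line; constructed here
    with open(os.path.join(root, "xxx.log"), "wb") as fh:
        fh.write(SAMPLE_LOG.encode("latin-1"))
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("LogonType appears here without a full record block\n")
    return scan_tree(root)


if __name__ == "__main__":
    for path, records in demo_scan().items():
        print(path)
        for r in records:
            print(f"  {r.timestamp} {r.logon_type_name:<18} {r.domain}\\{r.user}")
```

Run it against a mounted image or an exported file set; the decoy file shows that a stray `LogonType:` string is not enough to count as a hit, only a complete five-line block is. Because the log is keyed on the timestamp line, the same regex can be run over carved unallocated space when the attacker has already deleted the file.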

Cheers when an article makes the mainstream press. Like...

Good morning, This morning, we still see opinion/news stories responding to NYT Stuxnet article, most of them criticizing the reporters i.e. John Markoff for using confidential sources, questioning the story’s findings, etc. In addition, the new Microsoft tool announced yesterday at BlackHatDC is getting nice, mostly positive coverage on twitter. I’d like us to put out at least 1 blog post this week. Jim, please let me know if you or your team have any availability to do a government focused blog post since we are heading to DOD Cybercrime next week. We can discuss topics. Thanks Karen

HBGary Intelligence Report

January 19, 2011

ZDNET: When Bots Chat With Social Network Participants

http://blog.zeltser.com/post/2822651353/bots-chatting-on-social-network

Everything except the important things. They are comparable to the Iraqi intel service: a bunch of people scanning the internet and collecting cash from the clueless. I did like the Topiary screen cap that sent them into threat-defense mode and running to the FBI.
