Cyb0rn™

Using MiTM  with driftnet to View the Target's Images In each of our previous MiTM attacks, we have been able to place ourselves between two users and to view their traffic. This traffic can been seen by using such tools as Wireshark and other packet sniffers. As we can see below, Wireshark shows us with great detail each packet going over the wire.  We can use Wireshark to capture these packets for later detailed analysis. When we use the Wireshark filter for "HTTP", we can see only the HTTP traffic and we know that this traffic has images in the packets. The problem is that we can't see them or reconstruct them as the images are often fragmented across multiple packets. The problem comes when we want to see pictures, photos, jpg, png and other graphic files in this stream of traffic. By using Wireshark and other sniffing tools we can see that pictures and other graphic files are passing over the wire or air, but we can't  see what those images are. Our

This post was co-authored by David Sánchez and Jérôme Segura We recently came across a campaign targeting the Saudi Arabia Government via a malicious Word document which at first reminded us of an attack we had previously described on this blog. In our previous research , we detailed how an information stealer Trojan was deployed via a Word macro, in order to spy on its victims (various parts of the Saudi Government). The stolen information was transmitted back to the threat actors' infrastructure in an encrypted format. This new threat also uses a macro to infect the target's computer, but rather than retrieving a binary payload, it relies on various scripts to maintain its presence and to communicate via hacked websites, acting as proxies for the command and control server. The malicious script fingerprints the victim's machine and can receive any command that will run via PowerShell. In this blog post, we will describe the way this threat enters the system and ma

AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go network intrusion detection system engine with capabilities of learning without any human intervention, DNS domain classification, Spam detection, network collector, network forensics and many others. It also helps network/security professionals to identify traffic and develop signatures for using them on NIDS, Firewalls, Traffic classifiers and so on. The main functionalities of AIEngine are: Support for interacting/programming with the user while the engine is running. Support for PCRE JIT for regex matching. Support for regex graphs (complex detection patterns). Support five types of NetworkStacks (lan,mobile,lan6,virtual and oflow). Support Sets and Bloom filters for IP searches. Supports x86_64, ARM and MIPS architecture over operating systems such as Linux, FreeBSD and MacOS. Support for HTTP,DNS and SSL Domains matching. Support for banned domains and hosts for HTTP,