Monday, February 21, 2011

HAWALA: THE FINE


Black money is the curse of India shining. A dummy’s guide to informal banking

Source: Times Of India

When the Directorate of Revenue Intelligence (DRI) detained Pakistani singer Rahat Fateh Ali Khan for allegedly carrying a huge amount of undeclared foreign exchange, it created “disorder” in India’s well-ordered hawala world. For years, hawala has been the preferred choice of traders, industrialists, criminals, drug lords and politicians. This is how they stash unaccounted currency in safe havens or conceal a tainted money trail. Deals are sealed cutting across continents, in cash, and no financial records are maintained. The operation is based on trust and is considered foolproof.

Khan’s detention has now put the spotlight on the hawala trail. In the last week, at least half-a-dozen Mumbai dealers were raided by revenue intelligence sleuths; more than Rs 60 lakh has been confiscated. Many traders have changed their phone numbers and gone underground.
According to informal Enforcement Directorate estimates “at least 500 hawala dealers are operating in Delhi alone with a similar number in Mumbai, followed by Kolkata, Chennai and Hyderabad — which are significant among cities emerging as major business centres in the country.”
In fact, many believe that with its large transaction values and ability to transfer money rapidly, the hawala network is more widespread than India’s formal financial system. The magnitude of transactions could put some of the world’s biggest banks to shame. The monthly transactions executed by Delhi’s roughly 500 hawala operators is believed to be somewhere around Rs 30,000 crore or Rs 3,60,000 crore per annum. That’s almost as much as the government’s total direct tax collection in 2009-10 or nearly 6% of the country’s GDP that year. And that hypothetical calculation is only for Delhi!
Till a few years ago, New Delhi was the major centre for political hawala deals. But the presence of a multitude of enforcement agencies forced them to move base to Kolkata. The quantum of money transferred from political bribes can be gauged from the fact that two of every 10 hawala operators are busy helping politicians stash away their ill-gotten wealth.
Whilst on the trail of two such major kickbacks, income tax officials recently discovered Savage Island in New Zealand. On the tiny island, they found that Indians had opened banks with relatively small amounts of capital — sometimes, just Rs 4.5 lakh. The purpose of these banks appeared to be clear — entering into legitimate transactions with other financial institutions across the world. One of the many trails led to a political kickback of more than Rs 7,500 crore, which arrived at one of these Indian-owned banks from a tax haven. The money was moved to another bank on Savage Island; eventually both banks were shut down, ending the trail.
Another trail had a major Indian airline receiving money from a clutch of companies in Mauritius. Followed back, the trail led to a bank on Savage Island. The bank in question apparently received its last cheque from another bank on the same island. Before the bank authorities could be tracked down, both banks had ceased to exist.
It was a classic case of the vanished hawala trail. Unsurprisingly, hawala traders are enormously rich. In February 2006, an income tax investigation found that Rs 1,540 crore of unaccounted money had been stashed at the Fatehpuri branch of the Federal Bank in Delhi. Three people, sans business antecedents, were responsible for the entire transaction. These agents were estimated to earn anywhere between Rs 5 and 10 crore each, every year. A similar drive in Maharashtra and Gujarat that year unearthed more than Rs 1,000 crore without any identifiable source. The modus operandi of these hawala dealers was identical. For domestic deals, they created bogus bills and discounted bank drafts on behalf of traders who dealt in cash. Or, they gave loans to industrialists in return for cash, charging them a commission of 1% of the total transaction. In offshore deals, money was delivered to people named by the beneficiary at any location in the world. The commission was a maximum of 2%.
Domestic hawala is small change compared to the big sums that politicians put away offshore. A big chunk of this money is received in tax havens such as the Isle of Man, British Virgin Islands, Switzerland, Dubai etc. The Central Board of Direct Taxes recently concluded a Tax Information Exchange Agreement with at least four offshore jurisdictions famous as tax havens — the Virgin Islands, Isle of Man, Bermuda and the Bahamas. It is trying to sign a similar agreement with 20 others.

Thursday, September 4, 2008

Reigniting the War of the Browsers

With a new web browser entering the Internet scene, Google Chrome, and with Microsoft already ready with Internet Explorer 8 Beta 2, the scene is definitely getting hot. Very soon both Firefox and Chrome will be ported to mobile devices as well. Both IE 8 and Google Chrome provide private browsing; Google calls it Incognito mode. IE 8 auto-deletes cookies and Temporary Internet Files as soon as you leave Private Browsing mode.

Google Chrome version 0.2.149.27

First View :

1 ] Looks very feminine

2 ] Fast and quick

3 ] Private Browsing - Incognito Pages

4 ] Has an advanced Google Chrome Task Manager and memory statistics (about:memory)

5 ] Good view-source:http://www.hp.com/ (View Source option) with line numbers

6 ] Doesn't save (complete) web pages as .mht but saves them the legacy IE way.

7 ] Has a chrome-source (Inspect Element) option to examine every component on the page

8 ] Keeps on contacting im-YY-fXXX.google.com, where XXX = some number and YY = a short country prefix, e.g. im-uk-f123.google.com

9 ] On every GET request the User-Agent sent is:

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.1

10] Has borrowed the "Duplicate Tab" option from Opera, but doesn't duplicate in the same window; instead it opens a new window

11] Lacks a good full-screen view option


There are already two publicly disclosed bugs available to test for Chrome:

Google Chrome Browser Automatic File Download:

http://www.milw0rm.com/exploits/6355

And Google Chrome Crashes with All Tabs:

http://evilfingers.com/advisory/google_chrome_poc.php

Google Chrome is available at:

http://www.google.com/chrome

Microsoft Internet Explorer 8 Beta 2 is available at:

http://www.microsoft.com/windows/internet-explorer/beta/

http://www.microsoft.com/windows/internet-explorer/beta/worldwide-sites.aspx

Take your pick!

cr3d1t : q4k3rd00m3r

Tuesday, July 29, 2008

Evilgrade - What Next?

Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc.) to exploit a wide variety of applications. The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit.

http://www.infobyte.com.ar/developments.htm
http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt

Tuesday, June 17, 2008

==== Google Talk and Password Saving Feature's Security ====

Do you save passwords?

This is a WRITEUP about the Google Talk application and its password-saving facility.
Tested on Google Talk 1.0.0.104. When set to save the password, GTalk hashes and stores it like any other application for convenience, but in a very secure manner.

I've developed a small application (client-server) which, when executed by the target, sends you its login name and hashed (/encrypted) password string. When successfully dropped into and executed from C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, the application tricks Windows Firewall and doesn't ask with the unblock/cancel popup box.

The application running on the attacker's end will obtain the hash sent to it and will display the hash string on its side. The attacker can then replace/create his password hash with the target's hash. After this, when the attacker launches Google Talk we expect the (asterisked) password to be the same as the target's.
A password unhider tool can now aid the attacker to reveal (unmask) what the actual password of the target is.

[ Demonstration ]

- Save svch0st.exe (attached) to C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- Execute CollectGTPass.exe (attached)
- CollectGTPass.exe opens port 2803 on localhost and will wait for a signal from its target/s (in our case the target will connect to 127.0.0.1, since the client and server are both running locally on 127.0.0.1). Note that the target IP and attacker connection IP have been hardcoded in the exe, since this is not a malware (trojan tool) for everyone and is just for demonstration purposes.
- In the demonstration video (attached) the XP Firewall prompted for CollectGTPass.exe (GPWS2.exe), and the application has now been unblocked in the XP Firewall.
- When you test this, the firewall won't pop up any alert, since the target is connecting to loopback. In the remote scenario, to avoid the alert, svch0st.exe adds itself to the list of AuthorizedApplications residing in HKLM before trying to connect remotely (successfully tested, as shown in the video).
- Execute svch0st.exe
- svch0st.exe sends the encrypted password to Target:2803
- CollectGTPass.exe will now receive the encrypted password and will wait for the next one.
- CollectGTPass waits forever to collect more password hashes from other sources.
- This tool has been successfully tested to obtain a target's hash remotely, both in a local network as well as over public IPs.
- Screenshots and a video of a successful local and remote retrieval attempt, respectively, are attached.

[ Question ]
So does it work? Do we get the target's password?
[ Answer ]
NO!!
We get the hash, and using a password-unmasking tool we view the password.
But the hashing algorithm is still unknown to me.
[ Moral of the Story ]
Don't save passwords. Everything isn't GTalk.

[ What's Next? ]
Skype.
Video: http://senduit.com/96f520

.:credit:. .=.QuakerD00mer.=.

Tuesday, June 3, 2008

Built-in Windows commands to determine if a system has been hacked

1) WMIC: A world of adventure awaits

C:\> wmic process
C:\> wmic process list brief
C:\> wmic process list full
C:\> wmic startup list full
C:\> wmic process list brief /every:1
Hitting CTRL+C will stop the cycle.

2) The net command: An oldie but a goodie

3) Openfiles: Deep scrutiny

C:\> openfiles /local on
C:\> openfiles /query /v
C:\> openfiles /local off

4) Netstat: Show me the network

C:\> netstat -nao
C:\> netstat -s -p icmp
C:\> netstat -na 2

5) Find: Searching output for useful stuff

C:\> wmic process list brief /every:1 | find "cmd.exe"
C:\> wmic startup list brief | find /i "hklm"

Researching output

With these five tools, users can get a great deal of information about the configuration and security state of a Windows machine. To use each command in identifying a compromise, however, a user needs to compare the current settings of the machine under analysis to those of a "normal," uninfected machine.
For detailed use of the commands and how to interpret their output, read this
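The comparison against a known-good machine is the step the commands above leave to the reader. As an added example (not from the original post), the PowerShell script below captures the same three views that wmic process, wmic startup and netstat -nao give (processes with their image path, startup entries, listening ports with the owning process), saves them as JSON, and, when a baseline file is supplied, reports what is present now but absent from the baseline. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; the file names are placeholders.

```powershell
# Added example: snapshot a host and diff it against a clean baseline.
# Usage: .\Compare-HostSnapshot.ps1 -Path baseline.json              (on a clean machine)
#        .\Compare-HostSnapshot.ps1 -Path now.json -Baseline baseline.json  (on the suspect machine)
param(
    [Parameter(Mandatory)] [string]$Path,
    [string]$Baseline
)

function Get-HostSnapshot {
    # Same data "wmic process list full" exposes: image name plus full path.
    $procs = Get-CimInstance Win32_Process |
        ForEach-Object { "{0}|{1}" -f $_.Name, $_.ExecutablePath }
    # Same data "wmic startup list full" exposes: where the entry lives and what it runs.
    $startup = Get-CimInstance Win32_StartupCommand |
        ForEach-Object { "{0}|{1}|{2}" -f $_.Location, $_.Name, $_.Command }
    # Same data "netstat -nao" exposes for LISTENING sockets, with the PID resolved to a name.
    $listen = Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            "{0}:{1}|{2}" -f $_.LocalAddress, $_.LocalPort, $owner
        }
    [pscustomobject]@{
        Processes = @($procs   | Sort-Object -Unique)
        Startup   = @($startup | Sort-Object -Unique)
        Listening = @($listen  | Sort-Object -Unique)
    }
}

$now = Get-HostSnapshot
$now | ConvertTo-Json -Depth 3 | Set-Content -Path $Path

if ($Baseline) {
    $base = Get-Content -Raw -Path $Baseline | ConvertFrom-Json
    foreach ($section in 'Processes', 'Startup', 'Listening') {
        # '=>' marks entries that exist in the current snapshot only.
        $added = Compare-Object -ReferenceObject @($base.$section) -DifferenceObject @($now.$section) |
            Where-Object SideIndicator -eq '=>' |
            Select-Object -ExpandProperty InputObject
        if ($added) {
            Write-Output "[$section] present now but not in baseline:"
            $added | ForEach-Object { Write-Output "    $_" }
        }
    }
}
```

Anything the diff reports is a lead to research, not a verdict: a new listener or startup entry may be a legitimate change since the baseline, so check the image path and the owning process before concluding anything.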

Friday, May 30, 2008

Pen_Testing_Tools.xls

One of the bigger challenges for anyone getting into penetration testing is the number of tools available and their purpose in the overall penetration test. This Excel sheet was the first step for me to get to know and understand the tools available to penetration testers. Each tool is grouped, ordered and rated (based on my own personal rating). The sheet also lists the website to download the tool from and which OS/environment the tool runs under. The PenTools.xls file can be downloaded from the URL below and is approximately 40KB.
http://www.shanedevane.net/PenTools.xls

Taken from: www.governmentsecurity.org

Tuesday, May 27, 2008

Manual Patching of Malware Binaries

The basic idea behind malware patching is to make it undetectable to anti-virus software. Remember that an antivirus signature is nothing but a specific value at a specific address.

Signature = Value x Address

So if we are able to change either the value or the address, or a combination of both, we would successfully bypass most anti-viruses (I am talking about the regular AVs, not the ones with heuristic scanning capabilities). This technique has been around for quite some time now and can be divided into two methods:

A) Hex editing the malware binary (Alter the value)

Signature = Value x Address

This would involve opening the binary in a hex editor and then trying to find the signature. Assuming that the signature is present in the bottom half of the binary, we open the binary in a hex editor, scroll to the middle (note the address), then fill the remaining bytes with zeroes. Now save the binary as top.exe. Again open the original binary, fill the upper half with zeroes and save it as bottom.exe. Now scan both halves and you will have the anti-virus triggering on bottom.exe. Repeat the same procedure with bottom.exe till you are able to locate the signature. Alter the values that are triggering the AV and you have your binary undetected. Repeat the procedure for multiple AVs. You might have guessed that not only is the procedure time consuming, but there is a high probability that you will render your binary useless.

B) Manual patching of the malware binary (Alter the address)

First let us have a look at the basics of XOR:

If A XOR B = C
then C XOR B = A

Open the binary in Olly and you will find that it takes you straight to the entry point (EP). The entry point is the first instruction that the processor will execute once you run the binary. Now, if there were some way for us to encrypt the binary contents so that they are undetectable to the AV and at the same time can be understood by the processor, we would achieve our goal. I assume you have a functional knowledge of Olly. This can be done as follows.

Assumptions
  • EP is at address 467EB6
  • The last instruction is at 567EB6

Steps
  • Copy the first few instructions after the EP to a notepad
  • Execute a jump to the encryption routine
  • Note the EP address
  • Scroll to the bottom of the code until you find an empty space for your code
  • Now put an encryption routine here

667EB6
  • MOV EAX, 467EB7 (i.e. we start encrypting from 'address of EP + 1')
  • XOR BYTE PTR [EAX], 0B (XOR the byte at the address with the 'key' 0B)
  • INC EAX
  • CMP EAX, 567EB7 (end address)
  • JNZ back to the XOR instruction (if the end has not been reached, loop; the jump must target the XOR, not the MOV at 667EB6, otherwise EAX is reset on every pass and the loop never ends)

Now run the executable and copy the changes to the executable. Now we have something that is like:

A (original malware in our case) XOR B (key 0B in our case) = C (encrypted malware binary)

Now try scanning the file with the AV and you will find the file is no longer detected. When you run the file again, the encryption routine will run again:

C (encrypted malware binary) XOR B (key 0B in our case) = A (original malware code)

This will be decrypted in memory and the malware will go unnoticed; some AVs will detect it in memory as well (remember, I am only talking about the regular AVs). I will be doing a video tutorial on this soon.