KSpynix ::: the Unix version of KSpyware? (Proof Of Concept)

Discussion:

(too old to reply)

khaalel

2005-05-06 09:27:58 UTC

Since KSpyware was on the net, i received some mails of people who
wanted to know if spywares under Unix systems could be coded. I did
some search on the net to find an unix spyware, but i found nothing.
So i launch my freebsd box and i started to code an unix spyware :
like under windows systems, spywares under Unix systems can be easily
coded but its long (i coded KSpynix during 5 hours) because we have to
find the right conf files.

So KSpynix is only a proof of concept but it work well : i tested it
under FreeBSD 5.3 (like i don't use Linux i can't tell you if all the
code work under Linux but i know it will work well under Gentoo Linux
that use the system of ports like the BSD systems).

For the moment, KSpynix can list all the installed programs, can spy
the web sites the victim visited, can obtain a list of e-mail
adresses, cookies, can hijack Opera's main page and can do the things
you want if the victim have root powers (like copy the /etc/htpasswd
file).

All the glaned informations are put in a repertory, to send the
repertory, the spyware could create a shell script that would use sftp
or other tools.

Well, here is KSpynix's code cource (in Python) :
http://nzeka-labs.com/hacking/KSpynix.htm

KSpynix is under GPL so:
"You may copy and distribute verbatim copies of the Program's source
code as you receive it, in any medium, provided that you conspicuously
and appropriately publish on each copy an appropriate copyright notice
and disclaimer of warranty; keep intact all the notices that refer to
this License and to the absence of any warranty; and give any other
recipients of the Program a copy of this License along with the
Program." BUT DON'T TRY IT ON THE WEB.

- Nzeka Gilbert aka Khaalel
- www.nzeka-labs.com
- Author of the french security book: "La protection des sites
informatique face au hacking".
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Day Jay

2005-05-06 17:40:51 UTC

Permalink

That's gotta be the most half assed piece of code
offered as something for spyware I've ever seen! All
of the directories are like hardcoded and statically
linked! that is no where near any spyware
sophistication I have seen in windows spyware
programs.

d

Post by khaalel
Since KSpyware was on the net, i received some mails
of people who
wanted to know if spywares under Unix systems could
be coded. I did
some search on the net to find an unix spyware, but
i found nothing.
So i launch my freebsd box and i started to code an
like under windows systems, spywares under Unix
systems can be easily
coded but its long (i coded KSpynix during 5 hours)
because we have to
find the right conf files.
So KSpynix is only a proof of concept but it work
well : i tested it
under FreeBSD 5.3 (like i don't use Linux i can't
tell you if all the
code work under Linux but i know it will work well
under Gentoo Linux
that use the system of ports like the BSD systems).
For the moment, KSpynix can list all the installed
programs, can spy
the web sites the victim visited, can obtain a list
of e-mail
adresses, cookies, can hijack Opera's main page and
can do the things
you want if the victim have root powers (like copy
the /etc/htpasswd
file).
All the glaned informations are put in a repertory,
to send the
repertory, the spyware could create a shell script
that would use sftp
or other tools.
http://nzeka-labs.com/hacking/KSpynix.htm
"You may copy and distribute verbatim copies of the
Program's source
code as you receive it, in any medium, provided that
you conspicuously
and appropriately publish on each copy an
appropriate copyright notice
and disclaimer of warranty; keep intact all the
notices that refer to
this License and to the absence of any warranty; and
give any other
recipients of the Program a copy of this License
along with the
Program." BUT DON'T TRY IT ON THE WEB.
- Nzeka Gilbert aka Khaalel
- www.nzeka-labs.com
- Author of the french security book: "La protection
des sites
informatique face au hacking".
_______________________________________________
Full-Disclosure - We believe in it.

http://lists.grok.org.uk/full-disclosure-charter.html

Post by khaalel
Hosted and sponsored by Secunia -
http://secunia.com/

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

khaalel

2005-05-06 18:07:01 UTC

Permalink

For the sophistication, KSpynix is not the right code, but the
directory are hardcoded because, unlikely windows where regedit and
other tool exist, under BSD for knowing the installed ports there is
only one path : /var/db/pkg/, for the emails i scan all the files
from /home/<username>/, for the password there is only one path :
/etc/passwd , and for opera to obtain informations about the user,
there are only the files i gave:: here are the only hardcoded
directories, but how would I have to make to obtain the
informations i quoted whithout openning the files i quoted?

I writed KSpynix because i didn't find an unix spyware, do you have
one? i am interesting by seeing its code. And do you have a better
code for KSpynix, I do not say not to see it i will surely learn
something if you have a better mean to obtain the informations i
quoted.

khaalel

Post by Day Jay
That's gotta be the most half assed piece of code
offered as something for spyware I've ever seen! All
of the directories are like hardcoded and statically
linked! that is no where near any spyware
sophistication I have seen in windows spyware
programs.
d

http://lists.grok.org.uk/full-disclosure-charter.html

Post by khaalel
Hosted and sponsored by Secunia -
http://secunia.com/

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

bkfsec

2005-05-06 19:03:59 UTC

Permalink

Post by khaalel
I writed KSpynix because i didn't find an unix spyware, do you have
one?

I wonder, though, is this an ethical act?

Don't get me wrong, I have no problem with Proof of Concept code --
however, there's a difference between writing a POC for a buffer
overflow and writing a trojan horse or a worm. I think that most people
would class a spyware application as being malware outright, not a POC.

Regarding a spyware POC: I don't think that one's really necessary.
Only an idiot would question whether or not files that the user has
write access to can be modified by running code. The answer is pretty
obvious.

So I really don't see a legitimate use for this package except for
hijacking portions of a user's system.

I don't begrudge you the right to do what you wish, but I question the
validity of an ethical argument for this package.

-Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

2005-05-10 21:51:48 UTC

Permalink

I totally agree with Barry. What a pathetic attempt... what for. Spyware
and viri were one of the reason to switch to linux for me. I think it's
kinda sad seeing people here wasting their time trying to code spyware
for linux/unix. Get a life and do something constructive.

my2bits

me

Post by bkfsec

Post by khaalel
I writed KSpynix because i didn't find an unix spyware, do you have
one?

I wonder, though, is this an ethical act?
Don't get me wrong, I have no problem with Proof of Concept code --
however, there's a difference between writing a POC for a buffer
overflow and writing a trojan horse or a worm. I think that most
people would class a spyware application as being malware outright,
not a POC.
Regarding a spyware POC: I don't think that one's really necessary.
Only an idiot would question whether or not files that the user has
write access to can be modified by running code. The answer is pretty
obvious.
So I really don't see a legitimate use for this package except for
hijacking portions of a user's system.
I don't begrudge you the right to do what you wish, but I question the
validity of an ethical argument for this package.
-Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

James Tucker

2005-05-11 01:52:26 UTC

Permalink

Firefox was safe(r) for a time, now exposure has driven it to become a
viable and "timeworthy" market for the spyware and malware
communities. The same will come of operating systems and any other
highly pervasive applications.

Post by me
I totally agree with Barry. What a pathetic attempt... what for. Spyware
and viri were one of the reason to switch to linux for me. I think it's
kinda sad seeing people here wasting their time trying to code spyware
for linux/unix. Get a life and do something constructive.
my2bits
me

Post by bkfsec

Post by khaalel
I writed KSpynix because i didn't find an unix spyware, do you have
one?

I wonder, though, is this an ethical act?
Don't get me wrong, I have no problem with Proof of Concept code --
however, there's a difference between writing a POC for a buffer
overflow and writing a trojan horse or a worm. I think that most
people would class a spyware application as being malware outright,
not a POC.
Regarding a spyware POC: I don't think that one's really necessary.
Only an idiot would question whether or not files that the user has
write access to can be modified by running code. The answer is pretty
obvious.
So I really don't see a legitimate use for this package except for
hijacking portions of a user's system.
I don't begrudge you the right to do what you wish, but I question the
validity of an ethical argument for this package.
-Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

bkfsec

2005-05-11 16:39:58 UTC

Permalink

Post by James Tucker
Firefox was safe(r) for a time, now exposure has driven it to become a
viable and "timeworthy" market for the spyware and malware
communities. The same will come of operating systems and any other
highly pervasive applications.

Well, yeah, but I still wouldn't be throwing away GNU/Linux just yet on
that front. I would argue that it's still entirely possible to build a
GNU/Linux system that is more secure than a MS Windows system,
relatively speaking. (Note: I am not saying that GNU/Linux doesn't have
its share of security issues and I am not saying that one can't create a
well-secured Windows server.)

However, that's getting off track. That would be getting into system
configuration and design as they relate to vulnerabilities. That's
another discussion altogether.

Going back on track, I wouldn't support the creation of packages such as
this for any OS. I just don't think it's ethical. Like I said, there's
a big difference between a POC and a worm. Coding POCs is just fine, if
it's done ethically. Coding worms as an example, however, is where you
cross the line from just creating a proof of concept and into turning
that proof onto others in order to harm them. Also, I'm not getting
into rights here, I'm just talking about the ethics of the situation.

In the case of spyware, no proof of concept was needed because anyone
with any knowledge of systems at all could tell you that it could be done.

-Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

khaalel

2005-05-11 17:08:16 UTC

Permalink

Hi,

before sending me such emails, read Kspynix before: Firefox is not
attacked by the POC,
and such malware already exists for Unix systems although their code
are not public... that's why I code this "small" malwares (if they can
be called malware...)

About the ethic, it's your problem if you think it's not ethical to
publish such code, Besides don't be afraid Unix systems are always
secure.

And i "waste" my time with what I want !!!
What's an ethical act for you? I wanted to publish a windows rootkit
this week, is it ethical?

Hi,
before sending me such emails, read Kspynix before: Firefox is not
attacked by the POC,
and such malware already exists for Unix systems although their code
are not public... that's why I code this "small" malwares (if they can
be called malware...)
About the ethic, it's your problem if you think it's not ethical to
publish such code, Besides don't be afraid Unix systems are always
secure.
And i "waste" my time with what I want !!!
What's an ethical act for you? I wanted to publish a windows rootkit
this week, is it ethical?

Post by bkfsec

Well, yeah, but I still wouldn't be throwing away GNU/Linux just yet on
that front. I would argue that it's still entirely possible to build a
GNU/Linux system that is more secure than a MS Windows system,
relatively speaking. (Note: I am not saying that GNU/Linux doesn't have
its share of security issues and I am not saying that one can't create a
well-secured Windows server.)
However, that's getting off track. That would be getting into system
configuration and design as they relate to vulnerabilities. That's
another discussion altogether.
Going back on track, I wouldn't support the creation of packages such as
this for any OS. I just don't think it's ethical. Like I said, there's
a big difference between a POC and a worm. Coding POCs is just fine, if
it's done ethically. Coding worms as an example, however, is where you
cross the line from just creating a proof of concept and into turning
that proof onto others in order to harm them. Also, I'm not getting
into rights here, I'm just talking about the ethics of the situation.
In the case of spyware, no proof of concept was needed because anyone
with any knowledge of systems at all could tell you that it could be done.
-Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

James Tucker

2005-05-11 17:47:33 UTC

Permalink

Post by bkfsec
Well, yeah, but I still wouldn't be throwing away GNU/Linux just yet on
that front. I would argue that it's still entirely possible to build a
GNU/Linux system that is more secure than a MS Windows system,
relatively speaking. (Note: I am not saying that GNU/Linux doesn't have
its share of security issues and I am not saying that one can't create a
well-secured Windows server.)

I can understand that this is drifting off track, but as part of the
community, how can you relaibly justify this? I don't mean to be
facetious, but I have never seen any such justification in existence,
furthermore if other aspects are considered such as average required
development time to a 'secure' system the argument can be easily
swung. Such a comment may have been more acceptable if one were to
use openbsd as an example, arguably. Again there are aspects which
must be considered, but if we are refering to the operating system
alone then should we consider the default install, the number of
discrete settings which must be changed? the length of a script which
performs these actions automatically? such judgements are hardly
quantifiable - due to scalar issues.

Remember, if the choice was clear, someone would have 'won' already.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

bkfsec

2005-05-11 21:08:20 UTC

Permalink

Post by James Tucker

I can understand that this is drifting off track, but as part of the
community, how can you relaibly justify this? I don't mean to be
facetious, but I have never seen any such justification in existence,
furthermore if other aspects are considered such as average required
development time to a 'secure' system the argument can be easily
swung. Such a comment may have been more acceptable if one were to
use openbsd as an example, arguably. Again there are aspects which
must be considered, but if we are refering to the operating system
alone then should we consider the default install, the number of
discrete settings which must be changed? the length of a script which
performs these actions automatically? such judgements are hardly
quantifiable - due to scalar issues.
Remember, if the choice was clear, someone would have 'won' already.

*sigh*

I know it because I've done it before. Having access to the code means
that you can change things you don't like and also that you can
construct them from the ground up to meet your needs. Dependancies can
be removed. Packages and services can never be installed if you don't
need them.

Obviously, if you're going to create a system that is very difficult to
get into, it's going to take some time. However, having access to the
code and the will to modify the system you can do some very good things.

Just by that fact one can construct a more secure system with a Free
Software OS than any other proprietary system.

Keep in mind, I'm not talking about getting Red Hat and turning off all
of the services. I'm referring to building a custom system from source
packages - although, you can, if you want, reverse any GNU/Linux
distribution in the same way, if you so chose, but sometimes it's better
to start from the ground up.

I don't need statistics to tell me that it can be done.

Incidentally, the very acts that I'm referring to are the ones that put
OpenBSD into existance. And, if it makes you feel better, I'd include
OpenBSD in the statement.

-Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

V***@vt.edu

2005-05-12 06:06:44 UTC

Permalink

Post by James Tucker
Remember, if the choice was clear, someone would have 'won' already.

Not if one of the contestants has been cheating, and convicted of it
in both the US and EU justice systems.....

bkfsec

2005-05-11 20:38:17 UTC

Permalink

Post by khaalel
Hi,
before sending me such emails, read Kspynix before: Firefox is not
attacked by the POC,
and such malware already exists for Unix systems although their code
are not public... that's why I code this "small" malwares (if they can
be called malware...)

I'm quite well aware that such malware exists on Unix/Linux systems.
Nor was I saying that firefox was attacked by your spyware.

But then, that's even less of a reason to publish it, seeing as there
really is nothing new here.

Post by khaalel
About the ethic, it's your problem if you think it's not ethical to
publish such code, Besides don't be afraid Unix systems are always
secure.

Sure... whatever you say...

No fear here, buddy. But, seeing as this is an open list, I'm free to
question the ethical nature of your release. I think that if you'll
take the time to look through the archive, you'll see that I'm a staunch
advocate of full disclosure, but if there's no real gain from publishing
code that can assist in harming others, chances are pretty damn good
that it's unethical to publish that code.

Post by khaalel
And i "waste" my time with what I want !!!

No argument there.

Post by khaalel
What's an ethical act for you? I wanted to publish a (snip malware type)
this week, is it ethical?

That depends. What's the purpose of publishing the code? Is there any
new or interesting technique used that hasn't been charted before? If
so, then I'd say it might be ethical.

If it's just "because you could"... then I'd say that it would most
likely be unethical to publish that code. Not to mention illegal in
certain countries (I'm not advocating that it should be illegal, it just
could be considered illegal..)

-Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

William Warren

2005-05-06 20:45:27 UTC

Permalink

ok that is as rot. What if the user is non-privledged?

Post by khaalel
Since KSpyware was on the net, i received some mails of people who
wanted to know if spywares under Unix systems could be coded. I did
some search on the net to find an unix spyware, but i found nothing.
like under windows systems, spywares under Unix systems can be easily
coded but its long (i coded KSpynix during 5 hours) because we have to
find the right conf files.
So KSpynix is only a proof of concept but it work well : i tested it
under FreeBSD 5.3 (like i don't use Linux i can't tell you if all the
code work under Linux but i know it will work well under Gentoo Linux
that use the system of ports like the BSD systems).
For the moment, KSpynix can list all the installed programs, can spy
the web sites the victim visited, can obtain a list of e-mail
adresses, cookies, can hijack Opera's main page and can do the things
you want if the victim have root powers (like copy the /etc/htpasswd
file).
All the glaned informations are put in a repertory, to send the
repertory, the spyware could create a shell script that would use sftp
or other tools.
http://nzeka-labs.com/hacking/KSpynix.htm
"You may copy and distribute verbatim copies of the Program's source
code as you receive it, in any medium, provided that you conspicuously
and appropriately publish on each copy an appropriate copyright notice
and disclaimer of warranty; keep intact all the notices that refer to
this License and to the absence of any warranty; and give any other
recipients of the Program a copy of this License along with the
Program." BUT DON'T TRY IT ON THE WEB.
- Nzeka Gilbert aka Khaalel
- www.nzeka-labs.com
- Author of the french security book: "La protection des sites
informatique face au hacking".

--
Computer House Calls, Networks, Security, Web Design:
http://www.emmanuelcomputerconsulting.com
What businesses are in Brunswick, Maryland? Check Brunswick First!
http://www.checkbrunswickfirst.com
My "Foundation" verse:
Isa 54:17 No weapon that is formed against thee shall prosper;
and every tongue that shall rise against thee in judgment thou
shalt condemn. This is the heritage of the servants of the LORD,
and their righteousness is of me, saith the LORD.

-- carpe ductum -- "Grab the tape"
CDTT (Certified Duct Tape Technician)

Linux user #322099
Machines:
206822
256638
276825
http://counter.li.org/

khaalel

2005-05-07 05:40:22 UTC

Permalink

If the user is non-priviledge the spyware will work too without using
the function ifroot.

khaalel

Post by William Warren
ok that is as rot. What if the user is non-privledged?

Post by khaalel
Since KSpyware was on the net, i received some mails of people who
wanted to know if spywares under Unix systems could be coded. I did
some search on the net to find an unix spyware, but i found nothing.
like under windows systems, spywares under Unix systems can be easily
coded but its long (i coded KSpynix during 5 hours) because we have to
find the right conf files.
So KSpynix is only a proof of concept but it work well : i tested it
under FreeBSD 5.3 (like i don't use Linux i can't tell you if all the
code work under Linux but i know it will work well under Gentoo Linux
that use the system of ports like the BSD systems).
For the moment, KSpynix can list all the installed programs, can spy
the web sites the victim visited, can obtain a list of e-mail
adresses, cookies, can hijack Opera's main page and can do the things
you want if the victim have root powers (like copy the /etc/htpasswd
file).
All the glaned informations are put in a repertory, to send the
repertory, the spyware could create a shell script that would use sftp
or other tools.
http://nzeka-labs.com/hacking/KSpynix.htm
"You may copy and distribute verbatim copies of the Program's source
code as you receive it, in any medium, provided that you conspicuously
and appropriately publish on each copy an appropriate copyright notice
and disclaimer of warranty; keep intact all the notices that refer to
this License and to the absence of any warranty; and give any other
recipients of the Program a copy of this License along with the
Program." BUT DON'T TRY IT ON THE WEB.
- Nzeka Gilbert aka Khaalel
- www.nzeka-labs.com
- Author of the french security book: "La protection des sites
informatique face au hacking".

--
http://www.emmanuelcomputerconsulting.com
What businesses are in Brunswick, Maryland? Check Brunswick First!
http://www.checkbrunswickfirst.com
Isa 54:17 No weapon that is formed against thee shall prosper;
and every tongue that shall rise against thee in judgment thou
shalt condemn. This is the heritage of the servants of the LORD,
and their righteousness is of me, saith the LORD.
-- carpe ductum -- "Grab the tape"
CDTT (Certified Duct Tape Technician)
Linux user #322099
206822
256638
276825
http://counter.li.org/