Ubuntu root


Taking a paternalistic approach, Ubuntu does not give access to the root account out of the box; privileged commands must instead be run with sudo. Since most Ubuntu documentation asks you to use sudo even with graphical applications, why recommend gksudo or kdesudo for graphical applications instead of sudo?

For example, a lot of guides (including the first book ever published about Ubuntu) will ask you to type this sort of command:

sudo gedit /etc/apt/sources.list

I will always recommend, however, that people use instead this sort of command:

gksudo gedit /etc/apt/sources.list

And reserve sudo for command-line applications, like so:

sudo nano /etc/apt/sources.list

Why is it an issue?
Well, to be perfectly honest, most of the time it isn’t. For a lot of applications, you can run them the improper way, using sudo for graphical applications, and see no adverse side effects.

There are other times, though, when side effects can be as mild as Firefox extensions not sticking or as extreme as not being able to log in any more because the permissions on your .ICEauthority changed. You can read a full discussion on the issue here.

These errors occur because, when sudo launches an application, it sometimes runs it with root privileges while still using the user’s configuration files.
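A check for that symptom, added here as an example and not part of the original post (the find-based audit and its function names are mine; it assumes a POSIX shell and find, and the owner may be given as a name or a numeric uid):

```shell
#!/bin/sh
# Added example, not from the original post: audit a home directory for entries
# the user no longer owns, the symptom of running graphical apps with plain
# sudo (e.g. ~/.ICEauthority ending up owned by root and breaking login).
# OWNER may be a user name or a numeric uid, so the check also works for an
# account that cannot log in any more.

# list_foreign_owned DIR OWNER -> prints every entry under DIR not owned by OWNER
list_foreign_owned() {
    # -xdev keeps the walk on one filesystem; "! -user" matches anything else
    find "$1" -xdev ! -user "$2" 2>/dev/null
}

# count_foreign_owned DIR OWNER -> number of such entries (0 means clean)
count_foreign_owned() {
    list_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# audit_home DIR OWNER -> returns 0 if clean, otherwise prints a report and
# returns 1. The well-known login-breaking files are flagged explicitly.
audit_home() {
    n=$(count_foreign_owned "$1" "$2")
    [ "$n" = "0" ] && return 0
    echo "$n entries under $1 are not owned by $2:"
    list_foreign_owned "$1" "$2" | while IFS= read -r p; do
        case "$(basename "$p")" in
            .ICEauthority|.Xauthority) echo "  [login-critical] $p" ;;
            *) echo "  $p" ;;
        esac
    done
    echo "Repair (as root): chown -R $2 $1"
    return 1
}

# Stand-alone use:  sh thisfile.sh --check   (audits the current user's home)
if [ "${1:-}" = "--check" ]; then
    audit_home "$HOME" "$(id -u)" && echo "ok: everything in $HOME is owned by uid $(id -u)"
fi
```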

References

LISP


Lisp (historically, LISP) is a family of computer programming languages with a long history and a distinctive, fully parenthesized Polish prefix notation.[1] Originally specified in 1958, Lisp is the second-oldest high-level programming language in widespread use today; only Fortran is older (by one year). Like Fortran, Lisp has changed a great deal since its early days, and a number of dialects have existed over its history. Today, the most widely known general-purpose Lisp dialects are Common Lisp and Scheme.

Lisp was originally created as a practical mathematical notation for computer programs, influenced by the notation of Alonzo Church‘s lambda calculus. It quickly became the favored programming language for artificial intelligence (AI) research. As one of the earliest programming languages, Lisp pioneered many ideas in computer science, including tree data structures, automatic storage management, dynamic typing, conditionals, higher-order functions, recursion, and the self-hosting compiler.[2]

The name LISP derives from “LISt Processing”. Linked lists are one of Lisp language’s major data structures, and Lisp source code is itself made up of lists. As a result, Lisp programs can manipulate source code as a data structure, giving rise to the macro systems that allow programmers to create new syntax or even new domain-specific languages embedded in Lisp.

The interchangeability of code and data also gives Lisp its instantly recognizable syntax. All program code is written as s-expressions, or parenthesized lists. A function call or syntactic form is written as a list with the function or operator’s name first, and the arguments following; for instance, a function f that takes three arguments might be called using (f arg1 arg2 arg3).

Lisp was invented by John McCarthy in 1958 while he was at the Massachusetts Institute of Technology (MIT). McCarthy published its design in a paper in Communications of the ACM in 1960, entitled “Recursive Functions of Symbolic Expressions and Their Computation by Machine, Part I”[3] (“Part II” was never published). He showed that with a few simple operators and a notation for functions, one can build a Turing-complete language for algorithms.

Information Processing Language was the first AI language, from 1955 or 1956, and already included many of the concepts, such as list-processing and recursion, which came to be used in Lisp.

McCarthy’s original notation used bracketed “M-expressions” that would be translated into S-expressions. As an example, the M-expression car[cons[A,B]] is equivalent to the S-expression (car (cons A B)). Once Lisp was implemented, programmers rapidly chose to use S-expressions, and M-expressions were abandoned. M-expressions surfaced again with short-lived attempts of MLISP[4] by Horace Enea and CGOL by Vaughan Pratt.

After having declined somewhat in the 1990s, Lisp has recently experienced a resurgence of interest. Most new activity is focused around open source implementations of Common Lisp, and includes the development of new portable libraries and applications. A new print edition of Practical Common Lisp by Peter Seibel, a tutorial for new Lisp programmers, was published in 2005.[20]

Many new Lisp programmers were inspired by writers such as Paul Graham and Eric S. Raymond to pursue a language others considered antiquated. New Lisp programmers often describe the language as an eye-opening experience and claim to be substantially more productive than in other languages.[21] This increase in awareness may be contrasted to the “AI winter” and Lisp’s brief gain in the mid-1990s.[22]

Dan Weinreb lists in his survey of Common Lisp implementations[23] eleven actively maintained Common Lisp implementations. Scieneer Common Lisp is a new commercial implementation forked from CMUCL with a first release in 2002.

The open source community has created new supporting infrastructure: CLiki is a wiki that collects Common Lisp related information, the Common Lisp directory lists resources, #lisp is a popular IRC channel (with support by a Lisp-written Bot), lisppaste supports the sharing and commenting of code snippets, Planet Lisp collects the contents of various Lisp-related blogs, on LispForum users discuss Lisp topics, Lispjobs is a service for announcing job offers and there is a weekly news service, Weekly Lisp News. Common-lisp.net is a hosting site for open source Common Lisp projects.

50 years of Lisp (1958–2008) has been celebrated at LISP50@OOPSLA.[24] There are regular local user meetings in Boston, Vancouver, and Hamburg. Other events include the European Common Lisp Meeting, the European Lisp Symposium and an International Lisp Conference.

The Scheme community actively maintains over twenty implementations. Several significant new implementations (Chicken, Gambit, Gauche, Ikarus, Larceny, Ypsilon) have been developed in the last few years. The Revised⁵ Report on the Algorithmic Language Scheme[25] standard of Scheme was widely accepted in the Scheme community. The Scheme Requests for Implementation process has created a lot of quasi-standard libraries and extensions for Scheme. User communities of individual Scheme implementations continue to grow. A new language standardization process was started in 2003 and led to the R6RS Scheme standard in 2007. Academic use of Scheme for teaching computer science seems to have declined somewhat. Some universities are no longer using Scheme in their computer science introductory courses.

There are several new dialects of Lisp: Arc, Nu, and Clojure.

The two major dialects of Lisp used for general-purpose programming today are Common Lisp and Scheme. These languages represent significantly different design choices.

Common Lisp is a successor to MacLisp. The primary influences were Lisp Machine Lisp, MacLisp, NIL, S-1 Lisp, Spice Lisp, and Scheme.[26] It has many of the features of Lisp Machine Lisp (a large Lisp dialect used to program Lisp Machines), but was designed to be efficiently implementable on any personal computer or workstation. Common Lisp has a large language standard including many built-in data types, functions, macros and other language elements, as well as an object system (Common Lisp Object System or shorter CLOS). Common Lisp also borrowed certain features from Scheme such as lexical scoping and lexical closures.

Scheme (designed earlier) is a more minimalist design, with a much smaller set of standard features but with certain implementation features (such as tail-call optimization and full continuations) not necessarily found in Common Lisp.

Scheme is a statically scoped and properly tail-recursive dialect of the Lisp programming language invented by Guy Lewis Steele Jr. and Gerald Jay Sussman. It was designed to have exceptionally clear and simple semantics and few different ways to form expressions. A wide variety of programming paradigms, including imperative, functional, and message passing styles, find convenient expression in Scheme. Scheme continues to evolve with a series of standards (Revisedⁿ Report on the Algorithmic Language Scheme) and a series of Scheme Requests for Implementation.

Clojure is a recent dialect of Lisp that principally targets the Java Virtual Machine, as well as the CLR, the Python VM, the Ruby VM YARV, and compiling to JavaScript. It is designed to be a pragmatic general-purpose language. Clojure draws considerable influences from Haskell and places a very strong emphasis on immutability.[27] Clojure is a compiled language, as it compiles directly to JVM bytecode, yet remains completely dynamic. Every feature supported by Clojure is supported at runtime. Clojure provides access to Java frameworks and libraries, with optional type hints and type inference, so that calls to Java can avoid reflection and enable fast primitive operations.

In addition, Lisp dialects are used as scripting languages in a number of applications, with the most well-known being Emacs Lisp in the Emacs editor, AutoLisp and later Visual Lisp in AutoCAD, Nyquist in Audacity. The small size of a minimal but useful Scheme interpreter makes it particularly popular for embedded scripting. Examples include SIOD and TinyScheme, both of which have been successfully embedded in the GIMP image processor under the generic name “Script-fu”.[28] LIBREP, a Lisp interpreter by John Harper originally based on the Emacs Lisp language, has been embedded in the Sawfish window manager.[29] The Guile interpreter is used in GnuCash. Within GCC, the MELT plugin provides a Lisp-y dialect, translated into C, to extend the compiler by coding additional passes (in MELT).

Lisp was the first homoiconic programming language: the primary representation of program code is the same type of list structure that is also used for the main data structures. As a result, Lisp functions can be manipulated, altered or even created within a Lisp program without extensive parsing or manipulation of binary machine code. This is generally considered one of the primary advantages of the language with regard to its expressive power, and makes the language amenable to metacircular evaluation.

The ubiquitous if-then-else structure, now taken for granted as an essential element of any programming language, was invented by McCarthy for use in Lisp, where it saw its first appearance in a more general form (the cond structure). It was inherited by ALGOL, which popularized it.

Lisp deeply influenced Alan Kay, the leader of the research on Smalltalk, and then in turn Lisp was influenced by Smalltalk, by adopting object-oriented programming features (classes, instances, etc.) in the late 1970s. The Flavours object system (later CLOS) introduced multiple inheritance.

Lisp introduced the concept of automatic garbage collection, in which the system walks the heap looking for unused memory. Most of the modern sophisticated garbage collection algorithms such as generational garbage collection were developed for Lisp.

Largely because of its resource requirements with respect to early computing hardware (including early microprocessors), Lisp did not become as popular outside of the AI community as Fortran and the ALGOL-descended C language. Because of its suitability to complex and dynamic applications, Lisp is currently enjoying some resurgence of popular interest.

Emacs (pronounced /ˈiːmæks/) and its derivatives are a family of text editors that are characterized by their extensibility. The manual for one variant describes it as “the extensible, customizable, self-documenting, real-time display editor.”[2] Development began in the mid-1970s and continues actively as of 2013. Emacs has over 2,000 built-in commands and allows the user to combine these commands into macros to automate work. The use of Emacs Lisp, a variant of the Lisp programming language, provides a deep extension capability.

The original EMACS was written in 1976 by Richard Stallman and Guy L. Steele, Jr. as a set of Editor MACroS for the TECO editor.[3][4][5][6] It was inspired by the ideas of the TECO-macro editors TECMAC and TMACS.[7]

Emacs became, along with vi, one of the two main contenders in the traditional editor wars of Unix culture. The word “emacs” is often pluralized as emacsen by analogy with boxen and VAXen.[8]

The most popular, and most ported, version of Emacs is GNU Emacs, which was created by Stallman for the GNU Project.[9] XEmacs is a common variant that branched from GNU Emacs in 1991. Both of the variants use Emacs Lisp and are for the most part compatible with each other.

SLIME, the Superior Lisp Interaction Mode for Emacs, is an Emacs mode for developing Common Lisp applications. SLIME originates in an Emacs mode called SLIM written by Eric Marsden and developed as an open-source project by Luke Gorrie and Helmut Eller. Over 100 Lisp developers have contributed code to SLIME since the project was started in 2003. SLIME uses a backend called SWANK that is loaded into Common Lisp.

SLIME works with the following Common Lisp implementations:

Some implementations of other programming languages are using SLIME:

There’s a remarkable number of Emacs Lisp programs out there, and they do just about everything, from providing handy mail quoting utilities to providing an Emacs interface to IMDB and more! And while many such elisp hacks come bundled with Emacs, there are even more out there on the Internet, just waiting for you to try them out. The Emacs Lisp List and the EmacsWiki are both great resources for finding interesting and useful elisp.

So, you’ve gone and downloaded some elisp file (foo.el, say). Now, what do you do with it? Well, the community convention on the matter is to toss .el files in, say, ~/elisp/ (an elisp directory in your home directory). Once you have such a directory you need to ensure that it’s present in Emacs’ load-path variable. This is typically done by adding something like this to your ~/.emacs file:

(add-to-list 'load-path "~/elisp")

Next, you’ll need to configure Emacs to load the new file. Most of the time, you should be able to add (require 'foo) to ~/.emacs (where foo means foo.el).

Simplify! Use install.el

That’s often all you have to do, but there are lots of exceptions. Fortunately, Stefan Monnier’s install.el handles the vast majority of elisp files you’ll run into, and is very easy to use itself. Install it by following my directions above. Now, whenever you’d like to install an elisp file, simply invoke the install-file command (via M-x install-file RET). That’s it!

NEWS: EMACS 24.3 is finally available!

– emacs24 will be updated only when I change the build process or when new emacs24 versions are released
– emacs-snapshot is updated between once a week and once every two weeks on average. These versions are created from those of Julien Danjou for Debian unstable: http://emacs.naquadah.org/.

To build this PPA, I created this script: https://gist.github.com/2360655

Please report bugs to https://bugs.launchpad.net/emacs-snapshot/, but before reporting, please follow these steps that will ensure a clean installation:

$ sudo apt-get update
$ sudo apt-get install
$ sudo apt-get purge emacs-snapshot-common emacs-snapshot-bin-common emacs-snapshot emacs-snapshot-el emacs-snapshot-gtk emacs23 emacs23-bin-common emacs23-common emacs23-el emacs23-nox emacs23-lucid auctex emacs24 emacs24-bin-common emacs24-common emacs24-common-non-dfsg

To add this PPA:
$ sudo add-apt-repository ppa:cassou/emacs
$ sudo apt-get update

Then, for emacs-snapshot:
$ sudo apt-get install emacs-snapshot-el emacs-snapshot-gtk emacs-snapshot

*Or*, for emacs24:
$ sudo apt-get install emacs24 emacs24-el emacs24-common-non-dfsg

Adding this PPA to your system

You can update your system with unsupported packages from this untrusted PPA by adding ppa:cassou/emacs to your system’s Software Sources.

USB drive Ubuntu install using VirtualBox


There are many ways to create a live USB drive carrying an operating system like Ubuntu, but the method I will describe further is mainly based on using SUN’s VirtualBox.

While the method described in the Ubuntu documentation implies installing a Live CD image on a USB flash drive, which then needs to extract and load the operating system into RAM, the method described on this page implies installing a fresh operating system on a bootable flash drive that will work the same way as from a real HDD (except for the speed, of course). Thus, you should have a good bootable USB 2.0 flash drive with decent I/O speeds and at least 4GB of space (considering that the operating system itself, Karmic Koala, weighs ~2GB).

(assuming you’ve already installed guest additions)

Click on Settings for your virtual machine, then go to the USB tab. Check the two boxes, since you do want USB 2.0 support. In theory, this is all, but there’s one step we will need to do afterwards to get this really working. That is true for Windows; Linux needs a bit more sweat.

You also need to set USB filters so that the USB devices get sent to the guest OS. USB filter is a nice feature that allows you to automatically connect USB devices to your virtual machine. Any device listed in the filter box will be plugged in when you power the guest operating system. Other devices will require that you manually connect them.

From the main Virtualbox window open the Settings dialog, then the USB section, then click the little “add filter” button on the right side of the screen. You should be able to create a filter from any currently connected USB devices.

Much like VMware Tools for VMware products, the Guest Additions expose additional functionality in the virtual machine, boost performance, enhance sharing, and more. We’ve had a long tutorial, which explains how to achieve this in both Windows and Linux virtual machines. You will need to add your user to the VirtualBox group to be able to share USB resources. You can do this from the command line or try the GUI menus.

All right, so we’re running Ubuntu with the Gnome desktop. Therefore, go to System > Administration > Users and Groups. In the menu that opens, click on Manage Groups. Scroll and look for the vboxusers group. Click on the Properties button. Make sure your user is listed and checked in the Group Members field. You will need to log out and log back into the session for the change to take effect. Now, power on the virtual machine once more and see what happens.

I had the same problem and fixed it by clicking on the VirtualBox group for my user. You can access it by installing gnome-system-tools (it does not come with Ubuntu 12.04 Precise Pangolin), either via the Ubuntu Software Center, Synaptic or by typing in the terminal:

sudo apt-get install gnome-system-tools

Then you head to your Dash home and type users. You will see two applications. The good one is Users and Groups.

You then have to click on Advanced settings for your user and enter your password.

Now you will be shown a window with three tabs. Click on User Privileges. Find the line that says Use Virtualbox virtualization solution and then OK.

After you’ve done this (maybe restart to be sure the host OS isn’t capturing any of the USB devices for itself–Ubuntu will try to automount the flash drive so you might also want to check and make sure that it is unmounted too) then boot into the guest OS and you should see your USB devices.

Good luck.

Edit: note on USB filters

It’s my understanding that a device being used by a guest OS with a USB filter will not be accessible by the host OS while the guest OS is running. Therefore, one should choose carefully which USB devices to create filters for.

You should create USB filters for things that you plan on only using with the guest OS (often peripherals that don’t work with the host OS and will only work with the guest OS) and when you won’t require being able to access the device from the host OS while the guest OS is running. For example I have a USB banking dongle from my bank, ICBC, that is not compatible with Linux so I use a virtualized installation of Windows XP for banking and use a USB filter to grab the USB dongle.

Examples of good devices to create filters for:

  • USB banking dongles that only work with guest OS
  • e-readers (Kindle,Nook,etc.) that you plan on using only (or primarily) with the guest OS.
  • external soundcards that only work with the guest OS or require the guest OS for full functionality

Examples of bad devices to create filters for:

  • USB input devices (mice or keyboards) that you would like to use with the host and guest OSes. VirtualBox will allow the guest OS access to these devices by default so there is no need for the guest OS to directly control them (well, I could think of some specialized reasons but I will digress…).
  • USB storage devices that you want the guest and the host OSes to both be able to access at the same time. Instead, mount the drive on the host OS and use shared folders to share the drive to the guest OS.

Remember that to paste in the terminal you have to use CTRL+SHIFT+V, as opposed to CTRL+V.

You will probably have to enter your password to allow the installation and type Y (as in yes) to finish installing the packages.
Press Alt+F2 and type ccsm (do you have the Compiz settings manager installed?). Scroll to the bottom, find the “move windows” icon and click on it. There is an option “constrain Y”; uncheck this and you can pull the windows where you want. If you are using “advanced desktop settings” and don’t have compiz-config-settings installed, open a terminal and type:

sudo apt-get install compizconfig-settings-manager

More reading

For a whole library full of tutorials, guides, howtos, tips and tricks on virtualization, feel free to click on any of the links below, preferably all.

VirtualBox 3 overview

Compiz Fusion in VirtualBox 3

DirectX in VirtualBox 3

Seamless mode in VirtualBox

VirtualBox desktop shortcuts

Portable VirtualBox

How to add new hard disks in VirtualBox – Tutorial

How to clone disks in VirtualBox – Tutorial

How to shrink/expand disks in VirtualBox – Tutorial

How to install VirtualBox Guest Additions – Tutorial

Network & sharing in VirtualBox – Tutorial

How to boot from CD-ROM in newer versions of VirtualBox – Tutorial

the Interceptor


the Interceptor

What is the Interceptor?

The Interceptor is a wireless wired network tap. Basically, a network tap is a way to listen in to network traffic as it flows past. I haven’t done extensive research, but all the ones I found when looking passed the copy of the traffic onto a specified wired interface which was then plugged into a machine to allow a user to monitor the traffic. The problem with this is that you have to be able to route the data from that wired port to your monitoring machine, either through a direct cable or through an existing network. The direct cable method means your monitor has to be nearby the location you want to tap; the network routing method means you have to somehow encapsulate the data to get it across the network without it being affected en route.

The Interceptor does away with the wired monitor port and instead spits out the traffic over wireless meaning the listener can be anywhere they can make a wireless connection to the device. As the data is encrypted (actually, double encrypted, see how it works) the person placing the tap doesn’t have to worry about unauthorized users seeing the traffic.

See here for more information on how it works.

What Hardware Is Required

This project has been built and tested on a Fon+ but should in theory work on any device which will run OpenWrt and has at least a pair of wired interfaces and a wireless one.

OpenWrt is an operating system primarily used on embedded devices to route network traffic. The main components are the Linux kernel, uClibc and BusyBox. All components have been optimized for size, to be small enough to fit the limited storage and memory available in home routers.

OpenWrt is configured using a command-line interface (ash), or a web interface (LuCI). There are about 3500 optional software packages available for install via the opkg package management system.

OpenWrt can be run on CPE routers, residential gateways, smartphones (e.g. Neo FreeRunner), pocket computers (e.g. Ben NanoNote), and small laptops (e.g. One Laptop per Child (OLPC)). But it is also possible to run on ordinary computers (e.g. x86). Many patches are being included upstream in the Linux mainline kernel.

Possible Uses

This isn’t intended to be a permanent, in-situ device. It is designed for short-term troubleshooting or information gathering on low-usage networks; as such, it will work well between a printer and a switch but not between a switch and a router. Here are some possible situations for use:

  • Penetration testing – If you can gain physical access to a target’s office, drop the device between the office printer and switch, then sit in the car park and collect a copy of all documents printed. Or, get an appointment to see a boss and when he leaves the room to get you a drink, drop it on his computer. The relatively low cost of the Fon+ means the device can almost be considered disposable, and if branded with the right stickers most users wouldn’t think about an extra small box on the network.
  • Troubleshooting – For sys-admins who want to monitor an area of network from the comfort of their desks, just put it in place and fire up your wireless.
  • IDS – If you want to see what traffic is being generated from a PC without interfering with the PC simply add the Interceptor and sit back and watch. As the traffic is cloned to a virtual interface on your monitoring machine you can use any existing tools to scan the data.

I’m sure there are plenty more uses, if you come up with any good ones, let me know.

Download

The Interceptor comes as a single tarball which can be downloaded from here.

It also requires a number of extra packages to be installed on a base OpenWrt install, they can be found on the OpenWrt download page.

Install Notes

There are two sets of install notes, a basic set and a detailed walk-through set. The basic set is the standard set of notes that comes with most packages; the detailed set is a full walk-through from flashing the Fon+, installing dependencies, installing Interceptor, starting up and monitoring traffic, and finally shutting it down. Most people should find the basic set sufficient, but the detailed set is useful if you have any problems.

Limitations

The main limitation is bandwidth, the wired network can get up to 100Mb/s but the top speed of the wireless is 54Mb/s, add on to that the overhead of encryption and that rate drops down further. This is why the Interceptor won’t work well on high traffic parts of the network.

From tests I’ve done, under high load the network seems to stay up and stable but not all traffic ends up on the monitor interface. I haven’t done any research to find out where the traffic is being dropped, it could be DaemonLogger, the AP or at the VPN. This is good as it means the device doesn’t affect the smooth running of the network but obviously means you may miss some important data. Be aware of this when working with the device.

The software has no fail safe in case of problems. If the hardware or software fails the network connection being tapped will probably be lost. Don’t use the Interceptor in situations where uptime is critical without knowing what you are doing.

Support

If you have any problems or questions you can either drop me an email or visit the Hak5 forums.

Licence

The Interceptor is released under a Creative Commons licence, view the terms for more information.


the fonosfera

Here is the place to download and commit source code into the Fonera 2.0 firmware (aka fon-ng) and report bugs. It is also the place that will host fon-ng documentation. End user documentation of the Fonera 2.0 is on the Wiki: Fonera 2.0n and Fonera 2.0g

Resources

Getting Started with fon-ng

Ubuntu Malware Removal Toolkit


Ubuntu Malware Removal Toolkit is an Ubuntu-based LiveCD focused on Windows malicious software removal. The purpose of this distribution is to create a portable environment that will make it easier to remove malware from infected Windows systems.

Features

  • Detect and clean Windows malware directly from the LiveCD using the best free tools
  • Easy to use even for Linux novice users
  • Custom Nautilus scripts to make tasks like scanning or hashing multiple files or folders easier
  • Find information online by browsing the web with Firefox directly from the LiveCD
  • Windows network protocol support: Ubuntu MRT can browse Windows networks, resolve Windows hostnames, mount Windows shared folders and use RDP to remotely control Windows Servers
  • Easily create an Ubuntu MRT Persistent LiveUSB directly from the LiveCD
  • Browse and query the Windows registry files, detect NTFS timestamp artifacts and much more…
  • Easily search online for multiple file hashes with a single mouse click (Virustotal.com, Team Cymru MHR and other services)
  • Analyze network traffic using preinstalled tools like ntop and BotHunter

Identifying and removing malware with Ubuntu MRT

The purpose of this article is to show you how to use the main tools included in Ubuntu MRT; specifically, I will cover:

AVG Virus Scanner: updating over the Internet and scanning
Reglookup Common Startup Locations (script)
MiTec Windows Registry File Viewer
VirusTotal and the Simple Malware Check Tool
Hashing with MD5Sum
The Firefox bookmarks
Some of the quick commands included in the “Nautilus” file manager
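Bulk hashing of a folder for a hash lookup, as the Nautilus scripts and the MD5Sum section describe, written here as an added shell example that is not Ubuntu MRT’s own script (function names are mine; it assumes md5sum, sha1sum and awk are present, as on an Ubuntu LiveCD, and it only builds the Team Cymru MHR query names without contacting the service):

```shell
#!/bin/sh
# Added example, not part of Ubuntu MRT: hash every regular file under a
# directory and prepare the result for a bulk hash lookup.

# hash_tree DIR -> one line per file: "<md5>  <sha1>  <path>", sorted by path
# (sorting makes two runs over the same tree directly comparable with diff)
hash_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        md5=$(md5sum "$f" | cut -d' ' -f1)
        sha1=$(sha1sum "$f" | cut -d' ' -f1)
        printf '%s  %s  %s\n' "$md5" "$sha1" "$f"
    done
}

# unique_hashes MANIFEST COLUMN -> distinct hashes from column 1 (md5) or 2 (sha1)
# Identical files spread over several folders only need one lookup.
unique_hashes() {
    awk -v c="$2" '{ print $c }' "$1" | LC_ALL=C sort -u
}

# mhr_query_name HASH -> DNS name for a Team Cymru Malware Hash Registry lookup.
# The MHR answers TXT queries for <md5-or-sha1>.malware.hash.cymru.com; this
# only builds the name (lower-cased, as the zone expects), it sends nothing.
mhr_query_name() {
    printf '%s.malware.hash.cymru.com\n' "$(printf '%s' "$1" | tr 'A-F' 'a-f')"
}

# Stand-alone use:  sh thisfile.sh --hash DIR
# Prints the manifest, then the MHR names for each distinct md5 in it.
if [ "${1:-}" = "--hash" ] && [ -n "${2:-}" ]; then
    manifest=$(mktemp)
    hash_tree "$2" | tee "$manifest"
    unique_hashes "$manifest" 1 | while IFS= read -r h; do mhr_query_name "$h"; done
    rm -f "$manifest"
fi
```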

The patient

The system taken as an example was infected with a bot/rootkit that appears to be programmed to send spam and steal login credentials for various kinds of Internet services.
As you can see in the following image, the system shows no particular signs of infection: there are no suspicious processes running or set to start automatically.

Clear code that works


Starting from a clear and intimate view of the software development process, Kent Beck has created a methodological approach that at first sight seems counterintuitive but has proved successful and widely accepted in the programming community.

In Test Driven Development: By Example (Addison-Wesley Signature Series), the seminal TDD book, Beck applies the maxim "divide and conquer" to the quality precept for producing code: clear code that works.

Going against the current, Beck proposes that it is possible to separate code-quality considerations, from the software-engineering perspective, from the verification of functionality, and that the first step in each iteration of the development process is to define and apply the functionality tests.

Beck uses a refactoring process to go from working code to clean code, using the elimination of redundancy or duplication as the methodological guide.

Drawing an analogy with a traffic light, Beck describes an iterative three-step process:

  1. Red. Start with a test that must fail, perhaps not even compile.
  2. Green. Make the code pass the test in the quickest and simplest way, with no regard for code-quality standards and patterns.
  3. Refactor. Eliminate redundancy in code, tests and data.

From such a simple approach Beck elaborates the test-driven development methodology.

Sysinternals


The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.

Get up to speed fast!

Sysinternals Live

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>. The UNC form is served over WebDAV, so it needs the WebClient service running; either form fetches and runs a binary from the Internet at run time, so on a host whose network you do not trust, download the tool once and check its Authenticode signature before running it.

You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

looking for all of the executables on a drive


Miss Identify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). The program can also be run to display all executables encountered, regardless of the extension. This is handy when looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively. See the manual page for more information.

Alternate Operating System Scanner


What is PC Tools’ Alternate Operating System Scanner?

Once a system is infected with malware it becomes difficult to remove that malware, as it is already embedded in the system and has control over many components which are key to the system's operation. Malware such as rootkits uses system components to hide itself and prevent other software from detecting or removing it. This is often a case of who gets there first: if the malware is able to get control of the system earlier on, then it also has control over any software that may be run later. Besides just hiding, malware can also block the execution of other security applications. If you cannot install or run a security application in the first place then you cannot scan for and detect the malware. The best time to remove this malware is when it is not running, but malware often starts with the operating system, so we would have to stop the operating system to stop the malware. On a shut-down OS nothing is running, and malware like rootkits cannot hide itself, so it becomes easy to find and remove.

REMnux


REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

John H. Sawyer March 22, 2012

In my last blog about Linux Live Environments, I mentioned REMnux, an environment specifically built for malware analysis. I’d spent a little time with REMnux when it first came out, but decided to take the latest version (3.0) for a test drive.

Since I just received the new “Practical Malware Analysis” book from No Starch Press, the detailed lab exercises seemed like a perfect way to test out the tools included in REMnux. While most of the tools in the book are Windows-based, there are Linux-based equivalents found on REMnux.

The first task was downloading the lab files linked from http://practicalmalwareanalysis.com/labs and extracting them.

If you have issues try https://sourceforge.net/projects/labs-encryptzip/ for an encrypted zip download.

WARNING: The lab binaries contain malicious code and you should not install or run these programs without first setting up a safe environment.

Compatibility: The labs are targeted for the Microsoft Windows XP operating system. Many of the labs work on newer versions of Windows, but some of them will not. The labs are designed to mimic realistic malware. Some of them are well-written code that runs reliably and some of them (just like real malware) are poorly written code that may crash, contain memory leaks, or otherwise behave unexpectedly.

Practical Malware Analysis Labs Web Site

My plan to solely use REMnux was immediately thwarted by the self-extracting Windows executable that contained the lab files. There was a EULA (end user license agreement) wrapper as part of the executable that had to be accepted before the files could be extracted — a problem solved with a quick boot of a Windows XP virtual machine. Ideally, the authors will replace or supplement the self-extracting executable with a standard zip file.

After a quick and easy read through the first few chapters, I started to dig into the lab examples using REMnux's tools. Chapter 1's labs want you to upload the example binaries to VirusTotal to see whether any antivirus products detect them as possible malware. While I could have used Firefox to upload the files, I chose to use pyew's "vt" plugin that searches VirusTotal using the MD5 hash of the file instead of uploading the actual file.

Searching just using the MD5 could have backfired if no one had uploaded the file to VirusTotal yet, but given the popularity of the book, the lab files had already been uploaded many times. It doesn’t appear that REMnux currently comes with a command-line tool to upload files to VirusTotal, so here are a couple of options (#1 and #2) that simply require that you get a free API key from VT first.

A few other tasks in the first few "Practical Malware Analysis" labs include looking at executables' import/export functions, compile date, and packer identification. Pescanner works pretty well at figuring out those answers, but not all of them. For example, pescanner identifies suspicious import functions but does not list them all, and it incorrectly identified some of the executables as having been packed when they weren't. Pyew fared better by being able to list all imports and exports and correctly identifying the packer, but it did not have an obvious way to show the compile date. But when used together, you can get the exact answers you need.

The last lab in Chapter 1 asks you to use Resource Hacker to look for resources that are stored in the file. To accomplish the same task on Linux, a command-line tool called hachoir-subfile can be used. Running hachoir-subfile against the Lab 1-4 executable will extract the PE file embedded in it.

I’m looking forward to digging into the book more and using REMnux further to see just what I can do without having a Windows virtual machine. It’s not that I have anything against Windows — I just like to find alternative Linux-based tools that do the same thing as Windows-based tools. There’s definitely an advantage to having both platforms available for analysis with the plethora of tools to use.

I highly recommend taking a look at "Practical Malware Analysis" if you're interested in the topic, as it is one of the best books I've seen on the subject and the labs are great. I suspect I'll have more blogs in the future about the book and tools as I spend more time with it and find alternative tools to use for the analysis.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.
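Two passages on this page come down to reading PE headers yourself: Miss Identify's job of finding Win32 executables whose extension does not say so, and the Chapter 1 lab tasks above (compile date, packer identification) where, as the post notes, pescanner and pyew each got part of the answer. The block below is an added example written for this page, not code from Miss Identify, REMnux, pescanner or pyew. It identifies a PE by its `MZ` stub plus `PE\0\0` signature rather than by extension, reads the COFF header's TimeDateStamp as the compile date, and uses section names as a packer hint; the PE images in `demo()` are constructed headers, not real programs, and the packer table is a small hypothetical list of well-known section names.

```python
"""Find PE executables by content, not extension, and pull the static facts the
Practical Malware Analysis Chapter 1 labs ask for: machine type, compile timestamp,
section names and a packer hint. Added example for this page."""
import datetime
import os
import shutil
import struct
import tempfile

# Miss Identify's list of extensions that are expected to hold executables.
EXEC_EXTS = {".exe", ".dll", ".com", ".sys", ".cpl", ".hxs", ".hxi", ".olb", ".rll", ".tlb"}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
# Section-name prefixes common packers leave behind (hypothetical short list). Only a
# hint: packers can rename sections, which is why a single heuristic mislabels files.
PACKER_SECTIONS = {"UPX": "UPX", ".aspack": "ASPack", ".petite": "Petite",
                   ".MPRESS": "MPRESS", ".themida": "Themida"}


def parse_pe(data):
    """Return header facts for a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None               # "MZ" alone is not enough; plain files can start with it
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 else 0
    names = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            break                 # truncated section table: report what is present
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    compiled = datetime.datetime.fromtimestamp(stamp, tz=datetime.timezone.utc)
    hint = next((p for prefix, p in PACKER_SECTIONS.items()
                 if any(n.startswith(prefix) for n in names)), None)
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "timestamp": stamp, "compiled": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "sections": names, "packer_hint": hint}


def find_executables(root, all_executables=False):
    """Walk root. Default mode (Miss Identify's): PE files whose extension is not an
    executable one. all_executables=True lists every PE found, whatever the extension."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                info = parse_pe(fh.read(65536))   # the headers live in the first pages
            if info is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            if all_executables or ext not in EXEC_EXTS:
                found.append((os.path.relpath(full, root).replace(os.sep, "/"), info))
    return sorted(found)


def build_sample_pe(section_names, stamp, pe32plus=False):
    """Constructed minimal PE image: DOS header, PE signature, COFF header, optional
    header without data directories, and section table. Not a runnable program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    opt_size = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(section_names),
                       stamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * (opt_size - 2)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs


def demo():
    """Build a constructed sample tree and run both modes over it."""
    stamp = 1262304000            # 2010-01-01 00:00:00 UTC
    samples = {
        "tool.dat": build_sample_pe([".text", ".data", ".rsrc"], stamp),            # hidden behind .dat
        "bin/packed.exe": build_sample_pe(["UPX0", "UPX1", ".rsrc"], stamp, True),  # UPX-style layout
        "notes.txt": b"MZ" + b" is just how this note starts, no PE header. " * 3,  # MZ but no PE
        "readme.md": b"# not code\n",
    }
    root = tempfile.mkdtemp()
    try:
        for rel, content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return {"default": [p for p, _ in find_executables(root)],
                "all": dict(find_executables(root, all_executables=True))}
    finally:
        shutil.rmtree(root)
```

The TimeDateStamp is attacker-controlled metadata, so treat the compile date as a claim to compare against other evidence (file system timestamps, the PDB path, version resources), not as a fact; the same goes for the packer hint, which is why the post's two tools disagreed on it.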