Move over Stuxnet, Say Hello to the new Cyberweapon: “Flame”

(Screenshot of Iran CERT warning for “Flame” Malware)

Yesterday Iran’s Computer Emergency Response Team released a warning about a new modular malware that resembled Stuxnet and Duqu. Dubbed “Flame”, the new cyberweapon is causing quite a stir in the media with it’s “advanced features and complexity”.

But looking at the malware’s features disclosed by Iran’s CERT team, it doesn’t seem very game stopping:

  • Distribution via removable medias
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of infected system looking for specific extensions and contents
  • Creating series of user’s screen captures when some specific processes or windows are active
  • Using the infected system’s attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antiviruses, anti malware and other security software
  • Capable of infecting Windows Xp, Vista and 7 operating systems
  • Infecting large scale local networks

All of these “threats” have been seen before. I especially liked the “bypassing tens of known anti-viruses…” line.

But there are several features that do set “Flame” apart from the pack. First of all the malware is very large, a whopping 20MB. Also, it contains several files and seems to be able to attack using swappable modules. But there is more.

According to an article on The Register, Flame has the following features:

  • It has been active for at least 2 years, but possibly 5-8 years
  • Contains exploits for known and fixed vulnerabilities
  • Uses open source libraries
  • Uses a SQLlite database
  • Uses some Scripts written in Lua (of Angry Birds fame)

All the big name security companies that have analyzed it seem to agree that with it’s complexity, it was most likely written by a Nation State and not individuals or small groups.

The malware could have been created by Israel (and possibly the US) as many of the countries that have detected infection would be logical targets for them.

As according to Symantec:

Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear.”

I am not sure of it’s “CyberWeapon” title, as it seems to be an information gatherer. Definitely worth keeping an eye on, but as with “APT” and “Stuxnet”, I am sure the media will beat this topic to death.


p/s: Credit to

Mapping Network Drive in OSX


1 – 
Click on the “Finder” icon in the dock at the bottom of the screen.

2 – 
Open the “Go” menu at the top of the screen and choose the “Connect to Server” option.

3 – 
Enter the address of the network drive that you want to map in the text field at the top of the pop-up window. If you plan to map this network drive on a regular basis, you can click on the plus symbol to add it to your list of favorite servers.

4 – 
Press the “Connect” button to initiate a session with the specified server.

5 – 
Enter your domain, username and password in the appropriate fields and then click “OK” to log in to the server.

 – Double-click on the network drive icon that appears on your desktop to access the shared folder through the Finder application

Extra Repositories on N900


Maemo, the operating system of Nokia N900, has 3 repositoriesof applicationsRepositories are ExtrasExtras-Devel, and Extras-Testing and in each are grouped the applications according to their compatibility and the result of the test in Maemo.

Repository Extra.

In the N900 the repository Extras is pre-configured but is not compatible with the current firmware. The user has to allow this repository before use. Extras is a repository where they are applications that are tested properly and compatible, with a perfect functionality.

If you erase this repository you can return to install it. In applications manager we create the catalogue with the following information:

Also you can do click here on your N900 to install it automatically.

Repository Extra-Testing.

Extra testing Repositories Extras, Extras Devel and Extras Testing for Nokia N900

This repository adds manually. Extras-Testing contains the new applications that have not yet been tested and verified.

In applications manager we created the catalog:

Also you can do click here on your N900 to install it automatically.

Repository Extra-Devel.

Extra devel Repositories Extras, Extras Devel and Extras Testing for Nokia N900

This repository also adds manually. In Extras-Devel we find applications in the early stages of development or version “alpha”. This repository is the least indicated for the end users, since its operation can have too many problems.

To install the repository Extras-Devel we are going to applications manager and created the catalog with the following information:

Also you can do click here on your N900 to install it automatically.

Have a nice day!!!

Nokia N900 is a pentest device

The Nokia N900 has a lot of pentesting potential thanks to the numerous pentest software that has been ported to Maemo. Today I will be doing a guide on how to fully equip your N900 so that it becomes a must-have device for every pentester. Everything that your going to read is for testing only, you should NOT use it on computers you don’t own. Anything you do with this software is your own fault. You have been warned.

Before continuing you should first enable the extras-devel repository on your phone – go to Application Manager and Add this catalogue:

 Catalogue name: Extras-Devel
 Web address:
 Distribution: fremantle
 Components: free non-free

To begin with, I will start with aircrack-ng. It is one of the most popular pentesting programs out there and it serves the purpose of breaking wep/wpa/wpa2 keys and gaining access to a wireless network. To get it, you need to follow these instructions:

apt-get install aircrack-ng

However, so far you will not be able perform packet injection, which will slow down WEP cracking and will make wpa handshake capture much harder. So next thing to do is go tolxp’s blog and get the patched wireless driver and carefully follow the instructions. If you find the driver useful donate at his blog! It adds much more than just packet injection, but you can read all about that on his blog.

As of May,2011 you can now install successfully mdk3, genpmk and cowpatty. You need to have updated your aircrack-ng to version 1.1. To install them follow this post. You can further install wessid-ng ,kiptun and airolib by placing them in /usr/bin and chmod them.

A great addition to aircrack-ng are one of the two available GUI’s. If you are a Backtrack user, you have most probably gotten used to GrimWepa. Luckily for you, a N900 version exists. Here is the actual file. To install it follow these instructions:

apt-get install libgif4

apt-get install icedtea6

java -jar grimwepa-n900.jar

However, I personally don’t like how it works on the N900 and I prefer wifite v2. To install it,use :

– wget

– chmod +x

– ./

The biggest change from version 1 is support for “reaver”, a Wifi-Protected Setup (WPS) attack tool. Reaver can compromise the PIN and PSK for many routers that have WPS enabled, usually within hours.

Other changes include a complete code re-write with bug fixes and added stability. Due to problems with the Python Tkinter suite, the GUI has been left out of this latest version. Most of the new router now got WPS. For example,the default configuration in UniFi router- Dlink Dir-615 – got WPS enabled. Instead of attacking WPA key,wifite attack WPS pin. And have tested using wifite v2, i can crack wpa password without using WPA dictionary. Wifite v2 use pyrit + cowpatty to attacking WPA key.

And for your info wifite just for LINUX, not working in windows or mac…so put yourself with LINUX.

Next thing on the list is getting nmap – apt-get install nmap – easy as that. Quite a useful ip/port scanner that is needed for many exploits. You can run it from terminal by typing ‘nmap’.

My favorite tool of them all is ettercap-ng. It is used to poison a network, redirect traffic,sniff packets and even for DoS attacks. Installing it is a bit harder,but thanks to colin.stephane, who build it into deb packages, it is quite easy if you follow the commands. The files and instructions can be found in this post.

If you want to get the gui working you should also do “dpkg -i ettercap-gtk_0.7.3-1.2.armel.deb”. DO NOT install it via xterm from the repositories as the package uploaded there is completely broken.

A great tool combination for ettercap is sslstrip – it basically turns https links to http and allows you to steal passwords from secured sites.It is quite hard to notice even for a person thats familiar with this exploit. Installation here is a bit harder. First you need to get python-twisted-web and iptables – “apt-get install python-twisted-web iptables python-pyopenssl”. Next you need to download the latest sslstrip package at . Unpack it with “tar zxvf sslstrip-0.x.tar.gz”, then cd into that directory “cd sslstrip-0.x” and do a “python build” & “python install”. If you get any dependency errors, install the missing packages first (sometimes you will have to install a different package – for example if you are missing package ABC you will have to type in the Xterminal “apt-get install python-ABC”, not just “apt-get install ABC”.) If you have any issues with installing make a comment and I will try to help you.

Another cool program that you can get is Wireshark – “apt-get install Wireshark”. It can be used for packet sniffing or for examining files created by ettercap for example. The gui is a bit messed up,but it is useable.

The famous metasploit framework can also be run on the N900 and the instructions + the actual file can be found HERE. Everything works flawlessly and I have successfully exploited my Virtual Machine’s Windows XP through the phone. However, some people have had issues with the official metasploit installation guide – so here is a second one with optified ruby packages : .

The Online password cracker tool – THC-Hydra. Ported by SuperDumb. To download Install by doing a dpkg -i hydra_6.3-src-1_armel.deb.

That is it for today. If you have any issues/recommendations please make a comment.