Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Anti-Security and the Christmas Day Incident

On the morning of Dec. 25, yet another anti-security eZine was published, its contents this time targeting some well-known security professionals and projects.

The Anti-Security Movement isn't anything new, they have been around in various forms for a long time, with different names and different group affiliations, including ~el8, pHC (Phrack High Council), Fluffy Bunny, PR0J3KT M4YH3M, h0no, ZFO and others.

With the release of the "Owned and Exposed" eZine this particular Anti-Security group made claims of that they compromised several different web sites and security projects, providing evidence in the form of configuration files, directory listings, and password files gained mostly via web-server / web application attacks leveraged against the public web servers for these projects. In some cases they targeted other unrelated systems hosted on the same shared environment as their targets.

One of the claims made in the zine was that they compromised the popular ARP-Spoofing toolkit – Ettercap, and implied that the code had been altered several years ago. The implication was that a backdoor was placed in the code.

Now, the Ettercap project itself has been frozen for a few years, and is not currently maintained. So unlike some of the other projects that were "Owned and Exposed" the Ettercap project really doesn't have anyone to publicly post an analysis of the attack, the impact, and any response to the claims made in the zine.

As a result, this statement created a certain amount of FUD with various people suggesting that Ettercap project was backdoored by someone that hacked their website some years ago.

This anxiety is not exactly unfounded, in the past, different well known systems and applications such as Linux Kernel, OpenSSH and many others were attacked and backdoored, so these sorts of rumors are generally taken seriously in the information security community.

Wendel Henrique from the SpiderLabs PenTest team contacted Alberto Ornaghi (ALoR) who was one of the previous admins of the Ettercap project. Because this project is dead and its likely no details will be posted publicly, we are publishing the conversation with ALoR with his permission here.

SpiderLabs: The guys from backtrack gave a brief and polite answer to the incident, and I don't believe you guys will do the same since the project has been frozen for a few years.

ALoR: Exactly, we don't have time anymore to keep up with the project and its website.

SpiderLabs: News available in several blogs and on mail-lists is that Ettercap is backdoored from 5 years ago or so. The zine authors are not stating it outright or providing any evidence, but they suggest this is the case. As the project is frozen a lot of people are concerned about Ettercap now, which is a great tool.

ALoR: They got access to the web-server (not thru Ettercap, but thru another project) with id 'apache' and thus the only thing they had access to were the config file of the forum, then the mysql db and they dumped the content of it.

I've shut down the forum yesterday (you may have noticed it). It didn't work for long time anyway and was full of spam (five years without maintenance are hard to clean up) so not a real loss...

SpiderLabs: Could you provide a safe sum such as SHA of the good Ettercap files?

ALoR: The source code was not modified. They didn't had access to it in any way. The CVS is safe and so [are] the downloads.

These are the SHA1sum from my local copy:

206972046b7cfc4150e5d08eff18a93dd49b9574 ettercap-NG-0.7.0.tar.gz

13d1353daf97af03b7b72f40c5f6c51ef41d3b3d ettercap-NG-0.7.1.tar.gz

514760efdca27a45d6486c18679d2b6e9ba67452 ettercap-NG-0.7.2.tar.gz

7a2c3f848ca4f39c07fddeb0d6308641265bc4ff ettercap-NG-0.7.3.tar.gz

I've checked and [these] are the same as those on sourceforge.

Here at SpiderLabs we do not endorse the Anti-Security movement in any way, and we respect and appreciate Ettercap Project and Offensive Security Projects. In fact, even before SpiderLabs developed the tool Thicknet we considered simply resurrecting and modifying the Ettercap project for this purpose.

Our advice is to make sure that your copy of Ettercap has the SHA1sum provided by ALoR.

Latest SpiderLabs Blogs

Fare Thee Well ModSecurity: End-of-Life and Last Commercial Rules Update for June 2024

A Fourteen-Year Journey Comes to an End In June 2010, Trustwave acquired Breach Security, which brought with it the popular Open-Source Web Application Firewall ModSecurity for Apache. At that time,...

Read More

Secure Access Service Edge: Another Multi-Tool for the SOC

Over the years, several security defense architectures have merged into a single solution. Endpoint detection tools can perform sophisticated detections and correlations that used to require a...

Read More

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More