On February 7th, 2011 a hacker found his way into my SSH honeypot (http://code.google.com/p/kippo/) and, while logged into the honeypot, downloaded a couple of files:
As my honeypot does not offer any helpful tools, the unfortunate hacker could not harm my actual system. Trying to be smart, he removed the downloaded files, but, again unfortunately for him, the honeypot only faked the deletions, and now I have some text files and binaries to play with in a virtual machine.
If you are interested in what the hacker has done exactly, you can have a look at the shell history.
This nice little .tar archive contains a directory called .access.log. In that directory we find a series of text files, another directory with text files, and two binaries.
This is apparently a flooding tool.
When called without arguments, an informative usage message is shown. When called correctly with a host and a port, the program starts sending UDP packets to the specified host and port.
Remember: Nobody likes to be attacked by a flooder! So, run attacks only against yourself. But be careful, things can get ugly!
The content of the UDP packets looks like this:
No.     Time        Source          Destination     Protocol  Info
21626   0.578938    192.168.56.101  192.168.56.1    UDP       Source port: 33337  Destination port: smtp

Frame 21626 (57 bytes on wire, 57 bytes captured)
    Arrival Time: Feb 25, 2011 16:11:00.759229000
    [Time delta from previous captured frame: 0.000010000 seconds]
    [Time delta from previous displayed frame: 0.000010000 seconds]
    [Time since reference or first frame: 0.578938000 seconds]
    Frame Number: 21626
    Frame Length: 57 bytes
    Capture Length: 57 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:data]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CadmusCo_74:d8:16 (08:00:27:74:d8:16), Dst: 0a:00:27:00:00:00 (0a:00:27:00:00:00)
    Destination: 0a:00:27:00:00:00 (0a:00:27:00:00:00)
        Address: 0a:00:27:00:00:00 (0a:00:27:00:00:00)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: CadmusCo_74:d8:16 (08:00:27:74:d8:16)
        Address: CadmusCo_74:d8:16 (08:00:27:74:d8:16)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.56.101 (192.168.56.101), Dst: 192.168.56.1 (192.168.56.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 43
    Identification: 0xfa42 (64066)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x4ec8 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.56.101 (192.168.56.101)
    Destination: 192.168.56.1 (192.168.56.1)
User Datagram Protocol, Src Port: 33337 (33337), Dst Port: smtp (25)
    Source port: 33337 (33337)
    Destination port: smtp (25)
    Length: 23
    Checksum: 0xbd25 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Data (15 bytes)
0000  30 31 32 33 34 35 36 37 38 39 41 42 43 44 45   0123456789ABCDE
    Data: 303132333435363738394142434445
    [Length: 15]
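As an added example (my own code, not the author's and not part of the flooder), the following Python rebuilds the captured 57-byte frame from the field values in the dissection, parses Ethernet/IPv4/UDP by hand, recomputes both checksums instead of trusting the capture's flags, and then runs the rate check a defender would apply to a packet stream: many copies of one fixed payload to one destination port inside a short window. The stream of timestamps fed to that check is constructed (packets 10 µs apart, the inter-frame delta the capture shows); the MAC addresses, header fields, ports and payload come from the dissection itself.

```python
"""Dissect the captured UDP datagram and flag flood-like repetition.

Added example, not code from the original post. The frame is rebuilt from the
field values in the Wireshark dissection (MACs, IPv4 header, ports, checksums,
15-byte payload); the timestamps used by the rate check are constructed.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum used by IPv4 and UDP; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_captured_frame() -> bytes:
    """Reconstruct the 57-byte frame from the dissection's field values."""
    eth = bytes.fromhex("0a0027000000") + bytes.fromhex("08002774d816") + b"\x08\x00"
    payload = b"0123456789ABCDE"
    udp = struct.pack("!HHHH", 33337, 25, 8 + len(payload), 0xBD25) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 20 + len(udp), 0xFA42, 0x4000,
                     64, 17, 0x4EC8, bytes([192, 168, 56, 101]), bytes([192, 168, 56, 1]))
    return eth + ip + udp


def parse_frame(frame: bytes) -> Dict:
    """Ethernet II -> IPv4 -> UDP; recompute both checksums rather than trust them."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _, _, ttl, proto, ip_csum = struct.unpack("!HHHBBH", ip[2:12])
    if proto != 17:
        raise ValueError("not UDP")
    src, dst = ip[12:16], ip[16:20]
    ip_calc = rfc1071_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])  # checksum field zeroed
    udp = ip[ihl:total_len]
    sport, dport, ulen, udp_csum = struct.unpack("!HHHH", udp[:8])
    pseudo = src + dst + b"\x00\x11" + struct.pack("!H", ulen)      # UDP pseudo-header
    udp_calc = rfc1071_checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:ulen])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "ttl": ttl, "payload": udp[8:ulen],
        "ip_checksum_ok": ip_calc == ip_csum,
        "udp_checksum_ok": udp_csum == 0 or udp_calc == udp_csum,  # 0 = sender did not compute
    }


def find_udp_floods(packets: Iterable[Tuple[float, Dict]], window: float = 1.0,
                    threshold: int = 1000) -> List[Tuple[str, int, bytes, int]]:
    """Report (dst, dport, payload, peak) for groups of identical datagrams that
    exceed `threshold` packets inside any `window`-second span."""
    by_key: Dict[Tuple[str, int, bytes], List[float]] = defaultdict(list)
    for ts, p in packets:
        by_key[(p["dst"], p["dport"], p["payload"])].append(ts)
    floods = []
    for key, times in by_key.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):            # sliding window over sorted times
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            floods.append((*key, peak))
    return floods


def constructed_capture() -> List[Tuple[float, Dict]]:
    """Constructed stream: 1500 copies of the captured datagram 10 us apart, plus
    five unrelated packets to port 53 that must not be flagged."""
    frame = parse_frame(build_captured_frame())
    flood = [(0.578938 + i * 1e-5, frame) for i in range(1500)]
    benign = [(0.1 * i, {**frame, "dport": 53, "payload": b"q%d" % i}) for i in range(5)]
    return flood + benign


if __name__ == "__main__":
    print(parse_frame(build_captured_frame()))
    for dst, dport, payload, peak in find_udp_floods(constructed_capture()):
        print(f"flood: {peak} x {payload!r} -> {dst}:{dport}")
```

Both checksums recompute to the values in the dissection (0x4ec8 for the IP header, 0xbd25 for UDP), so Wireshark's "validation disabled" note only means it did not check; recomputing them yourself is a cheap sanity test whenever you capture on the sending host, where checksum offload often leaves bogus values in the trace.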
The program syslogd opens a UDP port in the non-privileged range. Any further "features" of this program are a mystery to me at the moment.
This archive contains a folder called inetd. In this folder one finds quite a lot of files and further subfolders; among the files are two binaries and many shell scripts. Calling the script inetd finally runs the program -bash, which opens a UDP port. Somehow this seems to be related to the previously mentioned syslogd program.
This archive contains a folder called .b. It seems to be a customized version of psyBNC.
Obviously, the start program starts psyBNC. The autorun program defines a new cronjob that auto-starts the start program.
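Two things in these archives leave traces a defender can look for on a compromised host: a UDP listener owned by a process whose argv[0] ("-bash") does not match its binary, and a cron entry that starts something out of a hidden directory like .b. The following Python is an added example of that triage, my own code rather than anything from the post or from these tools. The /proc/net/udp text, the inode-to-process map and the crontab are constructed samples modelled on the post's artifacts; resolve_inodes_from_proc() is the live-system replacement for the constructed map.

```python
"""Host-side triage: renamed/hidden UDP listeners and cron entries in hidden dirs.

Added example, not the original post's code. SAMPLE_PROC_NET_UDP, SAMPLE_INODES
and SAMPLE_CRONTAB are constructed to mirror the post's artifacts.
"""
import os
import re
from typing import Dict, List, Tuple

# A path component that starts with a dot, e.g. "/.b/" or "/.access.log/"
HIDDEN_DIR = re.compile(r"(?:^|/)\.[^/\s]+")

SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 16421 2 0000000000000000 0
   1: 00000000:8239 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 24933 2 0000000000000000 0
"""
# socket inode -> (argv[0], resolved /proc/<pid>/exe); constructed
SAMPLE_INODES = {16421: ("dhclient", "/sbin/dhclient"),
                 24933: ("-bash", "/home/user/inetd/syslogd")}
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -type f -mtime +7 -delete
@reboot /home/user/.b/start >/dev/null 2>&1
*/5 * * * * /home/user/.b/start
"""


def parse_proc_net_udp(text: str) -> List[dict]:
    """Decode /proc/net/udp: local_address is little-endian hex IP ':' hex port."""
    sockets = []
    for line in text.splitlines()[1:]:            # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip_hex, port_hex = f[1].split(":")
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        sockets.append({"ip": ip, "port": int(port_hex, 16),
                        "uid": int(f[7]), "inode": int(f[9])})
    return sockets


def resolve_inodes_from_proc() -> Dict[int, Tuple[str, str]]:
    """Live system only: map socket inodes to (argv[0], exe) by walking /proc/<pid>/fd."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    mapping[int(target[8:-1])] = (argv0, exe)
        except OSError:
            continue                              # process exited or not ours to read
    return mapping


def suspicious_udp_listeners(proc_net_udp: str,
                             inode_to_proc: Dict[int, Tuple[str, str]]) -> List[dict]:
    """Non-privileged UDP ports whose owner is unknown, renamed, or run from a hidden dir."""
    hits = []
    for s in parse_proc_net_udp(proc_net_udp):
        if s["port"] < 1024:
            continue
        owner = inode_to_proc.get(s["inode"])
        if owner is None:
            hits.append({**s, "reason": "no owning process found"})
            continue
        argv0, exe = owner
        if argv0.lstrip("-") != os.path.basename(exe):
            hits.append({**s, "argv0": argv0, "exe": exe, "reason": "argv[0] hides the binary name"})
        elif HIDDEN_DIR.search(exe):
            hits.append({**s, "argv0": argv0, "exe": exe, "reason": "binary lives in a hidden directory"})
    return hits


def suspicious_cron_entries(crontab: str) -> List[str]:
    """Cron commands that run anything out of a hidden directory."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # "@reboot <cmd>" has one time field; normal entries have five
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        command = parts[-1] if len(parts) in (2, 6) else ""
        if HIDDEN_DIR.search(command):
            hits.append(command)
    return hits


if __name__ == "__main__":
    for h in suspicious_udp_listeners(SAMPLE_PROC_NET_UDP, SAMPLE_INODES):
        print("udp listener:", h)
    for c in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", c)
```

On a live box, read /proc/net/udp and pass resolve_inodes_from_proc() as the map (run as root, or the fd links of other users' processes will not resolve and those sockets are reported as having no owner, which is itself worth a look). Checking per-user crontabs under /var/spool/cron as well as /etc/crontab catches the kind of job the autorun script installs.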