Assalamu'alaikum and peace be upon us all
It's me again, the newbie.
This time I'm going to give a little tutorial on WordPress scanning, and
without too much chatter, straight to the main topic, yeah?
CHECK IT OUT!!!
1. Download the WordPress scanner software here: wp-scan
==============================================================
-=- we're going to run the WordPress scanner
After downloading, extract the file first.
Open a terminal and type the following commands:
cd Downloads
cd WP-SCAN
perl wp-scan.pl target.com
e.g.: perl wp-scan.pl www.webhostingiix.com
Once the scan finishes, you can look at the results (the process itself isn't shown there).
There'll be a report when it's finished; you can see the results in sqli-bugs.txt in the wp-scan folder from before.
After that you can carry out injection against the target.
===========================================================================
Please wait until the scanning process finishes.
It will list which ones are vulnerable.
Once it's all done, we just look for the exploit, folks.
You can look for the exploit anywhere.
That's it for this lame tutorial from me,
hope it's useful for all of us.
Last words from me, wassalam.
P.S.: vba & ArRay
20/11/11
Tutorial Wordpress Scanning
Tutorial Joomla Web Scanner 1.7
Assalamu'alaikum and peace be upon us all
I haven't updated the blog in a while.
OK, straight to it: this time I'm going to give a little toy to all my friends,
as the title says, "Joomla Web Scanner 1.7".
Just from the title, you'll already understand what this tool is for.
CHECK IT OUT!!!
1. First download the tool: Joomla-Scan
2. Once it's downloaded, let's extract the file.
3. Then we'll run the scanning process against the target.
First let's look at the commands for this tool.
Type: ./joomlascan.pl -help
It will print something like this:
Usage: ./joomlascan.pl -u <joomla_url> [options]
== Options ==
-p <string:int> = proxy:port
-a = Admin folder (default '/administration')
-v = Check version
-c = Check components
-f = Check firewall
-co = Check bugs in core (require -v)
-cm = Check bugs in components (require -c)
-all = Check all (default)
-ot = Output to text file
-oh = Output to html file
-update = Search for updates
-force-update = Force to download updates
-about = About joomlascan
-version = Print version info
-h, -help = This help
== Examples ==
To scan running joomla version and components:
$./joomlascan.pl -u www.host.com -v -c
To scan version and core bugs:
$./joomlascan.pl -u www.host.com -v -co
4. Time for action, by typing the following command:
./joomlascan.pl -u www.target.com -v -co
Wait until the scanning finishes; have a smoke first, bro.
When it's done, the result looks like this.
Maybe that's enough of this lame tutorial from me,
hope it's useful for all of us.
Last words from me, wassalam.
12/11/11
Apple's iOS 5.0.1 is out - should you upgrade?
The new version bumps iOS5 up to 5.0.1, and is Apple's first OTA update.
OTA stands for "over-the-air", and means that you can download and apply the update directly from your iDevice.
You no longer need to download the entire firmware file to your computer - including yet another copy of everything which hasn't changed in iOS - and push it to your device.
(OTA updating isn't yet mandatory. If you prefer to keep full copies of each iOS firmware distro, you can still use the download-and-install-with-iTunes method.)
According to Apple, the highlights of the 5.0.1 update are that it:
* fixes bugs affecting battery life,
* adds Multitasking Gestures for the original iPad,
* resolves bugs with Documents in the Cloud, and
* improves voice recognition for Australian users using dictation.
Strewth! That last one's a bonzer boost for blokes and sheilas everywhere! Gives an Aussie something worth lifting a tinnie to after the Baggy Green got such a big hiding from the South Africans in the cricket!
Importantly, 5.0.1 also fixes a number of security flaws, including a remote code execution (RCE) vulnerability involving font handling, found by Erling Ellingsen of Facebook. RCE means that a cybercriminal might be able to trick your device into running software without asking you, even if you're just browsing the internet.
Interestingly, Charlie Miller's recent and controversial App Store hole has also been patched. Miller showed how to write an innocent-looking App which, once approved by Apple, could fetch and run unapproved software.
Miller was unceremoniously banned from the Apple Developer scene for at least a year; there's no word from Apple, however, on whether he'll be readmitted now the hole is fixed.
Jailbreakers will be pleased to note that devices suitable for running a jailbroken iOS5 - a list which sadly still excludes the iPhone 4GS and the iPad 2 - can happily run a jailbroken iOS5.0.1.
If you are a jailbreaker, however, note that there is not yet any way to go back to iOS5.0 once you've moved on to 5.0.1.
That means that you'll never be able to use Charlie Miller's code-signing vulnerability for jailbreaking purposes in the future, for example if an iPad 2 jailbreak appears which relies on it.
And that leaves us with one question: should you update?
Some reports suggest that 5.0.1 brings with it a raft of new problems, and that the update might not, after all, fix your battery issues.
But these complaints are still anecdotal and unscientific, so if you trust Apple and you're not into jailbreaking, I'd suggest updating to 5.0.1 as soon as you conveniently can.
Ellingsen's and Miller's vulnerabilities may not have made it to Apple's highlights list, but each of these bugs on its own can be considered sufficiently important to warrant a prompt update.
Free Android antivirus software is 'useless,' says testing firm
The malware scanners from minor players typically catch less than 10 percent of malicious software
Consumers and workers who install free Android antivirus scanners from relatively unknown developers are mostly wasting their time, an independent testing firm has found. "During our tests, we found out that the majority of free products are -- to make it short -- useless," says Andreas Marx, CEO of AV-Test. Of all the major mobile platforms, Android is at most risk for malware.
The German firm tested seven free antivirus applications for the Android platform and found that the best program detected only one-third of resident malware, and all others detected less than 6 percent. The best performer, Zoner Antivirus Free, detected 8 of 10 malicious programs during installation, while the other applications detected at most 1 of the 10 malicious programs, according to the firm's analysis (PDF).
The company tested Zrgiu's Antivirus Free, BluePoint Antivirus Free, GuardX Antivirus, Kinetoo Malware Scan, LabMSF Antivirus beta, Privateer Lite, and Zoner AntiVirus Free. Four of the free antivirus programs did not detect any of the 172 resident malicious programs used as a test base; another detected only 2. The programs also had little success in detecting malware during installation, with three of the programs detecting no malware and three others detecting a single program. Zoner Antivirus Free was the only standout of the bunch, detecting 32 percent of resident malware and 80 percent of malware during installation.
The firm compared the results to antivirus offerings from established security firms F-Secure and Kaspersky, which detected more than 50 percent of resident malware and blocked all 10 malware samples during installation.
The company plans to widen the testing for its next report to include antivirus programs from commercial vendors as well.
Anonymous and LulzSec trawl Google Code search for security holes
The report explains how a simple search on Google Code is all that's needed to uncover a wealth of information that can be used to break into websites, cloud-based services and secure networks.
Google's Code Search is a tool that makes it easy for those with technical know-how to search the vast amount of computer code that is publicly available online.
Researchers from IT security consultancy Stach & Liu report that hacking groups such as Anonymous and LulzSec are using Google Code search for a number of nefarious activities.
With a few well-crafted searches they can uncover passwords for cloud services, configuration files for Virtual Private Networks and find code that is vulnerable to common website hacking tactics such as SQL injection.
While the findings provide a much-needed wake up call to online businesses, admins and developers, they also offer a fascinating insight into the motivation of hacking collectives such as Anonymous and LulzSec.
According to Stach & Liu, ‘Google Hacking’, as the technique is known, is believed to be Anonymous and LulzSec’s primary means of identifying potential targets.
Rather than being motivated by politics or injustice, hacking groups may simply be targeting organisations because Google Code search has turned up a vulnerability too tempting to ignore, making them less political action groups, more malicious 21st century Wombles.
So what can online businesses do to protect themselves from these online, evil Uncle Bulgarias?
The first line of defence is to make sure that developers are following established best practice and that executives are creating a culture where best practice is encouraged and supported. Including passwords in code has always been a bad idea and techniques to prevent and detect SQL injection vulnerabilities are well established.
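One concrete form of the "best practice" above is to check code for embedded credentials before it is ever pushed to a public repository, where code search would find it. The following is an added example written for this page, not Stach & Liu's tooling or any product's ruleset: a small pre-commit style scanner over constructed sample files, with an illustrative set of patterns (password and API-key assignments, private-key blocks, credentials embedded in URLs) and a placeholder list so obvious dummy values are not reported. Every file name and value below is made up.

```python
import re
from typing import Dict, List, Tuple

# Each pattern names one common shape of hardcoded credential. This is an
# illustrative set written for this example, not a complete ruleset.
SECRET_PATTERNS = [
    ("password assignment",
     re.compile(r"""(?i)(password|passwd|pwd)\s*[:=]\s*["']([^"']{4,})["']""")),
    ("api key assignment",
     re.compile(r"""(?i)(api[_-]?key|secret[_-]?key|access[_-]?token)\s*[:=]\s*["']([^"']{8,})["']""")),
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential in url",
     re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
]

# Literal values that are clearly placeholders rather than real secrets.
PLACEHOLDERS = {"changeme", "password", "example", "secret", "<password>", "your_password_here"}


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file name, line number, finding label) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            # The first two patterns capture the literal value in group 2;
            # skip it when it is an obvious placeholder.
            value = match.group(2) if match.lastindex and match.lastindex >= 2 else ""
            if value.lower() in PLACEHOLDERS:
                continue
            findings.append((name, lineno, label))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of file name -> contents, e.g. the files staged for a commit."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample files for this example; every value is made up.
SAMPLE_FILES = {
    "settings.py": "DEBUG = True\nDB_PASSWORD = 'Tr0ub4dor&3'\nPASSWORD = 'changeme'\n",
    "deploy.sh": "#!/bin/sh\ncurl https://deploy:s3cretValue@ci.example.invalid/trigger\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow(example, truncated)\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Set your API key in the environment, e.g. API_KEY=<your-key>\n",
}

if __name__ == "__main__":
    # Expected: settings.py:2, deploy.sh:2 and id_rsa:1 are reported; README.md is clean.
    for name, lineno, label in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {label}")
```

A real deployment would run `scan_files` over the staged files in a pre-commit hook and reject the commit on any finding; the placeholder list keeps documentation examples from blocking commits, but should be kept short so a weak real password like "password" is not waved through.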
Businesses should also prepare so that if they are successfully attacked after a data leak they don't lose their shirt. Data stored in the cloud can be rendered useless to attackers by the simple expedient of encrypting it.
Stach & Liu warn that businesses using cloud services should also take a close look at the small print; many cloud service providers state that they don't accept responsibility for leaks.
For more on this, take a look at Stach & Liu's Pulp Google Hacking presentation.
10/11/11
Adobe says goodbye to Flash for mobile platforms
From the security point of view, the biggest and the most welcome news is the announcement of the end of the development of Adobe Flash player for mobile platforms, except for critical security and bug fixes.
Unfortunately, even if the death of Flash for mobile platforms is imminent, Flash for desktop platforms is still very much alive. Adobe Flash vulnerabilities, together with Java virtual machine and Adobe Reader vulnerabilities, have been the most common causes for drive-by download malware infections.
It is yet uncertain what is the future of Flash on desktop, but let us hope that the widespread acceptance of HTML5 will drive Adobe in the right direction of killing Flash players on all remaining platforms.
The move comes after pressure from iPhone and iPad users who have been frustrated at not being able to access websites built in Flash since Apple announced its decision to exclude Flash support from iOS-based devices.
Was Steve Jobs right about Flash after all?
Adobe, Apple, Microsoft & Mozilla Issue Critical Patches
Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8.
The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.
Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.
The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here. As I noted earlier this year, I haven’t had Shockwave on my system for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.
Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).
If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24 (if anyone can help decipher Mozilla’s timeline for exactly how long it will continue to support this workhorse version of Firefox, please drop a line in the comments below). Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).
Apple Bans Security Researcher Charlie Miller For Exposing iOS Exploit
The latest wave in the infosec world is that Apple has banned the well-known security researcher – Charlie Miller – from its developer program for exposing a new iOS exploit.
It’s not really the smartest move as I’m pretty sure anyone as smart as Charlie Miller still has plenty of options – use another person’s account, sign up another account with a different identity, hack the phone without the developer program access and so on..
Really it’s quite a harsh move from Apple and it’s not going to make them any friends in the security industry.
Apple has banned well-known security researcher Charlie Miller from its developer program, for creating an apparently benign iOS app that was actually designed to exploit a security flaw he had uncovered in the firmware.
Within hours of talking about the exploit with Forbes’ security reporter Andy Greenberg, who published the details, Miller received an email from Apple: “This letter serves as notice of termination of the iOS Developer Program License Agreement … between you and Apple. Effective immediately.”
Based on Greenberg’s follow-up story, Apple was clearly within its rights to do so. Miller created a proof-of-concept application to demonstrate the security flaw and how it could be exploited by malicious code. He then hid it inside an apparently legitimate stock ticker program, an action that, according to Apple, “violated the developer agreement that forbid[s] him to ‘hide, misrepresent or obscure’ any part of his app,” Greenberg wrote.
He quoted Miller, who works for security consultancy Acuvant, “I’m mad. I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”
In a way though, you have to agree that Miller did violate the very specific developer program agreement by hiding the PoC inside a legitimate application. That probably wasn’t his smartest idea, but then again it’s helping Apple and he’s not doing it in a malicious way to infect people – he’s doing it as a security researcher.
Apple should be more proactive on working with people like this, people who are actually fixing bugs in their products for free and improving the user experience.
It’s the way Apple operates though, secretive, exclusive, domineering etc. If you don’t do things their way, screw you.
Miller, a former National Security Agency staffer, is a well-known “white hat” hacker (he made Network World’s recent list of “Security All Stars”), with expertise in Apple’s Mac OS X and iOS platforms, including the Safari browser, and in Android. Miller “has found and reported dozens of bugs to Apple in the last few years,” Greenberg noted. Miller reported the latest one barely three weeks ago, and it was Greenberg’s public account of it yesterday, in advance of a planned public presentation by Miller next week, that got the researcher kicked out of the developer program.
The vulnerability is a fascinating exercise in information security sleuthing. Miller uncovered a flaw introduced in Apple’s restrictions on code signing on iOS devices. Code signing is a process by which only Apple-approved commands run in device memory, according to Greenberg’s account.
Miller began to suspect a flaw when Apple released iOS 4.3 in March. He realized that to boost the speed of the mobile Safari browser, Apple for the first time had allowed javascript code from a website to run at a deeper level in memory. This entailed creating a security exception, allowing the browser to run unapproved code. According to Greenberg’s story, Apple created other security restrictions to block untrusted websites from exploiting this exception, so that only the browser could make use of it.
Miller wasn’t the only one to notice that Apple had done something different with Safari in iOS 4.3, but many didn’t understand what was actually happening. Various news sites and bloggers claimed that Web apps running outside of Safari, and its new Nitro javascript engine, were slower. Some suggested that Apple was deliberately slowing them down to make Web apps less attractive than native ones.
The way in which Miller uncovered the flaw once again shows his technical brilliance – something which Apple really should be harnessing rather than turning away.
A lot of people noticed changes with iOS 4.3, but couldn’t actually figure out what was going on. Well that’s what we know in the public realm anyway, no doubt the bad guys had their eyes on it and were digging in with much more malicious exploits.
It basically seems like a way to bypass any kind of code validation by Apple and execute arbitrary code from an attack server – dangerous indeed.
06/11/11
Fresh Phish disguised as a PayPal Urgent Account Review Notification
Turning towards her monitor I see she has an email open inside her webmail account. The email has a pretty good sense of urgency written into it that compels the reader to follow the instructions provided and protect their information.
It begins:
"As of the 3rd of November 2011, our security system has blocked unusual charges to a credit card linked to your account."
And concludes:
"Sincerely, PayPal Account Review Team"
Unfortunately, the average person who does not read Naked Security might easily be duped out of their PII (Personally Identifiable Information).
Phishing scams are nothing new. Hopefully, if people stopped falling for them, then perhaps the phishing scams might stop?
It really comes down to education and great protection (for when education fails).
The home use version of Sophos Endpoint Security and Control did a fantastic job of catching the attack as Mal/Phish-A.
The home use version is available to Sophos customers' employees. Check with your employer whether the home use program is available at your organization before installing Sophos software willy-nilly.
I spoke earlier in the week with a security professional who sent 500 spear phishing attacks internally to his colleagues. Of the 500 emails sent, 25 people responded by completing the form and surrendering their information.
While a 5% rate may seem small, he felt even 1% was too high. Education helped a lot, but not completely. Do you agree?
When read, this fresh phish posing as PayPal immediately puts the recipient into an emotional state, believing their account has been compromised and their funds are in jeopardy, which then clouds their judgement.
Since PayPal is a trusted name in the electronic payments industry, they of course have controls to prevent fraudulent transactions (but no one is perfect). This phish takes advantage of that trust by explaining that the breached account has been locked for your protection.
Now to regain access to your funds it's imperative to download the attachment and complete the form.
After downloading and opening the attachment it will open your web browser. As you can see, this web page looks very genuine and might lower your guard into believing it really came from PayPal.
There are a few mistakes in this poorly executed phish which caused education to prevail over emotion.
The most basic one is that there isn't a PayPal email address associated with the inbox which received this phish.
Another one to point out is that the (From: "PayPal") is really not from PayPal.
The phisher used a domain name pp-redacted-.com which based on a whois look up doesn't have anything to do with PayPal. It belongs to an instrumentation company out of Massachusetts that happens to have similar initials as PayPal.
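The two indicators above (a display name that claims a brand the sending domain does not belong to, and a form delivered as an attachment that opens in the browser) can be checked mechanically at the mail gateway. The following is an added example for this page, not Sophos code and not the detection that produced Mal/Phish-A: it parses a constructed message with Python's standard `email` package and reports those indicators, counting urgency wording only when another indicator is already present. The brand-to-domain map is an assumption kept deliberately small, and `pp-example.invalid` is a constructed placeholder standing in for the redacted domain in the post.

```python
import os
import re
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Assumption for this example: brand name -> domains the brand actually sends
# from. A real deployment would curate this list from verified sources.
BRAND_DOMAINS = {"paypal": {"paypal.com", "paypal.co.uk"}}

# Attachment types that have no place in an account notice.
RISKY_EXTENSIONS = {".html", ".htm", ".exe", ".js", ".scr", ".zip"}

URGENCY = re.compile(r"\b(urgent|immediately|blocked|suspended|limited|locked)\b", re.I)


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased ('' if absent)."""
    _name, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(raw: bytes) -> List[str]:
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)

    # Indicator 1: the display name claims a brand but the domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        claimed = brand in display_name.lower()
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if claimed and not legit:
            findings.append(f"display name claims {brand!r} but sender domain is {domain!r}")

    # Indicator 2: an attachment of a type that opens in a browser or executes.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {filename!r}")

    # Indicator 3: urgency language, counted only alongside another indicator,
    # since legitimate notices also use such words.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if findings and URGENCY.search(text):
        findings.append("urgency language combined with other indicators")
    return findings


# Constructed messages for this example (not the actual phish from the post).
RAW_PHISH = b"""From: "PayPal" <service@pp-example.invalid>
To: someone@example.invalid
Subject: Urgent Account Review Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

As of the 3rd of November 2011, our security system has blocked unusual
charges to a credit card linked to your account. Download the attached
form to restore access.

Sincerely, PayPal Account Review Team
--b1
Content-Type: text/html; charset="us-ascii"; name="Account_Review.html"
Content-Disposition: attachment; filename="Account_Review.html"

<html><body><form>(constructed placeholder form)</form></body></html>
--b1--
"""

RAW_LEGIT = b"""From: "PayPal" <service@paypal.com>
To: someone@example.invalid
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Your statement for October is available in your account.
"""

if __name__ == "__main__":
    # Expected: three indicators for RAW_PHISH, none for RAW_LEGIT.
    for label, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(label, analyze_message(raw))
```

The domain check deliberately compares the registrable domain rather than looking for the brand name anywhere in the address, which is why a sender such as "pp-..." or "paypal-security.example" would still be flagged; a gateway would normally combine this with SPF/DKIM results, which this example does not cover.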
While my wife isn't a security professional or an expert with computers, her education to not trust every email in her inbox (beyond spam) triggered a gut feeling to think more clearly.
If it doesn't feel right, then it's not. Go with your gut!
Until next time, stay safe and secure online.
Apple Security Chief Reportedly Leaves Company
Apple’s vice president of global security has reportedly stepped down roughly two months after the surface of news reports that an iPhone prototype had gone missing for the second time in less than two years.
According to reports, John Theriault, who came to Apple from Pfizer and was a former FBI agent, has retired in the wake of controversy regarding the device's disappearance and the subsequent efforts to track it down. Apple did not return a request for comment.
Nevertheless, Theriault’s departure follows a public relations dustup that began when an Apple employee left the prototype at a bar in San Francisco. The company's attempts to find the device led it to 22-year-old Sergio Calderon, who has said members of Apple's security team showed up at his home in San Francisco with police to search for the phone. According to Calderon, he only let the Apple investigators in because he thought they were police. However, the San Francisco Police Department - which initially denied involvement - has said that while there were officers at the scene, the search itself was conducted by the Apple employees.
The device, believed to have been a prototype of an iPhone 4S, was not found during the search. A lawyer for Calderon has reportedly threatened a lawsuit against Apple.
The latest case of the missing prototype echoes the disappearance of an iPhone 4 prototype in 2010. In that incident, an Apple employee left the phone at a bar called Gourmet Haus Staudt in Redwood City, Calif. When the phone was discovered, it was sold to the tech blog Gizmodo, which dissected the device and published pictures. This ultimately led investigators to raid the home of a Gizmodo editor. Two men were charged with selling the phone to Gizmodo and were sentenced to probation earlier this year. No one from Gizmodo was charged.
In the aftermath of the most recent incident, Apple was found to have posted job listings for a “product security manager” who would be responsible for “overseeing the protection of, and managing risks to, Apple’s unreleased products and related intellectual property.”
Open 'Facebook killer' survives on cash donations
Diaspora, the social network that sells itself as a privacy-conscious alternative to Facebook, is relying on user donations instead of advertising to get it going.
And by contrast to its other competitor, Google+, Diaspora also allows pseudonyms. The decentralised service aims to address some of the multitude of privacy and content control issues that have dogged Facebook and, arguably to a lesser extent, Google+, while still giving users the ability to share content and ideas with their friends online.
Users retain the copyright of uploaded photos and the like, which is only shared among groups that users actively define, not friends-of-friends or the whole network (often the default options on Facebook).
The service was launched in November 2010 and remains in alpha. However having signed up to try the invitation-only service months ago, El Reg finally received an invitation to try it on Thursday, so things appear to be moving (albeit slowly). The emailed invitation (extract below) was nothing if not enthusiastic:
Finally – it's here
The social network you have been waiting for has arrived. Revamped, more secure, and more fun, DIASPORA* is ready to help you share and explore the web in a whole new way.
Sign up now
Last month the developers behind the software – students at New York University's Courant Institute of Mathematical Sciences – began soliciting donations via PayPal. Diaspora's account was frozen for a short while by the eBay-owned payments biz, without explanation, but has since been restored. The site added other donation methods, including BitCoins, following the episode.
Once signed up to Diaspora, users are immediately invited to link their Diaspora and Facebook accounts to "speed things up a bit" and "enable cross-posting".
This may help populate a profile, but we can't help thinking that linking to Facebook creates privacy concerns all by itself and runs against Diaspora's aims to make "privacy controls both clear and straightforward". You can also add links between Diaspora and Twitter accounts or import contacts from email accounts into Diaspora.
Users are invited to use #hashtags to classify posts and find people who share their interests. They are presented with a "stream" populated with all of their contacts, tags they follow, and "posts from some creative members of the community" who have apparently chosen to share comments, video clips and pictures with everyone on the network. Contents are arranged in "aspects" – friends, family, work colleagues etc – on the site.
There's a lot of help for newbies as well as the facility to ask questions. The interface is clean and well-designed, perhaps partly because there's only one application on offer, Cubbi.es, which offers a way to collate photos. There's also a messaging feature. Overall the web interface is much closer in look and feel to Twitter than Facebook.
The site is useable but still a work in progress, as its alpha designation implies. Upcoming features promised include an ability for users to export their data and to create communities.
Diaspora is based on open-source technology. Early versions of its code were riddled with all manner of security holes, so cautious progress towards a full launch - adopting the open-source ethos of quickly fixing bugs as and when they arise - may be just as well.
There are also capacity management issues to think about: after all, it's a site run on a modest budget, partially helped by T-shirt sales, and running as a not-for-profit concern.
05/11/11
Anonymous abandons plan to expose Mexican drug cartel collaborators
Hacker group backs away from exposing people it believes are connected to Zetas cartel after alleged threat of killings
A plan by the international hacker movement Anonymous to expose collaborators of Mexico's notorious Zetas drugs cartel has come to an abrupt end. A US activist backed away from publishing the names after an alleged counter-threat of mass retaliatory killings.
"This moves the operation from being a risk to knowing that I would be murdering people," Anonymous participant Barrett Brown told the Guardian on Friday.
Brown's withdrawal from Operation Cartel puts an end to one of the most bizarre and confusing episodes in Mexico's drug wars.
It began with a video which appeared online in early October and promised to reveal the identities of people working with the Zetas unless the cartel released an Anonymous member kidnapped in the Mexican city of Veracruz.
The video prompted furious online debate: while Anonymous has previously targeted business and government websites and databases around the world, it was unclear how it could confront Mexico's amorphous – and deadly – drug trafficking organisations. Conflicting messages appeared on Twitter and other social networking sites, with some activists saying the operation had been cancelled while others pledged to continue.
This culminated in Mexico on Thursday when Spanish-speaking Anonymous participants, who had previously pledged to continue, announced that the Zetas had let the kidnapped member go.
They also said that she carried with her a message from the cartel threatening to kill 10 people for every person named and that they had decided to abandon their plans.
Brown, a prominent Texas-based activist and one of the few willing to be named, initially said Mexican hackers had promised to give him information on Zeta collaborators that they had taken from Mexican government sites and that it would be released in the next few days.
But while he said he was comfortable with running personal risks and "passing a death sentence" on those he identified, the wider retaliation threat had made him "rethink my position".
He added that Anonymous would continue to explore ways of using the internet to help spark some kind of mass response to "the near collapse" in Mexico, as he claims it did in Tunisia and Egypt.
New Mac Malware Variants Found in Trojaned Apps Are Stealing Data
The new variants of DevilRobber, which has been making the rounds recently, appear to each have a different set of capabilities because they may have each been built for specific jobs, according to an analysis of the malware by researchers at F-Secure. Some of the variants appear to look for specific pornographic files on infected Macs and steal passwords from the machine in order to access any files that may be protected. All of the variants of DevilRobber have the ability to take data from the machine and upload it to a remote server.
The new variants were discovered in legitimate Mac applications that had been Trojaned and then shared on Pirate Bay.
"The specific port used by the web proxy depends on the variant. The specific FTP server for data stealing also varies between samples. And DevilRobber's data stealing routine is repeated on a fixed interval — every 43200, 60000, or 100000 seconds, depending on the sample," F-Secure says in its analysis.
Mac malware has been making some headlines in the last few months, as attackers have begun applying to OS X some of the tactics they've been using on Windows for decades. In September, a Trojan called Imuler was found packed inside malicious PDFs, a trick that attackers have been using to get their malware into the hands of users for years now. And earlier in the year the MacDefender malware made a big splash as the first Mac-specific rogue antivirus program to emerge.
Apple is beginning to take some steps to address the threats facing its users, including the announcement this week that all apps submitted to the Mac App Store will have to have a sandbox by March 2012.
Zero-Day Exploit Used for DUQU
We have been closely monitoring developments on the DUQU malware since our initial blog post when the threat broke the news. And just recently, the Hungary-based security laboratory that initially reported on DUQU released more information that sheds more light on the nature of the threat.
Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.
The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.
Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon. As a member of the Microsoft Active Protections Program (MAPP), if Microsoft provides information on ways we can protect customers while a security patch is being developed, we will add these protections to our products as quickly as possible and update you with that information.
This new information allows us to form more educated theories of how the DUQU attack took place. Considering the use of a Microsoft Word document, it is likely that this was initially deployed through email messages sent to employees in the targeted organization. This further supports our earlier hypothesis that DUQU is part of a highly targeted attack aimed at exfiltrating information from targeted entities. For more information on DUQU and the nature of highly targeted attacks, please check the following reports:
We have created the proactive detections TROJ_DUQUCFG.SME and RTKT_DUQU.SME to address future variants of DUQU component files. Also, the Threat Discovery Appliance (TDA) protects enterprise networks by detecting network activity and the malware’s connection to the C&C server through the rules 473 TCP_MALICIOUS_IP_CONN, 528 HTTP_Request_DUQU, and 529 HTTP_Request_DUQU2.
Update as of November 3, 2011, 8:30 PM PST
Microsoft released a security advisory regarding the vulnerability used by DUQU.
The vulnerability exists in the Win32k TrueType font parsing engine and allows elevation of privilege. According to the advisory, a successful exploitation can allow an attacker to run arbitrary code in kernel mode.
We are currently collecting more information about this, and will update this blog entry with our findings as soon as possible.
Rec Studio 4 – Reverse Engineering Compiler & Decompiler
REC Studio is an interactive decompiler. It reads a Windows, Linux, Mac OS X or raw executable file, and attempts to produce a C-like representation of the code and data used to build the executable file. It has been designed to read files produced for many different targets, and it has been compiled on several host systems.
REC Studio 4 is a complete rewrite of the original REC decompiler. It uses more powerful analysis techniques such as partial Static Single Assignment (SSA), allows loading Mac OS X files and supports 32- and 64-bit binaries.
Although still under development, it has reached a stage that makes it more useful than the old Rec Studio 2.
Features
Multihost: Rec Studio runs on Windows XP/Vista/7, Ubuntu Linux, Mac OS X.
Symbolic information support using Dwarf 2 and partial recognition of Microsoft’s PDB format.
C++ is partially recognized: mangled names generated by gcc are demangled, and inheritance described in DWARF 2 is honored. However, C++ is a very broad and difficult language, so some features like templates will likely never be supported.
Types and function prototype definitions can be specified in text files. Some standard Posix and Windows APIs are already provided in the Rec Studio package.
Interactivity is supported, limited to the definition of sections, labels and function entry points. It will need to be improved to support in-program definition of types and function parameters.
Although REC can read Win32 executable (aka PE) files produced by Visual C++ or Visual Basic 5, there are limitations on the output produced. REC will try to use whatever information is present in the .EXE symbol table. If the .EXE file was compiled without debugging information, if a program data base file (.PDB) or Codeview (C7) format was used, or if the optimization option of the compiler was enabled, the output produced will not be very good. Moreover, Visual Basic 5 executable files are a mix of Subroutine code and Form data. It is almost impossible for REC to determine which is which. The only option is to use a .cmd file and manually specify which area is code and which area is data.
30/10/11
How To Use Thc-Hydra [video]
Download: http://www.insecurestuff.in/2011/10/thc-hydra-v71-released.html
If you have any problem, contact me on Twitter: http://twitter.com/#!/insecurestuff
DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining
Copies of the legitimate Mac OS X image editing app GraphicConverter version 7.4 were uploaded to file-sharing networks. However, they came with an unexpected addition.
Hidden inside the download was a copy of the OSX/Miner-D (also known as 'DevilRobber') Trojan horse.
If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish.
That's because OSX/Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time.
GPUs are much better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.
Yes, this Mac malware is stealing computing time as well as data.
In addition to Bitcoin mining, OSX/Miner-D also spies on you by taking screen captures and stealing your usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history.
Curiously, the Trojan also hunts for any files that match "pthc". It's unclear whether this is intended to uncover child abuse material or not (the phrase "pthc" is sometimes used on the internet to refer to pre-teen hardcore pornography).
To complete the assault - if the malware finds the user's Bitcoin wallet it will also steal that.
Of course, the producers of GraphicConverter have done nothing wrong themselves - they are victims of the criminals who are using their popular software as a trap to infect Mac users who download software from unofficial sources.
It's possible that other apps have also been distributed via torrent sites infected by the malware, or that the cybercriminals will use other methods to distribute their Trojan horse.
Clearly, Mac users - like their Windows cousins - should practice safe computing and only download software from official websites and legitimate download services. But, in addition to that, it's becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software.
There may be a lot less malware for Mac OS X than there is for Windows, but many Mac users are making themselves an unnecessarily soft target by imagining that they are somehow magically protected from threats.
There are a number of anti-virus products available for Mac, including Sophos's free version for home users, so there's really no excuse.
Android Malware Spreads Through QR Code
Last week, there was quite a buzz in the mobile-malware research community about a new Android malware. It came to light not because of its sophistication or complexity but due to the simple method that it uses to spread.
Most Android malware we have witnessed is a repackaged malicious app made available in black markets or third-party markets. This latest Android malware follows the same repackaging path as its precursors. The only difference with this malware is that it uses a quick response (QR) code to distribute the malicious link. We have already discussed in a recent blog that QR codes can be used by attackers to spread malicious files.
A QR code is a type of matrix barcode used to store information. These codes are increasingly found on product labels, billboards, and business cards. Why are QR codes so popular? The amount of data they hold. QR codes can carry 7,089 numeric characters or 4,296 alphanumeric characters and can store up to 2KB of data.
All one needs is a smart phone with a camera and QR reader application to scan these codes. The codes can direct users to websites or online videos, and send text messages and emails.
Analyzing the payload
Once users download a malicious application onto their mobile devices, they need to install it. This malicious app is the Trojanized Jimm application, which is a mobile ICQ client. The payload is nothing new, as we have already seen these behaviors in the past with other Android malware such as Android/FakePlayer.A and Android/HippoSMS.A. The latter sends SMS messages to premium numbers.
We have also seen the JAR version of this application; it targets J2ME mobile phones and sends SMS messages to premium numbers. When I installed the malicious .jar package in a test environment, it displayed the following message:
Finally, the malware tries to send messages to premium numbers from the infected mobile. Because I was executing this application in a controlled environment, it told me I didn’t have a sufficient balance in my account to send the message. But I did confirm that it tried to send messages, as seen below:
In the recent blog about QR codes by my colleague Jimmy Shah, he suggested how to stay away from such attacks. Our advice has not changed: Use a mobile QR code-/barcode-scanning app that previews URLs, and avoid scanning suspicious codes.
McAfee products detect this malware in our latest DATs as Android/SMS.gen and J2ME/Jifake.a.
Satanbot Employs VBScript to Create Botnet
Malware is on the rise. At the beginning of 2008, our malware collection had 10 million samples. Today we have already surpassed 70 million. Most of the malicious samples are Trojans (backdoors, downloaders, fake alerts), but there are also a lot of viruses, worms, and bots that in a short time can infect many computers without user interaction. Usually the malicious code comes in the form of an executable or DLL, but sometimes malware authors opt to use alternate languages such as VBScript (Visual Basic Scripting Edition), a lightweight Active Scripting language that is installed by default in most Microsoft Windows versions since Windows 98. One example of this kind of malware is Satanbot: a fully functional VBScript botnet that uses Remote Desktop Connection to connect to infected systems.
VBScript files are usually in clear text because they are interpreted at runtime rather than being compiled beforehand by the author. However, for cases in which the author wants to keep others from viewing or modifying the source code, Microsoft provides a command-line tool, Script Encoder, which encodes the final script into a .vbe file. This file looks like a normal executable, but it can be decoded to its original form. Once that file is decoded, we can look at the bot’s source code, which is divided into sections. Each section specifies a different function of Satanbot, most of which we’ve already seen in AutoRun worms like Xirtem. Here is a description of these functions:
- Enable CMD and REGEDIT: To perform all the changes in the system (modifying the registry and executing BAT files), editing of the registry (regedit) and use of the command line (cmd) are enabled by changing the values “DisableRegistryTools” and “DisableCMD” to 0. In addition, an AutoRun entry is configured by creating the value “Update” in the “Run” key with the path of the script, and files and file extensions are hidden in the system.
- Disable UAC: The value “EnableLUA” is checked to verify whether it is necessary to disable the User Account Control in Windows Vista, Windows Server 2008 and Windows 7. If it is enabled, the script will create on the fly another script and a BAT file to disable UAC. Another modification in the registry is done to perform operations that require elevation of privileges without consent or credentials. At the end, all the temporary files used to do the modifications in the system will be deleted.
- Take ownership of folders: The command TAKEOWN (in Windows Vista and 7) runs to take ownership and enable the modification of folders including Application Data, Cookies, and Local Settings.
- Self-Install and spread: Another BAT file in the %TEMP% path is created. It first changes the icon of .vbe files to the one used by Windows pictures so the user will think that it is a picture and not the malware. Also the original .vbe, along with a shortcut file, will be copied in several locations, including network shares and peer-to-peer shared folders from popular clients like eMule, LimeWire, and Ares. Another spreading vector this malware uses is infecting removable drives by creating autorun.inf files along with a copy of the original .vbe and a shortcut (.lnk) file.
- Worm test: This may seem a confusing term, but it is another spreading method. The original .vbe will be copied to other folders such as Startup and %Userprofile%\ Microsoft with the name “System File [Not Delete]” to trick the user into not deleting the file.
- Worm.s@tan: Contains a loop that will trigger the execution of the code every 60 minutes
- Backdoor: Using another temporary BAT file, the malware will enable Remote Desktop Access by making the following changes to the system:
- Allow unsolicited remote assistance and full control
- Allow the use of blank passwords
- Enable multiple concurrent remote desktop connections (with a maximum of five)
- Automatically start the Terminal Service
- Open port 3389 in the Windows firewall
- Add an administrator user to the system
- Start the Remote Desktop Services UserMode port redirector service
- Create a file in the bot’s path with an “OK” inside
The foregoing commands execute on reboot while the message “Windows repare quelques fichiers, patientez …” (Windows is repairing some files, please wait …) appears to the user at the command prompt.
Another interesting part of the code is the section Compt.Bot, from which the malware sends an HTTP POST request with a specific user agent to the URL of the botnet command server. With that request, the server can get the public IP address of the infected machine, which probably has Remote Desktop Access enabled with the required specifications so the bad guys can connect. By opening that URL in the browser, we can see the IP address of the machine that is connected to the control panel and the number of compromised machines, which can grow very quickly. Take a look at this 24-hour comparison:
Other functionalities of the botnet:
- Delete browser and user histories of some common software: Internet Explorer, Firefox, Chrome, Thunderbird, and Skype
- Terminate processes of security software by downloading and executing a batch file that can be easily updated with more processes
- Download an .exe file from another URL (currently offline). We need to examine this file more thoroughly, but one of its purposes seems to be updating the malware by executing a different embedded .vbe.
Even if VBScript is not the best language for hiding malicious activity (no encryption, obfuscation, packers, anti-debugging, or anti-virtual-machine features), it is pretty effective when we take into account the rate of infection in just one day. In addition, such scripts can build a botnet of infected machines that can be controlled through a Remote Desktop connection, which allows the attacker to perform any action on the system. The malicious files related to this threat are detected by McAfee products as VBS/Satanbot.
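The registry changes listed above (forcing cmd and regedit on, the “Update” Run value pointing at the .vbe, disabling UAC and consent prompts, enabling Remote Desktop with blank passwords) can be audited straight from a registry export. The following Python script is an added example, not McAfee's code: it parses a constructed .reg export and flags those settings; the key paths are the standard locations of the named values (an assumption on my part, not taken from the report).

```python
import re

# Constructed registry export for the example. The key paths are the standard
# locations of these values (assumption); the data mirrors the report above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Update"="wscript.exe \"C:\\Users\\alice\\AppData\\Roaming\\System File [Not Delete].vbe\""
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000
"""

POLICY_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
TS_HKLM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
LSA_HKLM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# "name"=data lines of a .reg file; the name may contain escaped quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Script file types an autorun entry should not normally launch.
SCRIPT_EXT = re.compile(r"\.(vbe|vbs|js|jse|wsf|bat|cmd)\b", re.IGNORECASE)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    dword data becomes an int; quoted string data has its escapes removed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # hex(...) continuation lines are not needed here
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \ and \" -> "
        else:
            value = data  # hex:, expand-string etc. kept raw
        keys[current][name] = value
    return keys


def audit(keys):
    """Return human-readable findings for the Satanbot-style changes."""
    findings = []
    pol = keys.get(POLICY_HKCU, {})
    if "DisableRegistryTools" in pol or "DisableCMD" in pol:
        findings.append("HKCU policy explicitly sets DisableRegistryTools/DisableCMD "
                        "(the script forces them to 0 so it can use regedit and cmd)")
    for name, cmd in keys.get(RUN_HKCU, {}).items():
        if isinstance(cmd, str) and (SCRIPT_EXT.search(cmd) or "wscript" in cmd.lower()
                                     or "\\temp\\" in cmd.lower()):
            findings.append("Run entry '%s' launches a script: %s" % (name, cmd))
    hklm = keys.get(POLICY_HKLM, {})
    if hklm.get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA=0)")
    if hklm.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("Elevation without consent (ConsentPromptBehaviorAdmin=0)")
    rdp_open = keys.get(TS_HKLM, {}).get("fDenyTSConnections") == 0
    blank_ok = keys.get(LSA_HKLM, {}).get("LimitBlankPasswordUse") == 0
    if rdp_open:
        findings.append("Remote Desktop enabled (fDenyTSConnections=0)")
    if rdp_open and blank_ok:
        findings.append("RDP reachable with blank passwords allowed (LimitBlankPasswordUse=0)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("[!]", finding)
```

Point the same functions at the output of `reg export` on a suspect host (or at a .reg file pulled from a disk image) to get the same findings list.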
29/10/11
Facebook Letting Users Designate 'Guardian Angel' Friends To Restore Locked Accounts
Social networking giant Facebook said on Thursday that it is testing a feature that will allow users to designate certain friends as 'guardian angels' entrusted with helping the user to recover a locked or hijacked account.
The company, which has already experimented with forms of "social authentication," such as using photos of Facebook friends to help users prove they are the rightful owners of locked accounts, said in a blog post that it is testing a feature allowing users to designate "three to five" of their Facebook friends to receive a recovery code in the event that they are locked out of their account. Friends who receive the code can pass it along to the account holder, providing a way for them to get back into their account.
The company has periodically struggled with account lock-outs. In November 2010, a software error resulted in a small percentage of Facebook's user base being locked out of their accounts.
Account takeovers are a small problem for the company as measured against legitimate traffic. Facebook estimates that just 0.06% of account logins each day represent compromised accounts. But, with 750 million users and one billion logins each day, that small percentage still represents a large number - 600,000 - to contend with.
The new feature comes as part of a host of security upgrades scheduled to coincide with national Cybersecurity Awareness Month. The company also announced a new "App Passwords" feature that will enable users to set application specific passwords for their Facebook applications.
Company data, released on Thursday, suggest that Facebook is doing well in its quest to limit spam, malware and account hijacking - at least compared to the larger Internet. Spam is just 4% of the content shared on the social network, compared with anywhere from 85% to 95% of e-mail traffic. (Estimates vary depending on the source.)
However, Facebook's success in quelling malicious traffic hasn't kept privacy advocates from raising red flags about the implications of one company owning so much personal data on its users. At the Black Hat Briefings in Las Vegas in August, researcher Alessandro Acquisti showed how cloud computing, facial recognition technology and freely available data hosted on Facebook and other Web sites could be used to match faces in a crowd to detailed online profiles. The company released an infographic that depicts the evolution of its security features and provides other useful, security-related insights.
New Tor Release Fixes De-Anonymization Attack
The Tor Project has released a new version of its client software to fix a serious vulnerability that allows an attacker to strip users of their anonymity on the network. The new version also includes a number of other security and privacy fixes.
The attack that enables the anonymity stripping requires a specific set of conditions to be in place and the new version of Tor removes two of those components from the equation, which is enough to prevent the attack. It relies on the fact that user clients will reuse their TLS certificates when connecting to different Tor relays, which can enable an attacker to identify a specific user by his certificate.
"The attack relies on four components: 1) Clients reuse their TLS cert when talking to different relays, so relays can recognize a user by the identity key in her cert. 2) An attacker who knows the client's identity key can probe each guard relay to see if that identity key is connected to that guard relay right now. 3) A variety of active attacks in the literature (starting from "Low-Cost Traffic Analysis of Tor" by Murdoch and Danezis in 2005) allow a malicious website to discover the guard relays that a Tor user visiting the website is using. 4) Clients typically pick three guards at random, so the set of guards for a given user could well be a unique fingerprint for her. This release fixes components #1 and #2, which is enough to block the attack; the other two remain as open research problems," the Tor Project's Roger Dingledine said in a message announcing version 0.2.2.34.
Dingledine said in the message that, as far as the Tor Project officials know, the attack that's fixed in this release isn't related to the one publicized by researcher Eric Filiol earlier this week. The fix for the de-anonymization attack involves preventing clients from sending the TLS certificate chain on outbound connections. There are a variety of other security and privacy fixes in the new version of Tor.
Among the other fixes:
- If a relay receives a CREATE_FAST cell on a TLS connection, it no longer considers that connection as suitable for satisfying a circuit EXTEND request. Now relays can protect clients from the CVE-2011-2768 issue even if the clients haven't upgraded yet.
- Directory authorities no longer assign the Guard flag to relays that haven't upgraded to the above "refuse EXTEND requests to client connections" fix. Now directory authorities can protect clients from the CVE-2011-2768 issue even if neither the clients nor the relays have upgraded yet. There's a new "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option to let us transition smoothly, else tomorrow there would be no guard relays.
Privacy/anonymity fixes (bridge enumeration):
- Bridge relays now do their directory fetches inside Tor TLS connections, like all the other clients do, rather than connecting directly to the DirPort like public relays do. Removes another avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
- Bridge relays now build circuits for themselves in a more similar way to how clients build them. Removes another avenue for enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha, when bridges were introduced.
- Bridges now refuse CREATE or CREATE_FAST cells on OR connections that they initiated. Relays could distinguish incoming bridge connections from client connections, creating another avenue for enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
Facebook shrugs off alleged security flaw
Says the alleged attachment vulnerability poses no greater risk to users of the social networking site than that which webmail providers face
Facebook downplayed an alleged vulnerability in its social networking site that could allow a hacker to send a potentially malicious file to anyone on Facebook.
The issue concerns a Facebook feature that allows a user to send another user who is not their friend a message as well as an attachment. Facebook prohibits sending executable files, but a security penetration tester found a way to circumvent the filter.
Nathan Power, who works for the technology consultancy CDW, wrote on his blog that Facebook parses part of a POST request to the server to see if the file being sent should be allowed.
If an executable is attached, Facebook warns that it can't be sent. But by modifying the POST request -- specifically, by adding an extra space after the file name that is to be sent -- an executable could be attached. That poses a danger because it could allow a hacker to send, for instance, a keylogging program to another user in a kind of spear-phishing attack. The victim would then need to be convinced to open and run the file.
In a statement, Facebook's Security Manager Ryan McGeehan wrote that a successful attack would require "an additional layer of social engineering." The flaw also only allows the attacker to send an obfuscated, renamed file to one Facebook user at a time.
Facebook doesn't rely solely on the identification of a file by what it purports to be in name to protect users but also does a security scan of files "so we have defense in depth for this sort of vector," McGeehan wrote. He also said that webmail providers face the same problem with malicious attachments and that "this finding is a very small part of how we protect against this threat overall."
"At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we've been dealing with for a while," McGeehan wrote.
Power wrote Facebook was notified of the issue on Sept. 30 and the company acknowledged the issue on Wednesday.
Cisco rolls out router with military-strength encryption
Cisco's ISR G2 router allows point-to-point encryption of IP traffic based on algorithms designated for Department of Defense communications
Cisco has announced a hardware encryption module for its ISR G2 router that allows point-to-point encryption of IP traffic based on what's called "Suite B," the set of encryption algorithms designated by the National Security Agency for Department of Defense communications.
According to Sarah Vanier, security solutions marketing at Cisco, the VPN Internal Service Module for the Cisco ISR G2 router lets information technology managers select how to use any of the main encryption algorithms as well as the SHA-2 hash algorithm to protect sensitive information traveling between any two routing points equipped with the module.
"The module allows you to offload the encryption process on to the card," says Vanier, with the hardware doing the hard work of encryption and decryption of traffic at the beginning and terminating points.
The selection of encryption and hash algorithms in the Cisco card includes the Advanced Encryption Standard, standards-based elliptic-curve cryptography and Triple-DES, to satisfy encryption requirements that might range from unclassified to Top Secret in military networks, she said.
The card, which is said to support up to 3,000 concurrent tunnels with throughput of up to 1.2Gbps, can make use of the SHA-2 hash algorithm to assure data integrity between the two router points.
Nelson Chao, Cisco product manager, said the Cisco encryption card does not currently support multi-cast encryption, but that is anticipated to be supported by Cisco in the future, perhaps late next year.
Cisco also points out that the encryption module is still undergoing official encryption testing to achieve the government's FIPS-level certification, but the module is shipping now.
The Cisco VPN Internal Service Module for the ISR G2 starts at $2,000.
28/10/11
More Mac malware - new Tsunami backdoor variants discovered
SophosLabs has received a few new samples of the malware - which can be used both to launch denial-of-service attacks and by remote hackers to gain access to your computer.
The new versions, which Sophos is adding detection for as OSX/Tsunami-Gen, are builds for 32-bit Intel x86 and PowerPC Mac computers, whereas the original version was 64-bit only. In addition, the new samples use a different IRC domain for their command & control server.
Some folks have questioned why the computer security industry has dubbed this threat "Tsunami", and I must admit that I find myself feeling somewhat uncomfortable with the name because of the devastating natural disasters that have struck in some parts of the world.
The truth is, however, that the name derives from one of the commands that can be sent to computers running the malicious code, to flood a target with internet traffic.
It's actually the same command that was built into the Linux version of the attack tool (which Sophos calls Troj/Kaiten) first seen some years ago.
Because we see considerably less malware for Mac OS X than we do for Windows, new Mac threats tend to make the news headlines. It's important to note that the sky is not falling, and we believe the threat posed by OSX/Tsunami is currently quite low. Indeed, we have not received any reports from customers yet of infections by this Mac malware.
Nevertheless, it's clear that someone is working on developing new versions of this code for the Mac platform, and you have to presume they are not doing it purely for the intellectual challenge. (If they are, Lord help them; it's not much of a challenge.)
Mac users would be wise to take preventative steps against this, and the other malware which we see for the Mac OS X platform. Free anti-virus software is available for Mac home users - so there's really no excuse.
Facebook Attachment Uploader Owned By A Space
Oh look – another vulnerability in Facebook! It wasn’t long ago we reported New Research Shows Facebook’s URL Scanner Is Vulnerable To Cloaking.
Well, this time the private messaging function has been compromised: you can attach an executable and send it to anyone as long as you put a space after the filename.
It’s not the first time I’ve seen a mime/file/etc parser be owned by a space, but I expected better from Facebook to be honest.
A security penetration tester discovered a major flaw in Facebook that could allow a person to send anyone on the social-networking site malicious applications.
Nathan Power, a senior security penetration tester at technology consultancy CDW, discovered the vulnerability and publicly disclosed it Thursday on his blog. The flaw was reported to Facebook on Sept. 30, which acknowledged the issue on Wednesday, he wrote.
Power, who could not immediately be reached, wrote that Facebook does not normally allow a person to send an executable attachment using the “Message” tab. If you try to do that, it returns the message “Error Uploading: You cannot attach files of that type.”
Facebook has acknowledged the bug (which is a pretty serious one) but it’s unknown if they’ve actually fixed it yet or not.
You can see the original blog post outlining the vulnerability here:
Facebook Attach EXE Vulnerability
Good job Nathan Power!
Power wrote that an analysis of the browser’s “POST” request sent to Facebook’s servers showed that a variable called “filename” is parsed to see if a file should be allowed. But simply by modifying the POST request with a space just after the file name, an executable could be attached to the message.
“This was enough to trick the parser and allow our executable file to be attached and sent in a message,” Power wrote.
A person would not have to be an approved friend of the sender, as Facebook allows people to send messages to those who are not their friends. The danger is that a hacker could use social engineering techniques to coax someone into launching the attachment, which could potentially infect their computer with malicious software.
Facebook representatives contacted in London did not have an immediate response on Thursday afternoon.
The dangerous part I can see here is that Facebook allows users to send messages to anyone (with attachments) even if they are not friends. Which makes me wonder, how many random guys are sending girls they don’t know pictures of their junk as attachments on Facebook messages…
I don’t want to know really.
Anyway this should be a fairly simple fix for Facebook and I’d imagine they have probably already fixed this or will be doing so fairly soon.
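The trailing-space bypass described above is a deny-list check failing on un-normalised input. As an added example (not Facebook's code and not Power's), here is a Python sketch of such a check beside a hardened version that canonicalises the name, uses an allow-list and sniffs the content; the extension sets and magic bytes are constructed for the example and only illustrate the idea.

```python
import re
import unicodedata

# Extensions the flawed deny-list refuses (constructed for the example).
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".vbe", ".js"}

# Extensions the hardened allow-list accepts (constructed for the example).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

# Leading bytes used to sniff the real content type, independent of the name.
MAGIC = [
    (b"MZ", "pe-executable"),      # Windows PE: .exe, .dll and .scr all start this way
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"%PDF", "pdf"),
]

# What the sniffer must report for each allowed extension; plain text has no
# magic bytes, so it maps to "unknown".
EXPECTED_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
                 ".gif": "gif", ".pdf": "pdf", ".txt": "unknown"}


def vulnerable_is_allowed(filename):
    """Deny-list check of the kind described above: it examines the literal
    extension, so 'evil.exe ' (trailing space) yields '.exe ' and passes."""
    if "." not in filename:
        return True
    ext = "." + filename.rsplit(".", 1)[-1].lower()
    return ext not in BLOCKED_EXTENSIONS


def normalize_filename(filename):
    """Canonicalise before deciding anything: Unicode NFKC, drop any directory
    part and control characters, then trim whitespace and trailing dots
    (both of which Windows silently drops when the file is created)."""
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)
    return name.strip().rstrip(". ").strip()


def sniff(content):
    """Return the content kind implied by the leading bytes."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return "unknown"


def hardened_is_allowed(filename, content):
    """Allow-list on the normalised name, then require the bytes to agree
    with the extension. Returns (allowed, reason)."""
    name = normalize_filename(filename)
    if "." not in name:
        return False, "no usable extension"
    ext = "." + name.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r is not on the allow-list" % ext
    kind = sniff(content)
    if kind == "pe-executable":
        return False, "content is a Windows executable regardless of its name"
    if EXPECTED_KIND[ext] != kind:
        return False, "content kind %s does not match extension %s" % (kind, ext)
    return True, "ok"


if __name__ == "__main__":
    # Constructed attachments: a renamed executable and a file with a JPEG header.
    for fname, data in [("evil.exe ", b"MZ\x90\x00"), ("photo.jpg", b"\xff\xd8\xff\xe0")]:
        print(repr(fname), "deny-list:", vulnerable_is_allowed(fname),
              "hardened:", hardened_is_allowed(fname, data))
```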
Windows Password Retrieval And Cracking [video]
This video shows grabbing the Windows NTLM password hashes from a memory dump and then using John the Ripper to crack them.
In other videos I hope to show using a memory dump to detect rootkits and badness on a system.
The Facebook Immunity System (FIS) uncovered
Facebook has developed the FIS system (using signatures) that is able to differentiate between spam and legitimate messages (as well as ‘creepers’ – those who use Facebook but cause problems for others), based on, for example, the links in spam messages, keywords and IP addresses. Spammers can beat this by using URL-shortening services and by switching systems (which changes IP addresses). When this happens the system relies on keyword scanning, i.e. a blacklist of words; “iPad” and “free” are two common keywords.
Statistic: Since the introduction of FIS some three years ago, spam accounts for less than 4 percent of the total messages on Facebook.
The FIS team is supported by some 30 security experts who manually search for spam across the Facebook network, with one particular threat being posed by socialbots. These are fake profiles driven by bots that behave like you or me on Facebook. Socialbots aim to connect with as many ‘friends’ as possible, befriending users in order to gain access to their Facebook profile data. Socialbots are very difficult to detect, so the FIS has to rely on the security experts to identify the potential threats.
Statistic: FIS is probably the second largest defence system outside of the Web itself. It’s a staggering size considering the 800m+ people that use it daily.
It’s worth pointing out that a socialbot attack has yet to happen; however, it’s only a matter of time before we see this or other similar innovations. As you know by now, FIS relies on patterns of known behaviour (the HIPS model) rather than behaviour analysis. The FIS policy and classifier engines offer clear opportunities for future development, as does the development of specification-based behavioural analysis policies in place of the anomaly model that Facebook currently uses.
Please Send me Your Facebook Anti-CSRF Token!
Cross-site Request Forgery attacks
A Cross-site Request Forgery (CSRF) is a type of attack in which attackers can re-use an already authenticated session to a website to perform unwanted actions on that website without the user’s knowledge or consent. For example, let’s say that a user is logged into his or her banking website. If this bank’s website suffers from a CSRF weakness, then another malicious website (say, bad.com) can instruct the user’s browser to navigate to the bank’s webpage to perform actions, such as transferring funds, without the user’s knowledge. For the browser and the bank’s website, it is equivalent to the user opening another tab and performing these actions themselves. Anti-CSRF tokens are one of the many ways employed by websites to prevent CSRF attacks.
Anti-CSRF tokens are usually one-time, randomly generated tokens created by the website. They are submitted as hidden input parameters in Web forms and validated at the back end when a form or action is posted, so that forged submissions are rejected. To get a forged request accepted, an attacker would need to know or guess the Anti-CSRF token, which makes CSRF attacks hard to execute.
This blog post details the techniques used by the attacker to get access to this Anti-CSRF token. There are three stages to this attack:
Stage 1 – Falling for the scam
It starts with an enticing message, like the one below, appearing in the user’s newsfeed from the user’s friend.
Stage 2 – Tricking the user to send their FaceBook Anti-CSRF token
Upon clicking this link, the user is directed to a fake YouTube Web page as shown below. In order to view the video, the user is prompted to verify their identity.
Step 1 of this verification process involves generating a verification code by clicking the Generate Code link. The next and final step is copying and pasting the code obtained in step 1 into the verification text box and clicking the Confirm button.
Let’s take a closer look at both of these steps. The following screenshot is the JavaScript snippet for this Web page.
The “Generate Code” link is actually a request to 0.facebook.com/ajax/dtsg.php. This request returns JavaScript code similar to that shown in the screenshot below. Many browsers, including Chrome and Firefox, support the “view-source:” URI scheme: any URL prefixed with “view-source:” opens the source code of that page instead of rendering it. So clicking the “Generate Code” link displays the data (JavaScript) returned by the request to dtsg.php in a “View Source” browser window.
The user is then prompted to copy and paste this JavaScript code into the “Insert Verification Code” textbox and then click the Confirm box.
So what is so special about this JavaScript Code? The answer is the Anti-CSRF token called “fb_dtsg”. In order to prevent CSRF attacks, Facebook pages have a unique per session token called “fb_dtsg”. The request to “facebook.com/ajax/dtsg.php” returns JavaScript code containing the “fb_dtsg” token.
The attacker is tricking the victim into revealing his or her Facebook Anti-CSRF token.
In this case the attacker’s third-party site receives this Anti-CSRF token when the user copies and pastes the JavaScript code and clicks Confirm. The attacker is now in a position to perform CSRF attacks.
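To make the description of anti-CSRF tokens from the introduction concrete, and to show why the token handed over in stage 2 is all the attacker needs, here is an added example of a server that issues and validates per-session, one-time tokens. It is not Facebook’s code (how fb_dtsg is really implemented is not on this page); the in-memory session store, the route and the form field name are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> {"user": ..., "csrf_tokens": set()}.
# A real application would keep this in its session backend.
SESSIONS: Dict[str, dict] = {}


def create_session(user: str) -> str:
    """Log a user in and return the session id the browser would hold in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_tokens": set()}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Mint a fresh, unguessable one-time token bound to this session. The
    server remembers it; the page embeds it as a hidden form field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_tokens"].add(token)
    return token


def render_form(sid: str) -> str:
    """The form as the legitimate site would serve it, token included."""
    token = issue_csrf_token(sid)
    return (
        '<form method="POST" action="/post-to-wall">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="message"><button>Post</button></form>'
    )


def handle_post(sid: Optional[str], form: Dict[str, str]) -> str:
    """Server-side handler. The browser attaches the session cookie to any
    POST, including one a third-party page triggers, so the cookie alone proves
    nothing; the request is accepted only if it also carries a token that was
    issued to this very session, and the token is consumed so it cannot be replayed."""
    session = SESSIONS.get(sid or "")
    if session is None:
        return "401 not logged in"
    submitted = form.get("csrf_token", "").encode()
    matched = None
    for issued in session["csrf_tokens"]:
        # constant-time comparison avoids leaking the token byte by byte via timing
        if hmac.compare_digest(issued.encode(), submitted):
            matched = issued
    if matched is None:
        return "403 CSRF check failed"
    session["csrf_tokens"].discard(matched)
    return f"200 posted for {session['user']}: {form.get('message', '')}"


def demo() -> Dict[str, str]:
    """Walk through the cases the article contrasts and return each outcome."""
    sid = create_session("victim")
    token = issue_csrf_token(sid)
    results = {
        # Normal use: the form the site served, with its token, submitted by the user.
        "legitimate": handle_post(sid, {"csrf_token": token, "message": "hello"}),
        # The same token again: one-time tokens do not replay.
        "replay": handle_post(sid, {"csrf_token": token, "message": "hello"}),
        # A cross-site forgery: the cookie rides along, but the token is absent.
        "cross_site_no_token": handle_post(sid, {"message": "spam"}),
        # A forgery carrying a made-up token value.
        "cross_site_guessed": handle_post(sid, {"csrf_token": "guess", "message": "spam"}),
    }
    # The scenario in the post: the user hands a freshly issued token to a third
    # party. The server cannot tell that request from a legitimate one.
    leaked = issue_csrf_token(sid)
    results["token_disclosed_by_user"] = handle_post(sid, {"csrf_token": leaked, "message": "spam"})
    return results
```

The last case in demo() is the whole point of the post: token validation only establishes that whoever built the request knew the token, so once the user has been talked into disclosing it, nothing on the server side distinguishes the forged post from a real one. That is why the defence against this variant is elsewhere (user education and, as Facebook says in the conclusion, monitoring accounts for suspicious behaviour), not a stronger token.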
Stage 3 – CSRF attack: Malicious links silently posted to the user’s wall
The picture below details the JavaScript code returned by the attacker’s site when the Confirm button is clicked. This code executes a CSRF attack that posts a malicious link on the user’s Facebook page using the CSRF token stolen in stage 2.
The thing to note here is that the “post_form_id” value is irrelevant to the success of this attack. In fact, the attacker chose to randomly generate a “post_form_id” value in the code above.
Comparison to self-XSS copy and paste attacks
This attack technique is similar in nature to the Self XSS copy and paste attacks that we saw on the Facebook platform this summer.
In the previous Self-XSS attacks, the attacker managed to trick the user into copying and pasting malicious JavaScript code into the user’s browser. The malicious JavaScript code ran in the same origin context as Facebook.com, and so it was able to extract token values such as fb_dtsg by parsing the DOM. These extracted token values were later used to post malicious spam messages to the user and the user’s friends.
However, in this latest attack, instead of tricking the victim into executing JavaScript code while accessing their Facebook account, the attacker is tricking the victim into sending his or her Anti-CSRF token to the attacker. With the Anti-CSRF token in hand, the attacker then executes a CSRF attack to propagate scam messages.
Conclusion
Although by and large we haven’t seen attackers propagate malicious browser exploits and drive-by-downloads using these spam campaigns, we conjecture that attackers might naturally gravitate towards this in the near future. Furthermore, attackers are using some really innovative social engineering techniques to trick their victims. We advise users to keep their security software up-to-date and not click on any links that seem suspicious.
It's worth noting that we’ve reached out to Facebook and they inform us that they've had great cooperation from browser vendors to fix these issues and will continue to work with them on these issues. They also stated that they try to prevent this behavior by automated monitoring of accounts for suspicious behavior.