[+] Wayc0de's Blog[+]


How To Use Thc-Hydra [video]


Description: In this video I show how to use the brute forcer hydra.

Download: http://www.insecurestuff.in/2011/10/thc-hydra-v71-released.html

If you have any problem, contact me on Twitter: http://twitter.com/#!/insecurestuff

DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining

Yesterday, users of Sophos's security products (including our free anti-virus for Mac home users) had their protection automatically updated to protect against a new Mac OS X Trojan horse that has been distributed via torrent sites such as PirateBay.

Copies of the legitimate Mac OS X image editing app GraphicConverter version 7.4 were uploaded to file-sharing networks. However, they came with an unexpected addition.

Hidden inside the download was a copy of the OSX/Miner-D (also known as 'DevilRobber') Trojan horse.

If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish.

That's because OSX/Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time.
GPUs are much better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.
Yes, this Mac malware is stealing computing time as well as data.

In addition to Bitcoin mining, OSX/Miner-D also spies on you by taking screen captures and stealing your usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history.

Curiously, the Trojan also hunts for any files that match "pthc". It's unclear whether this is intended to uncover child abuse material or not (the phrase "pthc" is sometimes used on the internet to refer to pre-teen hardcore pornography).
To complete the assault - if the malware finds the user's Bitcoin wallet it will also steal that.

Of course, the producers of GraphicConverter have done nothing wrong themselves - they are victims of the criminals who are using their popular software as a trap to infect Mac users who download software from unofficial sources.

It's possible that other apps have also been distributed via torrent sites infected by the malware, or that the cybercriminals will use other methods to distribute their Trojan horse.

Clearly, Mac users - like their Windows cousins - should practice safe computing and only download software from official websites and legitimate download services. But, in addition to that, it's becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software.
There may be a lot less malware for Mac OS X than there is for Windows, but many Mac users are making themselves an unnecessarily soft target by imagining that they are somehow magically protected from threats.

There are a number of anti-virus products available for Mac, including Sophos's free version for home users, so there's really no excuse.

Android Malware Spreads Through QR Code

Last week, there was quite a buzz in the mobile-malware researchers community about a new Android malware. It came to light not because of its sophistication or complexity but due to the simple method that it uses to spread.

Most of the Android malware we have witnessed consists of repackaged malicious apps made available in black markets or third-party markets. This latest Android malware follows the same repackaging path as its precursors. The only difference is that it uses a quick response (QR) code to distribute the malicious link. We have already discussed in a recent blog that QR codes can be used by attackers to spread malicious files.

A QR code is a type of matrix barcode used to store information. These codes are increasingly found on product labels, billboards, and business cards. Why are QR codes so popular? The amount of data they hold. QR codes can carry 7,089 numeric characters or 4,296 alphanumeric characters and can store up to 2KB of data.

All one needs is a smart phone with a camera and QR reader application to scan these codes. The codes can direct users to websites or online videos, and send text messages and emails.


QR code points to McAfee.com

If you scan the QR code above with any QR code reader on your smart phone, it will redirect you to our site http://www.mcafee.com. Attackers use these codes to redirect users to URLs that ask them to download malicious applications.

Malicious QR code

Analyzing the payload

Once users download a malicious application onto their mobile devices, they need to install it. This malicious app is a Trojanized copy of the Jimm application, a mobile ICQ client. The payload is nothing new, as we have already seen these behaviors in the past with other Android malware such as Android/FakePlayer.A and Android/HippoSMS.A. The latter sends SMS messages to premium numbers.


This malicious application requires the following user permissions:

User permission request by the application

Once installed, the malware sends an SMS to a premium number that charges users. The application has the following icon:

The application icon

We have also seen the JAR version of this application; it targets J2ME mobile phones and sends SMS messages to premium numbers. When I installed the malicious .jar package in a test environment, it displayed the following message:


Installing the malicious application

It prompted me to select a country and then displayed the next message:

Finally the malware tries to send messages to premium numbers from the infected mobile. Because I was executing this application in a controlled environment, it told me I didn’t have a sufficient balance in my account to send the message. ;) But I did confirm that it tried to send messages, as seen below:

In the recent blog about QR codes by my colleague Jimmy Shah, he suggested how to stay away from such attacks. Our advice has not changed: Use a mobile QR code-/barcode-scanning app that previews URLs, and avoid scanning suspicious codes.

McAfee products detect this malware in our latest DATs as Android/SMS.gen and J2ME/Jifake.a.

Satanbot Employs VBScript to Create Botnet

Malware is on the rise. At the beginning of 2008, our malware collection had 10 million samples. Today we have already surpassed 70 million. Most of the malicious samples are Trojans (backdoors, downloaders, fake alerts), but there are also a lot of viruses, worms, and bots that in a short time can infect many computers without user interaction. Usually the malicious code comes in the form of an executable or DLL, but sometimes malware authors opt to use alternate languages such as VBScript (Visual Basic Scripting Edition), a lightweight Active Scripting language that is installed by default in most Microsoft Windows versions since Windows 98. One example of this kind of malware is Satanbot: a fully functional VBScript botnet that uses the Remote Desktop Connection to connect to infected systems.

VBScript files are usually in clear text because they are interpreted at runtime rather than compiled beforehand by the author. However, for cases in which the author wants to keep others from viewing or modifying the source code, Microsoft provides a command-line tool, Script Encoder, which encodes the final script into a .vbe file. This file looks like a normal executable, but it can be decoded to its original form. Once that file is decoded, we can look at the bot’s source code, which is divided into sections. Each section implements a different function of Satanbot, most of which we’ve already seen in AutoRun worms like Xirtem. Here is a description of these functions:

  1. Enable CMD and REGEDIT: To perform all the changes in the system (modify the registry and execute BAT files), registry editing (regedit) and the command line (cmd) are enabled by changing the values “DisableRegistryTools” and “DisableCMD” to 0. In addition, an AutoRun entry is configured by creating the value “Update” in the “Run” key with the path of the script, and the system is set to hide files and file extensions.
  2. Disable UAC: The value “EnableLUA” is checked to verify whether it is necessary to disable User Account Control in Windows Vista, Windows Server 2008 and Windows 7. If it is enabled, the script creates on the fly another script and a BAT file to disable UAC. Another registry modification allows operations that require elevation of privileges to run without consent or credentials. At the end, all the temporary files used to make the modifications are deleted.
  3. Take ownership of folders: The command TAKEOWN (in Windows Vista and 7) runs to take ownership of, and enable the modification of, folders including Application Data, Cookies, and Local Settings.
  4. Self-install and spread: Another BAT file is created in the %TEMP% path. It first changes the icon of .vbe files to the one used by Windows pictures so the user will think it is a picture and not the malware. The original .vbe, along with a shortcut file, is then copied to several locations, including network shares and peer-to-peer shared folders of popular clients like eMule, LimeWire, and Ares. Another spreading vector this malware uses is infecting removable drives by creating autorun.inf files along with a copy of the original .vbe and a shortcut (.lnk) file.
  5. Worm test: This may seem a confusing term, but it is another spreading method. The original .vbe is copied to other folders such as Startup and %Userprofile%\ Microsoft with the name “System File [Not Delete]” to discourage the user from deleting the file.
  6. Worm.s@tan: Contains a loop that triggers the execution of the code every 60 minutes.
  7. Backdoor: Using another temporary BAT file, the malware enables Remote Desktop Access by making the following changes to the system:
  • Allow unsolicited remote assistance and full control
  • Allow the use of blank passwords
  • Enable multiple concurrent remote desktop connections (with a maximum of five)
  • Automatically start the Terminal Service
  • Open port 3389 in the Windows firewall
  • Add an administrator user to the system
  • Start the Remote Desktop Services UserMode port redirector service
  • Create a file in the bot’s path with an “OK” inside
  • The foregoing commands execute on reboot while the message “Windows repare quelques fichiers, patientez …” (Windows is repairing some files, wait …) appears to the user at the command prompt.
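The registry changes listed in items 1, 2 and 7 are exactly the kind of hardening regressions a responder can look for on a suspect host. The following is an added example, not code from the article or from McAfee: it parses a Windows registry export (.reg text) and flags an encoded-VBScript Run entry, UAC switched off, and Remote Desktop enabled. The sample export is constructed for the demonstration; the "fDenyTSConnections" value under the Terminal Server key is the standard Windows RDP switch and is an assumption of this example, since the article only says RDP is enabled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed .reg export (Windows "Registry Editor" text format) for a machine showing the
# changes the article attributes to Satanbot. Demonstration data, not a capture from a real infection.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Update"="C:\\Users\\victim\\AppData\\Local\\Temp\\photo.vbe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Standard Windows location of the Remote Desktop on/off switch (assumption: the article
# only says the bot enables Remote Desktop, it does not name the value).
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

RegValues = Dict[Tuple[str, str], Tuple[str, object]]


def parse_reg_export(text: str) -> RegValues:
    """Parse .reg text into {(key_lower, name_lower): (name, data)}.
    dword values become int, quoted strings are unescaped, other types stay as raw text."""
    values: RegValues = {}
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                parsed: object = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                parsed = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                parsed = data
            values[(current_key.lower(), name.lower())] = (name, parsed)
    return values


def lookup(values: RegValues, key: str, name: str) -> object:
    """Case-insensitive lookup of one value's data (registry names are case-insensitive)."""
    entry = values.get((key.lower(), name.lower()))
    return entry[1] if entry else None


def find_indicators(reg_text: str) -> List[str]:
    """Return human-readable findings for the settings the article describes."""
    values = parse_reg_export(reg_text)
    findings: List[str] = []
    # Item 1: persistence through a Run entry; any Run entry launching a .vbe is worth a look.
    for (key, _), (name, data) in values.items():
        if key == RUN_KEY.lower() and isinstance(data, str) and data.lower().endswith(".vbe"):
            findings.append(f"Run entry '{name}' launches an encoded VBScript: {data}")
    # Item 2: UAC switched off.
    if lookup(values, UAC_KEY, "EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA=0)")
    # Item 7: Remote Desktop enabled for the backdoor.
    if lookup(values, TS_KEY, "fDenyTSConnections") == 0:
        findings.append("Remote Desktop connections enabled (fDenyTSConnections=0)")
    # DisableRegistryTools/DisableCMD = 0 is the Windows default, so on its own it is not
    # evidence; it only matters on a host where policy had previously set them to 1.
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live system the same rules would be run over the output of `reg export`, or over the values read directly with the standard `winreg` module; the parser is kept separate from the rules so the export can be collected on the suspect host and examined elsewhere.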

Another interesting part of the code is the section Compt.Bot, from which the malware sends an HTTP POST request with a specific user agent to the URL of the botnet command server. With that request, the server can get the public IP address of the infected machine, which probably has Remote Desktop Access enabled with the required specifications so the bad guys can connect. By opening that URL in the browser, we can see the IP address of the machine that is connected to the control panel and the number of compromised machines, which can grow very quickly. Take a look at this 24-hour comparison:

Other functionalities of the botnet:
  • Delete browser and user histories of some common software: Internet Explorer, Firefox, Chrome, Thunderbird, and Skype
  • Terminate processes of security software by downloading and executing a batch file that can be easily updated with more processes
  • Download an .exe file from another URL (currently offline). We need to examine this file more thoroughly, but one of its purposes seems to be updating the malware by executing a different embedded .vbe.

Even if VBScript is not the best language to hide malicious activities (using encryption, obfuscation, packers, antidebuggers, or anti-virtual machine features), it is pretty effective when we take into account the rate of infection in just one day. In addition, those scripts can build a botnet of infected machines that can be controlled by using a Remote Desktop connection, which allows the attacker to perform any action in the system. The malicious files related to this threat are detected by McAfee products as VBS/Satanbot.


Facebook Letting Users Designate 'Guardian Angel' Friends To Restore Locked Accounts

Social networking giant Facebook said on Thursday that it is testing a feature that will allow users to designate certain friends as 'guardian angels' entrusted with helping the user to recover a locked or hijacked account.

The company, which has already experimented with forms of "social authentication," such as using photos of Facebook friends to help users prove they are the rightful owners of locked accounts, said in a blog post that it is testing a feature allowing users to designate "three to five" of their Facebook friends to receive a recovery code in the event that they are locked out of their account. Friends who receive the code can pass it along to the account holder, providing a way for them to get back into their account.

The company has periodically struggled with account lock-outs. In November 2010, a software error resulted in a small percentage of Facebook's user base being locked out of their accounts.

Account takeovers are a small problem for the company as measured against legitimate traffic. Facebook estimates that just 0.06% of account logins each day represent compromised accounts. But, with 750 million users and one billion logins each day, that small percentage still represents a large number - 600,000 - to contend with.

The new feature comes as part of a host of security upgrades scheduled to coincide with national Cybersecurity Awareness Month. The company also announced a new "App Passwords" feature that will enable users to set application specific passwords for their Facebook applications.

Company data, released on Thursday, suggest that Facebook is doing well in its quest to limit spam, malware and account hijacking - at least compared to the larger Internet. Spam is just 4% of the content shared on the social network, compared with anywhere from 85% to 95% of e-mail traffic. (Estimates vary depending on the source.)

However, Facebook's success in quelling malicious traffic hasn't kept privacy advocates from raising red flags about the implications of one company owning so much personal data on its users. At the Black Hat Briefings in Las Vegas in August, researcher Alessandro Acquisti showed how cloud computing, facial recognition technology and freely available data hosted on Facebook and other Web sites could be used to match faces in a crowd to detailed online profiles. The company released an infographic that depicts the evolution of its security features and provides other useful, security-related insights.

New Tor Release Fixes De-Anonymization Attack

The Tor Project has released a new version of its client software to fix a serious vulnerability that allows an attacker to strip users of their anonymity on the network. The new version also includes a number of other security and privacy fixes.

The attack that enables the anonymity stripping requires a specific set of conditions to be in place and the new version of Tor removes two of those components from the equation, which is enough to prevent the attack. It relies on the fact that user clients will reuse their TLS certificates when connecting to different Tor relays, which can enable an attacker to identify a specific user by his certificate.

"The attack relies on four components: 1) Clients reuse their TLS cert when talking to different relays, so relays can recognize a user by the identity key in her cert. 2) An attacker who knows the client's identity key can probe each guard relay to see if that identity key is connected to that guard relay right now. 3) A variety of active attacks in the literature (starting from "Low-Cost Traffic Analysis of Tor" by Murdoch and Danezis in 2005) allow a malicious website to discover the guard relays that a Tor user visiting the website is using. 4) Clients typically pick three guards at random, so the set of guards for a given user could well be a unique fingerprint for her. This release fixes components #1 and #2, which is enough to block the attack; the other two remain as open research problems," the Tor Project's Roger Dingledine said in a message announcing version

Dingledine said in the message that, as far as the Tor Project officials know, the attack that's fixed in this release isn't related to the one publicized by researcher Eric Filiol earlier this week. The fix for the de-anonymization attack involves preventing clients from sending the TLS certificate chain on outbound connections. There are a variety of other security and privacy fixes in the new version of Tor.

Among the other fixes:

- If a relay receives a CREATE_FAST cell on a TLS connection, it no longer considers that connection as suitable for satisfying a circuit EXTEND request. Now relays can protect clients from the CVE-2011-2768 issue even if the clients haven't upgraded yet.

- Directory authorities no longer assign the Guard flag to relays that haven't upgraded to the above "refuse EXTEND requests to client connections" fix. Now directory authorities can protect clients from the CVE-2011-2768 issue even if neither the clients nor the relays have upgraded yet. There's a new "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option to let us transition smoothly, else tomorrow there would be no guard relays.

Privacy/anonymity fixes (bridge enumeration):

- Bridge relays now do their directory fetches inside Tor TLS connections, like all the other clients do, rather than connecting directly to the DirPort like public relays do. Removes another avenue for enumerating bridges. Fixes bug 4115; bugfix on

- Bridge relays now build circuits for themselves in a more similar way to how clients build them. Removes another avenue for enumerating bridges. Fixes bug 4124; bugfix on, when bridges were introduced.

- Bridges now refuse CREATE or CREATE_FAST cells on OR connections that they initiated. Relays could distinguish incoming bridge connections from client connections, creating another avenue for enumerating bridges. Fixes CVE-2011-2769. Bugfix on

Facebook shrugs off alleged security flaw

Says the alleged attachment vulnerability poses no greater risk to users of the social networking site than that which webmail providers face

Facebook downplayed an alleged vulnerability in its social networking site that could allow a hacker to send a potentially malicious file to anyone on Facebook.

The issue concerns a Facebook feature that allows a user to send another user who is not their friend a message as well as an attachment. Facebook prohibits sending executable files, but a security penetration tester found a way to circumvent the filter.


Nathan Power, who works for the technology consultancy CDW, wrote on his blog that Facebook parses part of a POST request to the server to see if the file being sent should be allowed.

If an executable is attached, Facebook warns that it can't be sent. But by modifying the POST request -- specifically by adding an extra space after the name of the file to be sent -- an executable could be attached. That poses a danger because it could allow a hacker to send, for instance, a keylogging program to another user in a kind of spear-phishing attack. The victim would then need to be convinced to open and run the file.

In a statement, Facebook's Security Manager Ryan McGeehan wrote that a successful attack would require "an additional layer of social engineering." It also only allows the attacker to send an obfuscated renamed file to another Facebook user one at a time.

Facebook doesn't rely solely on the identification of a file by what it purports to be in name to protect users but also does a security scan of files "so we have defense in depth for this sort of vector," McGeehan wrote. He also said that webmail providers face the same problem with malicious attachments and that "this finding is a very small part of how we protect against this threat overall."

"At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we've been dealing with for a while," McGeehan wrote.

Power wrote Facebook was notified of the issue on Sept. 30 and the company acknowledged the issue on Wednesday.

Cisco rolls out router with military-strength encryption

Cisco's ISR G2 router allows point-to-point encryption of IP traffic based on algorithms designated for Department of Defense communications

Cisco has announced a hardware encryption module for its ISR G2 router that allows point-to-point encryption of IP traffic based on what's called "Suite B," the set of encryption algorithms designated by the National Security Agency for Department of Defense communications.

According to Sarah Vanier, security solutions marketing at Cisco, the VPN Internal Service Module for the Cisco ISR G2 router lets information technology managers select how to use any of the main encryption algorithms as well as the SHA-2 hash algorithm to protect sensitive information traveling between any two routing points equipped with the module.



"The module allows you to offload the encryption process on to the card," says Vanier, with the hardware doing the hard work of encryption and decryption of traffic at the beginning and terminating points.

The selection of encryption and hash algorithms in the Cisco card includes the Advanced Encryption Standard, standards-based elliptic-curve cryptography and Triple-DES, to satisfy encryption requirements that might range from unclassified to Top Secret in military networks, she said.

The card, which is said to support up to 3,000 concurrent tunnels with throughput of up to 1.2Gbps, can make use of the SHA-2 hash algorithm to assure data integrity between the two router points.

Nelson Chao, Cisco product manager, said the Cisco encryption card does not currently support multi-cast encryption, but that is anticipated to be supported by Cisco in the future, perhaps late next year.

Cisco also points out that the encryption module is still undergoing official encryption testing to achieve the government's FIPS-level certification, but the module is shipping now.

The Cisco VPN Internal Service Module for the ISR G2 starts at $2,000.


More Mac malware - new Tsunami backdoor variants discovered

As our friends at ESET have mentioned on their blog, new variants of the latest Mac malware - the Tsunami backdoor Trojan - have been discovered.

SophosLabs has received a few new samples of the malware - which can be used both to launch denial-of-service attacks and by remote hackers to gain access to your computer.

The new versions, which Sophos is adding detection for as OSX/Tsunami-Gen, are builds for 32-bit Intel x86 and PowerPC Mac computers, whereas the original version was 64-bit only. In addition, the new samples use a different IRC domain for their command & control server.

Some folks have questioned why the computer security industry has dubbed this threat "Tsunami", and I must admit that I find myself feeling somewhat uncomfortable with the name because of the devastating natural disasters that have struck in some parts of the world.

The truth is, however, that the name derives from one of the commands that can be sent to computers running the malicious code, to flood a target with internet traffic.

Tsunami command

It's actually the same command that was built into the Linux version of the attack tool (which Sophos calls Troj/Kaiten) first seen some years ago.

Because we see considerably less malware for Mac OS X than we do for Windows, new Mac threats tend to make the news headlines. It's important to note that the sky is not falling, and we believe the threat posed by OSX/Tsunami is currently quite low. Indeed, we have not received any reports from customers yet of infections by this Mac malware.

Nevertheless, it's clear that someone is working on developing new versions of this code for the Mac platform and you have to presume they are not doing it purely for the intellectual challenge. (If they are, Lord help them.. it's not much of a challenge)

Mac users would be wise to take preventative steps against this, and the other malware which we see for the Mac OS X platform. Free anti-virus software is available for Mac home users - so there's really no excuse.

Facebook Attachment Uploader Owned By A Space

Oh look – another vulnerability in Facebook! It wasn’t long ago we reported New Research Shows Facebook’s URL Scanner Is Vulnerable To Cloaking.

Well, this time the private messaging function has been compromised: you can attach an executable and send it to anyone as long as you put a space after the filename.

It’s not the first time I’ve seen a mime/file/etc parser be owned by a space, but I expected better from Facebook to be honest.

A security penetration tester discovered a major flaw in Facebook that could allow a person to send anyone on the social-networking site malicious applications.

Nathan Power, a senior security penetration tester at technology consultancy CDW, discovered the vulnerability and publicly disclosed it Thursday on his blog. The flaw was reported to Facebook on Sept. 30, which acknowledged the issue on Wednesday, he wrote.

Power, who could not immediately be reached, wrote that Facebook does not normally allow a person to send an executable attachment using the “Message” tab. If you try to do that, it returns the message “Error Uploading: You cannot attach files of that type.”

Facebook has acknowledged the bug (which is a pretty serious one) but it’s unknown if they’ve actually fixed it yet or not.

You can see the original blog post outlining the vulnerability here:

Facebook Attach EXE Vulnerability

Good job Nathan Power!

Power wrote that an analysis of the browser’s “POST” request sent to Facebook’s servers showed that a variable called “filename” is parsed to see if a file should be allowed. But simply by modifying the POST request with a space just after the file name, an executable could be attached to the message.

“This was enough to trick the parser and allow our executable file to be attached and sent in a message,” Power wrote.

A person would not have to be an approved friend of the sender, as Facebook allows people to send messages to those who are not their friends. The danger is that a hacker could use social engineering techniques to coax someone to launch the attachment, which could potentially infect their computer with malicious software.

Facebook representatives contacted in London did not have an immediate response on Thursday afternoon.

The dangerous part I can see here is that Facebook allows users to send messages to anyone (with attachments) even if they are not friends. Which makes me wonder, how many random guys are sending girls they don’t know pictures of their junk as attachments on Facebook messages…

I don’t want to know really.

Anyway this should be a fairly simple fix for Facebook and I’d imagine they have probably already fixed this or will be doing so fairly soon.
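Both Facebook items above (the InfoWorld report and this post) describe the same defect: the server tests the "filename" value exactly as received, so a trailing space keeps "report.exe " from matching the blocked extension. The example below is added here and is not Facebook's code or Nathan Power's; it shows a naive check with that behaviour beside a hardened version that canonicalises the name before testing it and, as Facebook's statement describes, also inspects the content rather than trusting the name alone. The multipart part headers and the blocked-extension list are constructed for the demonstration.

```python
import os
import re
from typing import Optional

# Constructed extension blocklist; real deployments would also cover archives, scripts, etc.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".vbe", ".js", ".msi"}

# Constructed multipart/form-data part headers; only the filename parameter matters here.
UPLOAD_NORMAL = 'Content-Disposition: form-data; name="attachment"; filename="report.exe"\r\n'
UPLOAD_TRAILING_SPACE = 'Content-Disposition: form-data; name="attachment"; filename="report.exe "\r\n'

FILENAME_RE = re.compile(r'filename="([^"]*)"')


def extract_filename(part_header: str) -> Optional[str]:
    """Pull the raw filename parameter out of a Content-Disposition header."""
    m = FILENAME_RE.search(part_header)
    return m.group(1) if m else None


def naive_allows_upload(part_header: str) -> bool:
    """Mirrors the defect the articles describe: the raw string is tested as-is,
    so 'report.exe ' does not end with '.exe' and passes."""
    name = extract_filename(part_header)
    if name is None:
        return False
    return not any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def hardened_allows_upload(part_header: str, content: bytes = b"") -> bool:
    """Canonicalise the filename before testing it, then check the content as well."""
    name = extract_filename(part_header)
    if name is None:
        return False
    # Strip surrounding whitespace and trailing dots/spaces (Windows drops them when saving),
    # discard any path component, and compare the last extension in lower case.
    cleaned = name.strip().rstrip(". ")
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1]
    if not cleaned or any(ord(c) < 32 for c in cleaned):
        return False
    ext = os.path.splitext(cleaned.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return False
    # Defence in depth: a Windows executable starts with the 'MZ' header whatever its name says.
    if content[:2] == b"MZ":
        return False
    return True


if __name__ == "__main__":
    print("naive, plain .exe        :", naive_allows_upload(UPLOAD_NORMAL))
    print("naive, trailing space    :", naive_allows_upload(UPLOAD_TRAILING_SPACE))
    print("hardened, trailing space :", hardened_allows_upload(UPLOAD_TRAILING_SPACE))
```

The general lesson is the one the post draws about parsers: every comparison against a blocklist must run on the canonical form of the input, and a name-based filter should never be the only control.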

Windows Password Retrieval And Cracking [video]

Description: In one of (hopefully) many videos I will be creating highlighting the capabilities of Volatility, a free memory analysis tool.

This video shows grabbing the Windows NTLM password hashes from a memory dump and then using John the Ripper to crack them.

In other videos I hope to show using a memory dump to detect rootkits and badness on a system.

The Facebook Immunity System (FIS) uncovered

Facebook has recently released some interesting data from its ‘Facebook Immunity System (FIS)’. According to Facebook, FIS processes and checks 650,000 actions every second (it can handle 25 billion actions every day – amazing) to maintain user safety from spam (FIS reports just 1% of users reporting issues around spam) and other cyber-related attacks.

Facebook has developed the FIS system (using signatures) to differentiate between spam and legitimate messages (as well as ‘creepers’, those who use Facebook but cause problems for others), for example based on the links in spam messages, keywords and IP addresses. Spammers can beat this by using shortened URL services and by switching systems (which changes the IP address). When this happens the system relies on keyword scanning, i.e. a blacklist of words; “iPad” and “free” are two common keywords.

Statistic: Since the introduction of FIS some three years ago, spam accounts for less than 4 percent of the total messages on Facebook.

The FIS team is supported by some 30 security experts who manually search for spam across the Facebook network, with one particular threat being posed by socialbots. These are fake profiles driven by bots that behave like you or me on Facebook. Socialbots aim to connect with as many ‘friends’ as possible so that, once accepted, they can obtain access to your Facebook profile data. Socialbots are very difficult to detect, so the FIS has to rely on the security experts to identify the potential threats.

Statistic: FIS is probably the second largest defence system outside of the Web itself. It’s a staggering size considering the 800m+ people that use it daily.
It’s worth pointing out that a socialbot attack has yet to happen; however, it’s only a matter of time before we see this or other similar innovations. As you know by now, FIS relies on patterns of known behaviour (the HIPS model) rather than behaviour analysis. The FIS policy and classifier engines offer clear opportunities for future development, including specification-based behavioural analysis policies rather than the anomaly model that Facebook currently uses.

Please Send me Your Facebook Anti-CSRF Token!

In the last few months we have seen a variety of spam campaigns propagating on social networking websites. Most of these attacks use some flavor of social engineering tactics. Every now and then, we see some innovative social engineering techniques used by attackers. Here is one such technique that tricks the victim into revealing their all-important Facebook Anti-CSRF token.

Cross-site Request Forgery attacks

A Cross-site Request Forgery (CSRF) is a type of attack in which attackers can re-use an already authenticated session to a website to perform unwanted actions on that website without the user’s knowledge or consent. For example, let’s say that a user is logged into his or her banking website. If this bank’s website suffers from a CSRF weakness, then another malicious website (say, bad.com) can instruct the user’s browser to navigate to the bank’s webpage to perform actions, such as transferring funds, without the user’s knowledge. For the browser and the bank’s website, it is equivalent to the user opening another tab and performing these actions themselves. Anti-CSRF tokens are one of the many ways employed by websites to prevent CSRF attacks.

Anti-CSRF tokens are usually one-time, randomly generated tokens issued by the website. They are submitted as hidden input parameters in Web forms and validated at the back end when a form or action is posted, to rule out any CSRF attack under way. To forge a valid request, attackers need to know or guess the Anti-CSRF token, which makes CSRF attacks hard to execute.
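The token scheme described above, as an added example that is not part of the original post and not Facebook's implementation: the server binds a fresh random token to the user's session, renders it into the form as a hidden field, and on submission compares it in constant time against the stored value before performing the state-changing action. The session store, the "/transfer" endpoint and the form field name "csrf_token" are constructed for the demonstration.

```python
import hmac
import secrets
from typing import Dict, Optional


class Session:
    """Minimal stand-in for a server-side session record (constructed for this example)."""

    def __init__(self) -> None:
        self.csrf_token: Optional[str] = None


# Session id -> session; in a real app the id comes from the user's cookie.
SESSIONS: Dict[str, Session] = {}


def get_session(session_id: str) -> Session:
    return SESSIONS.setdefault(session_id, Session())


def issue_csrf_token(session_id: str) -> str:
    """Generate an unguessable token and bind it to this session. The browser receives it
    only inside the page, where a cross-site origin cannot read it."""
    session = get_session(session_id)
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_form(session_id: str) -> str:
    """Render the form with the token as a hidden input, as the text describes."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input type="submit" value="Transfer"></form>'
    )


def handle_transfer(session_id: str, form: Dict[str, str]) -> bool:
    """Server-side validation run before the action. Returns True only when the submitted token
    matches the one bound to the session; the comparison is constant-time to avoid timing leaks."""
    session = SESSIONS.get(session_id)
    if session is None or session.csrf_token is None:
        return False
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False
    # One-time use: invalidate after a successful check so a captured token cannot be replayed.
    session.csrf_token = None
    return True


def demo() -> Dict[str, bool]:
    """Walk through the cases a defender cares about; returns the outcome of each request."""
    render_form("alice-session")
    legit_token = SESSIONS["alice-session"].csrf_token or ""
    results: Dict[str, bool] = {}
    # A malicious page can make the browser send Alice's cookie, but not the hidden token.
    results["forged_without_token"] = handle_transfer("alice-session", {"amount": "1000"})
    # Guessing a 256-bit token is hopeless; a wrong value is rejected.
    results["forged_with_guess"] = handle_transfer("alice-session", {"amount": "1000", "csrf_token": "A" * 43})
    # The genuine form submission carries the bound token and succeeds.
    results["legitimate"] = handle_transfer("alice-session", {"amount": "10", "csrf_token": legit_token})
    # The same token presented again is refused because it was consumed.
    results["replayed_token"] = handle_transfer("alice-session", {"amount": "10", "csrf_token": legit_token})
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24s} -> {'allowed' if allowed else 'rejected'}")
```

The check has nothing to go on except the token itself, which is exactly why the social-engineering trick described in the rest of this post works: a token the user is talked into pasting to a third party will validate just as well as one submitted by the real form. The protection holds only as long as the token stays inside the page that issued it.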

This blog details the techniques used by the attacker to get access to this Anti-CSRF token. There are three stages to this attack:

Stage 1 – Falling for the scam

It starts with an enticing message, like the one below, appearing in the user’s newsfeed from the user’s friend.

Stage 2 – Tricking the user into sending their Facebook Anti-CSRF token

Upon clicking this link, the user is directed to a fake YouTube Web page as shown below. In order to view the video, the user is prompted to verify their identity.
Step 1 of this verification process involves generating a verification code by clicking the Generate Code link. The next and final step is copying and pasting the code obtained in step 1 into the verification text box and clicking the Confirm button.

Let’s take a closer look at both of these steps. The following screenshot is the JavaScript snippet for this Web page.

The “Generate Code” link is actually a request to 0.facebook.com/ajax/dtsg.php. This request will return JavaScript code similar to the code shown in the screenshot below. Many browsers, such as Chrome and Firefox, support the “view-source” URI scheme: any URL prefixed with “view-source:” opens the source code of that page instead of rendering it. So clicking the “Generate Code” link will display the data (JavaScript) returned from the request to dtsg.php in a “View Source” browser window.

The user is then prompted to copy and paste this JavaScript code into the “Insert Verification Code” textbox and then click the Confirm box.

So what is so special about this JavaScript Code? The answer is the Anti-CSRF token called “fb_dtsg”. In order to prevent CSRF attacks, Facebook pages have a unique per session token called “fb_dtsg”. The request to “facebook.com/ajax/dtsg.php” returns JavaScript code containing the “fb_dtsg” token.

The attacker is tricking the victim into revealing his or her Facebook Anti-CSRF token.

In this case the attacker’s third-party site receives this Anti-CSRF token when the user copies and pastes the JavaScript code and clicks Confirm. The attacker is now in a position to perform CSRF attacks.

Stage 3 – CSRF attack: Malicious links silently posted to the user’s wall

The picture below details the JavaScript code returned by the attacker upon clicking the Confirm button. This code executes a CSRF attack to post a malicious link on the user’s Facebook page using the CSRF token that was stolen in stage 2.

The thing to note here is that the “post_form_id” value is irrelevant for the success of this attack. In fact, the attacker decided to randomly generate a “post_form_id” value in the code above.
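As an added example (not code from the original post), here is a minimal server-side anti-CSRF check in Python that issues the per-session hidden-input token described above, compares it in constant time, retires it after a single use, and additionally refuses a valid token that arrives from a foreign Origin; the Origin check is an extra defence beyond what the post describes, and the session ids, site origin and form field names are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Per-session token store. A real site would keep this in its session backend;
# a plain dict is enough to show the mechanism (constructed for this example).
_SESSION_TOKENS: Dict[str, str] = {}

# Origin that legitimately hosts the site's forms (assumed value for the example).
SITE_ORIGIN = "https://www.example.com"


def issue_token(session_id: str) -> str:
    """Create a fresh random anti-CSRF token for the session, replacing any earlier one."""
    token = secrets.token_urlsafe(32)
    _SESSION_TOKENS[session_id] = token
    return token


def render_form(session_id: str, action: str) -> str:
    """Embed the token as a hidden input, the way the post describes it."""
    token = issue_token(session_id)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input type="submit" value="Post"></form>')


def validate_post(session_id: str, submitted_token: Optional[str],
                  origin: Optional[str], one_time: bool = True) -> bool:
    """Accept a state-changing request only if the submitted token matches the
    one issued to this session (constant-time compare) and the request came
    from the site's own origin. With one_time=True the token is retired after
    use, so a token copied out of the browser and replayed later is refused."""
    expected = _SESSION_TOKENS.get(session_id)
    if expected is None or submitted_token is None:
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return False
    # Browsers attach the submitting page's Origin (or Referer) to cross-site
    # form posts; a valid token arriving from another site is still refused.
    if origin != SITE_ORIGIN:
        return False
    if one_time:
        del _SESSION_TOKENS[session_id]
    return True


if __name__ == "__main__":
    sid = "session-1"  # constructed session id
    html = render_form(sid, "/post")
    tok = html.split('value="')[1].split('"')[0]
    print("same-origin, fresh token:", validate_post(sid, tok, SITE_ORIGIN))
    print("replay of used token:    ", validate_post(sid, tok, SITE_ORIGIN))
    tok2 = issue_token(sid)
    print("foreign origin:          ", validate_post(sid, tok2, "https://bad.example"))
```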

Comparison to self-XSS copy and paste attacks

This attack technique is similar in nature to the Self XSS copy and paste attacks that we saw on the Facebook platform this summer.

In the previous Self-XSS attacks, the attacker managed to trick the user into copying and pasting malicious JavaScript code into the user’s browser. The malicious JavaScript code ran in the same origin context as Facebook.com, and so it was able to extract token values such as the fb_dtsg by parsing the DOM. These extracted token values were later used to post malicious spam messages to the user and the user’s friends.

However, in this latest attack, instead of tricking the victim to execute JavaScript code whilst accessing their Facebook account, the attacker is tricking the victim into sending his or her Anti-CSRF token to the attacker. With the Anti-CSRF token in hand, the attacker then executes a CSRF attack to propagate scam messages.


Although by and large we haven’t seen attackers propagate malicious browser exploits and drive-by downloads using these spam campaigns, we conjecture that attackers might naturally gravitate towards this in the near future. Furthermore, attackers are using some really innovative social engineering techniques to trick their victims. We advise users to keep their security software up to date and not to click on any links that seem suspicious.

It's worth noting that we’ve reached out to Facebook and they inform us that they've had great cooperation from browser vendors to fix these issues and will continue to work with them on these issues. They also stated that they try to prevent this behavior by automated monitoring of accounts for suspicious behavior.

Blind Attack On Wireless Insulin Pumps Could Deliver Lethal Dose

Barnaby Jack, famous for getting ATMs to disgorge an avalanche of cash on stage at the Black Hat Briefings, says he has developed an attack that could be used to deliver a lethal dose of insulin to diabetics using the embedded pumps.

Jack, a security researcher at McAfee, demonstrated the hack at the Hacker Halted security conference in Miami on Tuesday. In it, he used a modified antenna and software to wirelessly attack and take control of implantable insulin pumps from the firm Medtronic. Jack demonstrated how such a pump could be commanded to release a fatal dose of insulin to a diabetic who relied on the pump.

The presentation builds on a similar hack, demonstrated at this year's DEFCON hacking conference in which researcher Jerome Radcliffe -- diagnosed with Diabetes 11 years ago -- demonstrated how he could tweak the dosage levels on his pump remotely. Radcliffe's hack required the attacker to know the unique numeric device number of the implantable pump she was attacking. Barnaby's hack improves on that method, allowing an attacker to compromise any vulnerable device within 300 feet even without knowing its unique device ID.

The August hack at DEFCON prompted a response from federal lawmakers. Two senior members of the House Energy & Commerce Committee called for the Government Accountability Office (GAO) to perform a formal review of wireless medical devices like the pump to determine whether devices that are on the market are "safe, reliable and secure."

Alas, the consensus among security researchers is that they are not. Jack points out that the Medtronic devices do not use encryption to protect wireless communications between the implanted device and the management software. That means that anyone listening on the proper frequency can intercept those communications and even manipulate the device remotely: tweaking the amount of insulin delivered by the pump, disabling it or restarting it.

In an exclusive interview with Threatpost in August, Kevin Fu, an Associate Professor of Computer Science at the University of Massachusetts, said that software vulnerabilities, including those that may be remotely exploitable, are increasingly common as implanted medical devices use wireless technology for management and diagnostic purposes. Along with Prof. Dina Katabi of MIT, Fu is looking into methods for jamming implantable medical devices (IMDs) to prevent them from being wirelessly tampered with.

Jack is a well respected security researcher with a flair for the dramatic. He famously induced an automated teller machine to spit out a cascade of cash at the Black Hat Briefings in 2010 to demonstrate weaknesses in the software that secures cash machines.
In the case of the insulin pump, however, the potential downside is not economic, but existential.
Medtronic, which manufactures the pump attacked by Jack, said at the time of the Black Hat presentation that it takes the security of its devices seriously and will develop more security features as "technology evolves." However, the company maintains that the risk of deliberate or malicious manipulation of insulin pumps is extremely low. "To our knowledge, there has never been a single reported incident of a deliberate attack on an insulin pump user in more than 25 years of insulin pump use," the company said.


How to enable the Windows 7 administrator account

A number of Windows 7 users have contacted me asking why they cannot access certain files and folders – for example, why they don’t appear to have permission to delete files and folders. The reason for this is very simple: you don’t have administrator access (which isn’t the default on Windows 7 or Vista), as Windows 7 runs most apps with least-privilege (non-admin) access.

You can enable the true (hidden) Administrator account by doing the following from an elevated command prompt. WARNING – THIS DISABLES UAC; read more about Managing your Windows 7 User Account Control (UAC).
  • Type ‘cmd’ without the quotes into the Start search programs and files box – you should now see ‘cmd’
  • Right click ‘cmd’ with your mouse and select ‘Run as Administrator’ – you should now see the command console window
  • Type the following command ‘net user administrator /active:yes’ (with spaces but without the quotes) and then press Enter*
  • Type ‘net user administrator’ (with spaces but without the quotes) and then press Enter (see next bullet)
  • You can check whether the Administrator account is active ‘Account active’ should say ‘Yes’
  • Close the ‘cmd’ window by typing ‘exit’ then hit Enter
  • You will now need to log off your PC for the change to be applied.
*This allows you to run Windows 7 with Administrator privileges as default.
Once you’ve finished editing files and folders I’d suggest:
  • You open the command prompt by typing ‘cmd’ into the Start search program and files box (as above)
  • Disable the Administrator account using the following command: ‘net user administrator /active:no’ (with spaces but without the quotes)
  • Type ‘net user administrator’ (with spaces but without the quotes) and then press Enter (see next bullet)
  • You can check whether the Administrator account is active ‘Account active’ should say ‘No’
  • Close the ‘cmd’ console window by typing ‘exit’ then hit Enter
  • You will now need to log off your PC for the change to be applied.
Note: Don’t forget you can also set Windows 7 privileges for individual applications.

Exploit-powered Android Trojan uses update attack

A new DroidKungFu variant poses as a legit application update

A new variant of the DroidKungFu Android Trojan is posing as a legitimate application update in order to infect handsets, according to security researchers from Finnish antivirus vendor F-Secure.

Distributing Android malware as updates is a relatively new tactic that was first seen in July. The primary method of infecting handsets continues to be the bundling of Trojans with legitimate applications; however, the resulting apps are easy to spot because of the extensive permissions they request at installation time.


According to security researchers, the new update-based attacks can have a higher success rate than "Trojanizing" apps because users don't tend to question the legitimacy of updates for already-installed software.

Furthermore, when used by threats like DroidKungFu, update attacks can be hard to detect without specialized antimalware tools. That's because these Trojans use Android exploits to gain root access and then deploy their malicious components unhindered.

The new DroidKungFu variant is distributed with the help of a non-malicious application currently available from third-party app stores in China. However, the threat is global because apps infected with earlier versions of the Trojan have been detected on the official Android Market in the past.

"Once installed, the application would inform the user that an update is available; when the user installs this update, the updated application would then contain extra functionalities, similar to that found in DroidKungFu malware," the F-Secure researchers warn.

The update only asks for access to SMS/MMS messages and location, but also contains a root exploit for Android 2.2 "Froyo" that unlocks all system files and functions. Even though this particular DroidKungFu variant doesn't target devices running Android 2.3 "Gingerbread," there are other Trojans that infect this version of the operating system and could adopt the same attack technique in the future.

In addition, there is reason to believe that the malware's authors are also testing other infection methodologies. Last week, security researchers from mobile antivirus vendor Lookout detected another DroidKungFu variant that doesn't use root exploits at all.

Instead, the new Trojan, which Lookout calls LeNa, uses social engineering to trick users into giving the installer super-user access on devices where users have knowingly executed a root exploit. Once deployed, the malware attaches itself to a native system process.

"This is the first time an Android Trojan has relied fully on a native ELF binary as opposed to a typical VM-based Android application," the researchers explained. The malware is distributed by rogue VPN applications, some of which were found on the official Android Market.

Tsunami backdoor for Mac OS X discovered

OSX/Tsunami-A, a new backdoor Trojan horse for Mac OS X, has been discovered.

What makes Tsunami particularly interesting is that it appears to be a port of Troj/Kaiten, a Linux backdoor Trojan horse that once it has embedded itself on a computer system listens to an IRC channel for further instructions.

Typically code like this is used to rally compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic.

If you were wondering where the name "Tsunami" comes from, that should probably help explain things.

It's not just a DDoS tool though. As you can see by the portion of OSX/Tsunami's source code that I have reproduced below, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer.

Tsunami source code

Sophos's Mac anti-virus products (including our free anti-virus for Mac home users) are being updated to detect OSX/Tsunami-A.

The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organised attack on a website.

But remember this - not only is participating in a DDoS attack illegal, it also means that you have effectively put control of your Mac into someone else's hands. If that doesn't instantly raise the hairs on the back of your neck, it certainly should.

Tsunami snapshot
Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn't mean the problem is non-existent. You only need to read our short history of Mac malware to realise that.

We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future. If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying.

My advice to Mac users is simple: don't be a soft target, protect yourself.

Howto Use Droidsheep - Tutorial [video]


Description: This official tutorial for DroidSheep for Android shows how to use DroidSheep to capture sessions in your local network.

DroidSheep runs on your Android device and listens to the network's traffic. If it captures a cookie, it shows a list of the cookies, and the user can simply use the victim's account without knowing his user credentials.

Download droidsheep: http://www.insecurestuff.in/2011/09/droidsheep.html


Spammers create their own URL shortening services

The strange development may be an attempt to get around filtering software that checks the destination domains

Spammers have created their own services to shorten URLs (uniform resource locators) in an apparent attempt to circumvent security measures in place at well-known shortening websites, according to Symantec.

So far, some 87 URL shortening sites have been set up by spammers, said Nick Johnston, a senior software engineer at Symantec. The spammers have used an open-source URL shortening script and have not built the code themselves. The shortened links are only appearing in spam emails that advertise pharmaceutical products at sites such as "Pharmacy Express," he said.


In May, Symantec noticed some spammers were using their own shortened URLs, but further investigation showed it was actually just a website that appeared to be a shortened URL but then redirected people to the spam websites. This is the first time the spammers have employed a real URL shortener, Symantec said in its latest intelligence report for October. Why the sites have been left public is unknown.

All of the websites that are advertised in the spam runs, which are on several different IP addresses, are hosted by a U.K. division of a hosting company, which Johnston declined to identify. The company has been notified, but many of the spam sites are still online, he said. All of the domain names were registered in Russia, he said.

Shortened URLs are a bit of a problem when they're abused since users can't easily tell if they are being redirected to a website that might try to infect their computer with malicious software.

The shorter URLs are necessary on sites such as Twitter, when users need the space because of the 140-character limit. To combat abuse, Twitter has introduced its own shortening service, which checks to see if the target is a potentially dangerous website and listed on security blacklists. It also changed the way the shortened links are displayed to give users a better idea of where they are going.

Other major URL shortening companies will remove malicious shortened links if it is determined the links could be harmful. Another method is to warn users they may be going to an attack site.

Johnston said it is quite easy to block the shortened links, since many follow a consistent pattern, such as 3xy.info, and seem only to be used for spam. Since the shortening services don't appear to be used legitimately, there's "no risk of false positives by blocking them outright," Johnston said.

The shortening technique might help a bit in getting messages past spam filters if the spammer sends out a very large run of spam with a large set of domains. But more likely than not, the technique won't be that effective.

"You will probably accept as a spammer in less than a day all of those domains will probably be blocked, but that could be an acceptable tradeoff for them," Johnston said.

5 SECONDS to bypass an iPad 2 password [video]

The password protection of an iPad 2 running iOS 5 can be circumvented in less than five seconds with just three simple steps.

Bypassing the unlock screen on iPad 2 can be accomplished by first pressing the power button until the power-off screen is displayed. Users then need only to close and reopen the fondleslab's 'smart cover' before, finally, pressing the cancel button to unlock the device.

After dodging the password protection, you can access the foreground application running at the time the device was locked, potentially exposing corporate email in the process. You can't use the home button, so access is limited to foreground applications. As enterprise IT blog BringYourOwnIT.com notes, one obvious workaround would be to instruct users to close any foreground application before locking their iPad.

Below is a video posted by BringYourOwnIT.com illustrating the easy unlock process.

The security weakness comes days after it emerged that locked iPhone 4S could be accessed using Siri, the voice-activated personal assistant built into the device.
There's an easy way for security-conscious users to disable Siri when their phone is locked but this option isn't applied by default, net security firm Sophos

New DOS tool overloads SSL servers with ease

The DOS attack tool takes advantage of a feature in SSL that can be maliciously exploited to overload servers using a single laptop

A newly released denial-of-service (DOS) tool can be used to bring down SSL servers using an average laptop computer and a standard DSL connection.

Called THC-SSL-DOS, the tool was created by German hacking outfit The Hacker's Choice (THC) and exploits a rarely used, but widely available, feature in the SSL protocol called SSL renegotiation.


This type of attack is not new. In fact, vendors have known about the issue since 2003 and, according to the THC, the method was used in last year's DOS attacks against MasterCard.

The hacking outfit decided to release the tool now because it has already been leaked online a couple of months ago. "We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again," a THC member said.

It's worth pointing out that even without SSL renegotiation enabled, attackers can still use THC-SSL-DOS successfully against servers. However, such attacks would require more than a single laptop.

"It still works if SSL renegotiation is not supported but requires some modifications and more bots before an effect can be seen," the group noted. "Taking on larger server farms who make use of SSL load balancers required 20 average size laptops and about 120kbit/sec of traffic," it added.

This is not the first time when SSL renegotiation exposed servers to security risks. Back in November 2009, a Turkish grad student devised a proof-of-concept man-in-the-middle attack that exploited a vulnerability in this SSL feature to steal Twitter login credentials passed over secure connections.

Setting up psyBNC via shell

Assalamualaikum and greetings to all of us

This time I'm going to write a tutorial on setting up psyBNC


1. Prepare a shell for building psyBNC, and download the psyBNC file right away

wget http://buto.webs.com/butopsy.tar.gz

If it succeeds, a message like this will appear

--2011-10-25 08:47:54-- http://buto.webs.com/butopsy.tar.gz
Resolving buto.webs.com... Connecting to buto.webs.com||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 142174 (139K) [application/x-tar]
Saving to: `butopsy.tar.gz'

0K .......... .......... .......... .......... .......... 36% 254K 0s
50K .......... .......... .......... .......... .......... 72% 377K 0s
100K .......... .......... .......... ........ 100% 298K=0.5s

2011-10-25 08:47:55 (302 KB/s) - `butopsy.tar.gz' saved [142174/142174]

[Image: psy1.png]

2. Extract the psyBNC file

tar -zxvf butopsy.tar.gz

[Image: psy2.png]

3. Go into the components directory, then type the script below

./config 1999

The number 1999 is the port, which you can set to whatever you like

[Image: psy5.png]

If it succeeds, a message like this will appear


4. Next, we run it by typing the script below


[Image: psy7.png]

5. Next, open mIRC and type the script below

/s [hostname] [port psyBNC]

Note: the hostname is the IP of our shell

[Image: psy8.png]

6. Then enter the password for our psyBNC

/QUOTE PASS password

Note: the script depends on psyBNC's own commands

[Image: psy9.png]

7. Add a server to our psyBNC

/addserver irc.*****.org:6667

[Image: psy11.png]

If it succeeds, it will look like the picture below

[Image: psy12.png]

8. And finally our nick will stay joined 24 hours a day, 7 days a week (as long as the shell or the psyBNC files are not deleted)

That's the end of my tutorial on setting up psyBNC via shell

Finally, wassalam


THC SSL DoS/DDoS Tool Released For Download

THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today. The vendors have been aware of this problem since 2003 and the topic has been widely discussed.

This attack further exploits the SSL Secure Renegotiation feature to trigger thousands of renegotiations via a single TCP connection.


./thc-ssl-dos 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing flood DDoS vs. SSL-Exhaustion attack

A traditional flood DDoS attack cannot be mounted from a single DSL connection. This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: a DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: the processing capacity for SSL handshakes is far superior on the client side, so a laptop on a DSL connection can challenge a server on a 30Gbit link. Traditional DDoS attacks based on flooding are suboptimal: servers are prepared to handle large amounts of traffic, and clients are constantly sending requests to the server even when not under attack.

The SSL handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large amounts of SSL handshakes. The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for Whitehats
  1. The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
  2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
  3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, … or the secure database port).
Countermeasures
No real solution exists. The following steps can mitigate (but not solve) the problem:
  1. Disable SSL-Renegotiation
  2. Invest in an SSL Accelerator
Either of these countermeasures can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.
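Since the tool's signature, as described in both the InfoWorld article above and this release note, is a flood of handshakes (or of renegotiations on one TCP connection) from a single client, a defender can spot it in connection logs. This added example, not part of the THC release, runs a sliding-window handshake-rate detector over a constructed log format; the log format, the IP addresses and the thresholds are assumptions for the example, not anything the tool or any real server emits.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed log format for this example (not the output of any real server):
#   "<unix_time> <client_ip>:<client_port> <event>"
# <event> is "handshake" for a full TLS handshake on a new TCP connection and
# "renegotiate" for a renegotiation on an already established connection.
LINE_RE = re.compile(
    r"^(\d+\.\d+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (handshake|renegotiate)$")


@dataclass(frozen=True)
class TlsEvent:
    ts: float
    ip: str
    port: int
    kind: str


def parse_log(lines: Iterable[str]) -> List[TlsEvent]:
    """Parse log lines into events sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, port, kind = m.groups()
            events.append(TlsEvent(float(ts), ip, int(port), kind))
    return sorted(events, key=lambda e: e.ts)


def max_in_window(stamps: List[float], window: float) -> int:
    """Largest number of (sorted) timestamps that fall inside any span of `window` seconds."""
    best = lo = 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_ssl_exhaustion(lines: Iterable[str], window: float = 1.0,
                          reneg_per_conn: int = 10,
                          handshakes_per_ip: int = 50) -> Dict[str, str]:
    """Return {client_ip: reason} for clients whose handshake rate looks like an
    SSL-exhaustion attack. The thresholds are assumptions to be tuned per server."""
    per_conn: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    per_ip: Dict[str, List[float]] = defaultdict(list)
    for e in parse_log(lines):
        per_ip[e.ip].append(e.ts)  # every handshake or renegotiation costs the server
        if e.kind == "renegotiate":
            per_conn[(e.ip, e.port)].append(e.ts)

    flagged: Dict[str, str] = {}
    # Pattern of the renegotiation variant: many renegotiations on one TCP connection.
    for (ip, port), stamps in per_conn.items():
        n = max_in_window(stamps, window)
        if n >= reneg_per_conn:
            flagged[ip] = f"{n} renegotiations within {window}s on connection from port {port}"
    # Pattern of the no-renegotiation variant: many fresh handshakes from one client.
    for ip, stamps in per_ip.items():
        n = max_in_window(stamps, window)
        if ip not in flagged and n >= handshakes_per_ip:
            flagged[ip] = f"{n} handshakes within {window}s from one client"
    return flagged


# Constructed sample: a normal client doing three handshakes over a few seconds,
# and one client that opens a single connection and then renegotiates 80 times
# within one second. Addresses are documentation/private ranges, not real hosts.
SAMPLE_LOG = [f"{1000.0 + 1.5 * i:.4f} 10.0.0.5:{40000 + i} handshake" for i in range(3)]
SAMPLE_LOG.append("1000.0000 198.51.100.7:50123 handshake")
SAMPLE_LOG += [f"{1000.0 + 0.0125 * i:.4f} 198.51.100.7:50123 renegotiate"
               for i in range(1, 81)]
SAMPLE_LOG.append("garbage line that the parser should ignore")

if __name__ == "__main__":
    for ip, reason in detect_ssl_exhaustion(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```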

You can download THC-SSL-DOS here:

Windows: thc-ssl-dos-1.4-win-bin.zip

Linux: thc-ssl-dos-1.4.tar.gz

Or read more here.

So I Googled your name and found.. a Twitter phishing attack! [video]

Sometimes they claim to have found a funny picture of you, say that you look like you've lost weight, or that there's a horrible blog going around about you.

Whatever the nature of the disguise used by phishing attacks on Twitter, the modus operandi is always the same. Scammers will send you a message, possibly from the compromised account of one of your Twitter followers, and use a social engineering lure to trick you into clicking on the link.

And that link will, inevitably, lead to a fake Twitter login page - designed to grab your username and password which can then be used to send out more spam, or to break into your other online accounts.

Here's the latest attack, which arrives in the form of a Direct Message (DM) from one of your Twitter pals, claiming that they have searched for you on Google and found some "really funny stuff" about you.

Twitter phishing attack via Direct Message
so i googled your name and found some really funny stuff about you lol its archived here [LINK]
Would you click on the link? Well, if you were tempted to do so your web browser would end up on a fake Twitter page just waiting for you to enter your username and password.

Fake Twitter login page

And if you do enter your details, you've been phished. Ouch.
Hopefully, you're not one of the many people who use the same password on multiple websites - otherwise cybercriminals might not just be able to send spam from your Twitter account, they may also have just been handed the skeleton keys for other parts of your online existence.

That could mean that scammers can now steal your personal information for financial gain.

Password chart

If you found your Twitter account was one of those sending out the phishing messages, you shouldn't just change your password and consider if you are using the same password elsewhere. It's also a sensible time to look again at how you choose your passwords.

For instance, it's important that you don't use a word from the dictionary as your password. It's easy to understand why computer users pick dictionary words as they're much easier to remember, but as I explain in this video a good trick is to pick a sentence and just use the first letter of every word to make up your password.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Password security is becoming more important than ever. Make sure that you're taking the issue seriously, or suffer the consequences.

There's some other house-cleaning you should do on your Twitter account too. Visit the Applications tab in "Account Settings", and revoke access for any third-party application that you don't recognise.

Follow me on Twitter if you want to keep up-to-speed with the latest threats, and learn how to protect yourself.

Beware Facebook lottery email scams!

Congratulations! You've won the Facebook lottery!
At least, that's what the following email claims.

Facebook lottery email

The email says that you can turn up in person at an address in London to claim your prize, but you will have to confirm your identity and eligibility.

If you don't want to visit London, then you can choose to pay a mere £385 to have the necessary paperwork couriered to you.
for your convenience, we can have your Facebook Claim Paper Work sent to you via our contracted Courier Service for signing and then send back to us to effect immediate release of your Winning. But note that you are to bear courier charges of this option which attracts the sum of £385 British Pound, only to be paid if you decide to settle for the Facebook Claim Paper Work to be sent to you via our contracted Courier Service. Please note that the £385 British Pound courier charges includes insurance and tax fees, as the paper work in question is highly confidential and needs to be insured for safety measures.
Hmm.. So, you've won a lottery but the company awarding you the prize won't stretch to having something couriered to you? Never mind! It's sure to be covered by your prize winnings, right?

Facebook lottery email

Although the phone number given in the email looks, to the casual observer, to go to a UK mobile phone it actually could be redirected anywhere in the world. The 0770 number is registered with British firm Cloud9, which offers international mobile services.

In short, you think you're phoning Facebook in London - but the phone could be being picked up by Fabian in Nairobi.

If you do call that number, chances are that you will be asked to share personal information and perhaps even conned into paying a fee in advance for the paperwork to be couriered to you.

In short, it's a scam. You never entered a Facebook lottery - so why do you think you've won one? Remember - you cannot win a lottery you haven't entered.

Lottery scams are not new, but they continue to occur because there are plenty of vulnerable people at risk of handing over their personal information or giving money to scammers in advance of their promised winnings.

Aidsql: Sql Injection Penetration Testing Tool [video]

Description: This is a video showing you how to effectively audit your website with aidSQL.

Download aidSQL: http://www.insecurestuff.in/2011/02/aidsql-tools-to-find-vulnerable-spots.html


Metasploit 4.1 And Armitage: What's New? [video]


Description: This video shows some of the new features in Armitage for Metasploit 4.1. You'll see improved tab management features, more exploit feedback, VNC, brute forcing, token stealing, and an export data feature to aid reporting. You can learn more about Armitage at http://www.fastandeasyhacking.com/


Top 15 Free SQL Injection Scanners

While the adoption of web applications for conducting online business has enabled companies to connect seamlessly with their customers, it has also exposed a number of security concerns stemming from improper coding. Vulnerabilities in web applications allow hackers to gain direct and public access to sensitive information (e.g. personal data, login credentials).

Web applications allow visitors to submit and retrieve data to/from a database over the Internet. Databases are the heart of most web applications. They hold data needed for web applications to deliver specific content to visitors and provide information to customers, suppliers etc.

SQL Injection is perhaps the most common web-application attack technique. It passes SQL fragments through a web application's input so that the back-end database executes them. The vulnerability arises when user input is concatenated into a query without being sanitised or, better, bound as a parameter, so the database parses the input as part of the SQL statement rather than treating it as data.

Checking for SQL Injection vulnerabilities means auditing your web applications, and automated SQL Injection scanners are the quickest way to cover a lot of ground, though they complement rather than replace a manual review of how the application builds its queries. We've compiled a list of free SQL Injection scanners we believe will be of value to both web application developers and professional security auditors.
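As an added illustration (not code from this page or from any of the tools listed below), the following Python script shows the bug these scanners hunt for and the boolean-based blind probe that most of them automate. It uses an in-memory SQLite database with constructed users and products tables as a stand-in for the web application's back end; the function names, table contents and payloads are assumptions made for the example, and a real scanner compares HTTP responses rather than query results.

```python
import sqlite3


def build_db():
    """Constructed stand-in for a web application's back-end database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("widget",), ("gadget",)])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Classic injectable login: user input is concatenated into the SQL text."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with a parameterised query: input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def product_vulnerable(conn, product_id):
    """Injectable numeric parameter (think /product?id=1) rendered straight into the query.
    Returns the rows the page would show, or 'error' where the application would
    render a database error page (the signal error-based tools key on)."""
    try:
        return conn.execute("SELECT name FROM products WHERE id = %s" % product_id).fetchall()
    except sqlite3.Error:
        return "error"


def product_safe(conn, product_id):
    """Parameterised version of the same lookup; SQLite's column affinity still
    matches the string '1' against the integer id, but '1 AND 1=1' is just text."""
    return conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()


def looks_injectable(fetch, base_id):
    """Boolean-based blind probe of the kind the scanners automate (illustrative logic,
    not any listed tool's own): a tautology appended to the parameter should reproduce
    the baseline response, while a contradiction should change it. Identical answers
    to all three requests mean this technique found nothing, not that the page is safe."""
    baseline = fetch(base_id)
    tautology = fetch("%s AND 1=1" % base_id)
    contradiction = fetch("%s AND 1=2" % base_id)
    return tautology == baseline and contradiction != baseline


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    print("vulnerable login with payload:", login_vulnerable(conn, "alice", payload))
    print("safe login with payload:      ", login_safe(conn, "alice", payload))
    print("vulnerable id parameter:", looks_injectable(lambda i: product_vulnerable(conn, i), "1"))
    print("safe id parameter:      ", looks_injectable(lambda i: product_safe(conn, i), "1"))
```

Run it to see the concatenated login accept `' OR '1'='1` while the parameterised one rejects it, and the probe flag only the concatenated product lookup. The time-based and error-based methods that tools such as SQLBrute and Absinthe also implement cover the cases where the response body does not change between the tautology and the contradiction.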

1. SQLIer – SQLIer takes a vulnerable URL and attempts to determine all the information necessary to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all.
Get SQLIer.

2. SQLbftools – SQLbftools is a collection of tools to retrieve MySQL information using a blind SQL Injection attack.
Get SQLbftools.

3. SQL Injection Brute-forcer – SQLibf is a tool for automating the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf works with both visible and blind SQL Injection. It works by performing simple logical SQL operations to determine the exposure level of the vulnerable application.
Get SQLibf.

4. SQLBrute – SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time-based and error-based exploitation on Microsoft SQL Server, and error-based exploitation on Oracle. It is written in Python, uses multi-threading, and doesn't require non-standard libraries.
Get SQLBrute.

5. BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked servers and the database schema, and allows the retrieval of data from any table that the current application user has access to.
Get BobCat.

6. SQLMap – SQLMap is an automatic blind SQL injection tool, developed in Python, capable of performing an active database management system fingerprint, enumerating entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantage of web application programming flaws that lead to SQL injection vulnerabilities.
Get SQLMap.

7. Absinthe – Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.
Get Absinthe.

8. SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to examine a database through vulnerabilities in web applications.
Get SQL Injection Pen-testing tool.

9. SQID – SQL Injection Digger (SQID) is a command line program that looks for SQL injections and common errors in websites. It can perform the following operations: look for SQL injection in web pages, and test submit forms for possible SQL injection vulnerabilities.

10. Blind SQL Injection Perl Tool – bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection.
Get Blind SQL Injection Perl Tool.

11. SQL Power Injector – SQL Power Injector helps the penetration tester to inject SQL commands on a web page. Its main strength is its capacity to automate tedious blind SQL injection with several threads.
Get SQL Power Injector.

12. FG-Injector Framework – FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation.
Get FG-Injector Framework.

13. SQLNinja – SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end database.
Get SQLNinja.

14. Automagic SQL Injector – The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned.
Get Automagic SQL Injector.

15. NGSS SQL Injector – NGSS SQL Injector exploits SQL injection vulnerabilities on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sybase.
Get NGSS SQL Injector.


Pentesting Iphone Applications


Description: This presentation mainly focuses on methodology, techniques and the tools that will help security testers while assessing the security of iPhone applications.

winAUTOPWN v2.8 Released For Download – Windows Auto-Hacking Toolkit

I wanted to post this a while back, but the site (and thus the download) was down again – it seems to be a common occurrence. Someone get this guy some proper hosting!

winAUTOPWN and bsdAUTOPWN are minimal interactive frameworks which act as a front end for quick exploitation of system vulnerabilities. They take inputs such as an IP address, hostname, CMS path, etc. and perform a smart multi-threaded port scan of TCP ports 1 to 65535. Exploits capable of giving remote shells, released publicly over the Internet by active contributors and exploit writers, are constantly added to winAUTOPWN/bsdAUTOPWN. Many of these exploits are written in scripting languages such as Python, Perl and PHP, so the corresponding interpreters must be installed for exploitation with winAUTOPWN/bsdAUTOPWN to succeed.

Exploits written in compiled languages such as C, Delphi and assembly are shipped pre-compiled alongside the others. On successful exploitation winAUTOPWN/bsdAUTOPWN gives a remote shell and waits for the attacker to use the shell before trying other exploits. This way the attacker can count and check the number of exploits which actually worked on a target system.

This version covers almost all remote exploits up to September 2011 and a few older ones as well. Also added in this release are a few Ruby exploits which need only the 'socket' library. Hence winAUTOPWN now requires Ruby to be installed as well, just like Perl, Python and PHP.

This version introduces a new command-line parameter, -targetOS, to allow selection of the target operating system. This is essential for a few exploits to work correctly. The list of operating systems and their corresponding OS codes is displayed, and you are prompted for one, when winAUTOPWN or bsdAUTOPWN is executed.

Until the last release only a bind_shell TCP shellcode was available in the exploits. This release adds the freedom to choose from a variety of shellcodes: you can now select reverse_tcp for Windows cmd, and other shellcodes for Solaris, Linux, FreeBSD, etc. This is done by mod_shellcode, which has been created and added to both WINDOWS AUTOPWN and BSD AUTOPWN. mod_shellcode is invoked automatically by WINDOWS AUTOPWN for every scripted exploit whose shellcode can be changed. Note that a few exploits ship only in compiled binary form and lack reverse shell and other shellcode options.

mod_shellcode is available as a separate binary in the exploits/ directory for Windows, FreeBSD x86, FreeBSD x64 and DragonFly BSD platforms (just like the main BSD AUTOPWN and other exploit binaries) and hence can also be manually used by exploit writers and exploiters to quickly change shellcodes in their exploit files.

You can download winAUTOPWN v2.8 here:


And well because the site is always down, I’ve uploaded a mirror copy here:

winAUTOPWN_2.8.7z (FileSonic)

Or read more here.