
ccesar

Members
  • Posts

    14
  • Joined

  • Last visited

About ccesar

  • Birthday 10/24/1981


ccesar's Achievements

Newbie

Newbie (1/14)

10

Reputation

  1. Android is well known for its flexible platform, especially when it comes to mods and customization. By pushing things a bit further you could end up with a modern and small hacking tool, just as Pwnie Express did to the Nexus 5, which it dubs the Pwn Phone. For $1295, the retail price of the Pwn Phone, you get the Nexus hardware together with a completely modified version of Android. It has the kernel recompiled and also runs its own derivative of Kali Linux on the back-end of the main OS. The custom firmware makes it possible for the Pwn Phone to use additional Wi-Fi, Bluetooth and Ethernet adapters by acting as a USB host. The added adapters offer better range and performance than those already integrated into the phone. The Pwn Phone is designed for white hat hackers that need to test the security of their Wi-Fi and Ethernet networks. To make this task as easy as it can be, the device comes with 103 tools for network monitoring and attack already installed. 26 of those tools can be executed with one single tap, because they are optimized for touchscreens. Some of the other tools are more complex, needing a terminal interface to work properly. Web-based administration tools make it easy to perform many of the Pwn Phone's functions from other devices, such as PCs or laptops. If you need a bigger screen, the company also sells a Pwn Pad, which is based on the Nexus 7 tablet and sells for $1095. Although the Pwn Phone targets a narrow niche of individuals, we can understand the power of Android OS and the possibilities that it can offer us in the future. If you are interested in the things the Pwn Phone can do but already have a Nexus 5, there are reports that in the future there will be a version of its custom OS available for download. We don't have a timeframe for this or how much it will cost, but we'll keep you posted. Source: Nexus 5 become a strong white hat hacking tool through Pwnie Express
  2. Generally speaking, Vodafone. Orange seems to me a bit below it; in terms of coverage they are probably comparable. Cosmote, from what I've heard, has better coverage than the others in many areas.
  3. Indeed, the Germany thing is a bit relative, especially if you want one that has already been imported; 99% of them have had the mileage rolled back quite a lot. Personally I would prefer one from Romania, with a service book and a history verifiable at the dealership, plus a check done by a mechanic. I really don't trust the imported ones ("driven by a doctor only on Sunday outings"); you'd think they came to Romania in reverse. To convince yourself it's enough to compare prices on autovit.ro with mobile.de or autoscout.com, and you'll see that the same car model, with similar mileage and similar equipment, is much more expensive in Germany/Western Europe, so something is definitely wrong, since the dealers have to make a living too. Regarding the cars you mentioned, they are not in the same class; you should compare the Fiesta with the Polo and the Focus with the Golf. Better to follow the dedicated forums a bit to see the specific problems: ClubFord » Comunitatea posesorilor de Ford din Romania, fordfocusclub.ro, vwforum.promotor.ro. Anyway, I don't think a car without specific problems exists; what matters is to see which ones are more likely, more expensive, etc.
  4. Understood; in principle I got what's happening, but the details need more study. Anyway, exploit kits seem interesting to me in terms of how they work, but it's a personal curiosity, so to speak, and I don't really have time.
  5. 2014-02-26 - ANGLER EK - SILVERLIGHT EXPLOIT DELIVERS GRAFTOR/ZBOT VARIANT

     PCAP AND MALWARE
     PCAP of the traffic: 2014-02-26-Angler-EK-traffic.pcap
     ZIP file of the malware: 2014-02-26-Angler-EK-malware.zip

     NOTES
     This is a good summary of Angler EK using a Silverlight exploit as early as Nov 2013: Cybercriminals target Silverlight browser plug-in users with new exploit kit | PCWorld

     CHAIN OF EVENTS

     ASSOCIATED DOMAINS
     206.188.192.114 - kaplanbenefits.com - Used by malicious link from phishing email.
     31.170.161.196 - Web hosting, domain names, VPS - 000webhost.com - First redirect (unsuccessful)
     62.149.130.229 - Dea Comunicazione - siti web, software, grafica pubblicitaria - Second redirect (successful)
     23.239.12.68 - northerningredients.com - Angler EK domain

     INFECTION CHAIN OF EVENTS
     02:56:38 UTC - 192.168.204.175:49380 - 206.188.192.114:80 - kaplanbenefits.com - GET /balanced/index.html
     02:56:39 UTC - 192.168.204.175:49382 - 31.170.161.196:80 - Web hosting, domain names, VPS - 000webhost.com - GET /ruder/pinpoints.js
     02:56:39 UTC - 192.168.204.175:49381 - 62.149.130.229:80 - Dea Comunicazione - siti web, software, grafica pubblicitaria - GET /distincter/retorted.js
     02:56:39 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /own0woz7z3
     02:56:40 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt
     02:56:43 UTC - 192.168.204.175:49387 - 23.239.12.68:80 - northerningredients.com - GET /KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6
     02:56:45 UTC - 192.168.204.175:49387 - 23.239.12.68:80 - northerningredients.com - GET /favicon.ico
     02:56:51 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe

     POST-INFECTION CALLBACK TRAFFIC
     02:58:06 UTC - 192.168.204.175:49391 - 173.194.77.104:80 - Google - GET /
     UDP traffic from 192.168.204.175 (the infected host) to several dozen IP addresses on various ports

     PRELIMINARY MALWARE ANALYSIS

     SILVERLIGHT EXPLOIT
     File name: 2014-02-26-Angler-EK-silverlight-exploit.xap
     File size: 53.0 KB ( 54292 bytes )
     MD5 hash: 54437862cb93c253e97f7b653917384e
     Detection ratio: 0 / 50
     First submission: 2014-02-25 01:01:06 UTC
     VirusTotal link: https://www.virustotal.com/en/file/9cd9503a50bc010aa247e2e6409e413d90a9a50fdd6ecd1f795f15e5b5951cce/analysis/

     MALWARE PAYLOAD
     File name: fegyko.exe
     File size: 331.0 KB ( 338944 bytes )
     MD5 hash: 0e1baf2546a3cd0544e333715d95ab3d
     Detection ratio: 14 / 50
     First submission: 2014-02-26 03:50:33 UTC
     VirusTotal link: https://www.virustotal.com/en/file/72fc35a8f1b3f5a279e5d2843da304bd670f2885adbac5444110a935c01b62e6/analysis/
     Malwr link: https://malwr.com/analysis/YTFhNWVlNDg3YmMxNGNlNGIyNGNhYjYyMWViOWY0Nzk/
     This is the malware payload after it copied itself to a folder named Xeoram in the AppData\Roaming\ directory.

     SNORT EVENTS

     SNORT EVENTS FOR THE ANGLER EK TRAFFIC (FROM SECURITY ONION)
     2014-02-26 02:56:39 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET CURRENT_EVENTS Angler Landing Page Feb 24 2014
     2014-02-26 02:56:40 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET SHELLCODE Possible Encoded %90 NOP SLED
     2014-02-26 02:56:43 UTC - 23.239.12.68:80 -> 192.168.204.175:49387 - ET CURRENT_EVENTS Angler EK encrypted binary (2) Jan 17 2013
     2014-02-26 02:56:52 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013

     HIGHLIGHTS FROM THE TRAFFIC
     The infected web page - kaplanbenefits.com/balanced/index.html
     Successful redirect - www.deacomunicazione.it/distincter/retorted.js
     Angler EK delivers Silverlight exploit - northerningredients.com/cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt
     Angler EK delivers EXE payload, XOR-ed with the ASCII string: adb234nh - northerningredients.com/KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6
     Angler EK delivers the same EXE payload again, XOR-ed with the ASCII string: aldonjfg - northerningredients.com/EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe

     NOTE: When I tried XOR-ing both versions of the file from the PCAP, they both had the same MD5 hash, but it was different than the hash for a file named fegkyo.exe in the AppData\Roaming\Xeoram folder. Fegkyo.exe is the exact same size as the files from the PCAP, and it's presumably a copy of the properly deobfuscated malware payload. When I sent the deobfuscated files I extracted from the PCAP to VirusTotal and Malwr, they were marked as corrupt.

     FINAL NOTES
     Once again, here are links for the PCAP file of the traffic and the ZIP file of the associated malware:
     PCAP of the traffic: 2014-02-26-Angler-EK-traffic.pcap
     ZIP file of the malware: 2014-02-26-Angler-EK-malware.zip
     The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
     Click here to return to the main page.

     Source: Malware-Traffic-Analysis.net - 2014-02-26
     Continued: Malware-Traffic-Analysis.net - 2014-02-27
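As an added example (not code from the post or from Malware-Traffic-Analysis.net), the following Python shows the analyst-side step the highlights above describe: reversing a repeating-key XOR applied to a captured executable, then checking that the result is a well-formed PE before relying on its hash. The two keys are the ones named in the post; the bytes being decoded are a constructed stub, not the real payload. The structural check is the point of the example: a decoded file that does not start with a valid MZ/PE layout is the situation the post's NOTE describes, and its MD5 should not be circulated as an indicator.

```python
import hashlib

# Added example (not from the Malware-Traffic-Analysis.net post): an analyst-side
# routine that reverses a repeating-key XOR applied to a captured executable,
# then sanity-checks the result before trusting its hash.


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the ASCII key, repeating the key as needed."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return pe_offset + 4 <= len(data) and data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def decode_payload(blob: bytes, key: bytes) -> dict:
    """Decode one captured blob and report whether the result is a plausible PE file.

    A decoded file that fails looks_like_pe() is the signal the post's NOTE describes:
    the key or the capture is off, and the MD5 should not be used as an indicator.
    """
    plain = xor_with_key(blob, key)
    return {
        "size": len(plain),
        "md5": md5_hex(plain),
        "valid_pe": looks_like_pe(plain),
    }


def _build_sample_pe_stub() -> bytes:
    """Constructed stand-in for a payload (not real malware): MZ header,
    e_lfanew pointing at offset 0x40, a PE signature and some filler."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 28 + b"constructed sample body"


# Constructed inputs: the same stub obfuscated with the two keys named in the post.
SAMPLE_PLAIN = _build_sample_pe_stub()
SAMPLE_KEY_1 = b"adb234nh"
SAMPLE_KEY_2 = b"aldonjfg"
SAMPLE_BLOB_1 = xor_with_key(SAMPLE_PLAIN, SAMPLE_KEY_1)
SAMPLE_BLOB_2 = xor_with_key(SAMPLE_PLAIN, SAMPLE_KEY_2)


if __name__ == "__main__":
    for blob, key in ((SAMPLE_BLOB_1, SAMPLE_KEY_1), (SAMPLE_BLOB_2, SAMPLE_KEY_2)):
        result = decode_payload(blob, key)
        print(f"key={key.decode()} size={result['size']} "
              f"md5={result['md5']} valid_pe={result['valid_pe']}")
```

Run against real captures, the two decoded files should agree on MD5 and both pass the PE check; if they agree but fail the check, as in the post, the hash belongs to a damaged decode rather than to the payload on disk.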
  6. German security firm offers unauthorized patch for critical encryption bug in OS X Mavericks

     Computerworld - A German security company has released an unauthorized patch for Apple's OS X Mavericks that it claimed closes the hole the Cupertino, Calif. giant left wide open in the operating system's implementation of basic Internet encryption.

     Cologne, Germany-based SektionEins GmbH published the patch on Saturday, the day after Apple updated its iOS 7 and iOS 6 mobile operating systems to fix a flaw in their handling of SSL (secure socket layer) and TLS (transport layer security). Those protocols create an encrypted connection between a personal computer and a server -- such as one at Amazon.com -- so that snoopers cannot read the traffic and extract information like credit card numbers or log-in credentials.

     According to many security researchers, SektionEins (whose name translates to "SectionOne" in English) among them, OS X Mavericks contains the same critical vulnerability. SektionEins' blog detailed the flaw in Mavericks and provided a link to the unofficial patch.

     Unauthorized patches are rare; the last time someone offered one for the more widely-used Windows, for instance, was 2006-2007, when a group calling themselves ZERT (Zeroday Emergency Response Team) issued several home-brewed patches for bugs in Windows and Internet Explorer.

     Users should be wary of unsanctioned fixes, as there's no guarantee that they work or are even clean of malicious code. Cyber criminals have used the lure of security updates to plant malware on machines for years, for example.

     SektionEins was clear about the risks users took if they applied the home-grown Mavericks patch. "You should not attempt to run this on production systems," the company said on its blog. "We strongly consider this patch experimental and you should only apply it to your systems if you understand the risk."

     The German firm's website has been in operation since 2007, according to Internet domain registration records.

     Apple today confirmed that it is working on a Mavericks update. "We are aware of this issue and already have a software fix that will be released very soon," a spokeswoman said in an email reply to questions Monday.

     But users who are leery of installing a third-party patch -- as most should be -- can take other steps to protect themselves until Apple ships a fix for OS X.

     "iOS is a no-brainer, update, as in you should have updated yesterday," said Andrew Storms, director of DevOps at San Francisco's CloudPassage, in a Monday interview. "OS X is more concerning because there's no word from Apple about exactly when they're going to patch it. That's classic Apple, keeping mum."

     Like other security experts, Storms urged users to refrain from using their Macs at public Wi-Fi hotspots, the most obvious and easiest places for hackers to attempt "man-in-the-middle" attacks, where the criminals interpose themselves between the client computer and server, then snatch the unencrypted bits from the ether.

     He also said users can protect themselves by using an alternative to Safari, which relies on the vulnerable cryptographic code libraries. According to the quick-and-dirty test site gotofail.com, both Google's Chrome and Mozilla's Firefox are secure.

     But while it may be safe to access the Web using Chrome or Firefox at a public, unencrypted Wi-Fi hotspot, Storms pointed out that a slew of other applications, including those for social networking services and Apple's native OS X applications, ranging from Mail to Calendar, are not.

     When Apple does issue a fix for Mavericks, it will place a notation on this page and begin offering it to users who manually launch Software Update from the Apple menu. Others will receive it automatically, as Mavericks regularly pings Apple's servers.

     Source: https://www.computerworld.com/s/article/9246555/German_security_firm_offers_unauthorized_patch_for_critical_encryption_bug_in_OS_X_Mavericks
  7. To destroy an HDD in at most 5 seconds there is no other solution than physical destruction; software cannot do this efficiently because the platters holding the data remain anyway. For that, apart from a good sledgehammer, the solution is, as has already been said, a very strong magnet, or more precisely an electromagnetic field; I've seen discussions somewhere about concealing such an installation in the door frame, so that when the drive is taken out of the room it's in, the data is destroyed. Anyway, the simplest solution for data confidentiality remains encryption, possibly whole disk encryption, with TrueCrypt (and a hidden partition if you're a bit more paranoid), PGP, etc.
  8. That's right, at eMag there is definitely no problem with the RAM modules or the HDD, and I don't think there is anywhere else either, as long as you have access to them and don't touch any seal.
  9. Anatomy of a poisoned image: colour-coded JavaScript!

     You may have read recently about a newly-discovered attack that involves injecting code into your browser using poisoned image files. Code-carrying image files are usually a serious security concern, especially if they involve deliberately malformed content that was criminally crafted to trip up your browser, or PDF reader, RTF viewer, video player, and so forth.

     A well-known example from late in 2013 was a TIFF handling vulnerability in Microsoft Windows. This TIFF exploit was used by criminals, who lured you to open an innocent-looking document file containing a booby-trapped TIFF image; crashed Microsoft Office; grabbed control of your CPU; and tricked your computer into running executable code without any official popups or warnings. An attack of that sort is known as a remote code execution exploit, or RCE. RCEs usually rely not only on remotely delivered content that is deliberately and criminally unusual, but also on software behaviour that isn't supposed to happen.

     Fortunately, this latest poisoned code injection isn't anywhere near as dangerous as the TIFF hole: it doesn't exploit a vulnerability that allows it to take over without warning. But it does tell an interesting, even amusing, story of subterfuge and guile, so here you are.

     The start of the attack

     The first stage of the attack is some unwanted JavaScript, tacked on the end of a 9000-line JavaScript file downloaded as jquery.js. In any server logs, the presence of jquery.js is unlikely to ring any immediate alarms: it is a widely-used JavaScript programming library that is free and open source. Indeed, for the first 8981 lines, the file is jquery.js - the official, unmodified, uncompressed file from version 1.6.2. (As you can see from the datestamp, the crooks are often many versions and several years behind, too.) The malicious addition comes right at the end.

     You'll notice a pair of functions that stand out rather obviously, at least to a security researcher: even at a glance, you can make an educated guess that the loadFile() function is there to fetch an image and then to pass some part of it to JavaScript's eval() function. Fetching images is unexceptionable behaviour for a JavaScript function, but using an image as input to eval() is both unusual and suspicious.

     The eval() function contributes both to the flexibility and the danger of JavaScript: it takes a text string, compiles it, and runs it as if that string had been an original part of the JavaScript code that was just downloaded. Crooks love eval() because it means that the code they send to your browser isn't the code they ultimately intend to run: this helps them hide away their malware in the hope that it will only ever exist in its final, malevolent form inside your browser. JavaScript-based malware often uses various text encodings (e.g. hexadecimal) and scrambling techniques (e.g. ROT13) to disguise the code it will eventually pass to eval(). String obfuscation is especially handy for disguising the presence of suspicious URLs in the malicious code.

     In the "poisoned image" approach we're studying here, however, the string isn't encoded as another string - it's encoded into a series of coloured pixels! Here's how the crooks did it.

     The initial image

     The image that is fetched by the loadFile() function above is 17x17 pixels. Magnified 20 times, it looks like this: Looking at the image doesn't give much away. If we open the image file in a hex editor, there's still nothing obvious to see: PNG files are stored as a series of data sections, the most important of which is IDAT, the actual image data. The raw data (highlighted in blue above) in the IDAT section is compressed, disguising still further any patterns that might otherwise be obvious.

     But if we convert the image to a raw RGB file, in which each pixel is represented by three bytes denoting the amount of red, green and blue it contains, things start to get interesting: Each pixel has the same value for red, green and blue, as we'd expect for a greyscale image. And the majority of those greyscale values map into the range in the ASCII chart reserved for digits and letters: We can also see the stand-out values 0x20 (space, annotated in pink) and 0x0D-followed-by-0x0A (the carriage return-line feed combination used on Windows to denote the end of a line of text, annotated in green).

     The hidden source code

     With a little bit of colourisation and a slight tweak to the contrast to aid in clarity, the image now clearly reveals itself as a colour-coded matrix of JavaScript source code: The darker regions in the image correspond to the lower values in the ASCII chart, namely the digits and punctuation marks.

     Notice that the JavaScript code that unpacks the PNG file and extracts the colour-coded source code doesn't need to know how to parse the PNG file format to find the IDAT section, and doesn't need to know how to decompress the image data. It relies on the browser to render the image into an HTML5 canvas, which transparently (if you will pardon the pun) deals with decoding and decompressing the raw image file. The source code is then sucked back in, pixel by pixel, from the rendered version of the image. Indeed, the malware could switch to a different file format, such as JPEG or GIF, without any additional code required in the bogus jquery.js file.

     The invisible components

     As you can see from the code listing above, even a keen-eyed user won't spot the 17x17 pixel greyscale-image-that-isn't, because it is rendered 10,000 pixels off to the left of the window:

     oImg.style.left = "-10000px";

     The code that's extracted from the invisible image and submitted to eval() creates a similarly out-of-shot IFRAME:

     elm.style.left = '-1000px'; elm.style.top = '-1000px';

     The invisible IFRAME is then populated with an HTML page that consists only of a SCRIPT tag that pulls in yet more JavaScript. This script, in turn, produces yet another IFRAME, once again positioned invisibly:

     document.write("<iframe style='position:absolute; top: -200px;' src=...");

     At this point, at least in our experiments, things ended in an amusingly ironic anticlimax. The final webpage we reached, after all this jiggery-pokery, was this:

     <html><head></head><body></body></html>

     That's an empty page, so even if it were visible, our colourful journey would end in nothing.

     A final warning

     Of course, the cybercriminals could quickly and easily vary the web trajectory followed by the image-rendering trick in the bogus jquery.js file. They could change the image itself or the location and contents of any of the IFRAMEs that are subsequently fetched, so we can't promise that things will end with the same sort of wry smile in your case...

     Source: Anatomy of a poisoned image: colour-coded JavaScript! | Naked Security
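As an added example (not code from the article or from Naked Security), the following Python reproduces offline the readback the article describes, from the analyst's side: one channel of each pixel is taken in scan order, the values are checked against the printable-ASCII-plus-CRLF pattern the article noticed in the raw RGB dump, and a greyscale image that is really a text carrier is flagged and its contents recovered for review. The 17x17 size comes from the article; the harmless two-line script embedded in the fixture and the gradient "photo-like" image used as a negative case are constructed.

```python
from typing import Dict, List, Tuple

# Added example (not code from the Naked Security article): an analyst-side check
# for a greyscale image whose pixel values are really ASCII source text, mirroring
# the canvas readback the article describes the bogus jquery.js performing.

Pixel = Tuple[int, int, int]  # (red, green, blue), each 0..255


def text_to_grey_pixels(text: str, width: int, height: int, pad: int = 0) -> List[Pixel]:
    """Constructed test fixture: lay ASCII text out as greyscale pixels in scan order,
    padding the remainder of the width x height grid with the pad value."""
    data = text.encode("ascii")
    if len(data) > width * height:
        raise ValueError("text does not fit in the image")
    data += bytes([pad]) * (width * height - len(data))
    return [(b, b, b) for b in data]


def grey_pixels_to_text(pixels: List[Pixel], pad: int = 0) -> str:
    """Read one channel per pixel in scan order and drop trailing padding.
    This is the canvas-readback step the article describes, done offline."""
    raw = bytes(p[0] for p in pixels).rstrip(bytes([pad]))
    return raw.decode("latin-1")


def is_greyscale(pixels: List[Pixel]) -> bool:
    return all(r == g == b for r, g, b in pixels)


def printable_ratio(pixels: List[Pixel], pad: int = 0) -> float:
    """Share of non-padding pixel values that fall in printable ASCII or TAB/LF/CR,
    the pattern the article observed when dumping the image as raw RGB."""
    values = [p[0] for p in pixels if p[0] != pad]
    if not values:
        return 0.0
    textlike = sum(1 for v in values if 0x20 <= v < 0x7F or v in (0x09, 0x0A, 0x0D))
    return textlike / len(values)


def assess_image(pixels: List[Pixel], threshold: float = 0.95) -> Dict[str, object]:
    """Flag an image as a likely text carrier and, if so, recover the text for review."""
    grey = is_greyscale(pixels)
    ratio = printable_ratio(pixels)
    suspicious = grey and ratio >= threshold
    return {
        "greyscale": grey,
        "printable_ratio": ratio,
        "suspicious": suspicious,
        "recovered_text": grey_pixels_to_text(pixels) if suspicious else "",
    }


# Constructed samples: a harmless two-line script hidden in a 17x17 grid (the size
# the article reports), and a colourful gradient that should not trigger.
SAMPLE_SCRIPT = "var n = 17;\r\nvar s = 'constructed';\r\n"
SAMPLE_CARRIER = text_to_grey_pixels(SAMPLE_SCRIPT, 17, 17)
SAMPLE_PHOTO_LIKE = [((i * 7) % 256, (i * 13) % 256, (i * 29) % 256) for i in range(17 * 17)]


if __name__ == "__main__":
    for name, img in (("carrier", SAMPLE_CARRIER), ("photo-like", SAMPLE_PHOTO_LIKE)):
        verdict = assess_image(img)
        print(name, "suspicious" if verdict["suspicious"] else "clean",
              round(verdict["printable_ratio"], 2))
        if verdict["suspicious"]:
            print(verdict["recovered_text"])
```

The greyscale test and the printable-value ratio together are what make a tiny image worth a second look; a genuine icon of that size will have colour channels that disagree and byte values scattered across the whole 0..255 range. Because the check works on decoded pixels rather than on the PNG container, it is indifferent to the file format, which is the same property the article points out the attacker relies on.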
  10. Fiesta Exploit Kit Analysis

      In January, Cisco published a blog post on the ubiquitous Fiesta Exploit Kit (EK), which is quite active at the moment. To supplement their analysis, this post takes a look at an individual Fiesta drive-by attack observed by Context as part of our managed Targeted Attack Detection Service (TADS). The post also shows the methodology we used to investigate the incident and decode the traffic.

      Compromising a user through a drive-by web attack certainly isn't new, but due to advances in the detection of phishing emails it is becoming an increasingly popular alternative. Another drawback for the attacker when relying on phishing attacks to deliver malicious code is that an email often contains clues such as sender addresses and information in SMTP headers. This makes it easier for email scanners and intrusion detection systems to identify and attribute further attacks.

      In the case of Fiesta, the perpetrator(s) of this activity appear to have compromised numerous webservers in order to inject their malicious code into webpages. The result is a potential victim pool of thousands of browsers visiting those sites; an ideal attack platform for those who are trying to compromise as many online bank accounts as possible using crimeware.

      What makes this attack vector all the more insidious is that the only parties likely to detect malicious code delivered server-side are the administrators for the websites and those who have the resources to implement technical countermeasures - certainly not the average user. This is in contrast to a phishing email, where it only takes one recipient to become suspicious and alert the appropriate authorities.

      This post looks into the methods employed by the Fiesta EK to shed some light on how this kit is able to change its code and avoid being detected.

      Compromise stages

      1. The exploitation process starts off with a user visiting a trusted webpage containing embedded malicious JavaScript.
      2. An embedded script tag on the compromised website causes the user's browser to request and execute further code hosted on a second domain (in this case valeriesn[.]com). This domain acts as an intermediary between the original compromised webpage and the Fiesta EK landing page, as shown in the image below. This approach gives the attacker much greater flexibility regarding where the victim browser is directed to. They could be sent to different domains hosting the exploit kit, to a different exploit kit entirely, or even nowhere if the attacker does not want to raise suspicion. This provides a layer of adaptability and security to the attacker and aids against detection and disruption of the campaign.
      3. When the user's browser visits the landing page, it is profiled to detect possible attack vectors. As shown in the image below, Fiesta then attempts to exploit the victim browser by directing it to one or more encoded URL addresses.

      While the Fiesta Exploit Kit is capable of serving many different exploits, in this particular case Context observed exploits for the following CVEs: CVE-2013-2465, CVE-2013-1493.

      Decoding Fiesta EK code

      The landing page consists of a large amount of JavaScript code embedded within an HTML document. Almost every aspect of this page can be changed to evade detection, including the page title, variable and function names, and strings in the code. The Fiesta EK goes to great lengths to obfuscate its code and uses a function to encode the majority of the strings using a number and key combination. The function responsible for this process can be seen below: The long string stored in the variable "b" is the key used to encode the strings in the document. In order to reliably decode the contents of the encoded strings in Fiesta EK pages, Context recreated this function in the form of the following Python script: A copy of this script can be downloaded from here.

      When we ran this script against our sample file we received the following output: From this list of strings Context was able to identify a number of potential attack vectors included in the script.

      After a delay of approximately 10 minutes from the drive-by attack, two executable files were observed being downloaded by the host from the IP address 115.47.49.181 (Beijing, China). At the time of writing 'clock.exe' was identified as malicious by 33/46 VirusTotal vendors, with the majority calling it 'Papras' (https://www.virustotal.com/en-gb/file/041fce3bdcf15db414b2ea47e47b07fcf605749237b2471a5a54da4318b5e0a8/analysis/). According to F-Secure, 'Papras' is a Trojan that steals login credentials and uses a rootkit to hide itself. The file 'setini.exe' was detected by 23/47 VirusTotal vendors and was identified by the names 'Pony' and 'fareit', amongst others (https://www.virustotal.com/en-gb/file/b8637fae5a01780c7db6b7150e80a77e90e57613bcf86e1fe555115116c011ec/analysis/). This file is an information stealer that is also used to download additional malware such as Zeus.

      Sadly, the home user has little chance to determine whether malicious code has been injected onto a webpage. As always, keeping browser patching levels up to date drastically reduces the attack surface area, as the exploit kit will have fewer or no vulnerabilities to exploit. But if your organisation isn't willing to carry this risk, you may want to consider in-depth network monitoring.

      Thanks to Cisco for raising Fiesta in their post and the original groundwork by malware don't need coffee. Thanks also to the excellent Kahu Security for the background information.

      Source: Context Information Security