Everything posted by Usr6
Link: SecurityKISS - Free VPN Service. A giveaway will start at 27.03.2014 00:00 and finish 29.03.2014 24:00 GMT. Source: PROMO - SecurityKISS Tunnel (30 GB/month) for 3 months free of charge | MalwareTips.com
Useless suggestion, useless poll; the provision already exists in the rules: 1. Actions for which you will receive a warning or even a ban: off-topic, double posting (you have an edit button), useless posts, reopening a topic, insulting a member (personal attack), inappropriate topic title, information already posted, inappropriate language (IRC style - "sh", "tz", CAPS, in colours or completely illiterate), large avatars or ones that exceed common decency, pathetic signatures, referrer links, animated images in the signature. Titles get edited, warnings get issued. If you come across topics of this kind, you can use the report button, it DOESN'T BITE.
Analyzing how hacks are done, so as to stop them in the future. Reverse engineering is the process of analyzing hardware or software and understanding it, without having access to the source code or design documents. Hackers are able to reverse engineer systems and exploit what they find with scary results. Now the good guys can use the same tools to thwart these threats. Practical Reverse Engineering goes under the hood of reverse engineering for security analysts, security engineers, and system programmers, so they can learn how to use these same processes to stop hackers in their tracks. The book covers x86, x64, and ARM (the first book to cover all three); Windows kernel-mode code rootkits and drivers; virtual machine protection techniques; and much more. Best of all, it offers a systematic approach to the material, with plenty of hands-on exercises and real-world examples. Offers a systematic approach to understanding reverse engineering, with hands-on exercises and real-world examples. Covers x86, x64, and advanced RISC machine (ARM) architectures as well as deobfuscation and virtual machine protection techniques. Provides special coverage of Windows kernel-mode code (rootkits/drivers), a topic not often covered elsewhere, and explains how to analyze drivers step by step. Demystifies topics that have a steep learning curve. Includes a bonus chapter on reverse engineering tools. Practical Reverse Engineering: Using x86, x64, ARM, Windows Kernel, and Reversing Tools provides crucial, up-to-date guidance for a broad range of IT professionals. Download: http://upload.evilzone.org/download.php?id=4356861&type=rar Source: https://evilzone.org/ebooks/practical-reverse-engineering/
Features Explains how to write programs in the X86 assembly language, the C programming language, and X86 assembly language modules embedded in a C program Describes the general computer architecture of the X86 microprocessor Presents the most commonly used X86 assembly language instructions Explains the theory behind the design of program examples, where necessary Pedagogical Features Supplies end-of-chapter homework problems that range from simple to complex Includes a multitude of program design examples with complete code and outputs Offers answers to select problems in an appendix and a complete solutions manual available upon qualifying course adoption Summary The predominant language used in embedded microprocessors, assembly language lets you write programs that are typically faster and more compact than programs written in a high-level language and provide greater control over the program applications. Focusing on the languages used in X86 microprocessors, X86 Assembly Language and C Fundamentals explains how to write programs in the X86 assembly language, the C programming language, and X86 assembly language modules embedded in a C program. A wealth of program design examples, including the complete code and outputs, help you grasp the concepts more easily. Where needed, the book also details the theory behind the design. Learn the X86 Microprocessor Architecture and Commonly Used Instructions Assembly language programming requires knowledge of number representations, as well as the architecture of the computer on which the language is being used. After covering the binary, octal, decimal, and hexadecimal number systems, the book presents the general architecture of the X86 microprocessor, individual addressing modes, stack operations, procedures, arrays, macros, and input/output operations. 
It highlights the most commonly used X86 assembly language instructions, including data transfer, branching and looping, logic, shift and rotate, and string instructions, as well as fixed-point, binary-coded decimal (BCD), and floating-point arithmetic instructions. Get a Solid Foundation in a Language Commonly Used in Digital Hardware. Written for students in computer science and electrical, computer, and software engineering, the book assumes a basic background in C programming, digital logic design, and computer architecture. Designed as a tutorial, this comprehensive and self-contained text offers a solid foundation in assembly language for anyone working with the design of digital hardware. Download: https://evilzone.org/ebooks/x86-assembly-language-and-c-fundamentals/ Source: https://evilzone.org/ebooks/x86-assembly-language-and-c-fundamentals/
Those who follow other areas of the forum, not just the off-topic one, know that you don't need an account to download from docspedia: RSTForums Docspedia Downloader, made by RST member @Silviu https://rstforums.com/forum/79606-docspedia-search-engine-downloader-fara-cont.rst
If you run a website on a Linux server or are responsible for the security of your company’s Unix servers, there’s something very important you should do right now. Researchers at ESET, in collaboration with CERT-Bund, the European Organization for Nuclear Research (CERN), the Swedish National Infrastructure for Computing and other agencies, have uncovered a widespread cybercriminal operation that has seized control of tens of thousands of Unix servers. And if your system is found to be infected, experts strongly recommend you re-install the operating system, and consider all credentials used to log into the machine as compromised. In short, if you are a victim, all passwords and private OpenSSH keys should be changed. The attack, which has been given the name “Windigo” after a mythical creature from Algonquian Native American folklore, has resulted in over 25,000 Unix servers being hacked, resulting in 35 million spam messages being sent each day from compromised machines. That would be bad enough, normally. But in this case, malicious hackers have also been using hijacked web servers to infect visiting Windows PCs with click fraud and spam-sending malware, and display dating website adverts to Mac users. Even smartphone users don’t escape – finding their iPhones redirected to X-rated content, with the intention of making money for the cybercriminals. ESET’s security research team has published a detailed technical paper into “Operation Windigo”, and says it believes that the cybercrime campaign has been gathering strength, largely unnoticed by the security community, for over two and a half years. “Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. 
Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé. In its attempt to hijack servers and infect computers, Windigo uses a complex knot of sophisticated malware components including Linux/Ebury (an OpenSSH backdoor and credential stealer that was the subject of a detailed investigation by ESET researchers earlier this month), Linux/Cdorked, Perl/Calfbot, Linux/Onimiki, Win32/Glubteba.M, and Win32/Boaxxe.G. During a single weekend, ESET researchers observed more than 1.1 million different IP addresses going through part of Windigo’s infrastructure, before being redirected to servers hosting exploit kits. An analysis of the visiting computers revealed a wide range of operating systems being used. This in itself threw up some light relief, as researchers discovered that “23 people apparently still browse the Internet on Windows 98, and one person even does it on Windows 95.” Léveillé and his fellow researchers are appealing for Unix system administrators and webmasters to run the following command which will tell them if their server is compromised or not: $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected" That single Unix command should quickly tell you if your system is seriously compromised or not by Windigo, and whether you need to take steps to clean up and better protect your servers in future. Further details on how to tell if your server has been compromised are included in ESET’s technical white paper on Operation Windigo [PDF].
Source: 500,000 PCs attacked each day after UNIX servers hijacked by Windigo. On the same subject: Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign
Bad news for WhatsApp users on Android. If you chat on WhatsApp, it's time to be careful and avoid getting too private. An IT security expert, Bas Bosschert, has discovered a critical vulnerability allowing other Android apps to access and read all of a user’s chat conversations. So how and what happens: When you allow WhatsApp to build a back-up of your chats in order to install the app on other computing devices, the back-up data is sent to the WhatsApp database and is saved on the SD card of your smartphone. Now, rather than building a unique password or code for each and every user, WhatsApp is using the exact same code for all of its users, which is bad news because any developer can make an app to decrypt and penetrate the data, including chats, images and videos. So as long as you grant the app the permissions it asks for, your messages will be exposed to third parties. An important point is that this security flaw is affecting Android users only. As far as Apple‘s iOS is concerned, the app does the same thing, but Apple blocks all access to the WhatsApp database where the data is stored. How it is done: To learn how it is done, visit Bosschert’s official blog here. How to avoid it? According to my personal view, it is very simple to avoid getting your chats exposed to a third party. All you have to do is to NEVER download/use or allow an unknown/phony app on your Android phone. Source: Vulnerability in WhatsApp Allows Hackers To Read Your Conversation and View Media | HackRead - Latest Cyber Crime - Information Security - Hacking News
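The weakness the post describes is key management: one key shared by every installation, so any app that can read the SD card and knows that constant can decrypt every user's backup. The following is an added example (not code from the post, from Bosschert's blog or from WhatsApp) that contrasts that design with a key derived per device from a secret kept in the app's private storage. The key constant, the account id, the "device secret" and the toy HMAC-SHA256 counter-mode cipher are all constructed for illustration; the cipher is only there so the script runs on the standard library.

```python
"""Added example, not from the post or from WhatsApp: one key shared by every
installation versus a key derived per device.

The cipher is a toy HMAC-SHA256 counter-mode keystream so that the script runs
with the standard library only; the lesson is in the key management."""
import hashlib
import hmac
import os

# Assumption for the example: a constant baked into every copy of the app.
# A third-party app can ship the same constant. Value is constructed.
STATIC_APP_KEY = hashlib.sha256(b"constructed-shared-app-key").digest()

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt_backup(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext for a chat backup."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_backup(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_backup; a wrong key simply yields garbage bytes."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def derive_device_key(device_secret: bytes, account_id: str) -> bytes:
    """Per-device key: bound to a secret held in the app's private storage
    (not on the world-readable SD card) and to the account, so another app
    or another install cannot reproduce it without that secret."""
    return hashlib.pbkdf2_hmac("sha256", device_secret, account_id.encode(), 100_000, dklen=32)


def compare_designs(chats: bytes) -> dict:
    """Show what a third-party app holding only STATIC_APP_KEY can read."""
    # Weak design: every phone encrypts its backup with the same constant.
    weak_blob = encrypt_backup(STATIC_APP_KEY, chats)
    weak_exposed = decrypt_backup(STATIC_APP_KEY, weak_blob) == chats

    # Per-device design: the key comes from a secret this device alone holds.
    device_secret = os.urandom(32)  # constructed stand-in for protected storage
    device_key = derive_device_key(device_secret, "user@example.invalid")
    strong_blob = encrypt_backup(device_key, chats)
    strong_exposed = decrypt_backup(STATIC_APP_KEY, strong_blob) == chats
    owner_can_read = decrypt_backup(device_key, strong_blob) == chats

    return {"weak_exposed": weak_exposed,
            "strong_exposed": strong_exposed,
            "owner_can_read": owner_can_read}


if __name__ == "__main__":
    print(compare_designs(b"alice: meet at 10?\nbob: ok, see you there"))
```

`compare_designs` returns `weak_exposed=True` and `strong_exposed=False`: the same third-party code that reads every backup under the shared constant recovers nothing once the key depends on a per-device secret, while the owner's own install (`owner_can_read`) still restores its backup. The toy stream cipher provides no integrity; a real design would use an AEAD and store the device secret in platform-protected storage.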
Everybody that has a mobile phone should watch this video. Also, check out the excellent (and scary) visualization of the data from his cell phone over six months by the German newspaper Zeit. Via: What your phone company knows about you | Break & Enter
A few days ago the personal blog and Reddit account of MtGox CEO, Mark Karpeles, were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people's keen interest in the MtGox topic. The file is a zip archive (MD5 90e78be95914f93030b04eaceb22b447). It contains different kinds of data. The biggest item inside is trades.zip, which is 620MB: this is actually publicly available data on MtGox trades. Finally, the archive contains software binaries for Windows PC and Mac. We detect the Trojan (MD5:c4e99fdcd40bee6eb6ce85167969348d), a 4.3MB PE32 executable, as Trojan.Win32.CoinStealer.i. Both have been created with the Livecode programming language – an open-source and cross-platform application development language. When the victim executes the application, it looks like the back-office software for accessing the databases of Mt. Gox’s owning company, Tibanne Co. Ltd. The malware part is quite simple. The Livecode application contains the source code as an encrypted and packed binary that’s available when executed. We dumped the Trojan code from memory and analyzed it. The malware creates and executes the TibanneSocket.exe binary and searches for the files bitcoin.conf and wallet.dat – the latter is a critical data file for a Bitcoin crypto-currency user: if it is kept unencrypted and is stolen, cybercriminals will gain access to all Bitcoins the user has in his possession for that specific account. When the Trojan finds Bitcoin files it sends the content to a webserver. The Command and Control server, which used to be located in Bulgaria, appears to have been shut down and is now offline.
Malware creators often use social engineering tricks and hot discussion topics to spread malware, and this is a great example of an attack on a focused target audience. Source: Analysis of Malware from the MtGox leak archive - Securelist
sqli-labs series part 23 (bypassing addslashes - charset Mismatch) sqli-labs series part 21 (bypassing WAF -setting up TOMCAT) sqli-labs series part 22 (bypassing waf - Impedance Mismatch) sqli-labs series part 20 (bypassing blacklist filters part 3) sqli-labs series part 19 (bypassing blacklist filters part 2) sqli-labs series part 18 (bypassing blacklist filters part 1) sqli-labs series part 17 (second order injections) sqli-labs series part 16 (cookie based injections) sqli-labs series part 15 (injection in INSERT QUERY) sqli-labs series part 13 (POST parameter injection BLIND boolean and time based) sqli-labs series part 14 (POST parameter injection in UPDATE query) sqli-labs series part 12 (POST parameter injection Double Query based) sqli-labs series part 11 (POST parameter injection -error based) sqli-labs series part 10 (Dumping Database using outfile) sqli-labs series part 9 (Blind injections - Time based) sqli-labs series part 8 (Blind injections - Boolean based) sqli-labs series part 7 (Double Query Injection continued.....) sqli-labs series part 6 (Double Query Injection) sqli-labs series part 5 sqli-labs series part 4 Sqli-labs series part 3 sqli-labs series part 2 install-sqli-labs Playlist:
It appears that Marcel had visited a few porn sites, from which his computer picked up a computer virus. According to our sources, the virus displays a message purporting to come from the Police, in which you are informed in a very authoritative tone that you have broken the law and have been fined by the authorities. The same message tells you the huge sum you then have to pay and indicates the account into which you must immediately transfer the money. The virus displays a message purporting to come from the police, informing you that you have broken the law. That is precisely why he also wrote a farewell note, to clear things up. The man could not bear the thought that he had ruined his family, and in such a shameful way at that. He then thought that his youngest son would pay for his mistake for the rest of his life and, in a moment of confusion, chose murder followed by suicide. Marcel Datcu left a note for his wife: “What I did does not seem normal to me (…) I ask everyone for forgiveness (…) I received a notice that I have to pay 70,000 lei or serve 11 years in prison (…) I don't want Nicușor to be left behind to suffer after I'm gone (…) I can't bear to go to prison. I can't!” After picking up his youngest son from kindergarten, around midday, Marcel Datcu hanged himself from the living-room beam while holding the child in his arms, tied by the neck with a rope. In this way the father and the child died strangled. How the virus works: As soon as the computer starts, the screen is locked. If the system is located in one of the countries where one of the 25 predefined languages is spoken, the “Poliția Română” virus displays a message in the user's language. The message informs the user that the system has been locked following the detection of suspicious activity such as downloading material without paying copyright fees, or pornography. The message further states that the system could be unlocked by paying a ransom called a fine.
Sources: http://braila24.ro/primul-om-din-lume-care-s-a-sinucis-din-cauza-unui-virus-informatic-s-a-spanzurat-alaturi-de-baiatul-de-4-ani-galerie-foto-35967.html SHOCKING. He KILLED HIS CHILD and COMMITTED SUICIDE because of an internet VIRUS. What the killer “messages” look like - Justiție > EVZ.ro
Mt.Gox CEO's Web Accounts Hacked, Trading Information Leaked
Usr6 posted a topic in Stiri securitate (Security news)
Web accounts belonging to Mt.Gox CEO Mark Karpeles have been hacked over the alleged malleability theft of 744,408 bitcoins, according to the BBC. Some 716 MB of Mt.Gox’s transaction history were leaked. The hackers compromised Karpeles’s Reddit account and personal blog, posting the link to the leak. The attackers were motivated by the current status of Mt.Gox and its recent actions. “It’s time that MtGox got the Bitcoin community’s wrath instead of [the] Bitcoin community getting Goxed,” the hackers wrote in the data dump message. “The word `Goxed’ has been used to describe the sudden interruptions in trading MtGox imposed when it was going through technical problems before its final closure,” the article said. The leak contained sensitive information about Mt.Gox’s back-office admin service, entries from the business ledger and a spreadsheet of more than one million trades. After a close analysis of the leaked documents there is nothing that can prove whether they are genuine or not; the only sure thing is that almost all documents contain transactions from bitcoin users. In the light of recent events Mt.Gox filed for temporary bankruptcy protection in the US and it was granted by a judge from Dallas, Texas, while the bankruptcy process in Japan is ongoing. It’s been close to 5 weeks since Mt.Gox was taken offline after suffering a DDoS attack on February 7, and on April 1 it is scheduled to return to court to extend the US bankruptcy protection. Source: Mt.Gox CEO’s Web Accounts Hacked over Alleged Theft; Trading Information Leaked | HOTforSecurity
“Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile”.[2] Installation: 1. Download Mandiant Redline from https://www.mandiant.com/resources/download/redline 2. Double click on Redline-1.11.msi 3. Follow the steps, then click Close. Redline Usage: To analyze a memory image: 1. Select From a Saved Memory File under Analyze Data on the home screen 2. Click Browse under Location of Saved Memory Image (for this diary I will not use Indicators of Compromise) 3. Click Next then OK. Depending on the size of the image and the speed of your PC, Mandiant Redline will take time to process the memory image. 4. For this example I am going to choose “I am reviewing A Full Live Response or Memory Image”. Now our Image is ready for Review: From the left hand side you can choose which type of Data you would like to analyze; in this view it’s the “Processes”. Here you can find all the processes that were running on the system when the memory image was acquired. It shows the full details about the process such as the Process ID, Path, Arguments, User name, SID, etc. If you would like to view the ports that were open on the System while the image was acquired, click Ports under Processes on the Analysis Data window’s Host tab. [1] InfoSec Handlers Diary Blog - Acquiring Memory Images with Dumpit [2] https://www.mandiant.com/resources/download/redline Source: InfoSec Handlers Diary Blog - Introduction to Memory Analysis with Mandiant Redline
Introduction The year 2014 started with a diplomatic crisis in Crimea and Ukraine. The tension rose just after the 2014 Ukrainian revolution, in which the government of President Viktor Yanukovych was ousted after a popular revolt in Kiev. In the region there are groups opposed to the protest that desire the integration of Crimea with Russia, and these groups are opposed by others consisting of Crimean Tatars and ethnic Ukrainians who supported the revolution. The deposed president Yanukovych, during the days of revolution, covertly requested the intervention of the Russian military to stabilize the internal situation of Ukraine. On February 26th, the Russian government moved nearly 150,000 units along the Ukrainian border, officially for a military exercise. In the following days, pro-Russian armed soldiers without insignia seized numerous buildings in Crimea, including the parliament building, two airports, and structures belonging to Ukraine's principal telecommunication provider, interrupting services with the rest of Ukraine. The Ukrainian government accused Russia of interference in Ukraine’s internal affairs and invasion of the country, but Moscow denied these accusations. The Russian militia involved in the Peninsula of Crimea was also reinforced with other resources, including a couple of vessels of the Russian Black Sea Fleet, which violated Ukrainian waters. After the events precipitated on March 1, the Russian parliament approved President Vladimir Putin’s order to use military force in Ukraine. The Russian Cyber Strategy The tension between Russia and Crimea has a corresponding conflict in cyber space. Numerous attacks were registered on both sides during the revolution in Kiev, and the cyber offensives have escalated after the approval of the Russian parliament for military use in Crimea.
The decision of the Russian government has triggered a series of events in cyber space as state-sponsored cyber units, groups of hacktivists, and cyber criminals started their campaigns against the enemies. Ukraine’s mobile phone infrastructure is under attack, according to the declaration of Valentyn Nalivaichenko, the head of Ukraine’s SBU security service, during a press conference. The official stated that the country has been suffering a serious attack over the last few days. The attack against Ukraine’s mobile phone infrastructure originated in Crimea and is interfering with the phones of members of the parliament. “I confirm that an IP-telephonic attack is under way on mobile phones of members of Ukrainian parliament for the second day in a row,” declared Valentyn Nalivaichenko, according to the Reuters agency. Ukraine’s telecommunications system has come under attack. The attackers used equipment installed within Ukrtelecom networks in the Crimea region under the control of Russian forces. This circumstance has raised tension between the two countries, and although the majority of the Crimean population is pro-Russian, the sabotage is interpreted by the government of Kiev as an intolerable act of war. The equipment is blocking the phones of Nalivaichenko and his deputies. “At the entrance to (telecoms firm) Ukrtelecom in Crimea, illegally and in violation of all commercial contracts, was installed equipment that blocks my phone as well as the phones of other deputies, regardless of their political affiliation … The security services are now seeking to restore at least the security of communications,” according to the security chief. “All state information security systems were unprepared for such a brazen violation of the law,” Nalivaichenko said. The attack is not isolated. Internet connections within the peninsula of Crimea have been severely hampered.
As-yet-unidentified militias have seized the offices of telecommunications service provider Ukrtelecom, cutting phone and Internet cables. Militias also set up roadblocks to isolate Crimea from the rest of the Ukraine. Both military operations appear to be part of a strategy to isolate the region in case of attack. Security experts believe that the mission for the Russian military is to isolate the region, and probably for this reason Russian naval vessels were placed in the port at Sevastopol: the units are carrying jamming equipment to block radio communications. Ukrainian naval communications stations around the area of Sevastopol and power lines have already been sabotaged. The Crimean peninsula is suffering numerous denial of service attacks, and Ukrainian telecom provider Ukrtelecom JSC reported that “unknown individuals seized several Crimean communications facilities” last week and that communications between the peninsula and the rest of Ukraine have been degraded as a result of “unknown actions [that] physically damaged fiber optic trunk cable.” Other disconcerting news reports that all communication services in Crimea have been shut off, including Internet and mobile. The attacks have taken place also on the Web, as numerous websites were already attacked. Two government websites in Crimea were shut down, but it is not clear if they were brought down by foreign hackers or by the officials of the local government themselves. Other media sources report that the Crimean Peninsula’s landline, Internet, and mobile services have been almost entirely shut off. Military experts have no doubt that this is the prelude to a kinetic operation. In particular, Russia adopted the same strategy in 2008 when it isolated Georgia by taking control of government websites and interfering with Internet activities in the country, which was without its own Internet exchange point (IXP) and was reliant on foreign governments, including Russia, for nearly 70% of its Internet exchange capacity.
The Ukraine seems to have just one Internet exchange point located in Crimea, so it’s quite easy for Russian cyber units to isolate the region. “Ukraine has a strong and diverse Internet frontier … The roads and railways of Ukraine are densely threaded with tens of thousands of miles of fiberoptic cable, connecting their neighbors to the south and east (including Russia) with European Internet markets. The country has a well-developed set of at least eight regional Internet exchanges, as well as direct connections over diverse physical paths to the major Western European exchanges. At this level of maturity, our model predicts that the chances of a successful single-event Internet shutdown are extremely low,” revealed a recent analysis by intelligence company Renesys, which monitors Internet service around the world. Two Crimean government web portals also went offline, but the cause is still unclear. The attacks also hit Russian entities. The most famous victim is the Russian news agency, Russia Today. Its website was defaced by unknown hackers. In an information warfare context, the principal targets are critical infrastructures of a country. We must consider that the Russian government dedicates huge investments to improving cyber capabilities and it is possible that in case of an imminent kinetic attack, the government of Moscow will also use cyber weapons to destabilize defensive structures in the area. Uroburos and the Snake Platform Recently, researchers at German G Data published an interesting analysis of the Uroburos rootkit, alleged to be a component of the Russian cyber weapons program. Uroburos is considered an advanced rootkit that has been active since as far back as 2011. It is used to infect networks belonging to high-level targets, stealing data after setting up rogue P2P networks. It targets both 32-bit and 64-bit Microsoft Windows systems.
German security firm G Data has conducted an interesting study on the malware trying to discover its authors, and its conclusion is that Uroburos is certainly of Russian origin. What is Uroburos? “Uroburos is a rootkit, composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discrete and very difficult to identify,” reported the G Data analysis. The Uroburos rootkit presents all the characteristics of a sophisticated design proper for a state-sponsored campaign. It has an unusual complexity, and the modular structure of the malware was certainly designed in Russia, based on the references left by the authors in its source code. The peculiarity of the malware is that it checks for the presence of the USB stick-loving Agent.btz (‘Buckshot Yankee‘) on the victims’ computer, a worm that successfully infected US military networks in 2008. If Uroburos finds the Agent.btz worm, it does not activate. “The malicious software, or malware, caught a ride on an everyday thumb drive that allowed it to enter the secret system and begin looking for documents to steal. Then it spread by copying itself onto other thumb drives. Pentagon officials consider the incident, discovered in October 2008, to be the most serious breach of the U.S. military’s classified computer systems.” According to experts at G Data, Uroburos is considered a framework resulting from intelligence activity. It has surely required a huge investment, and it is likely that the malware developers involved in the project are still working on it.
“By commanding one infected machine that has Internet connection, the malware is able to infect further machines within the network, even the ones without Internet connection. It can spy on each and every infected machine and manages to send the exfiltrated information back to the attackers, by relaying this exfiltrated data through infected machines to one machine with an Internet connection.” The Uroburos rootkit was designed to infect the networks of huge organizations, even if they have air-gapped sub-networks. Similar agents are privileged weapons to hit a critical infrastructure in case of attack. The Russian government is known to have invested a lot in the development of cyber weapons and in improving the cyber capabilities of its militias. Just a few days after the disclosure of the Uroburos rootkit, the BAE Systems Applied Intelligence firm disclosed a Russian cyber espionage campaign codenamed SNAKE that remained undetected for a long time, at least eight years. The attackers behind operation SNAKE penetrated highly secured Windows systems all around the world, but the most interesting revelation is that the recently discovered Uroburos rootkit was just one component of the overall SNAKE campaign. “The cyber-espionage operation behind the Snake rootkit is well established, a sample compiled in January 2006 indicates that the activity would have begun in at least 2005. It is also sophisticated, using complex techniques for evading host defences and providing the attackers covert communication channels. Toolmarks left behind by the authors ‘vlad‘ & ‘gilg‘, leave tantalizing clues as to the personas behind this,” states the report. The disclosure of the SNAKE campaign confirms the hypothesis made by researchers at G Data. The security community was facing a large-scale campaign organized by Russian entities, and the complexity of the agent suggests the involvement of the Russian government.
Within the SNAKE campaign the attackers used numerous pieces of malware. Western intelligence officers have found another spyware, dubbed Turla, used to infect government networks all over the world. The following image demonstrates that Ukrainian entities are the most impacted by the diffusion of the malware. Researchers linked the malware Turla to the popular cyber espionage campaign Red October, discovered by Kaspersky more than one year ago. “It is sophisticated malware that’s linked to other Russian exploits, uses encryption and targets western governments. It has Russian paw prints all over it,” said Jim Lewis, a former U.S. foreign service officer. The SNAKE campaign adopted sophisticated techniques to infect Windows systems. Bypassing security defenses, it has the ability to hide in the victim’s web traffic. “Hiding a few DNS/HTTP requests among busy network traffic allows the Snake rootkit to stay unnoticed.” The presence of a reconnaissance component in the Snake framework suggests the existence of an arsenal of infiltration tools. “As demonstrated, the backdoor commands allow Snake to provide remote attackers with full remote access to the compromised system. Its ability to hibernate, staying fully inactive for a number of days, makes its detection during that time very difficult.” Last summer the Russian government announced the creation of a dedicated branch for information warfare. Belonging to the Russian Armed Forces, its purpose is to improve the cyber capabilities of the country, exactly as many other governments are doing. Official military sources revealed that the agency’s budget for 2013 was 2.3 billion rubles ($70 million).
“Cyber space is becoming our priority…the decision to create a cyber-security command and a new branch of the armed forces has already been made … We are working on the overall concept of the program to be developed in this area … We have reviewed 700 innovative projects so far,” declared Andrei Grigoryev, the head of the recently created Foundation for Advanced Military Research, in an interview with Echo Moskvy radio. Andrei Grigoryev, head of the Foundation for Advanced Military Research, announced that the new unit will be composed of three main areas of military: R&D, futuristic weaponry and soldier gear, and Cyber warfare. A Look to the Past, to Understand the Present and Predict the Future The offensives occurred in these days have many similarities with the attacks that anticipated the invasion of Georgia in 2008. Also in that case, Russian militias engaged in information warfare against the enemies to prepare for a kinetic attack. Georgia and security experts accused Russian state-sponsored hackers of breaking into Georgian government and principal commercial websites as part of an information warfare campaign to supplement Russia’s military operations in South Ossetia. The principal government websites were hacked and shut down, including Georgian President Mikheil Saakashvili’s official website, as well as the websites of the Ministry of Foreign Affairs, the Ministry of Defence, the central government site, and various commercial sites, which have all been forced offline over the past week. The hackers of the group of “South Ossetia Hack Crew” defaced The Georgian Parliament website with images comparing Saakashvili to Adolf Hitler. The cyber expert Jart Armin, the most skilled researcher on the story of a group of Russian cyber criminals, linked the attacks on the Georgian government to the operation of the Russian Business Network (RBN), demonstrating a link with Russian authorities. 
Armin discovered that Georgian Internet servers were controlled by foreign attackers and Internet traffic was totally hijacked to servers in Moscow. Security experts claim Georgia’s websites suffered powerful “denial-of-service” attacks, which knock targets offline. The attacks not only hit government websites. The Russian strategy also targeted any communication channel, even the principal Georgian hacking forum, avoiding the fact that Georgian hackers were able to organize a structured reply. One of Georgia’s most popular hacking forums was down for over 24 hours and was under a permanent DDoS attack. Another singularity of the attacks against Georgia was the availability within the principal Russian hacking forum of a public list of email addresses belonging to Georgian politicians. The hackers arranged a massive spamming campaign and abused the list to conduct spear phishing attacks against the politicians. Security experts and military strategists believe that the list was spread by the Russian military to incite hackers to coordinate a series of attacks against the government. The Rule of Hacktivism Crimea is the battlefield between Ukraine and Russia, but as usual it happens that the dispute also has repercussions in cyber space where the governments are increasing their covert operations. The disputes in cyberspace may involve also third-party actors like hacktivists or cyber mercenaries, or in the worst scenario, other governments interested in fomenting the conflict. We cannot ignore also the possibility to conduct PSYOPs by foreign governments interested in destabilizing the area or the global diplomatic scenario. Foreign actors could spread propaganda messages over the principal forums and social networks, influencing the strategy of group of hacktivists and the sentiment of the population. 
Many Russian and Ukrainian URLs have already been attacked as part of the #OpUkraine and #OpRussia campaigns, launched as usual on principal social networks like VK, Odnoklassniki and Facebook. Ukrainian activists are starting a hacking campaign against Russian websites. The Ukranian site Bimba, which calls itself the “cyber weapon of the Maidan revolution,” is sustaining an online recruiting campaign for cyber volunteers wishing to participate in attacks against Russia. “The VK group #???????????? // #OpUkraine, identified with Anonymous, uploaded a paste to the pastebin.com site, containing an anti-Russian message and a link to a download of an internal SQL data from Crownservice.ru (publishes tenders for governmental jobs), in a file called Putin Smack Down Saturday,” states an interesting post published on SenseCy blog. If we analyze the hacktivism phenomena, we can clearly distinguish that almost all operations are conducted to sustain the Ukrainian population. Groups like Anonymous have chooses the side to support, and a series of clamorous attacks hit Russian entities. Russia Today, Russian principal news channel website (RT.com) has been hacked and defaced by an unknown group of hackers. The media agency confirmed the attack with a Tweet from its official account: “RT website has been hacked, we are working to resolve the problem” The hackers have replaced the words “Russia” and “Russians” with “Nazi” or “Nazis”. The defacement is visible in the following image. The modifications to the Russia Today website were visible for nearly 30 minutes. One of the changed headlines stated: “Nazi nationalist leader call on ‘most wanted’” Though it is still unclear who is behind the attackes, recently the popular collective Anonymous invited its followers to join in the hacking operation dubbed #OpRussia in support of the Ukrainian protesters. Under the #OpRussia campaign the group of hacktivists has hacked hundreds of Russian websites. 
The attack on the pro-Kremlin news organization is successive to the approval for the use of military force in Ukraine’s Crimea by Russian parliament. Another important attack was conducted by a group of hackers called the Russian Cyber Command, which leaked around 1,000 documents allegedly stolen from Russian Defense Export Company Rosoboronexport.The hacktivists expressed their dissent to Putin’s strategy with a message next to a link pointing to the leaked files: “Taken into consideration recent Russian Government delusional attempts to start WWIII, we – Free from Putin – people of Russian Federation – Free computer renegades and outlaws from IT Security – have decided to initiate a true domestic CyberWar on Russian Military Enterprises and eventually we shall deliver critical infrastructure companies on which Russian Putin’s Empire stands on.” The hackers have stolen the files from the systems of India’s embassy in Moscow. Once inside the embassy’s networks, they sent a spear phishing mail to the CEO of Rosoboronexport. According the hackers’ message, it is just the first of a long series data breach against Russian companies. “Same way we have infected SUKHOI, OBORONPROM, GAZFLOT, RUSAL and VELES CAPITAL and many others, but we shall deliver them right after this very first leak,” the hackers said. At the time of this writing, a group of Ukrainian hacktivists known as Cyber-Berkut published a list of 40 websites that it had hacked, and it includes the state-funded broadcaster Russia Today. A post on the page of the group on a popular social network reports the following message: “Today, the “KiberBerkut” countdown begins. Traitors of Ukraine who have transgressed the laws of our homeland, you have nine days to voluntarily surrender to the prosecuting authorities or the Kharkov Simferopol.” The post remarks that Russian “imposters” “have no right” to control Ukraine and must surrender to Ukraine. Conclusions What to expect in the future? It’s difficult to say. 
While diplomacy will continue to work, deep in cyber space the attacks will increase. It is premature to define the tensions in cyber space as a cyber war between Russia and Ukraine. On one side hackers who are pro-Ukraine will intensify their activities against Russian entities, while Russian cyber units and patriotic hackers will increase their offensives against Ukrainian opposites. I made a rapid tour on principal social media, andf I noted that on both sides there has started a misinformation campaign. On the one hand, Putin’s supporters are publishing disconcerting stories and images about atrocities committed by Ukrainian forces in Crimea, and on the other side of Putin it is possible to read everything. I desire to close this article by evaluating the position of the Chinese Government on the Crimean crisis. To do so, I contacted a professional that I consider the greatest expert of Chinese Cyber Warfare, Lieutenant Colonel – US Marine Corps Retired & Chairman Cyber Defence and Network Security, Bill Hagestad II. Pierluigi: Bill Based on your experience which is the position of China on the events? Is China interested in the dispute and why (supremacy, energy, weapons)? Bill Hagestad II:Yes! Of course! The People’s Republic of China is very interested in what is happening in both the Ukraine, geo-strategic energy issues and Crimea, geo-political focused attention. Pierluigi:Do you think that Chinese cyber units could interfere with actual cyber conflict between Ukraine and Russia? If yes, how and why? Bill Hagestad II: No, the Chinese will not ‘interfere’ unless asked to aid the Russians in terms of providing a Mandarin-based rootkit or other form of malware which the Ukrainian info-security technical appliances and teams will not be able to detect using Cyrillic language based IDS & IPS solution – essentially the ultimate Zero Day exploit. 
With the escalation of tensions in Crimea, the number of cyber attacks will sensibly increase, and there is the concrete risk that other critical infrastructure in the country will be impacted. Sursa:Crimea – The Russian Cyber Strategy to Hit Ukraine - InfoSec Institute Pentru cei care cauta sample-uri Uroburos/Turla/Snake, am postat aici: https://rstforums.com/forum/82531-sample-uri-uroburos-turla-snake.rst
-
The files below are harmful to your PC; download them only for analysis.

Uroburos aka Win32/Win64 Turla | Big Dropper's payloads (2013): hppts://t.co/w140OnX2XW hppts://t.co/4aVyhPwjnw
Uroburos aka Win32/Win64 Turla | Additional components: hppts://t.co/ylGqNinJfA
Uroburos aka Win32/Win64 Turla 2006: hppts://t.co/hx6E2zhPTh 2009/2010: hppts://t.co/4NnxLDz0Wm 2013: hppts://t.co/tTXiFjvVi1
pass: infected

Source: https://twitter.com/malwarechannel
-
Contents:
1. NtGlobalFlag
2. Heap flags
3. The Heap
4. Thread Local Storage
5. Anti-Step-Over
6. Hardware
 A. Hardware breakpoints
 B. Instruction Counting
 C. Interrupt 3
 D. Interrupt 0x2d
 E. Interrupt 0x41
 F. MOV SS
7. APIs
 A. Heap functions
 B. Handles
  i. OpenProcess
  ii. CloseHandle
  iii. CreateFile
  iv. LoadLibrary
  v. ReadFile
 C. Execution Timing
 D. Process-level
  i. CheckRemoteDebuggerPresent
  ii. Parent Process
  iii. CreateToolhelp32Snapshot
  iv. DbgBreakPoint
  v. DbgPrint
  vi. DbgSetDebugFilterState
  vii. IsDebuggerPresent
  viii. NtQueryInformationProcess
  ix. OutputDebugString
  x. RtlQueryProcessHeapInformation
  xi. NtQueryVirtualMemory
  xii. RtlQueryProcessDebugInformation
  xiii. SwitchToThread
  xiv. Toolhelp32ReadProcessMemory
  xv. UnhandledExceptionFilter
  xvi. VirtualProtect
 E. System-level
  i. FindWindow
  ii. NtQueryObject
  iii. NtQuerySystemInformation
  iv. Selectors
 F. User-interface
  i. BlockInput
  ii. FLD
  iii. NtSetInformationThread
  iv. SuspendThread
  v. SwitchDesktop
 G. Uncontrolled execution
  i. CreateProcess
  ii. CreateThread
  iii. DebugActiveProcess
  iv. Enum...
  v. GenerateConsoleCtrlEvent
  vi. NtSetInformationProcess
  vii. NtSetLdtEntries
  viii. QueueUserAPC
  ix. RaiseException
  x. RtlProcessFlsData
  xi. WriteProcessMemory
  xii. Intentional exceptions
 H. Conclusion

Download: http://pferrie.host22.com/papers/antidebug.pdf

Author: Peter Ferrie (Principal Software Development Engineer, Microsoft Corporation; virus researcher, reverse-engineer and software preservationist)
-
-
-
Get a free license for Steganos Online Shield for 1 year (5 GB of bandwidth per month for free). The VPN service protects your personal data using an encrypted Internet connection. https://www.steganos.com/specials/?m=chip0414&p=sos

Source
-
G Data Security experts have analyzed a very complex and sophisticated piece of malware, designed to steal confidential data. G Data refers to it as Uroburos, in correspondence with a string found in the malware's code and following an ancient symbol depicting a serpent or dragon eating its own tail.

What is Uroburos?

Uroburos is a rootkit, composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos' driver part is extremely complex and is designed to be very discreet and very difficult to identify.

Technical complexity suggests connections to intelligence agencies

The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.

Uroburos is designed to work in peer-to-peer mode, meaning that infected machines communicate among each other, commanded by the remote attackers. By commanding one infected machine that has Internet connection, the malware is able to infect further machines within the network, even the ones without Internet connection. It can spy on each and every infected machine and manages to send the exfiltrated information back to the attackers, by relaying this exfiltrated data through infected machines to one machine with Internet connection. This malware behavior is typical for propagation in networks of huge companies or public authorities. The attackers expect that their target does have computers cut off from the Internet and uses this technique as a kind of workaround to achieve their goal.

Uroburos supports 32-bit and 64-bit Microsoft Windows systems. Due to the complexity of this malware and the supposed spying techniques used by it, we assume that this rootkit targets governments, research institutes, and/or big companies.

Relation to Russian attack against U.S. suspected

Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ. Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ. According to all indications we gathered from the malware analyses and the research, we are sure of the fact that attacks carried out with Uroburos are not targeting John Doe but high profile enterprises, nation states, intelligence agencies and similar targets.

Probably undiscovered for at least three years

The Uroburos rootkit is one of the most advanced rootkits we have ever analyzed in this environment. The oldest driver we identified was compiled in 2011, which means that the campaign remained undiscovered for at least three years.

Infection vector still unknown

At the current stage of the investigations it is unknown how Uroburos initially infiltrates high profile networks. Many infection vectors are conceivable, e.g. spear phishing, drive-by-infections, USB sticks, or social engineering attacks.

Download the technical analysis of the Uroburos malware here: https://www.gdata.de/rdk/dl-en-rp-Uroburos

Source: http://blog.gdatasoftware.com/blog/article/uroburos-highly-complex-espionage-software-with-russian-roots.html
-
A new, free Google Chrome browser extension called Streak lets email senders using Google accounts see when recipients open email. And, oh my, it also lets senders see who, exactly, opened the email, and where the recipient is located. The extension, part of a customer relationship management (CRM) system that includes tools for sales, support and hiring, places email recipients on a map, with big red dots indicating their locations. It also gives users real-time location updates. Streak is a bit creepy. But it's not, of course, "changing the email game", as has been somewhat breathlessly claimed. Streak may well be in the business of giving marketers the ability to eyeball our whereabouts and our email-opening schedules, but it certainly didn't invent email tracking - not by a long shot.

Full article: How emails can be used to track your location and how to stop it | Naked Security
-
Wolfram Language is a multi-paradigm programming language that tries to be as general as possible (closer to natural language); it is developed by Wolfram Research and is the main language that Mathematica interacts with. It is developed and coordinated by Stephen Wolfram with the goal of creating a programming language that is as general as possible, embracing symbolic computation, functional programming and logic programming, and allowing the representation of arbitrary data structures.

Wolfram Language

Three months ago, Stephen Wolfram showed part of the functionality that Wolfram Language will have, a programming language he has been working on for over 30 years. “You know, I’ve been working towards what is now the Wolfram Language for about 30 years,” Wolfram says in the video. “But it’s only in recent times that we’ve had what we need to create the whole Wolfram Language.”

Two days ago, he published on YouTube a video that explains in more detail what the new programming language can do, as well as the intuitive way in which it works. Wolfram Language seems to have answers to almost everything, with over 5,000 functions already built into the language, letting you create interfaces, graphics and many other things.

“The knowledge graph is a vastly less ambitious project than what we’ve been doing at Wolfram Alpha. Making the world computable is a much higher bar than being able to generate Wikipedia-style information … a very different thing. What we’ve tried to do is insanely more ambitious.”

Stephen Wolfram – “Computing a theory of everything” at TED 2010

In 2010 he gave an extremely interesting 20-minute talk at TED about his career and about what the technologies he has worked on all this time can do.

Why could Wolfram Language change the way we program?

However crazy Stephen Wolfram may seem, over the course of his career he has managed to develop a programming language that seems to answer human questions, solve complex mathematical problems, integrate the most complicated computational problems and relate to all information in a way that I find unique. Wolfram Language could be “the next hit” because it changes the way we develop applications that interact with Big Data. If today a newcomer to IT learns the basics of programming languages, then wants to progress by replicating (or, as we like to say, reinventing the wheel) and only afterwards moves on to innovation, Wolfram Language could get them past the replication step and throw them straight into innovation. “In short, I have data about everything, I can interpret it, what do I do with it?”

Source: https://www.worldit.info/articole/de-ce-wolfram-language-ar-putea-fi-unul-din-limbajele-de-programare-ce-va-schimba-lumea/
-
Tilon/SpyEye2 intelligence report
Usr6 replied to Usr6's topic in Reverse engineering & exploit development
@NO-MERCY Kani Video tutorials newbies: Download Kani Video.tutorials.newbies(OllyDbg).rar from Sendspace.com - send big files the easy way Android reversing books: don't have -
Tilon, son of Silon, or… SpyEye2 evolution of SpyEye?

The malware family commonly known as Tilon has been around for several years now. While several public analysis reports have described the malware, no one has thus far linked it with the well-known SpyEye malware family. In light of the recent news of the guilty plea of SpyEye distributor Gribodemon we revisit the Tilon malware family. We give a detailed analysis of similarities to SpyEye and also place Tilon and SpyEye into a wider context of the digital underground.

The original name Tilon was chosen due to the similarities with Silon. This was merely true for the outer layer of the malware, the so called loader. A better name probably was SpyEye2, as the functional part of the malware is sourced from SpyEye. The team behind its creation was similar, however reinforced with at least one better skilled programmer. The decline in Tilon/SpyEye2 activity after the arrest of Gribodemon was evident, the development however continued and the fraudulent activities did not stop.

Finally after nearly a year of declining usage, it seems we might have come to the real end of the SpyEye era, or will the team behind SpyEye2 continue and start working on getting new customers?

Read all the details in this intelligence report: http://foxitsecurity.files.wordpress.com/2014/02/spyeye2_tilon_20140225.pdf

Source: Tilon/SpyEye2 intelligence report | Fox-IT International blog
-
otp
"For me to decrypt such a code, I need access to the key and to the cipher; that is exactly why it can't be used in practice."
That is precisely why cryptography is used: if you could access a message without the key and the cipher, it would mean it is plain text :))
"You would have no way to keep the key safe."
Yes, because the key must be unique and at least as long as the message; if you can transmit a key of length x securely, then you can also send the message securely, so you don't need to encrypt the message.

3des: I don't think you understood the question. I was asking why you have to use 3 different keys, key1 != key2 != key3, and not the same key 3 times, key1 = key2 = key3, since len(k1+k2+k3) = len(k1+k1+k1) = 168.

About that number: YES, it is a prime number.
"If the number divided by 2 gives a whole number, then it is not prime. Since our number ends in 1, the result will have a decimal part, so it is prime."
21/2 = 10.5, it has a decimal part, but 21 is not prime.

All the questions were from the course. When you have some free time, browse through it again.
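Added example for the two points in the reply above (not code from the post, constructed for this thread): a Python script that shows why a one-time pad key has to be as long as the message and used exactly once (reusing the pad leaks the XOR of the two plaintexts, and knowing one of them gives you the other), plus a Miller-Rabin test, since "ends in 1" says nothing about primality. The sample messages and the fixed pad in the test are constructed; the prime test uses fixed bases, which is deterministic for numbers below about 3.3e24 and strong probabilistic evidence above that (so it can be run on the big number from the question, but that result is not asserted here).

```python
"""One-time pad properties and a Miller-Rabin primality check.

Added illustration for this thread, not the course's or the poster's code.
"""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Encrypt with a one-time pad; the pad must be at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("one-time pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG. It is as long as the message, which is
    exactly the key-distribution problem the reply describes."""
    return os.urandom(length)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts made with the same pad: c1 ^ c2 == p1 ^ p2, the pad cancels."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one plaintext known (a crib), the other falls out of the leak."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_p1)


# First 13 primes as bases: deterministic below 3.3e24, strong evidence above.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with fixed bases."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    # write n - 1 = 2**s * d with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a is a witness: n is composite
    return True


if __name__ == "__main__":
    p1 = b"ATTACK AT DAWN"  # constructed sample messages, same length
    p2 = b"RETREAT NOW!!!"
    pad = new_pad(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)  # pad reused: the mistake
    print("recovered from reuse:", recover_other_plaintext(c1, c2, p1))
    print("21 prime?", is_probable_prime(21), "| 2**61-1 prime?", is_probable_prime(2**61 - 1))
```

Run it and the second message comes back in clear from the two ciphertexts and the first message alone; a fresh pad per message (new_pad) is what removes that, and that pad is as long as the data you wanted to protect in the first place.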
-
If OTP (One Time Pad) is so secure, why is it not used in practice by anyone?
Why does the 3DES algorithm require 3 different keys?
Is the number below a prime number? Justify your answer.
162778675242098655165378531485029218839543715218913672761641612792459453034694351962598272866586723219272491504312649120075978140685921274108558408988121394616541477502866128536709799499732615052956955477637354465869036660461840242858143856897056746707273821334824310901701410160913168913111019611637560513792218569385270025325082678728122668574137860002599688442075911231143623002669047312076153948025512086637266317829856065017068435974194536175795498704881509873763420148737144961281397106299936665982521758110408474768274660316806747806427480905451720383437994226373815819725252598037976249963029797845281288773667146078695825605988597487898421815057588706815027573892033251075467395598620520258701566410431596156636040821272536371507390390739298492875171013814940731143080069423244247933481257872716638569200918883114963130907827981977818135836102822361987175348284286902032534671266989660114371555532668988881013645916264933251997858211716273350465750755979986419190464624259575460111508680531