Usr6

Am adunat cateva bucati de cod din wiki-ul pefile (UsageExamples - pefile - Usage examples of pefile - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting, PEiDSignatures - pefile - Using PEiD signatures - pefile is a Python module to read and work with PE (Portable Executable) files - Google Project Hosting) intr-un script, astfel incat la executia lui sa apara un output gen: Size: 541927bytes MD5: c8260d9531fef36ce1a0369cdb08c39b OEP: 0x48ef89 Packed: True PEiD Signature: [['UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']] Sections: UPX0 0x1000 0x413000 0 UPX1 0x414000 0x7c000 506880 .rsrc 0x490000 0x6000 24064 Imported: KERNEL32.DLL 0x895b74 LoadLibraryA 0x895b78 GetProcAddress 0x895b7c VirtualProtect 0x895b80 VirtualAlloc 0x895b84 VirtualFree 0x895b88 ExitProcess user32.dll 0x895b90 MessageBoxA DB-ul cu semnaturi PEiD poate fi descarcat de aici: https://code.google.com/p/reverse-engineering-scripts/downloads/detail?name=UserDB.TXT , fisierul "UserDB.TXT" trebuie sa fie in acelasi director cu scriptul python. E de la sine inteles ca pentru a putea fi utilizat este necesar sa aveti instalat pefile utilizare: python RST-PEiD.py PEfile Codul sursa: import sys import os import hashlib import re import pefile import peutils try: signatures = peutils.SignatureDatabase('UserDB.TXT') except: print "Lipseste fisierul cu semnaturi: UserDB.TXT" sys.exit() if len(sys.argv) != 2: print """\tRST PEiD file info:\n Utilizare: python Script.py executabil""" sys.exit() else: pe = pefile.PE(sys.argv[1]) def hashfile(afile, blocksize=65536): handle = open(afile, "rb") temp = hashlib.md5() while True: data = handle.read(blocksize) if not data: break temp.update(data) return temp.hexdigest() print str(sys.argv[1]) print "Size: " + str(os.path.getsize(sys.argv[1])) + "bytes" print "MD5: " + hashfile(sys.argv[1]) print "OEP: " + str(hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)) print "Packed(Entropy): " + str(peutils.is_probably_packed(pe)) matches = signatures.match_all(pe, ep_only = True) print "PEiD Signature: " + str(matches) print "Sections: " for section in pe.sections: print "\t", section.Name.strip("\x00"), hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData print "Imported: " pe.parse_data_directories() for entry in pe.DIRECTORY_ENTRY_IMPORT: print "\t", entry.dll for imp in entry.imports: print '\t\t', hex(imp.address), imp.name #print "Exported: " #for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: # print "\t", hex(pe.OPTIONAL_HEADER.ImageBase + exp.address), exp.name, exp.ordinal Daca se plictiseste cineva, poate sa-i adauge si verificarea/extragerea semnaturii digitale

Aten?ia autorit??ilor americane se îndreapt? spre România în investiga?ia declan?at? dup? accesarea ilegal? a datelor bancare a aproximativ 110 milioane de clien?i ai re?elei de hypermarketuri Target, scrie ziarul USA Today, în edi?ia online. Hotii au accesat sistemul caselor de marcat ale re?elei americane de hypermarketuri Target, cu ocazia Zilei Recuno?tin?ei, furând datele cardurilor a 110 de milioane de clien?i, au stabilit autorit??ile americane. Target a confirmat c? o grupare infrac?ional? a accesat informa?iile clien?ilor pe 27 noiembrie, cu o zi înainte de Ziua Recuno?tin?ei, în cea mai intens? perioad? de cump?r?turi a anului. Hotii au men?inut accesul la datele bancare pân? pe 15 decembrie. Ini?ial, s-a crezut c? au fost compromise datele bancare a aproximativ 40 de milioane de clien?i, dar, treptat, cifra a ajuns la 110 milioane de persoane. Agen?ia Reuters a relatat c? ?i grupul de retail Neiman Marcus a fost victima unor atacuri pentru sustragerea datelor clien?ilor. "Firmele de securitate informatic? cred c? furturile au originea în Europa de Est, unde România a fost un punct esen?ial spre care s-a îndreptat aten?ia anchetatorilor în cazuri de fraude electronice în ultimii ani", noteaz? USA Today într-un articol cu titlul "Aten?ia se îndreapt? asupra României dup? furturile de date din SUA". Fraudele vizeaz? americani care ofer? date financiare ?i personale unor persoane despre care cred c? sunt vânz?tori legitimi ai unor produse. Printre metodele cele mai utilizate se num?r? vânzarea unor autoturisme sau computere fictive sau "skimming-ul" - ob?inerea codurilor personale de identificare utilizate pentru accesarea conturilor bancare, explic? USA Today, avertizând c? problemele de securitate care au vizat re?eaua de hypermarketuri Target de s?rb?tori ar putea fi doar începutul seriei de fraude care ar viza industria de retail din Statele Unite. sursa: Hackeri români, suspec?i într-un caz de furt de date a 110 milioane americani - Mediafax Articolul a fost editat putin

Following are tutorials on different operating system concepts. Few of these tutorials are written by me, few are either gathered from various magazines/news papers or have been obtained from various Internet sources. The copyright of these tutorials belongs to their orginal publisher as the case may be. You can submit a tutorial on operating system. Your tutorial will be published here with your credentials. Submit your tutorial by sending it with an email to us. Booting Process The process and functions that a computer goes through when it first starts up, ending in the proper loading of the Operating System and preparing it to receive commands. Writing Hello World Bootloader Tutorial about creating a bootloader from scratch. Step by step tutorial with assembly code. Writing the bootloader to the floppy disk and booting the machine from this disk. Programming Floppy Disk Controller This tutorial describes the registers used to interface with the fdc controller, and the commands which it recognises. The Floppy Controller on a PC uses a standard configuration. On the XT there are 3 ports available for control and data access registers. On the AT, there are 4, and on the PS/2 there are 6. Real mode Real mode, also called real address mode, is an operating mode of 80286 and later x86-compatible CPUs. Real mode is characterized by a 20 bit segmented memory address space (meaning that a maximum of 1 MB of memory can be addressed), direct software access to BIOS routines and peripheral hardware, and no concept of memory protection or multitasking at the hardware level. Protected mode Protected mode on the 386 offers the programmer better protection and more memory than on the 286. The purpose of protected mode is not to protect your program. Learn about the difference between real mode and protected mode. How to enter into the protected mode. CHS to LBA Translation CHS translation is needed only for disk drives between 528MB and 8GB. Below 528MB CHS addresses do not require translation. Above 8GB CHS addressing is not supported by ATA hard disk drives or by system BIOS software. Most systems are finally making the switch to using LBA addressing on all capacity drives. FAT File System An introductory tutorial about DOS FAT File System. It explains the structure of Absolute Sector of the FAT, the addressing of logical sector. Read More.. Global Descriptor Table (GDT) The Global Descriptor Table (GDT) defines base access privileges for certain parts of memory. We can use an entry in the GDT to generate segment violation exceptions that give the kernel an opportunity to end a process that is doing something it shouldn't. Most modern operating systems use a mode of memory called "Paging" to do this: It is alot more versatile and allows for higher flexibility. Interrupt Descriptor Table (IDT) The Interrupt Descriptor Table, or IDT, is used in order to show the processor what Interrupt Service Routine (ISR) to call to handle either an exception or an 'int' opcode (in assembly). IDT entries are also called by Interrupt Requests whenever a device has completed a request and needs to be serviced. Segmentation Segmentation is a Memory Management technique in which memory is divided into variable sized chunks which can be allocated to processes. Each chunk is called a segment. A table stores the information about all such segments and is called Global Descriptor Table (GDT). A GDT entry is called Global Descriptor. Paging Paging is another memory management technique which widely uses virtual memory concept. When paging is used, the processor divides the linear address space into fixed-size pages (of 4KBytes, 2 MBytes, or 4 MBytes in length) that can be mapped into physical memory and/or disk storage. When a program (or task) references a logical address in memory, the processor translates the address into a linear address and then uses its paging mechanism to translate the linear address into a corresponding physical address. Partition Table This is the tutorial about partition table. In this tutorial we will learn how the hard disk is divided into partitions. What are the primary partitions and what is the master boot record. We will also see the structure of the master boot record and the entry of each partition in MBR. Graphical User Interface Graphical user interfaces (GUIs) have become the user interface of choice. Yet despite the GUI's popularity, surprisingly few programs exhibit good interface design. Moreover, finding information explaining what constitutes a good and intuitive interface is exceedingly difficult. In this article, I describe the basic rules for all good interfaces -the cardinal dos and don'ts. OS Glossary Different terms related to operating system. GDT, LDT, CHS, LBA etc. Makefile Tutorial Write a makefile. Tutorial to make a makefile. Make is one of the original Unix tools for Software Engineering.By S.I. Feldman of AT&T Bell Labs circa 1975.

da, ceva de genul "extragerea key-urilor" si dupa utilizarea lor pentru a construi un removal tool

Scriptul de mai jos "sare" in alt director -ales aleator- de fiecare data cand este executat Am fost in: C:\BugsBunny.py Acum sunt in: C:\WINDOWS Am fost in: C:\WINDOWS\BugsBunny.py Acum sunt in: C:\Documents and Settings\LocalService\Local Settings\Temp .. #Python 2.7 import random import sys import os import shutil file_name = sys.argv[0] print "Am fost in:", file_name random_dir = random.randint(1, 10000) i = 0 for root, subfolders, files in os.walk("C:\\"): for folder in subfolders: i += 1 if i == random_dir: dir_path = os.path.join(root, folder) shutil.move(file_name, dir_path) print "Acum sunt in:", dir_path raw_input() sys.exit()

Contul Yahoo al directorului SRI George Maior a fost spart de hackerul "Guccifer", cel care a publicat coresponden?a dintre Corina Cre?u ?i Colin Powell, scrie site-ul Thesmokinggun.com, purt?torul de cuvânt al SRI precizând c? e vorba despre un cont anterior numirii lui Maior la ?efia serviciului "Este vorba de un email privat vechi al domnului Maior, folosit de dinainte de a deveni director al Serviciului ?i nu îl folosea decât pentru zona academic?. Primea coresponden?a exclusiv pentru zona academic? ?i era gestionat de un asistent pentru acest scop. Se vor lua toate m?surile legale pentru asemenea situa?ii, iar «Micul Guccifer» va fi o dat? prins ?i judecat conform legii", a declarat pentru MEDIAFAX purt?torul de cuvânt al SRI, Sorin Sava. Conform site-ului Thesmokinggun.com, lista "victimelor" celebrului hacker "Guccifer", care a spart conturile lui Colin Powell, ale unor membri ai familiilor Bush ?i Rockefeller ?i ale unor oficiali ai Administra?iei Obama, este mult mai lung? decât se ?tia pân? acum. "O arhiv? mare de date dezv?luie faptul c? incursiunilor ilegale ale lui 'Guccifer' i-au c?zut victime ?i alte înalte personalit??i atât din SUA cât ?i din str?in?tate în ultimul an. Hackerul a accesat coresponden?a electronic?, liste de contacte, înregistr?ri telefonice, fotografii personale ?i mai multe documente financiare confiden?iale, inclusiv c?r?i de credit, informa?ii bancare ?i documente privind investi?ii", noteaz? Thesmokinggun.com. Noua list? a victimelor lui "Guccifer" îl include ?i pe directorul SRI, George Maior. Publica?ia men?ioneaz? doar faptul c? directorului Serviciului Român de Informa?ii, George-Cristian Maior, i-a fost spart contul de Yahoo. Pe list? se afl? persoane din industria de entertainment, oameni de afaceri, academicieni, diploma?i, oficiali militari ?i guvernamentali, precum ?i jurnali?ti. Printre cei afecta?i de ac?iunile lui "Guccifer" se afl? actorul american Steve Martin, John Dean, fost consilier al pre?edintelui Richard Nixon, actri?a Mariel Hemingway, trei membri ai Camerei Lorzilor din Marea Britanie, Laura Manning Johnson, fost analist CIA, George Roche, fost secretar al For?elor Aeriene, ?i pre?edintele MetLife (companie de asigur?ri). Conform unora dintre persoanele afectate, conturile au fost sparte de pe adrese IP din Grecia ?i Rusia, sus?ine Thesmokinggun.com. Hackerul "Guccifer", a c?rui identitate este necunoscut?, a revendicat, în februarie 2013, piratarea unor conturi de e-mail apar?inând unor membri ai familiei Bush, divulgând coresponden?? de natur? personal?. În august 2013, "Guccifer" a postat pe pagina sa de Facebook un link c?tre o coresponden?? prin e-mail între fostul secretar american de Stat Colin Powell ?i europarlamentarul PSD Corina Cre?u. "Un tr?d?tor al patriei", a scris hackerul pe wall-ul lui Powell pe Facebook, ata?ând un link spre un drive Google cu e-mailuri primite de Powell de la Cre?u în perioada 2010-2011, prin contul s?u pe AOL. În aceste e-mailuri, Cre?u îl nume?te pe Powell, originar din Bronx, New York, "dragostea vie?ii mele" ?i sugereaz? c? scrie despre o poveste de dragoste mai veche, potrivit TheSmokingGun.com. Fostul secretar de Stat american a fost nevoit s? ofere clarific?ri despre rela?ia sa cu Corina Cre?u, în urma acestor dezv?luiri. Potrivit mai multor publica?ii, între care The Daily Mail, Huffington Post, New York Daily News ?i postului american de televiziune Fox News, fostul general a r?spuns unor întreb?ri din partea site-ului The Smoking Gun.com, afirmând c? nu ?i-a în?elat so?ia - cu care este c?s?torit de aproximativ 50 de ani - cu Cre?u, în prezent europarlamentar PSD, dup? ce e-mailuri "de natur? foarte persoan?" au fost f?cute publice. Într-un r?spuns la întreb?ri din partea site-ului TheSmokingGun.com, fostul general de patru stele a insistat, într-un comunicat, c? nu i-a fost necredincios so?iei sale, Alma. "A fost o prietenie care a devenit foarte personal? pe e-mail", a spus Powell site-ului. "Îmi trimitea fotografii frecvent. Multe fotografii de familie, cu nepoate ale ei, pe care le ador?, de la reuniuni de familie, de la ?edin?e oficiale de lucru, de la c?s?torie ?i ni?te poze în costum de baie... Niciodat? nimic nepotrivit", a subliniat el. Powell a declarat c? a cunoscut-o pe Cre?u în urm? cu aproximativ zece ani, în timp ce era secretar de Stat al fostului pre?edinte George W. Bush, iar ea era purt?tor de cuvânt al pre?edintelui României Ion Iliescu. El a subliniat c? s-au întâlnit personal "o dat? sau de dou? ori" în ultimii opt ani. Sursa: Contul de Yahoo al directorului SRI, George Maior, a fost spart de hackerul "Guccifer". Ce spune purt?torul de cuvânt al SRI - Mediafax

Security researchers have uncovered evidence of a new piece of malware that may be able to take gigabytes' worth of data hostage unless end users pay a ransom. Discussions of the new malware, alternately dubbed PrisonLocker and PowerLocker, have been occurring on underground crime forums since November, according to a blog post published Friday by Malware Must Die, a group of researchers dedicated to fighting online crime. The malware appears to be inspired by CryptoLocker, the malicious software that wreaked havoc in October when it used uncrackable encryption to lock up victims' computer files until they paid hundreds of dollars for the decryption key. PowerLocker could prove an even more potent threat because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a license, Friday's post warned. CryptoLocker, by contrast, was custom built for use by a single crime gang. What's more, PowerLocker might also offer several advanced features, including the ability to disable the task manager, registry editor, and other administration functions built into the Windows operating system. Screen shots and online discussions also indicate the newer malware may contain protections that prevent it from being reverse engineered when run on virtual machines. PowerLocker encrypts files using keys based on the Blowfish algorithm. Each key is then encrypted to a file that can only be unlocked by a 2048-bit private RSA key. The Malware Must Die researchers said they had been monitoring the discussions for the past few months. The possibility of a new crypto-based ransomware threat comes as developers continue to make improvements to the older CryptoLocker title. Late last month, for instance, researchers at antivirus provider Trend Micro said newer versions gave the CryptoLocker self-replicating abilities that allowed it to spread through USB thumb drives. Sursa: Researchers warn of new, meaner ransomware with unbreakable crypto | Ars Technica Intrebare intrebatoare Daca ar fi posibila realizarea unui removal tool pentru asemea tipuri de malware dar metodele folosite la realizarea lui ar fi ilegale, imorale si ar incalca principiile etice, oare l-ar realiza cineva?

Acest engine are ca inspiratie engine-urile polymorphice utilizate de virusii anilor 90 pentru a ingreuna detectia antivirus. La fiecare executare a fisierului dupa decriptare codul malware era recriptat cu o alta parola aleasa aleator rezultand un fisier diferit. Pentru utilizarea pycrypto m-am inspirat de aici: Python and cryptography with pycrypto | Laurent Luce's Blog Python 2.7 algoritm de criptare RC4, parola = 64 litere alese in mod aleator la fiecare executie import random import sys import re from Crypto.Cipher import ARC4 lparola = 64 nume_fisier = sys.argv[0] continut_fisier = open(nume_fisier, "r").read() def aleator(): variabila = '' for i in range(lparola): variabila += random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz') return variabila script ="""print "\tHello, I am RST Polymorphic Engine 0.2" print "This script will be crypted, delete me after first run" raw_input() """ #criptare initiala # parola = aleator() # obj1 = ARC4.new(parola) # criptat = obj1.encrypt(script).encode("hex") # #print criptat # lungime_criptat = hex(len(criptat)) # #print len(lungime_criptat) # #print int(lungime_criptat, 16) # continut_fisier += '\n##' + criptat + parola + lungime_criptat+ hex(len(lungime_criptat))# # #decriptare # #print continut_fisier # temp_1 = int(continut_fisier[-3:], 16) #print temp_1 # temp_2 = int(continut_fisier[-3 -temp_1: -3], 16) #print temp2 # parola = continut_fisier[-3 -temp_1 -lparola:-3 -temp_1] #print parola # temp_3 = -3 - temp_1 - temp_2 - lparola temp_4 = continut_fisier[temp_3: -3 -temp_1 -lparola] obj2 = ARC4.new(parola) #print temp_4 # decriptat = obj2.decrypt(temp_4.decode("hex")) #print decriptat # exec(decriptat) continut_fisier = re.sub(".{89}#\n", "", continut_fisier) # continut_fisier = re.sub("\n#", "\n", continut_fisier) # #print continut_fisier # # #recriptare # #decriptat = script plain text, temp_3 = offset pus cript # #parola2 = aleator() #print parola # #obj1 = ARC4.new(parola2) #criptat = obj1.encrypt(decriptat).encode("hex") #print criptat # #lungime_criptat = hex(len(criptat)) #print len(lungime_criptat) # #print int(lungime_criptat, 16) # #print criptat # #continut_fisier = continut_fisier[:temp_3 -1] + "#" + criptat + parola2 + lungime_criptat + hex(len(lungime_criptat)) #print continut_fisier # scriu = open(nume_fisier, "w") scriu.write(continut_fisier) scriu.close() sys.exit() Include o "functie" de auto-cleaning, la primul run isi elimina singur toate partile de cod inutile in viitor, totusi, scriptul care a fost criptat este necesar sa fie eliminat manual Dupa primul run: import random import sys import re from Crypto.Cipher import ARC4 lparola = 64 nume_fisier = sys.argv[0] continut_fisier = open(nume_fisier, "r").read() def aleator(): variabila = '' for i in range(lparola): variabila += random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz') return variabila script ="""print "\tHello, I am RST Polymorphic Engine 0.2" print "This script will be crypted, delete me after first run" raw_input() """ temp_1 = int(continut_fisier[-3:], 16) temp_2 = int(continut_fisier[-3 -temp_1: -3], 16) parola = continut_fisier[-3 -temp_1 -lparola:-3 -temp_1] temp_3 = -3 - temp_1 - temp_2 - lparola temp_4 = continut_fisier[temp_3: -3 -temp_1 -lparola] obj2 = ARC4.new(parola) decriptat = obj2.decrypt(temp_4.decode("hex")) exec(decriptat) parola2 = aleator() obj1 = ARC4.new(parola2) criptat = obj1.encrypt(decriptat).encode("hex") lungime_criptat = hex(len(criptat)) continut_fisier = continut_fisier[:temp_3 -1] + "#" + criptat + parola2 + lungime_criptat + hex(len(lungime_criptat)) scriu = open(nume_fisier, "w") scriu.write(continut_fisier) scriu.close() sys.exit() #4049eff8b7283ce8be7131c9c3f025030fd4a2e1474c126d3c31edf7eb64b1bd6591f383230ef0e17f1cd8fe6681c95eb34005887eeefefad76b64d8d0ab301996738e47cec14186d7a283c10b65cf77cadbabf3c39c2a5e5c852082fe5b3c2850156ae02577b6d29235f7e4f339ba22a983cdc7ded692d8911e5f7fgZqSphoqERUeUEyvankUOpiuEDyVoENOCJpVNiiJcGHJHpnwgFzfItmoncWKTUMm0xf80x4 Dupa autocleaning la urmatoarele executii se mai modifica doar partea criptata: #d8c3fae6dae61792b9389f57d143ef14d3845dab8da2ad08e25d8aef03ef1bdf3cb4938ccf607dca3c74c8522c971bee83406680a901fe32d4b9aaf60bc473216164929de7cd53bcb253646eeaad3cb71405a89f7aa931b53f3a1cb75447d289465d7cbf15dc7f46c747a3fbfc21f7ec94c3d2a84cfc825919f72041lgwkmIJdWycsxlcmlvNnzJWxnfUJFxTNYwSzIDTHgKZzDQoUrfFOtaZWHZorNMfu0xf80x4 Utilitate: scop didactic sugestiile, criticile, etc. sunt bine venite

Domnule BlackGate, este adevarat au fost utilizatori care au avut semnaturi mai mari si probabil ca unii inca mai au. Nu sta nimeni sa verifice semnaturile la toti utilizatorii. Nu esti primul caruia ii trimit pm sa-si modif semnatura si probabil nici ultimul care va primi pm pe acelasi motiv. Poate exista si exceptii dar pana acuma toti au inteles de buna voie, nu a fost nevoie de cartonase. @hate.me, cartonasul galben a venit dupa negocierea esuata purtata pe pm "Originally Posted by Usr6 Incearca sa folosesti o semnatura mai mica, nu este expozitie foto multumim pentru intelegere, Conducerea partidului." Raspunsul lui: "ce treaba ai tu cu semnatura mea? nu vad nici-o regula in privinta semnaturii du-te si veziti de ale tale" Inteleg ca toata lumea e in goana dupa audienta, dar pt subiecte de genul exista topic dedicat https://rstforums.com/forum/42827-important-abuzuri-de-putere.rst Mutat la cosul de gunoi.

Agen?ia american? de informa?ii NSA este foarte aproape s? creeze un "computer cuantic", capabil s? decripteze aproape orice codificare, potrivit edi?iei de joi a ziarului The Washington Post, care citeaz? documente divulgate de c?tre fostul consultant Edward Snowden. Potrivit acestor documente, calculatorul la care lucreaz? NSA îi va permite s? sparg? codurile informatice care protejeaz? secrete bancare, medicale, informa?ii guvernamentale sau din lumea afacerilor. Gigan?i informatici ca IBM urm?resc de mult obiectivul de a crea "computere cuantice", care s? permit? exploatarea puterii atomilor ?i moleculelor, sporind astfel în mod considerabil rapiditatea ?i securitatea computerelor. Îns? unii exper?i consider? pu?in probabil ca Agen?ia Na?ional? american? pentru Securitate s? fie pe punctul de a crea o asemenea "ma?in?", f?r? ca membrii comunit??ii ?tiin?ifice s? fie la curent cu acest lucru. "Pare pu?in probabil ca NSA s? fie atât de avansat? în compara?ie cu companiile civile, f?r? ca cineva s? ?tie acest lucru", noteaz? în The Washington Post Scott Aaronson, de la MIT. NSA nu a r?spuns unei solicit?ri AFP pe aceast? tem?. Potrivit documentelor ob?inute de cotidian, NSA lucreaz? la acest proiect în camere speciale, numite "cu?ti Faraday", care protejeaz? de o poluare electromagnetic? provenind din exterior. Cu puterea poten?ial? a computerelor cuantice, aceste ma?ini inovatoare ar fi capabile s? descifreze orice cod utilizat în prezent la protejarea activit??ilor online, indiferent c? este vorba despre b?nci sau mesageria electronic?. Snowden dezv?luie de mai multe luni amploarea programului american de spionaj în toate direc?iile, vizând între altele o serie de ??ri europene, institu?ii UE sau sistemul intern de videoconferin?e al ONU, ?i în principal rolul NSA. Sursa: NSA, foarte aproape de crearea unei ma?ini universale de decriptare: Un COMPUTER CUANTIC ar putea sparge orice cod din mediul online - Mediafax

"Virusul" cunoscut sub numele de "politia romana" si mai toate cele asemanatoare lui sunt oarecum inofensive daca nu au acces la internet (nu se pot conecta la centrul de comanda). Daca au acces la centrul de comanda treburile se complica, in unele cazuri devin chiar dramatice daca vb de Cryptolocker 1/ 2 sau altele asemanatoare. Functionarea detaliata a fost descrisa de hate.me aici: https://rstforums.com/forum/79412-help-remove-politia-romana-virus-2.rst#post510619 In cazul "politiei romane", daca nu dispuneti de un firewall "dement" care sa interzica accesul la internet al oricarei aplicatii ce nu are acceptul dvs puteti impiedica malware-ul sa se conecteze la internet rezolvand local toate* centrele de comanda. Adaugati in "C:\WINDOWS\system32\drivers\etc\hosts" toate domeniile de mai jos 127.0.0.1 lgsfbhyyrrnalpcbqkob.com 127.0.0.1 iqhbyacfnea.com 127.0.0.1 chbqrhunxg.com 127.0.0.1 fktihyjhkomdxqkucg.com 127.0.0.1 lldpoyrzfi.com 127.0.0.1 yqmodbxjxgczajstz.com 127.0.0.1 vltnftcjrzrxnhfwgf.com 127.0.0.1 wchdbyuteue.com 127.0.0.1 zpqwczqatnmmb.com 127.0.0.1 cdqvfoezutpworgjg.com 127.0.0.1 bunzvlesey.com 127.0.0.1 ytnxvxnlumzvtdelo.com 127.0.0.1 ykvmiyfbbaqgryd.com 127.0.0.1 upijkzzgohsviiufgwj.com 127.0.0.1 jhkkssojlwnyjgnsslm.com 127.0.0.1 yyuihmtl.com 127.0.0.1 zlohhvqhqgyvbhbhe.com 127.0.0.1 pjgwxsqwbdqh.com 127.0.0.1 zjwceimakuvaieqxzdi.com 127.0.0.1 obhmbdjxkgmzw.com 127.0.0.1 qtermfciofx.com 127.0.0.1 daobcnqwefamhdfcs.com 127.0.0.1 ktlwxakbho.com 127.0.0.1 kbvmxwjxtvncddaiyb.com 127.0.0.1 aqazrrwmzrvrvoshpi.com 127.0.0.1 raxlendajlubxdhq.com 127.0.0.1 zbtgaqubvmmvvcx.com 127.0.0.1 zmfcmghjbpbxwn.com 127.0.0.1 lxynmytvhgyiv.com 127.0.0.1 xaftdwovbbtvt.com Daca v-ati infectat cu "politia romana" si malware-ul nu reuseste sa se conecteze la centrul de comanda, poate fi eliminat in 2 timpi si 3 miscari: Start > Run... >cmd.exe tasklist -pentru a lista toate procesele tasklill -pentru a inchide processul malwareului si google for removal tool * extrase din sampleul: https://rstforums.com/forum/76505-sample-virus-politia-romana.rst

Botconf'13 - First botnet fighting conference Invited talk: Preliminary results from the European antibotnet pilot action ACDC. Integrating industry, research and operational networks into detecting and mitigating botnets Ulrich Seldeslachts Advanced Techniques in Modern Banking Trojans Spam and All Things Salty: Spambot v2013 Distributed Malware Proxy Networks Legal limits of proactive actions: Coreflood botnet example Back to life, back to correlationVasileios Friligkos Using cyber intelligence to detect and localize botnets Zombies in your browser Spatial Statistics as a Metric for Detecting Botnet C2 Servers The Home and CDorked campaigns : Widespread Malicious Modification of Webservers for Mass Malware Distribution Malware Calling Disass Efficient Program Exploration by Input Fuzzing The power of a team work – Management of Dissecting a Fast Flux Botnet, OP-Kelihos “Unleashed” Hendrik Adrian and Dhia Mahjoub Blog post Perdix: a framework for realtime behavioral evaluation of security threats in cloud computing environment Participatory Honeypots: A Paradigm Shift in the Fight Against Mobile Botnets My Name is Hunter, Ponmocup Hunter Reputation-based Life-course Trajectories of Illicit Forum Members APT1: Technical Backstage Invited talk: Europol and European law enforcement action against botnets A General-purpose Laboratory for Large-scale Botnet Experiments DNS Resolution Traffic Analysis Applied to Bot Detection Exploit Krawler: New Weapon againt Exploits Kits BladeRunner: Adventures in Tracking Botnets The hunter becomes the hunted – analyzing network traffic to track down botnets Download : https://www.botconf.eu/index.php/schedule/ p.s. La Multi Ani!.

Python 2.7 Windows/Linux de fiecare data cand este executat schimba numele tuturor variabilelor Dupa prima executie import sys, re, random, time mcKBaOPDkBsgftnRvfTLKaDHYMBIYSHumBBKdsyvYTMTRWbrICpzEfPHxR = sys.argv[0] YdJbEcTXwqxHjPWgAgGtHnRGvKyLUmsmKXQyururvDLAliXMMLZANPsLmsSFovnHC = ['mcKBaOPDkBsgftnRvfTLKaDHYMBIYSHumBBKdsyvYTMTRWbrICpzEfPHxR', 'vGVpdSgGQMHvGQuapQnjEewHEjaSKpsYuRioPREDCJeOlscRVe', 'dakfVfRcKEwMHJqZovcerfeqLgxjEeMVnKCPithcMVKelPgEsFYzgtHBchxrUVnsgf', 'DIKbRMfdjcHKYjZGmwVSmfredwXINjybJPbpRrJggGGOkGOJFiMcjCOAxSxAbMyWewBMiT', 'IiUmJXpytWJhDduNGCBrFyXuHUOsofjkXFLtIlvIJHgfieDjQuuFowwSUDorNHEl', 'JcVhVUAlnfzubrYYwxzEiwfwMILROSZPYBwOABNehMNvuJoescHewJPGMxGYl', 'BeLoxxmthjYaavanluphrTeTscxFQXwmlFosWLkEgZNmpeXIBUkRjAODrSvwykEqEGFltWQ', 'clRkpxKsCvUPDzwrjEqTPtpcUKBCHPdwUbLTArAzirswKhHRiqnYVwHBENLSbm', 'veOALBXnIGBsbQMImhpbfasONGdwHbjCkIfsxISNDtwvmkMqwfwVXQ', 'yjvNuKrHSumDqlDwPlysoMXxXGqINBjytnUnVkbnnYoWjeduoTUHxATHfwyNpfkWR', 'zmhjbxMIlsgEdDzwyztZzZdGMZMCTOcWuIotKmWnBNJLvOQgCrxGflJldwIvtXMHQysbi', 'AfcxDFkPbKRQEYjAZVHqhbsClcqyxknitdeEYzETOYGXFDBIwUXdYnHyddLkxraIwpep', 'OhjcqxMTrEStVNOyXeSvVtnPhElsbgmMwAUvnfxxxmWxQMchfAuhHNEEbxGUV', 'YdJbEcTXwqxHjPWgAgGtHnRGvKyLUmsmKXQyururvDLAliXMMLZANPsLmsSFovnHC'] JcVhVUAlnfzubrYYwxzEiwfwMILROSZPYBwOABNehMNvuJoescHewJPGMxGYl = [] def dakfVfRcKEwMHJqZovcerfeqLgxjEeMVnKCPithcMVKelPgEsFYzgtHBchxrUVnsgf(): DIKbRMfdjcHKYjZGmwVSmfredwXINjybJPbpRrJggGGOkGOJFiMcjCOAxSxAbMyWewBMiT = random.randint(47,71) vGVpdSgGQMHvGQuapQnjEewHEjaSKpsYuRioPREDCJeOlscRVe = '' for i in range(DIKbRMfdjcHKYjZGmwVSmfredwXINjybJPbpRrJggGGOkGOJFiMcjCOAxSxAbMyWewBMiT): vGVpdSgGQMHvGQuapQnjEewHEjaSKpsYuRioPREDCJeOlscRVe += random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz') return vGVpdSgGQMHvGQuapQnjEewHEjaSKpsYuRioPREDCJeOlscRVe IiUmJXpytWJhDduNGCBrFyXuHUOsofjkXFLtIlvIJHgfieDjQuuFowwSUDorNHEl = open(mcKBaOPDkBsgftnRvfTLKaDHYMBIYSHumBBKdsyvYTMTRWbrICpzEfPHxR, "r").read() OhjcqxMTrEStVNOyXeSvVtnPhElsbgmMwAUvnfxxxmWxQMchfAuhHNEEbxGUV = re.search("\[\'.+\'\]", IiUmJXpytWJhDduNGCBrFyXuHUOsofjkXFLtIlvIJHgfieDjQuuFowwSUDorNHEl) BeLoxxmthjYaavanluphrTeTscxFQXwmlFosWLkEgZNmpeXIBUkRjAODrSvwykEqEGFltWQ = eval(OhjcqxMTrEStVNOyXeSvVtnPhElsbgmMwAUvnfxxxmWxQMchfAuhHNEEbxGUV.group()) for veOALBXnIGBsbQMImhpbfasONGdwHbjCkIfsxISNDtwvmkMqwfwVXQ in BeLoxxmthjYaavanluphrTeTscxFQXwmlFosWLkEgZNmpeXIBUkRjAODrSvwykEqEGFltWQ: clRkpxKsCvUPDzwrjEqTPtpcUKBCHPdwUbLTArAzirswKhHRiqnYVwHBENLSbm = dakfVfRcKEwMHJqZovcerfeqLgxjEeMVnKCPithcMVKelPgEsFYzgtHBchxrUVnsgf() IiUmJXpytWJhDduNGCBrFyXuHUOsofjkXFLtIlvIJHgfieDjQuuFowwSUDorNHEl = re.sub(veOALBXnIGBsbQMImhpbfasONGdwHbjCkIfsxISNDtwvmkMqwfwVXQ, clRkpxKsCvUPDzwrjEqTPtpcUKBCHPdwUbLTArAzirswKhHRiqnYVwHBENLSbm, IiUmJXpytWJhDduNGCBrFyXuHUOsofjkXFLtIlvIJHgfieDjQuuFowwSUDorNHEl) JcVhVUAlnfzubrYYwxzEiwfwMILROSZPYBwOABNehMNvuJoescHewJPGMxGYl.append(clRkpxKsCvUPDzwrjEqTPtpcUKBCHPdwUbLTArAzirswKhHRiqnYVwHBENLSbm) yjvNuKrHSumDqlDwPlysoMXxXGqINBjytnUnVkbnnYoWjeduoTUHxATHfwyNpfkWR = str(JcVhVUAlnfzubrYYwxzEiwfwMILROSZPYBwOABNehMNvuJoescHewJPGMxGYl) IiUmJXpytWJhDduNGCBrFyXuHUOsofjkXFLtIlvIJHgfieDjQuuFowwSUDorNHEl = re.sub("\[\'.+\'\]",yjvNuKrHSumDqlDwPlysoMXxXGqINBjytnUnVkbnnYoWjeduoTUHxATHfwyNpfkWR, IiUmJXpytWJhDduNGCBrFyXuHUOsofjkXFLtIlvIJHgfieDjQuuFowwSUDorNHEl) zmhjbxMIlsgEdDzwyztZzZdGMZMCTOcWuIotKmWnBNJLvOQgCrxGflJldwIvtXMHQysbi = open(mcKBaOPDkBsgftnRvfTLKaDHYMBIYSHumBBKdsyvYTMTRWbrICpzEfPHxR, "w") zmhjbxMIlsgEdDzwyztZzZdGMZMCTOcWuIotKmWnBNJLvOQgCrxGflJldwIvtXMHQysbi.write(IiUmJXpytWJhDduNGCBrFyXuHUOsofjkXFLtIlvIJHgfieDjQuuFowwSUDorNHEl) zmhjbxMIlsgEdDzwyztZzZdGMZMCTOcWuIotKmWnBNJLvOQgCrxGflJldwIvtXMHQysbi.close() AfcxDFkPbKRQEYjAZVHqhbsClcqyxknitdeEYzETOYGXFDBIwUXdYnHyddLkxraIwpep = "RST Polymorphic Engine 0.1" print AfcxDFkPbKRQEYjAZVHqhbsClcqyxknitdeEYzETOYGXFDBIwUXdYnHyddLkxraIwpep print "1 sec to exit" time.sleep(1) sys.exit Dupa alta: import sys, re, random, time ATwesnORTArjSQJJnIeOWEOxCskdVzxxcSJZZSDvxESCtnbpqeAqexzRZVYzm = sys.argv[0] dQVFGQpCnJEGfgCHaHUNCNNSQUaYrLMROlRoQmcTsGshDYXmOqFCYM = ['ATwesnORTArjSQJJnIeOWEOxCskdVzxxcSJZZSDvxESCtnbpqeAqexzRZVYzm', 'WkDZXkGNQsqwZtKOhxHsfKyRqbbooWmYzPfZqNBJtkGnEeiISCJBxmcYd', 'ROFyOzNVQzhbBQrbBvVzuOZHJpuNWoaEKboCMPGjgMxXjljlHb', 'AsvkfDFoSBASgCjqtzmCCkHEVPIqYlGobrfdqfzsHplNcjI', 'QfCxcoHzjrCGSIJQKTMItTJEyGlBHXBtNhBaUIhwIakUicGUqVCqV', 'nBKQYJhloIXtazkpfOWwxrTGmbbWDALpEYZmQmIVbOirCjKQtGq', 'kLVZMUjnEbOFjVXRfzoWMkQarvDVlrUhVWBNXGehUWVhOoJx', 'QjtcvSvbRsFMDxiiLGyCdAKnrJIQkSLxBYbupHgoCFPNqiwIJSpYcxjcM', 'PJmvbUazkmFgYiAWTxAZGzcGROmQrtTSmYiQDpgFwKwqdgUU', 'lvgtkqZWFAjnLmZHTRucZRReKWElIZJBEIhnbvGAyrztqioFDYcUQnGXCdfTRrJvfl', 'PtIEnnpQzjTqwwGtpCFdmqhKRdJxchZaHDMOyxovIuKQPwwMfmUpBVSauNHUYvrsQw', 'DGSXtTrrJCZAQhwHYWiffaCSiUMtviwvOULXKXPGjrDpwQuuyFSd', 'JDIIVwMhLSVrqvIclrpooqtjgzYuBbvqSmpGCjFTIOqvwvPAdlkeCKhyLzuSHBoZDqhM', 'dQVFGQpCnJEGfgCHaHUNCNNSQUaYrLMROlRoQmcTsGshDYXmOqFCYM'] nBKQYJhloIXtazkpfOWwxrTGmbbWDALpEYZmQmIVbOirCjKQtGq = [] def ROFyOzNVQzhbBQrbBvVzuOZHJpuNWoaEKboCMPGjgMxXjljlHb(): AsvkfDFoSBASgCjqtzmCCkHEVPIqYlGobrfdqfzsHplNcjI = random.randint(47,71) WkDZXkGNQsqwZtKOhxHsfKyRqbbooWmYzPfZqNBJtkGnEeiISCJBxmcYd = '' for i in range(AsvkfDFoSBASgCjqtzmCCkHEVPIqYlGobrfdqfzsHplNcjI): WkDZXkGNQsqwZtKOhxHsfKyRqbbooWmYzPfZqNBJtkGnEeiISCJBxmcYd += random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz') return WkDZXkGNQsqwZtKOhxHsfKyRqbbooWmYzPfZqNBJtkGnEeiISCJBxmcYd QfCxcoHzjrCGSIJQKTMItTJEyGlBHXBtNhBaUIhwIakUicGUqVCqV = open(ATwesnORTArjSQJJnIeOWEOxCskdVzxxcSJZZSDvxESCtnbpqeAqexzRZVYzm, "r").read() JDIIVwMhLSVrqvIclrpooqtjgzYuBbvqSmpGCjFTIOqvwvPAdlkeCKhyLzuSHBoZDqhM = re.search("\[\'.+\'\]", QfCxcoHzjrCGSIJQKTMItTJEyGlBHXBtNhBaUIhwIakUicGUqVCqV) kLVZMUjnEbOFjVXRfzoWMkQarvDVlrUhVWBNXGehUWVhOoJx = eval(JDIIVwMhLSVrqvIclrpooqtjgzYuBbvqSmpGCjFTIOqvwvPAdlkeCKhyLzuSHBoZDqhM.group()) for PJmvbUazkmFgYiAWTxAZGzcGROmQrtTSmYiQDpgFwKwqdgUU in kLVZMUjnEbOFjVXRfzoWMkQarvDVlrUhVWBNXGehUWVhOoJx: QjtcvSvbRsFMDxiiLGyCdAKnrJIQkSLxBYbupHgoCFPNqiwIJSpYcxjcM = ROFyOzNVQzhbBQrbBvVzuOZHJpuNWoaEKboCMPGjgMxXjljlHb() QfCxcoHzjrCGSIJQKTMItTJEyGlBHXBtNhBaUIhwIakUicGUqVCqV = re.sub(PJmvbUazkmFgYiAWTxAZGzcGROmQrtTSmYiQDpgFwKwqdgUU, QjtcvSvbRsFMDxiiLGyCdAKnrJIQkSLxBYbupHgoCFPNqiwIJSpYcxjcM, QfCxcoHzjrCGSIJQKTMItTJEyGlBHXBtNhBaUIhwIakUicGUqVCqV) nBKQYJhloIXtazkpfOWwxrTGmbbWDALpEYZmQmIVbOirCjKQtGq.append(QjtcvSvbRsFMDxiiLGyCdAKnrJIQkSLxBYbupHgoCFPNqiwIJSpYcxjcM) lvgtkqZWFAjnLmZHTRucZRReKWElIZJBEIhnbvGAyrztqioFDYcUQnGXCdfTRrJvfl = str(nBKQYJhloIXtazkpfOWwxrTGmbbWDALpEYZmQmIVbOirCjKQtGq) QfCxcoHzjrCGSIJQKTMItTJEyGlBHXBtNhBaUIhwIakUicGUqVCqV = re.sub("\[\'.+\'\]",lvgtkqZWFAjnLmZHTRucZRReKWElIZJBEIhnbvGAyrztqioFDYcUQnGXCdfTRrJvfl, QfCxcoHzjrCGSIJQKTMItTJEyGlBHXBtNhBaUIhwIakUicGUqVCqV) PtIEnnpQzjTqwwGtpCFdmqhKRdJxchZaHDMOyxovIuKQPwwMfmUpBVSauNHUYvrsQw = open(ATwesnORTArjSQJJnIeOWEOxCskdVzxxcSJZZSDvxESCtnbpqeAqexzRZVYzm, "w") PtIEnnpQzjTqwwGtpCFdmqhKRdJxchZaHDMOyxovIuKQPwwMfmUpBVSauNHUYvrsQw.write(QfCxcoHzjrCGSIJQKTMItTJEyGlBHXBtNhBaUIhwIakUicGUqVCqV) PtIEnnpQzjTqwwGtpCFdmqhKRdJxchZaHDMOyxovIuKQPwwMfmUpBVSauNHUYvrsQw.close() DGSXtTrrJCZAQhwHYWiffaCSiUMtviwvOULXKXPGjrDpwQuuyFSd = "RST Polymorphic Engine 0.1" print DGSXtTrrJCZAQhwHYWiffaCSiUMtviwvOULXKXPGjrDpwQuuyFSd print "1 sec to exit" time.sleep(1) sys.exit Orice idei pentru imbunatatirea lui, critici, etc. sunt bine venite Utilitate: ingreuneaza intelegerea unui script

So this is a pretty interesting acoustic based cryptanalysis side-channel attack which can crack 4096-bit RSA encryption. It’s been a while since we’ve seen anything hardware based, and RSA 4096 is pretty strong encryption, I wonder how they figured this one out. It makes sense though when you think about it, although I wouldn’t have thought about it – I wasn’t even aware that processors made any audible noise when processing (even if the noise can only be picked up by a fairly high quality mic). Security researchers have successfully broken one of the most secure encryption algorithms, 4096-bit RSA, by listening – yes, with a microphone — to a computer as it decrypts some encrypted data. The attack is fairly simple and can be carried out with rudimentary hardware. The repercussions for the average computer user are minimal, but if you’re a secret agent, power user, or some other kind of encryption-using miscreant, you may want to reach for the Rammstein when decrypting your data. This acoustic cryptanalysis, carried out by Daniel Genkin, Adi Shamir (who co-invented RSA), and Eran Tromer, uses what’s known as a side channel attack. A side channel is an attack vector that is non-direct and unconventional, and thus hasn’t been properly secured. For example, your pass code prevents me from directly attacking your phone — but if I could work out your pass code by looking at the greasy smudges on your screen, that would be a side channel attack. In this case, the security researchers listen to the high-pitched (10 to 150 KHz) sounds produced by your computer as it decrypts data. Interesting that one of the researchers involved in this is also a co-inventor of RSA, but that’s also a good thing – showing they are constantly trying to find ways to improve it, break it etc. Perhaps all new encryption software will come with a feature to play some kind of white noise/music to disrupt any snooping of the high frequency CPU sounds. Without going into too much detail, the researchers focused on a very specific encryption implementation: The GnuPG (an open/free version of PGP) 1.x implementation of the RSA cryptosystem. With some very clever cryptanalysis, the researchers were able to listen for telltale signs that the CPU was decrypting some data, and then listening to the following stream of sounds to divine the decryption key. The same attack would not work on different cryptosystems or different encryption software — they’d have to start back at the beginning and work out all of the tell-tale sounds from scratch. The researchers successfully extracted decryption keys over a distance of four meters (13 feet) with a high-quality parabolic microphone. Perhaps more intriguingly, though, they also managed to pull of this attack with a smartphone placed 30 centimeters (12 inches) away from the target laptop. The researchers performed the attack on different laptops and desktops, with varying levels of success. For what it’s worth, the same kind of electrical data can also be divined from many other sources — the power socket on the wall, the remote end of an Ethernet cable, or merely by touching the computer (while measuring your body’s potential relative to the room’s ground potential). Thankfully it’s a very academic type of attack and doesn’t have much of a real world implication on the majority of folks, the method could be constructed for other algorithms I assume – using the same technique. But really, how many people sit around in public places decrypting sensitive documents? I don’t think there’s many. Sursa: Researchers Crack 4096-bit RSA Encryption With a Microphone - Darknet - The Darkside Pe acelasi subiect: Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU | ExtremeTech Research paper: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis [PDF]

Traditional Botnets With tradition botnets (Be it HTTP, IRC or some other protocol), the structure remains the same. The bots all connect to one or more servers through one or more domains. Although the network structure can differ from very basic to very complex, the botnet can easily be disabled with enough cooperation. seizing control of an active domain or sever associated with the botnet can usually be all that is needed in order to disband it, however if for some reason it isn't possible to send commands to the bots, a different approach is needed. Attempting to shut down the control sever is usually a waste of time as it would not take long for the botmaster to set up another and redirect the domain to it, which only leaves the option of going after the domain. A botnet that isn't run by beginners will likely use multiple domains, if a single domain is shut down, the bots will connect to the next. To take down such a botnet: it would be required for researchers to either suspend all domains associated with the botnet (in a time frame that doesn't allow the botmaster to update the bots with new domains), or to seize the domain the botnet is currently using and point it to a functional server (known as a sinkhole), designed to keep the bots away from the legitimate control server and out of the botmaster's reach. Peer to Peer Peer to Peer (P2P) botnets try to solve the problem of security researchers and authorities targeting domains or servers, by creating a decentralized network. The idea of P2P is that all the bots connect & communicate with to each-other in order to remove the need for a centralized server, however it's not as straight forward as that. CommandsIf bots are communicating with each-other, then the botmaster needs to make sure only he can command the bots, this is usually done using digital signing. Signing is performed by using asymmetric encryption, a special type of encryption that required two keys (public and private). if one key is used to encrypt a message, it can only be decrypted with the other key. If the botmaster keep one key secret (private key) and embed the other key in the bot (public key), he can use his key to encrypt commands and then the bots can decrypt them using the public key: without the botmaster's private key, no one can encrypt the commands. Most people's idea of a peer to peer botnet is similar to Figure 1, the bots all connect to each-other via IP address, forwarding commands to each-other, removing the need for a central server or domain, this representation however is incorrect. Computers that are behind NAT, Firewalls, or use a proxy server to access the internet: cannot accept incoming connection, but can make outgoing connection. This is a bit of a problem as it would prevent the majority of bots being connected to by other bots. In traditional botnets, this obviously isn't a problem as the bots connect to the server, so a peer to peer network still requires servers in a way. Bots that are capable of accepting incoming connections (not behind Proxy / NAT / Firewall) act as servers (usually referred to as nodes or peers), the bots that are not capable of accepting connections (usually referred to as workers) will then connect to one or more nodes in order to receive commands (Figure 2). Although the nodes are technically servers, they are used in a way that prevents take down, that is: the workers are distributed between many nodes, allowing them to shift to another node if one is taken down. P2P botnets only work if there are enough nodes that it is impractical to take them all down, the bad news is because the nodes are legitimate computers, they can't simply be seized like a server would be. Each node maintains a list of IP addresses of other nodes which it shares with the workers, the workers then store the lists, allowing them to switch nodes if the current one were to die. At this stage the botnet would just be many small groups of bots connected to many different nodes, which would be impossible to command. For commands to circulate the entire network, either: The bots will connect to multiple nodes and pass any commands received to the other nodes; The nodes connect to other nodes and pass commands between themselves; or a combination of the two. Bootstrapping In order for a bot to join the network: it would need the IP address of at least one node, this is where bootstrapping comes in. The bot is hard-coded with a list of bootstrap servers, which it connects to when it is first run on the infected computer. the job of a bootstrap server is to maintain a huge list of node IP addresses, providing new bots with a smaller list of node IPs (introducing it to the network). Generally bootstrap servers provide some sort of signing, which prevents them from being hijacked by security researchers and used to give new bots invalid node IPs. Obviously the bootstrap servers are a central points, like with traditional botnets, they could be taken down, however this isn't a huge issue. If all of the bootstrap servers were to be seized at once, it would not effect the bots that are already on the botnet, however it would prevent new infections from joining. The botmaster can simply cease infecting new systems until they can set up new bootstrap servers,this would be only a temporary hold back so it is fairly pointless to attack the bootstrap system. Dismantling the botnet Attacking the bootstrap system only temporarily prevents new bots joining the network, digitally signed commands prevent anyone other than the botmaster commanding the bots, and there are far too many nodes to take down at once, so what can be done? Peer Poisoning Nearly all peer to peer botnets is existence have a vulnerability in the peer sharing mechanism. As explained earlier, the nodes are required to maintain and share a list of other nodes with the workers, to distribute the workers among the vast number of nodes. It would be incredibly time consuming or even impossible for the botmaster to manually provide each node with a list of other nodes, so the nodes do it automatically. When a new bot is identified as being capable of accepting connections, the node it is connected to adds it to the node list and shares it with the other nodes. So what if you were to introduce a malicious computer to the network, one that would be identified as capable of becoming a node, the from there you provided the workers and other nodes with a list of invalid ips? Probably not a lot. It's likely that the nodes would verify each new node IP address to make sure it's real, but with that in mind there's another way! Security researchers could introduce many malicious nodes to the network, but instead of providing workers and other nodes with false IP addresses, they would only share a list of other malicious nodes. With enough resources, the malicious nodes can become a significant part of the botnet and separate the workers from the legitimate nodes. By only issuing the IP addresses of other malicious nodes, it increases the chance that the workers will only be aware of malicious nodes and significantly decreases the chance of them rejoining the network. At a given date the malicious nodes can stop forwarding commands from legitimate nodes: leaving all the workers which are connected to malicious nodes unable to receive commands, and leaving the botmaster no time to react. Such an attack would be unlikely to separate all the workers from the network, but could cripple a significant part of the botnet. Malicious nodes can be left running to commandeer more bots and attempt to keep hold of any bots which may have stored IP addresses of legitimate nodes. Sursa: MalwareTech: Peer-to-Peer Botnets for Beginners

cam trasa de par stirea: Israel Population 7,412,200(2008 census) daca in fiecare locuinta ar fi ~2 persoane + 1 computer, ar insemna ca >90% din case sunt infectate cu botnetul respectiv sau ca jumate din populatia tarii(sa presupunem ca fiecare cetatean ar avea un pc) sa fie infectata cu botnetul respectiv daca respectivul nu a descoperit vreo metoda de spread al botnetului prin apa de la robinet mi se par SF informatiile

Dup? 22 de ani, revista Chip î?i înceteaz? apari?ia. La fel alte dou? titluri mai noi, Level ?i Foto Video. “Închidem din cauza distribu?iei. Distribuitorii sunt pu?i pe dat tunuri”, a declarat pentru Paginademedia.ro Dan B?descu, managerul companiei care edita revistele. Sumele pe care le are editura de încasat de la distribuitori sunt de peste 350.000 de euro, spune Dan B?descu. Dan B?descu, pentru Paginademedia.ro: “Am ajuns în situa?ia de a nu mai putea pl?ti oamenii ?i nici tipografia. Noi tr?im din vânzare ?i din publicitate, dar distribuitorii nu ?in cont de asta, nu îi intereseaz?. Sunt por?i pe a da tunuri. În prim? faz?, distribuitorii ne-au adus în insolven??. Din cauza lor am ajuns în insolven??. Acum am ajuns? s? închidem titlurile.” Dan B?descu spune c? sumele pe care le are de încasat de la distribuitori s-au acumulat, în timp, ajungând la peste 350.000 de euro: aproximativ 150.000 de euro dup? falimentul Rodipet, 150.000 de euro dup? falimentul Hiparion ?i aproximativ 60-70.000 de euro dup? Press Point, urma?ul Hiparion. Ce e de f?cut? “Vom vedea dac? trecerea pe online este cea mai bun? variant?. Suntem în situa?ia de a avea numerele gata, dar de a nu putea s? le scoatem, pentru c? suntem în imposibilitatea de a pl?ti tipografia. Dac? g?sesc pe cineva s? preia titlurile, poate c? ele vor merge mai departe.” Chip este cel mai vechi titlu din portofoliu, primul num?r ap?rând în toamna anului 1991. A urmat, în 1996, revista Level ?i, la începutul anilor 2000, publica?ia Foto-Video. Potrivit celor mai recente date publicate de BRAT – Biroul Român de Audit Transmedia, revista Chip vindea, în medie, 8.300 de exemplare pe apari?ie, în perioada iulie – septembrie. Level avea vânz?ri medii de 7.000 de exemplare. Sursa: Revistele Chip, Level ?i Foto – Video, închise Din Cauza Distribu?iei: “distribuitorii Sunt Pu?i Pe Dat Tunuri” | Pagina de media – Petri?or Obae

Adev?rul Live îl are ca invitat pe Bogdan Botezatu, senior threat analyst la Bitdefender. Cu specialistul în securitate vorbim despre viru?ii anului 2013, sfaturile pentru utilizatorii simpli ?i la ce ne putem a?tepta în 2014. Despre viru?ii anului 2013 ?i de ce s? ne ferim în 2014 cu Bogdan Botezatu de la Bitdefender | adevarul.ro

+ ora sistemului sa corespunda cu cea folosita de proxy/socks/vpn + flash disable (ip/dns) + dns resolving via socks/proxy/etc + language + plugins cateva din detaliile ce pot fi aflate despre tine cand vizitezi un site: Whoer.net - find out IP address: Extended version

Who Is Paunch? Last week, the world got the first glimpses of a man Russian authorities have accused of being “Paunch,” a computer crime kingpin whose “Blackhole” crimeware package has fueled an explosion of cybercrime over the past several years. So far, few details about the 27-year-old defendant have been released, save for some pictures of a portly lad and a list of his alleged transgressions. Today’s post follows a few clues from recent media coverage that all point to one very likely identity for this young man. The first story in the Western media about Paunch’s arrest came on Oct. 8, 2013 from Reuters, which quoted an anonymous former Russian police detective. But the initial news of Paunch’s arrest appears to have broken on Russian news blogs several days earlier. On Oct. 5, Russian news outlet neslushi.info posted that a hacker by the name of Dmitry Fedotov had been arrested the night before in Togliatti, a city in Samara Oblast, Russia. The story noted that Fedotov was wanted for creating a program that was used by various organized crime groups to siphon roughly 26 billion rubles (USD $866 million) from unnamed banks. Another story from local news site Samara.ru on Oct. 8 references a Dmitry F. from Togliatti. This is an interesting lead; last week’s story on Paunch cited information released by Russian forensics firm Group-IB, which did not include Paunch’s real name but said that he resided in Togliatti. Fast-forward to this past week, and we see out of the Russian publication Vedomosti.ru a story stating that Paunch owned his own Web-development company. That story also cited Group-IB saying that Paunch had experience as an advertising manager. This Yandex profile includes a resume for a Dmitry Fedotov from Togliatti who specializes in Web programming and advertising, and lists “hack money” under his “professional goals” section. It also states that Fedotov attended the Volga State University of Service from 2003-2005. That Yandex profile for Fedotov says his company is a site called “neting.ru,” a Web development firm. The current Web site registration records for that domain do not include an owner’s name, but a historic WHOIS record ordered from domaintools.com shows that neting.ru was originally registered in 2004 by a Dmitry E. Fedotov, using the email addresses box@neting.ru and tolst86@mail.ru. A cached contact page for neting.ru at archive.org shows the same box@neting.ru email address and includes an ICQ instant messenger address, 360022. According to ICQ.com, that address belongs to a user who picked the nickname “tolst,” which roughly translates to “fatty.” This brings up something I want to address from last week’s story: Some readers said they thought it was insensitive of me to point out that Paunch himself called attention to his most obvious physical trait. But this seems to be a very important detail: Paunch had a habit of picking self-effacing nicknames. The pictures of Paunch released by Group-IB show a heavyset young man, and Paunch seems to have picked nicknames that called attention to his size. One email address known to have been used by the Blackhole author was “paunchik@googlemail.com” (“paunchik” means “doughnut” in Russian). Blackhole exploit kit users who wished to place their advertisements in the crimeware kit itself so that other customers would see the ads were instructed to pay for the advertisements by sending funds to a Webmoney purse Z356971281174, which is tied to the Webmoney ID 561656619879; that Webmoney ID uses the alias “puzan,” a variant of the Russian word ????, or “potbelly.” Turns out, “tolst” was a common nickname picked by Paunch. We can see a user who picked that same “tolst” nickname posting in a Russian car forum in March 2013 about his new ride: a white Porsche Cayenne. According to this photo released by Group-IB, Paunch also owned a white Porsche Cayenne. Tolst posted pictures of the interior of his Porsche here. Neting.ru’s archived FAQ points to an official payment page at virtual currency Webmoney, which includes the name Dmitry E. Fedotov and the ICQ number 360022. That same Webmoney account shows up on wmid.name, a site that lists account holders who have a reputation for being late with promised payments. The last account on the bottom of that page is an entry that lists the same Webmoney ID, along with Dmitry Evegeny Fedotov‘s date of birth (Nov. 6, 1986), passport number (3606578837), and physical address. It’s not clear when Fedotov was added to this list, but it’s possible he was simply unable to pay for promised transactions due to his early October arrest and detention. This Odnoklassniki profile for a Dmitry Fedotov from Togliatti also puts his birthday at Nov. 6, and says he attended Volga State University of Service from 2003 to 2005. Early on, Fedotov appears to have made a living by writing and selling Web scripts for various online currency exchange sites. But by 2009, this young man was growing more interested in computer security — specifically Web browser vulnerabilities. The Web community Fido20.ru includes a member named “tolst” from Togliatti who gives his name as Dmitry Fedotov and was very active in discussions about network security, privacy and hacking. In this post from 2009 titled “Vulnerabilities in browsers and their plugin-ins,” Fedotov can be seen warning users about unspecified new vulnerabilities in Apple’s Quicktime and Microsoft’s DirectX versions 7 through 9. In another thread, Fedotov encourages the sharing of browser exploits and provides links to several vulnerability archives. He also tells fellow forums members that they are asking to get hacked if they leave various browser plugins activated. “As I have done before, I am asking all the users as well as IT Security professionals to disable all plug-ins and add-ons in their browsers,” Fedotov warned forum members. “Do not think that if you are not users of Internet money (web money), there is no danger of being infected. In this case, the infected PCs are turned into socks proxies, spam/ddos bots and all the bad activity is done under your name, so that law enforcement can place all the blame on your shoulders. Safe surfing and good luck to you.” Sursa: Who Is Paunch? — Krebs on Security un alt articol interesant: Meet Paunch: The Accused Author of the BlackHole Exploit Kit — Krebs on Security cam la ce nivel se juca: “...We have budgeted $450,000 to buy vulnerabilities of a browser and its plugins, which will be used only by us afterwards! ”

Information Security and Risk Management in Context Learn to defend and protect vital company information using the latest technology and defense strategies. Analyze internal and external threats to proactively prevent information attacks. Gain experience by solving real-world problems and leave the class equipped to establish and oversee information security. About the Course Explore the latest techniques for securing information and its systems, from policies and procedures to technologies and audit. Learn from leading experts who share proven practices in areas such as mobile workforce safety, security metrics, electronic evidence oversight and coping with e-crime and e-discovery. Study the protection of Cloud computing information. Discover how to foster the development of future information security leaders. Topics covered include: Information security strategies and individual privacy Legal security implications Medical health record confidentiality and integrity Cutting-edge technologies https://www.coursera.org/course/inforiskman incepe pe 11 decembrie

JPMorgan Chase has warned 465,000 holders of prepaid cash cards that their personal information may have been obtained by hackers who breached the bank's network security in July, according to a report published Thursday. JPMorgan issued the cards on behalf of corporations and government agencies, which in turn used them to pay employees and issue tax refunds, unemployment compensation, and other benefits, Reuters reported. In September, bank officials discovered an attack on Web servers used by its www.ucard.chase.com site and reported it to law enforcement authorities. In the months since, bank officials have investigated exactly which accounts were involved and what pieces of information were exposed. Wednesday's warning came after investigators were unable to rule out the possibility that some card holders' personal data may have been accessed. The bank usually keeps customers' personal information encrypted, but during the course of the breach, data belonging to notified customers temporarily appeared in plaintext in log files, Reuters said. The notified card holders account for about two percent of the roughly 25 million UCard users. The bank is offering affected card holders a year of free credit-monitoring services. sursa: Hack on JPMorgan website exposes data for 465,000 card holders | Ars Technica

On the 4th of December the German Federal Criminal Police Office (BKA) issued a press release stating they had arrested two suspects for computer crimes, with the support of GSG 9 (A German special operations unit). The release detailed that the two suspect has reportedly modified, distributed and used existing malware as part of a botnet, which had been responsible for mining over 700,000 euros worth of bitcoins (which have now been confiscated). There was also evidence found of other crimes committed, such as: fraud and distribution of copyrighted pornographic material. The full press release is in German but can be read here. Skynet is a botnet that uses a modified version of the Zeus banking trojan, communicates using the IRC protocol (through TOR), and primarily mines bitcoins as well as harvesting banking information. The botnet is thought to be one of the first to use a TOR hidden service for a command and control server in order to evade sinkholing. The author gained a large amount of media publicity in late 2012 due to his usual openness about his illegal activities, mainly on twitter and reddit (in the form of an "Ask Me Anything" thread). Although it cannot be confirmed that the pair arrested were those behind the Skynet botnet, the author hasn't tweeted since the alleged arrest and multiple sources who have worked closely with him have confirmed he was arrested. The story syncs up with the skynet author's operations such as selling banking information, mining bitcoin, using modified malware, and running a porn site. A day prior to the alleged arrest the author appeared to be working on upgrading the Skynet malware to use a modified version of the leaked carberp bootkit, allowing the malware to start before antiviruses and run with kernel mode privileges. sursa: MalwareTech: Infamous Skynet Botnet Author Allegedly Arrested despre skynet: https://rstforums.com/forum/75085-skynet-tor-botnet-analiza-sample.rst

Download CyberGhost 5 VPN: Download-Adventskalender - CHIP Licenta: CyberGhost VPN Registration Service Licenta e posibil sa functioneze si cu versiunea in engleza. Sursa: http://malwaretips.com/Thread-Giveaway-CyberGhost-5-VPN-12-months-code