Usr6

Everything posted by Usr6

  1. 50,000,000 usernames and passwords lost as LivingSocial "special offers" site hacked

LivingSocial, the online offers site owned in largish part by Amazon, has just emailed its userbase, said to be 50,000,000-strong, to fess up to a data breach. That's right: another day, another shed-load of password hashes in the hands of crooks. At least LivingSocial's password database was salted and hashed, which reduces the impact of the breach a lot.

Naked Security reader Chris, from Melbourne, Australia, kindly sent us a copy of the notification email he received:

    LivingSocial recently experienced a security breach on our computer systems that resulted in unauthorised access to some customer data from our servers. We are actively working with the authorities to investigate this issue. The information accessed includes names, email addresses, the date of birth of some users, and encrypted passwords; technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

To revise password storage quickly: don't store the actual password. Store a random string of characters instead, combine the password and this random string (that's "salting" the string to vary its flavour), and pass the salted password through a non-reversible cryptographic function to get a message digest code (that's "hashing" the data by slicing, dicing and stirring together the salted input in a digital mixing bowl).

A crook can check to see if your password is, say, s3cr3cy by salting-and-hashing himself, but he has to start with a guess, because he can't go back from the hash to your password. That's why easy-to-guess passwords are bad: the crooks crack them first.

Note: You often hear the term "hashed and salted", as in the email above, but technically you salt and then hash, otherwise the salt wouldn't get mixed into the hash calculation.

The silver lining I'm always determined to find when SNAFUs like this occur is that LivingSocial took the opportunity to sneak an additional, and pertinent, security reminder into its breach notification:

    Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to login – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

Good advice, not least because cybercrooks love to take security announcements, from patches and updates to breach notifications, and use them to try to get new victims on the hook. And it's just when you're expecting a notification from a company you do business with that you are at the greatest risk of believing emails that you'd probably discard out of hand at any other time.

Note: Never click on login links contained in emails. A reputable company will never send you such emails, precisely so you can assume that all email-borne login links are bogus, and ignore them. The same sort of reason why many jurisdictions require game hunters, whom you'd expect to sneak around in camouflage, to wear conspicuously lurid and unnatural-looking jackets. If you're dressed entirely unlike any other animal on Planet Earth, you won't be mistaken for one.

If you read LivingSocial's online warning, you will see a further suggestion on what to do next:

    We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

That's also good advice, but a few more words would have made it even better: if you've used the same password on multiple sites, change the passwords on those sites so that they are all different.

And if you are in the habit of re-using passwords, don't wait until one of your accounts gets hacked before you go and change all those common passwords. The whole idea of using different passwords on different sites is to avoid what you might call a "race to the bottom," where all your logins end up as insecure as the slackest, sloppiest, weakest site on the list. And if you struggle to come up with decent passwords, fear not: watch fellow writer Graham Cluley's venerable and amusing video, which gives you a surprisingly easy and effective technique to stay off the "easily guessed" password lists.
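The salt-then-hash scheme the article describes, as an added example (not code from the article or from LivingSocial). It stores a random salt and the digest of salt+password, verifies a login by recomputing, shows that two users with the same password end up with different stored digests, and shows why the "hash then salt" order the article's note warns against adds nothing: the digest part is identical to the unsalted hash. SHA-256 is used here only to keep the illustration short; the passwords and wordlist are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample inputs for this added example (not data from the LivingSocial breach).
SAMPLE_PASSWORD = "s3cr3cy"
SAMPLE_WORDLIST = ["password", "123456", "s3cr3cy", "letmein"]


def salt_and_hash(password: str, salt: bytes) -> bytes:
    """Salt first, then hash: the salt is part of the digest's input."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def create_record(password: str) -> dict:
    """What the site stores: a fresh random salt and the digest, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": salt_and_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    return hmac.compare_digest(record["digest"], salt_and_hash(candidate, record["salt"]))


def unsalted_digest(password: str) -> bytes:
    """Plain hash with no salt, for comparison."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_then_salt(password: str, salt: bytes) -> bytes:
    """The wrong order from the article's note: hash first, then append the salt.
    The first 32 bytes equal unsalted_digest(), so the salt never enters the calculation."""
    return unsalted_digest(password) + salt


def same_password_same_digest(password: str) -> bool:
    """Two accounts with the same password: with per-user random salts their stored
    digests differ, so one precomputed table cannot match both. Returns False."""
    a = create_record(password)
    b = create_record(password)
    return a["digest"] == b["digest"]


def guesses_needed(record: dict, wordlist: list) -> int:
    """Number of candidates that must be salted-and-hashed before the stored digest
    matches (1-based), or -1 if the password is not in the list. This is the
    'start with a guess' step the article describes, and why guessable passwords fall first."""
    for position, word in enumerate(wordlist, start=1):
        if verify(record, word):
            return position
    return -1
```

In a real system the hash step would be a deliberately slow, tunable function such as PBKDF2, bcrypt or scrypt rather than one SHA-256 call, so that each guess costs the checker far more; the salting logic is unchanged.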
  2. Rootkits are dangerous programs that are downloaded from the Internet, or present in malicious purchased software, that once installed take over your computer without your knowledge. Rootkits can do anything from logging every one of your keystrokes, including user names and passwords, email messages or even your word processing documents and sending that data off to hackers, to executing programs in the background without your knowledge or permission. And there's nothing that you can do about it unless you take the time right now to install Radix. It's your best hope against combating Rootkit Attacks.

Here's what Radix does...

  • Detects and removes Rootkits using sophisticated methodologies.
  • Detects and repairs drivers that have been modified by Rootkits.
  • Detects and repairs computer processes modified by Rootkits.
  • Detects and reveals hidden processes and files, including Alternate Data Streams (ADS).
  • Detects MBR Rootkits.
  • Allows the removal of "locked" or "unremovable" processes and files.
  • Provides the ability to dump memory areas from processes.
  • Shows the Global Descriptor Table (GDT) for advanced Rootkit Detection capabilities.
  • Shows the Import Address Table (IAT) for advanced Rootkit Detection capabilities.
  • Shows the Interrupt Descriptor Table (IDT) for advanced Rootkit Detection capabilities.
  • Shows and fixes rootkits found in the Service Dispatcher/Descriptor Table (SDT).
  • Shows hidden Registry Keys.
  • Operates in both command line mode for power users, or as a graphical tool for regular users.
  • Shows and terminates all kinds of Windows Handles.
  • Allows removal scripts to be run to help in rootkit removal.
  • Detects SYSENTER Rootkits.
  • Detects hidden Services.
  • Detects hidden Handles / Registry Callbacks.
  • Object handling routines (ParseProcedure)
  • Windows 7 support

Download: http://www.usec.at/downloads3/radix_installer.zip

Although this software is free, please donate to help support the software and site costs.

Source: usec.at - Radix Anti-Rootkit
  3. In a recent spearphish campaign, a malicious Word document was used to infect the email recipient. I was able to find an interesting tool and used it to recreate the Word document. Before we get to that, let's do a quick analysis on the document...

Here we see the Word document with an embedded object:

Viewing the file with Notepad, we can see that this is an RTF file and definitely looks suspicious.

A little way down, we can see a NOP sled.

Let's use OfficeMalScanner to extract the objects and confirm our suspicions.

Looks like we have to use RTFScan instead.

RTFScan tells us that there are matching shellcode signatures in the OBJDATA section. Then it dumps a single OLE object and suggests that we run OfficeMalScanner again.

The OLE object is rather small considering the original "file.doc" file is 791KB. Something is wrong. Here's what the OLE file looks like:

Let's have a look at the original Word file again. This time we notice the magic for Word in hex code.

What if we strip away the original RTF headers and make this file look like a Word document? Maybe then OfficeMalScanner can extract the hidden binaries. With a hex editor, we do just that.

Since this is hex, we need to convert it to binary and write it out to a file.

We can open this file called "file.doc_" which has the Word magic at the beginning.

Now we copy the rest of the binary code from the original "file.doc" file and paste it to the bottom.

Now let's run OfficeMalScanner on this modified file using its scan and brute options... and hope this actually works.

Great, it does! OfficeMalScanner finds the XOR key and is able to extract two embedded files.

The first file appears to be a Word document. And opens in Word with a warning.

The other file is an executable.

You can actually do this the long way and carve out the embedded objects from the Word document manually, but this would take more time than what's necessary. Thanks to Frank Boldewin's tool and a little tweaking, we can get the job done fast!

The exploit used is CVE-2012-0158 and seems to have very good coverage on VirusTotal (31 / 46).

Here is the tool I used to recreate the malicious Word document. Actually I found two. It would be irresponsible to share these files so don't bother asking. Sorry!

Filename: Word-2013.1.8.exe
MD5: ea7084ef5faa8c7721ab163cb6cb58d2

Filename: MS10-087.exe
MD5: 2898479123b90278cfc7b30ddd9c4bd6

Source: Dissecting a Malicious Word Document | Kahu Security
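The carving step described above (decode the hex in the RTF object data, find the Word compound-file magic D0 CF 11 E0 A1 B1 1A E1, and write out everything from that point), as an added example; this is not Kahu Security's or OfficeMalScanner's code. The RTF sample is constructed inline so the script runs offline; a real document's objdata may interleave other control words, which this minimal parser does not handle.

```python
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file magic ("Word" magic in the article)

# Constructed sample: an OLE 1.0-style prefix (12 bytes) followed by a compound-file header
# and some filler, wrapped in an RTF \objdata hex run split across lines the way RTF writers do.
FAKE_OBJECT = bytes.fromhex("01050000020000000b000000") + OLE_MAGIC + b"\x00" * 24 + b"FAKE-STREAM-DATA"
_HEX = FAKE_OBJECT.hex()
SAMPLE_RTF = (
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata\n"
    + "\n".join(_HEX[i:i + 32] for i in range(0, len(_HEX), 32))
    + "\n}}\\par hello}"
)


def extract_objdata(rtf_text: str) -> list:
    """Return the decoded bytes of every \\objdata hex run in an RTF document.
    Only hex digits are kept, so line breaks and spaces inside the run are ignored."""
    blobs = []
    for match in re.finditer(r"\\objdata\b([^{}]*)", rtf_text):
        hexdigits = re.sub(r"[^0-9A-Fa-f]", "", match.group(1))
        if len(hexdigits) % 2:          # odd digit count: truncated run, drop the dangling nibble
            hexdigits = hexdigits[:-1]
        if hexdigits:
            blobs.append(bytes.fromhex(hexdigits))
    return blobs


def carve_ole(blob: bytes) -> tuple:
    """Locate the compound-file magic inside an object blob and return (offset, carved_bytes).
    This is the manual 'strip the headers so the file starts with the Word magic' step.
    Returns (-1, b'') when the magic is absent."""
    offset = blob.find(OLE_MAGIC)
    if offset < 0:
        return -1, b""
    return offset, blob[offset:]


def carve_from_rtf(rtf_text: str) -> list:
    """End to end: decode each objdata run and carve the embedded compound file from it."""
    results = []
    for blob in extract_objdata(rtf_text):
        offset, carved = carve_ole(blob)
        if offset >= 0:
            results.append((offset, carved))
    return results


if __name__ == "__main__":
    for offset, carved in carve_from_rtf(SAMPLE_RTF):
        with open("carved.doc_", "wb") as fh:     # same idea as the article's file.doc_
            fh.write(carved)
        print(f"compound file found at object offset {offset}, {len(carved)} bytes written")
```

The written file is a starting point for OfficeMalScanner's scan and brute options, exactly as in the walkthrough; the magic check alone does not prove the carved bytes are a well-formed document.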
  4. Windows (Mac, Android, iOS coming soon): There are a ton of online syncing and storage services, but not all of them locally encrypt your data for higher security. Just out of limited beta, Tresorit is a new Dropbox alternative with client-side encryption. The company offers 5GB of free space, but for a limited time Lifehacker readers can grab 50GB free for life.

Tresorit's biggest selling point is the strong security. Your files and folders are encrypted before they're uploaded to the cloud. To get technical about it:

  • Files are encrypted with AES-256 before being uploaded to the cloud.
  • Additional security is provided before upload by HMAC message authentication codes applied on SHA-512 hashes.
  • Encrypted files are uploaded to the cloud using TLS-protected channels.

The company is also putting its money where its mouth is: On April 15, Tresorit is inviting the world's hackers to try to break its encryption and win $10,000. So Tresorit is pretty confident in its security claims.

The Windows software (Mac, Android, and iOS versions coming before June) is also really easy to use. You can select any folder to be synced (as a "Tresor"), share folders with other users, and also adjust permissions of shared folders by user.

On the downside, there's no web-based access for your files, people you share folders with will also need the software installed, and it takes a few seconds longer for your synced files to appear on another computer (probably because of the encryption that has to happen first).

Other Dropbox alternatives with client-side encryption, SpiderOak and Wuala, have more features, but Tresorit's interface is a lot more user-friendly. And it's hard to beat 50GB of free encrypted space.

If you want to try it out, you'll need to register via the link below to get the 50 gigs free. This offer is good until May 20.

Update: Some people are reporting only getting 5GB. Tresorit has fixed the glitch, so it should work fine now, but if you were one of these people, email support@tresorit.com and they'll set you up with the 50GB. Also, you can follow @tresorit on Facebook or Twitter to be notified when Mac and mobile apps are available.

Tresorit

Source: Get 50GB of Free, Encrypted Online Storage from Tresorit
  5. Only a few days remain until the Facebook Home interface, which turns an Android phone into a Facebook phone, debuts in the Google Play app store. Before downloading and installing the app, users should know what risks they are exposing themselves to. Bianca Dima, security researcher at the digital security company Bitdefender, explained for gândul how the data mined from the phone could be used by the social network and how hackers could take advantage of the new app.

"The Facebook Home app aims to change the way users interact with the social network into something faster, friendlier and more energetic. Shifting the focus from desktop to mobile, however, can bring a series of data security risks. Along with users, advertisers and scammers will move their business 'headquarters' to Facebook Home," says Dima.

According to her, Facebook has announced that roughly the same data will be collected as in the standard, web-based version of Facebook, but it has not given many details about location: "Location is not that relevant to advertisers when we use the social network from a computer that is always in the same place. With the mobile app and the transmission of information on the go, in real time, location will be relevant not only to advertisers but also to hackers."

The data collected by the new app can also be used for spear phishing attacks, the theft of personal information of specific individuals or companies. Cybercriminals can gather location data and other personal information through social engineering and whaling, attacks that target managers or other people in key positions. Moreover, we can expect the dangerous apps and viruses that spread on the classic version of the social network to propagate even more easily through Facebook Home. "One of the most widespread such apps is the one that invites users to click on a video of a celebrity caught in compromising situations. This trick lets cybercriminals infect mobile phones with viruses, stealing their personal and banking data or pushing ads and other scams on their Facebook accounts," Bianca Dima explained for gândul.

Facebook Home is risky if used on work phones

Companies also expose themselves to major risks when they have adopted a BYOD (Bring Your Own Device) policy. The mobile phones used by employees are a problem in themselves because data traffic goes over 3G, not through the company's gateway. A single vulnerability in the Facebook Home app can infect the company's entire network, says Dima, causing financial and reputational damage, when the phone connects to it through a wireless (Wi-Fi) access point.

What is at stake for advertisers

Facebook Home opens a new era in advertising, allowing companies to deliver ads for products/services that are nearby. "This trend could lead to regional malvertising, targeted at the customers of a specific company. Ads on Facebook Home could be not only better targeted but also aggressive. They can be used to collect personal data, later sold or distributed to advertising companies or other entities, without explicitly informing the user about it. A study recently carried out by Bitdefender in Romania shows that the volume of aggressive ads targeting Android users grew by 76.2% between September 2012 and February 2013," the Bitdefender analyst explains.

At the moment, the share of users who have installed and updated a mobile antivirus solution is small. Lack of awareness of the dangers on Android can lead to an increased number of viruses and fraudulent links distributed on Facebook Home. Android viruses are growing at a significant rate from one month to the next and are becoming harder and harder to detect for ordinary smartphone users, who are not careful enough about their phone's security. "It is in the interest of Facebook and of the companies that sell advertising through Facebook Home for our profile to be as open to the general public as possible. Still, users will be able to change the privacy level of the messages they share by modifying the default settings. Users can also untick the location permissions, which they will find in the phone's settings," recommends Bianca Dima.

Source: Bitdefender, pentru Gândul: Ce riscuri de securitate aduce interfața Facebook Home - Gandul
  6. Prosecutors of the Directorate for Investigating Organised Crime and Terrorism (DIICOT) have detained nine people from Craiova, accused of being part of a group that manufactured, distributed and mounted skimming devices on ATMs in European Union states, Cambodia and Korea. According to a DIICOT statement, the copied identification data was used to forge electronic payment instruments, which were later used to make withdrawals or fraudulent financial transactions.

On 5/6 April 2013, based on information supplied by DIICOT prosecutors, the French judicial authorities detained four members of the group in France. Likewise, on 8 April, DIICOT prosecutors caught another three members of the group within the city of Craiova while they were transporting skimming devices and equipment in a car.

On Monday, DIICOT prosecutors carried out 18 house searches in Dolj and Hunedoara counties, at the homes of the group's members, in order to identify evidence. The investigation was carried out together with judicial police officers from BCCO Craiova and with the support of staff from SAS - IPJ Dolj, SCCO Gorj and IJJ Craiova, with IT support provided by DIPI Dolj and SOS Craiova. DIICOT is cooperating with the French judicial authorities in handling the case. Some of the group's members were previously sent to trial in 2012 for committing cybercrimes. AGERPRES

Source: DIICOT: Nouă persoane din Craiova, reținute pentru falsificare de carduri bancare
  7. I'm pleased to announce the release of version 4 of the REMnux Linux distribution for reverse-engineering malicious software. The new version includes a variety of new malware analysis tools and updates the utilities that have already been present on the distro. What's new in REMnux v4? See the details below and register for a free webcast where I will showcase some of the key additions. You can download the latest release at REMnux.org.

What's New in REMnux v4

REMnux is now available as an Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.)

Key updates to existing tools and components:

  • Core system: Upgraded the underlying Ubuntu OS components and packages; increased default RAM of the virtual appliance to 512MB; replaced OpenJDK with Oracle Java 7 runtime.
  • Memory analysis: Updated Volatility to version 2.2.
  • PDF analysis: Updated pdfid and pdf-parser, Origami, peepdf.
  • Web analysis: Updated SWFTools, V8, libemu, NetworkMiner, Burp Proxy, Wireshark, Firefox and its add-ons.
  • Other changes: Updated xorsearch, DensityScout, Pyew, passive-dns, ClamAV, capabilities.yara; replaced FreeMind with XMind.

New tools added to REMnux:

  • Windows tools: Installed Wine; added OfficeMalScanner, Malzilla.
  • XOR analysis: Added NoMoreXOR, brutexor, XORBruteForcer.
  • PE file analysis: Added pev, dism-this, ExeScan, udis86 (udcli), autorule (/usr/local/autorule), distool.
  • Other file analysis: Added extract_swf.py, ExifTool, MASTIFF.
  • Other additions: Added hack-functions (/usr/local/hack-functions), bulk_extractor, ProcDot.

Getting Started With REMnux

The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.

The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis.

If you find REMnux useful, take a look at the reverse-engineering malware course that my colleagues and I teach at SANS. It makes use of REMnux and various other tools.

Tune into the webcast I'll conduct to highlight some of the additions to the latest version of REMnux. If you haven't already, download the REMnux distro at REMnux.org.

Thank you to the developers of the OS and tools installed on REMnux for their contributions to the community. Thank you to the individuals who provided feedback, instructions and recommendations for improving the REMnux distribution.

Source: New Release of REMnux Linux Distro for Malware Analysis
  8. Summary

Last December, our senior malware researcher (Mr. Abhishek Singh) posted an article about a Trojan which could detect mouse clicks to evade sandbox analysis. Interestingly, we have found another spear phishing document that downloads malware which incorporates improved mouse click detection anti-sandboxing capability. It also leverages multiple advanced evasion techniques to achieve stealth and persistent infection. The name of the malicious document translates to "Islamic Jihad.doc". Hence, we suspect that this weaponized document was used to target the governments of the Middle East and Central Asia.

This new malware is significant for several reasons:

  • It detects multiple mouse clicks: In the past, evasion methods using mouse clicks only detected a single click, making the malware fairly easy to overcome.
  • The callback goes to a legitimate URL: Often when malware performs its callback, the communication goes directly to the CnC server. In this case, the callback goes to a legitimate URL shortening service, which would then redirect the communication to the CnC server. Automated blocking technologies are likely to block only the URL shortening service and not the CnC server.
  • It has anti-forensic capability: This malware doesn't kick into high gear immediately. Instead it requires an Internet connection for malicious code to be downloaded to memory and executed. Unlike predecessors that are very obvious and immediately get to work, this malware is merely a husk and its true malicious intent could only be found in the downloaded code. This prevents forensic investigators from extracting the "true" malicious code from the disk.

Overall, this malware was observed to send information about the computer and set up a backdoor for remote access. This backdoor provides the attacker the flexibility on how malicious activities could be executed.

Technical Analysis: How Does it Work?

After opening this malicious document, it attempts to download an XOR encoded binary (using a two byte XOR key) for the stage one payload. It was also observed that the attacker leveraged a shortened URL to "hide" malicious domains from automated analysis technologies. After investigation, the malicious domain was found to be recently registered. See Figure 1 for the first stage download scenario.

Figure 1: Stage One Download

The attacker has designed the stage one malware to be merely a husk. Having the decrypted executable file alone would not be useful in understanding its intent. This is because a majority of the malicious code is only available after downloading the second stage payload. The second stage payload was available as a fake "JPEG" file from the malicious server. By designing the malware this way, it makes it harder to perform incident response and facilitates easy updating of the malicious code. Again, in this second stage download, the malicious domain was not found in the malware. It made use of the dynamic DNS service provided by "NO-IP" to indirectly access the malicious domain. See Figure 2 for the second stage download scenario. The technical details of each component (shellcode and payload) will be further elaborated.

Figure 2: Stage Two Download

Shellcode Analysis

The spear phishing document was in RTF format which, as designed, loads MSCOMCTL.ocx and exploits CVE-2012-0158. By executing return at 0x27606EFF, it will load EIP with address 0x27583C30, which translates to JMP ESP, to execute shellcode in the stack. See the figure below.

Figure 3: Stack Corruption To "JMP ESP"

Like most modern shellcode, its stub decrypts its body using a simple XOR key (see Figure 4). By stepping through the shellcode, it attempts to download hxxp://ow.ly/iGKKT and saves it to the temp directory with a file name prefixed with "moo", e.g., "moo1.tmp" (see Figure 5). It is important to note that "ow.ly" is not a malicious domain. Instead, it is a URL shortening server. It is believed that the rationale for such indirect access is to defeat automated URL blacklisting. Figure 6 depicts how a malicious URL could be shortened using this service.

Figure 4: Single Byte XOR Key 0xF1
Figure 5: URLDownloadToFileA
Figure 6: URL Shortening Service

From the network traffic, it is obvious that the real malicious content is located at hxxp://symbisecure.com/update/winword.pkg (see Figure 7). As an executable file usually contains many zeros in series, the zeros would become the XOR key when XOR encoded. For example, 0xAA xor 0x00 equals 0xAA. By examining the content using a hex editor, it is obvious that "9E 44" is repeated many times. Hence, by trying 0x449E (little endian) as an XOR key, it is revealed to be a PE file. At offset zero, it is decrypted to be "MZ"; at offset 0x3C, it is decrypted to be 0x000000E0; and at 0x000000E0, it is decrypted to be PE (see Figure 8). By generalizing this idea, the single or double byte XOR key can be seen as a dword XOR key as it repeats over itself. For example, the 0x449E XOR key could be seen as 0x449E449E. By counting the DWORD with the highest occurrence, it could be a probable XOR key if the file is XOR encrypted. This should work for samples that are XOR encrypted with a 1-, 2- or 4-byte key, but not a 3-byte key.

Figure 7: Stage 1 Download Content
Figure 8: Double Byte XOR Encrypted Payload

Payload Analysis

Even though "winword.pkg" is an executable husk to host malicious code downloaded at the second stage, it contains a mouse-click check to detect human behaviors. Only if the number of left clicks is three or more will the malware proceed further to download the second stage payload, the true malicious code (see Figure 9 and Figure 10).

Figure 9: Track Number of Left Clicks
Figure 10: Proceed If Left Click Count Is Three Or More

After the malware detects sufficient mouse clicks, it proceeds to decrypt its malicious URL to download the second stage payload (see Figure 11). By following the TCP stream (see Figure 12) and examining the header of the downloaded JPG file, it is obvious that the downloaded content is not a JPEG file. By doing so, it effectively downloaded executable content that does not conform to the PE format, to defeat network binary extraction. A legitimate JPG file should contain the byte sequence "FFD8FFE0xxxx4A46494600" at offset zero, where "4A464946" corresponds to "JFIF". Below is the hardcoded URL and user-agent used by this malware sample.

URL: hxxp://kibber.no-ip.org/adserv/logo.jpg
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)

Figure 11: Malicious Domain Decryption
Figure 12: Fake JPG

After the JPG file is downloaded and executed directly in memory, it achieves persistence by creating a shortcut link file in the start up folder. This link file will execute a copy of itself located at "C:\ProgramData\Google2\GoogleUpdate.exe" (see Figure 13). It would look legitimate to users as it masquerades as a legitimate Google Updater. It "would" appear normal if it attempts to access the Internet. In comparison, the real "GoogleUpdate.exe" resides in the "program files" directory instead of "program data" (see Figure 14).

Figure 13: Persistence Mechanism
Figure 14: Genuine GoogleUpdate.exe

The downloaded "JPG" file was analyzed to be a backdoor on the victim's machine. It lists the running processes, IP configuration, and directories of root drives (C to H) as depicted in Figure 15. This information is posted to hxxp://symbisecure.com/adserv/get.php in Base-64 format. After decoding, it is interesting that it begins with a tag named "BaneChant". After doing a quick search, it seems to be a sound track composed by Hans Zimmer for the movie "The Dark Knight Rises" (see Figure 16). This is the reason we name this malware Trojan.APT.BaneChant.

Figure 15: Commands Executed
Figure 16: Exfiltrated Computer Information

As depicted in Figure 17, the malware could perform other tasks as listed below.

  • Command 'g': Download and execute a file. The downloaded file has a temporary file name prefixed with "java".
  • Command 'i': Run downloaded code (fileless) as a separate thread. The user-agent used is "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko)".
  • Command 'x': Download and execute, followed by an uninstallation of "GoogleUpdate.exe". The downloaded file has the same prefix "java".
  • Command 'u': Uninstall "GoogleUpdate.exe".

Figure 17: Backdoor Access

Conclusion

As defense technologies advance, malware also evolves. In this instance, we could see that the malware has performed a number of tricks to defeat detection. It attempts to:

  • Evade sandbox by detecting human behaviors (multiple mouse clicks);
  • Evade network binary extraction technology by performing multi-byte XOR encryption on the executable file;
  • Social engineer the user into thinking that the malware is legitimate;
  • Avoid forensics and incident response by using fileless malicious code; and
  • Prevent automated domain blacklisting by using redirection via URL shortening and Dynamic DNS services.

Source: Trojan.APT.BaneChant: In-Memory Trojan That Observes for Multiple Mouse Clicks | FireEye Blog
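The two analyst checks from the post above, as an added example (not FireEye's code and not the BaneChant sample): the "most frequent aligned DWORD" XOR-key recovery for the stage-one download, confirmed by the same MZ / e_lfanew / PE checks the analysis describes, and the JFIF header test for the fake "logo.jpg" second stage. The stage-one input is a constructed, mostly-zero PE-shaped buffer encoded with the article's 0x449E key; it generalises to 1- and 4-byte keys for the reason the post gives (the key repeats over itself), and the test exercises the shellcode's single-byte 0xF1 key as well.

```python
import struct
from collections import Counter


def build_fake_pe(size: int = 0x200) -> bytes:
    """Constructed stand-in for an executable: MZ at 0, e_lfanew at 0x3C pointing to
    'PE\\0\\0' at 0xE0, and long runs of zeros like a real binary. Not the real sample."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = struct.pack("<I", 0xE0)
    buf[0xE0:0xE4] = b"PE\x00\x00"
    buf[0x100:0x110] = b"constructed-text"
    return bytes(buf)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


KEY_2BYTE = bytes.fromhex("9E44")                 # 0x449E little-endian, as seen on disk
SAMPLE_STAGE1 = xor_with_key(build_fake_pe(), KEY_2BYTE)   # constructed winword.pkg stand-in


def guess_dword_key(data: bytes) -> bytes:
    """Most frequent 4-byte-aligned DWORD. Zero runs in the plaintext come out as copies
    of the repeating key, so a 1-, 2- or 4-byte key shows up as the top DWORD; a 3-byte
    key does not align with 4-byte windows and is not recovered this way."""
    counts = Counter(data[i:i + 4] for i in range(0, len(data) - 3, 4))
    return counts.most_common(1)[0][0]


def looks_like_pe(data: bytes) -> bool:
    """The article's confirmation: 'MZ' at 0, e_lfanew at 0x3C, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_stage1(data: bytes) -> tuple:
    """Return (key_guess, decoded) when the guess yields a PE image, else (key_guess, None)."""
    key = guess_dword_key(data)
    decoded = xor_with_key(data, key)
    return key, (decoded if looks_like_pe(decoded) else None)


def looks_like_jpeg(data: bytes) -> bool:
    """JFIF check from the article: FF D8 FF E0 xx xx 'JFIF' 00 at offset zero.
    Anything served as .jpg that fails this deserves a closer look."""
    return len(data) >= 11 and data[:4] == b"\xFF\xD8\xFF\xE0" and data[6:11] == b"JFIF\x00"


# Constructed second-stage stand-ins: executable bytes served as logo.jpg, and a real JFIF header.
SAMPLE_FAKE_JPG = b"MZ" + b"\x90" * 40
SAMPLE_REAL_JPG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01"

if __name__ == "__main__":
    key, decoded = decode_stage1(SAMPLE_STAGE1)
    print("key guess:", key.hex(), "-> PE recovered:", decoded is not None)
    print("logo.jpg is a real JPEG:", looks_like_jpeg(SAMPLE_FAKE_JPG))
```

On a real download, run guess_dword_key over the whole file; if looks_like_pe fails on the result, the sample is either not XOR-encoded with a 1-, 2- or 4-byte key or its plaintext has too few zero runs for the key to dominate the count.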
  9. Hacktivist group Anonymous has launched a second massive cyber attack against Israel, dubbed #OpIsrael. The collective threatens to "disrupt and erase Israel from cyberspace" in protest over its mistreatment of Palestinians. Dozens of Israeli websites were unavailable as of early Sunday.

In a video message posted on YouTube, Anonymous said that on April 7, "elite cyber-squadrons from around the world have decided to unite in solidarity with the Palestinian people against Israel as one entity to disrupt and erase Israel from cyberspace."

Addressing the Israeli government, the group stated: "You have NOT stopped your endless human right violations. You have NOT stopped illegal settlements. You have NOT respected the ceasefire. You have shown that you do NOT respect international law."

Earlier on Saturday, an Anonymous affiliated group identifying itself as The N4m3le55 cr3w announced that they "have gathered 600 websites and 100 plus servers we will be attacking" throughout Israel. The list includes banks, schools, businesses and a host of prominent government websites. "That is just our targets," the group warned. "We cannot speak on what the rest of Anonymous will be attacking but we can guarantee it will be in the 1000's."

The massive cyber attack falls on the eve of Holocaust Memorial Day. Anonymous has accused the Israeli government of mistreating its own citizens, violating treaties, attacking its neighbors, threatening to shut down the Internet in Gaza and ignoring "repeated warnings" about human rights abuses.

"The estimations are that [the cyber-attacks] will reach an unusual level that we have never seen before," Deputy Information Security Officer Ofir Cohen said in an e-mail sent to Knesset employees on Thursday, The Jerusalem Post reported. Cohen added that the E-government – the Israeli government's information security body – and the Knesset's internet service provider (ISP) are working to block the attack.

On Wednesday, thousands of Israeli Facebook users were infected by a virus, although its effects at this point appear to be minimal. On Friday, Israeli radio reported that scores of large organizations had closed their websites to shield them from hacker attacks.

Despite the impending threat, Lior Tabansky, a fellow at the Yuval Ne'eman Workshop for Science, Technology, and Security of Tel Aviv University, told the Times of Israel that distributed denial of service (DDoS) attacks, which work by overwhelming targeted servers with traffic which stems from multiple systems, are the only tool at the hackers' disposal.

"Unless they have names and passwords, [DDoS] is really their only attack strategy. Unfortunately, there is little a company can do to stop it, but it is not the major cyber-threat many people, especially in the media, believe it to be. It's more of an annoyance, and if they do manage to intimidate sites into submission, the victory will be one of public relations."

Yitzhak Ben Yisrael, of the government's National Cyber Bureau, told AP that hackers had mostly failed to shut down key sites. "So far it is as was expected, there is hardly any real damage," Ben Yisrael indicated. "Anonymous doesn't have the skills to damage the country's vital infrastructure. And if that was its intention, then it wouldn't have announced the attack ahead of time. It wants to create noise in the media about issues that are close to its heart."

However, other experts have warned that the hackers may attempt to deploy malware such as "Trojan horses", which can steal information and harm host computer systems.

Meanwhile, an official from the Hamas movement praised the attack. "God bless the minds and the efforts of the soldiers of the electronic battle," Ihab Al-Ghussian, Gaza's chief government spokesman, wrote on his official Facebook page, AP reported.

Anonymous launched the first 'OpIsrael' cyber-attacks in November 2012 during Operation Pillar of Defense, an eight day Israeli Defense Force (IDF) incursion into the Gaza Strip. Some 700 Israeli websites suffered repeated DDoS attacks, which targeted high-profile government systems such as the Foreign Ministry, the Bank of Jerusalem, the Israeli Defence Ministry, the IDF blog, and the Israeli President's official website. The Israeli Finance Ministry reported an estimated 44 million unique attacks on government websites over a four day period.

Following 'OpIsrael,' Anonymous posted the online personal data of 5,000 Israeli officials, including names, ID numbers and personal emails. The group also took part in an attack in which the details of some 600,000 users of the popular Israeli email service Walla were released online.

http://rt.com/files/news/1e/a0/80/00/18.jpg
http://rt.com/files/news/1e/a0/80/00/17.jpg

Source: Anonymous launches massive cyber assault on Israel — RT News
  10. According to a report from a Russian newspaper, a group of 20 people who served as its malware development team were arrested by the Sluzhba Bezpeky Ukrayiny and the Federalnaya sluzhba bezopasnosti Rossiyskoy Federatsii (federal security service of Russia, FSB) in cities around Ukraine. Over $250 million has been stolen by the members of the botnet ring, which had roughly 20 members aged between 25 and 30.

“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialized banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” said Ilya Sachkov, chief executive of Group-IB.

As recently as December, Carberp fetched $40,000 per kit. Carberp malware was used as part of the "Eurograbber" botnet system uncovered late last year that went after both PCs and smartphones in its financial fraud campaign. Like other banking Trojans, Carberp could intercept information which could be used to break into online banking accounts and transfer funds. Its mobile component allows criminals to steal mobile transaction authentication numbers (mTANs) sent by banks to authorize specific transactions.

Each of them worked remotely, and was responsible for the development of one part of the malware, officials said. Carberp was constantly modified and updated to ensure it would evade antivirus detection. If found guilty, under current law, they could face up to five years in prison.

Source: Carberp botnet developers team arrested in Russia - Hacking News

On the same subject:
Carberp Trojan developers arrested in Ukraine
http://www.zdnet.com/suspected-hackers-behind-carberp-botnet-eurograbber-arrested-7000013580/
http://itsecuritypro.co.uk/2013/04/05/20-carberp-coders-arrested-in-russia-and-the-ukraine/
  11. Usr6

    Internet

    An explanation of how the Internet works at the protocol level, including IP, UDP, TCP, ICMP, and HTTP. Playlist (8 videos):
  12. The title is a bit sensationalist (OTV-style), I admit.

The story begins with this post https://rstforums.com/forum/67358-cc-checker-validator.rst, reported by a user of this forum (who is thanked) on the grounds that it had content prohibited by the rst rules. Things of this kind being prohibited in this community, I removed the links in question without stopping to check whether or not they were infected.

Today I opened the executable in a text editor to see whether or not it was worth analyzing in more detail:

h t t p : / / p r i v a t e s t u f f s . c o m / b r i g h t - f u t u r e - e x e / b r i g h t . t x t J C : \ W i n d o w s \ S y s t e m 3 2 \ d r i v e r s \ e t c \ h o s t s

Contents of the file "http://privatestuffs.com/bright-future-exe/bright.txt":

108.174.59.2 http://libertyreserve.com
108.174.59.2 www.libertyreserve.com
108.174.59.2 http://www.libertyreserve.com
108.174.59.2 https://libertyreserve.com
108.174.59.2 https://www.libertyreserve.com

Anyone who has opened the file "C:\Windows\System32\drivers\etc\hosts" at least once in their life can work out for themselves what the data above is for.

Apart from the bright.txt file, on that site ("http://privatestuffs.com/bright-future-exe/") there is another file with the same content, "bright.zip".

Conclusion: keep your money in a sock.
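Added here as a worked example (not code from the original post): a small Python checker that parses a Windows-style hosts file and flags the pattern the post describes, a non-local hostname pinned to a remote address, plus the tell-tale scheme prefix ("http://") that no hand-written hosts entry carries. The sample hosts text is constructed for the example and embeds the entries quoted in the post.

```python
import ipaddress

# Constructed sample: two normal loopback lines followed by the entries the post
# found in bright.txt (what a dropper would append to the hosts file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
108.174.59.2 http://libertyreserve.com
108.174.59.2 www.libertyreserve.com
108.174.59.2 https://www.libertyreserve.com
"""

# Hostnames that are legitimately mapped in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return a list of (address, [hostnames]) for every non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Return (address, [hostname], reason) for each entry worth a closer look."""
    findings = []
    for ip_str, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            findings.append((ip_str, names, "unparseable address"))
            continue
        for name in names:
            if "://" in name:
                # A scheme prefix is not valid hosts syntax; it points to an
                # automated overwrite rather than an administrator's edit.
                findings.append((ip_str, [name], "scheme prefix in hostname"))
            elif name.lower() not in LOCAL_NAMES and not (ip.is_loopback or ip.is_unspecified):
                # 0.0.0.0 / 127.0.0.1 blocklist entries are normal; a real
                # remote address for a third-party domain is the redirect pattern.
                findings.append((ip_str, [name], "hostname pinned to remote address"))
    return findings


if __name__ == "__main__":
    for addr, hosts, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason}: {addr} -> {hosts}")
```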
  13. Usr6

    Branding

    Romanian HY Team Romanian HackYard Team. btw, don't make backtrack6 r1 public yet, leave it a few more days, maybe we'll manage to get matasploit pro into it
  14. Usr6

    FileAlyzer

    FileAlyzer is a tool to analyze files – the name itself was initially just a typo of FileAnalyzer, but after a few days I decided to keep it. FileAlyzer allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE). Using FileAlyzer is as simple as viewing the regular properties of a file – just right-click the file you want to analyze and choose Open in FileAlyzer.

    Download: http://www.spybotupdates.com/files/filealyz-2.0.5.57.exe
    md5: D670C0B28E93941AD2FFB774DB271486
    Home page: FileAlyzer | Spybot © ™ - Search & Destroy
  15. update, the 2012 course:

Week 0: Introduction. Bits. Binary. ASCII. Programming. Algorithms. Statements. Boolean expressions. Conditions. Loops. Variables. Threads. Events.
Week 1: C. Source code. Compilers. Object code. Functions. Comments. Standard output. Arithmetic operators. Precedence. Local variables. Types. Casting. Standard input. Libraries. Boolean expressions, continued. Conditions, continued. Loops, continued.
Week 2: Functions, continued. Global variables. Parameters. Return values. Stack. Frames. Scope. Arrays. Strings. Command-line arguments. Cryptography.
Week 3: Linear search. Binary search. Asymptotic notation. Bubble sort. Selection sort. Merge sort.
Week 4: Recursion. Debugging. File I/O. Structures. Pointers. Dynamic memory allocation. Heap.
Week 5: CS50 Library. Pointers, continued. Forensics.
Week 6: File I/O. Linked lists. Stacks. Queues. Hash tables. Trees. Binary search trees. Tries.
Week 7: Huffman coding. Bitwise operators. HTTP. HTML.
Week 8: CSS. PHP. SQL.
Week 9: SQL, continued. JavaScript. Ajax. Design.
Week 10: Security.
Week 11: Life after 50.

playlist:
home page https://www.cs50.net/
  16. Large-scale searches in several counties across the country, but also in the Dominican Republic and England. Around 80 people accused of fraud with cloned cards are targeted. The damage exceeds 2 million euros.

"Prosecutors of the Directorate for Investigating Organized Crime and Terrorism – Central Structure, together with judicial police officers from B.C.C.O. Pitești and IGPR - DCCI, are carrying out 85 house searches in the municipality of Bucharest and the counties of Ilfov, Vâlcea, Vrancea, Brașov, Constanța, Olt, Sălaj, Cluj and Suceava, Brăila, Galați, Giurgiu, Hunedoara, Iași, Neamț, Satu-Mare, the action aiming to dismantle transnational organized criminal groups specialized in committing the offences of unauthorized access to a computer system, possession of equipment for the purpose of counterfeiting and the counterfeiting of electronic payment instruments, putting counterfeit payment instruments into circulation and carrying out fraudulent operations with electronic payment instruments", the DIICOT press release states.

House searches are also being carried out in Germany, the United Kingdom, the U.S.A. and the Dominican Republic.

"The groups targeted by the D.I.I.C.O.T. action are made up of more than 100 people, and the leaders have been identified as Gheară Constantin, known as Tică, 53, Ursu Romeo, known as Boenică, 45, Ghiuri Lucian, known as Piticu, 45, and Șerban Relu, 57. In fact, it is noted that, under their coordination, the members of the groups manufactured skimming equipment, the equipment being subsequently used to copy the identification data of electronic payment means used at various ATM or POS terminals located in the following countries: Germany, Spain, Switzerland, Portugal, France, the United Kingdom, Ecuador, Colombia, Austria. The copied identification data were used to counterfeit electronic payment means, subsequently used to withdraw substantial sums of money in the Dominican Republic, the U.S.A., Japan, Jordan and Nepal", the press release further states.

The damage exceeds 2,000,000 euros.

Source: Percheziții de amploare la FALSIFICATORI DE CARDURI | REALITATEA .NET

On the same subject:
Perchezitii la falsificatorii de... | RTV.net | Romania TV
PERCHEZIȚII în București și 16 județe, la falsificatori de carduri care ar fi retras două milioane de euro - Mediafax
Zeci de percheziții în România și Anglia pentru prinderea unei rețele de hoți din bancomate - portalul de business MONEY.ro
Percheziții la falsificatorii de carduri. Fratele lui Nicu Gheară este printre suspecți | adevarul.ro
Percheziții la falsificatorii de carduri din Constanța - Reporter Neptun TV
Polițiștii caută 100 de falsificatori de carduri. Fratele lui Nicu Gheară, lider al grupării. Prejudiciul, 2 milioane euro
and others...
  17. Usr6

    Anti anti-vm docs

    prowling - NSM foo: Modifying VirtualBox settings for malware analysis
    prowling - NSM foo: Modifying VirtualBox settings for malware analysis part 2
    prowling - NSM foo: Modifying VirtualBox settings for malware analysis part 3
    http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
    KernelMode.info • View topic - Win32/Simda
  18. easy, but not simple. after a lot of head scratching... and scribbled papers: thanks for the challenge. nice.
  19. Book Description

Delve inside Windows architecture and internals—guided by a team of internationally renowned internals experts. Fully updated for Windows 7 and Windows Server 2008 R2, this classic guide delivers key architectural insights on system design, debugging, performance, and support—along with hands-on experiments to experience Windows internal behavior firsthand.

Table of Contents (Part 1)
Chapter 1. Concepts and Tools
Chapter 2. System Architecture
Chapter 3. System Mechanisms
Chapter 4. Management Mechanisms
Chapter 5. Processes, Threads, and Jobs
Chapter 6. Security
Chapter 7. Networking

Table of Contents (Part 2)
Chapter 8. I/O System
Chapter 9. Storage Management
Chapter 10. Memory Management
Chapter 11. Cache Manager
Chapter 12. File Systems
Chapter 13. Startup and Shutdown
Chapter 14. Crash Dump Analysis

Download:
Part1: Download Microsoft.Press.Windows.Internals.Part.1.6th.Edition.Mar.2012.rar from PreFiles.com
Part2: Download Microsoft.Press.Windows.Internals.Part.2.6th.Edition.Sep.2012.rar from PreFiles.com

Source:
http://www.wowebook.com/book/windows-internals-part-1-6th-edition/
http://www.wowebook.com/book/windows-internals-part-2-6th-edition/
  20. https://www.youtube.com/watch?feature=player_embedded&v=OVRZB5lJir8

Free 100 GB Cloud Backup for the First 1,000,000 Users

Zoolz seamlessly and automatically protects your computer and any storage it can access (External and Network drives) without limiting your upload speed, file size, or data selections. Zoolz encrypts your files before leaving your machine, securely transfers your files, and stores them on encrypted servers using military grade 256 AES Encryption. Zoolz is smart enough to know when your drive is disconnected and once reconnected will resume with incremental backups even if the drive letter has changed.

Easy restore: go to the web console, select what you want to restore, and after 3-5 hours, you will receive an email with a link to download your files.

Currently Zoolz Free is only allowed in: US, Canada, UK, Australia, Germany, France, Switzerland, Austria, Denmark, Finland, Sweden, Belgium, Ireland, Luxembourg, Netherlands, and Spain

Link: https://www.zoolz.com/
  21. Malcon is an annual conference in India attended by people interested in the malware field.

Paul Rascagneres - Smartcards Reloaded - Remotely!
Ucha Gobejishvili - Chrome 0-day
Shantanu Gawde - Windows Phone 8 Malware Prototype
Atul Alex - Surprise paper!
Mohit - Advanced Malware Engine
Rashid Bhat - Advances in ROP attacks
Gianni Gnesa - Modern Vulnerability Discovery with IDA Pro
Mohit Arora - Tampering in Energy Meters

link: Home - MalCon - Malware Conference
youtube channel: malconlive - YouTube - presentations from 2011
  22. Starting today, we will give 100GB storage (Premium package) free for a year. Any Kleii user who signed up before March 10th is entitled to the giveaway. This program will expire on May 1st 2013. https://www.kleii.com/welcome_back
  23. Welcome to Google's Python Class -- this is a free class for people with a little bit of programming experience who want to learn Python. The class includes written materials, lecture videos, and lots of code exercises to practice Python coding. These materials are used within Google to introduce Python to people who have just a little programming experience. The first exercises work on basic Python concepts like strings and lists, building up to the later exercises which are full programs dealing with text files, processes, and http connections. The class is geared for people who have a little bit of programming experience in some language, enough to know what a "variable" or "if statement" is. Beyond that, you do not need to be an expert programmer to use this material.

Contents:
Day 1 Part 1. Introduction and Strings
Day 1 Part 2. Lists, Sorting, and Tuples
Day 1 Part 3. Dicts and Files
Day 2 Part 1. Regular Expressions
Day 2 Part 2. Utilities. OS and Commands
Day 2 Part 3. URLs and HTTP, Exceptions
Day 2 Part 4. Closing Thoughts

https://developers.google.com/edu/python/
  24. the serial should be something like: ***4***?k2Lc0-

what doesn't add up:
----- the serial should have 14 characters (the number of characters of the string it is compared against: "ibL%ef7?k2Lc0-"), but at most 10 (0Ah) are read
----- serial verification: c[3] is compared with "4" (34h), then c[7] with "?" (3Fh)
the first 7 characters (c[0]-c[6]) are modified as follows:
xor c, 22h
add c, 5
at the end it is compared with "bL%ef7?k2Lc0-" to be validated/invalidated

to obtain the valid serial from "bL%ef7?k2Lc0-" the first 7 characters would have to be modified:
sub c, 5
xor c, 22
but the result obtained does not pass the first verification step c[3] = 4, c[7] = ?

    69 62 4c 25 65 66 37
sub 64 5d 47 20 60 61 32
xor 46 7f 65 02 42 43 10
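Added as a worked example (not code from the original post or from the crackme): Python that reproduces the check exactly as the post describes it, plus the inverse transform the post proposes, so the conflict between the two can be confirmed rather than eyeballed. The order of checks and the 10-character input limit are taken from the post; the function names are my own.

```python
# The 14-character string the post says the transformed input is compared against.
TARGET = "ibL%ef7?k2Lc0-"
# The input routine reads at most 0Ah (10) characters, per the post.
MAX_INPUT = 10


def transform(serial):
    """Forward transform from the post: xor 22h then add 5 on c[0]..c[6]."""
    out = [ord(ch) for ch in serial]
    for i in range(min(7, len(out))):
        out[i] = ((out[i] ^ 0x22) + 5) & 0xFF
    return bytes(out)


def check_serial(serial):
    """Return (ok, reason), following the order of checks described in the post."""
    serial = serial[:MAX_INPUT]            # only the first 10 characters are read
    if len(serial) <= 7:
        return False, "too short"
    if serial[3] != "4":                   # compared with 34h
        return False, "c[3] != '4'"
    if serial[7] != "?":                   # compared with 3Fh
        return False, "c[7] != '?'"
    if transform(serial) != TARGET.encode():
        return False, "transformed input != target"
    return True, "valid"


def invert(target):
    """Undo the transform (sub 5, xor 22h on the first 7 bytes): the post's pre-image."""
    out = bytearray(target.encode())
    for i in range(7):
        out[i] = ((out[i] - 5) & 0xFF) ^ 0x22
    return bytes(out)


if __name__ == "__main__":
    candidate = invert(TARGET)
    print("pre-image of first 7 bytes:", candidate[:7].hex(" "))   # 46 7f 65 02 42 43 10
    # The pre-image satisfies the final comparison but fails the c[3] check,
    # and the 14-byte target can never be reached through a 10-character read.
    print(check_serial(candidate.decode("latin-1")))
```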
  25. The hacktivist group Anonymous, together with other hackers from around the world, is planning a massive cyber attack on Israel, threatening to "wipe this country off the map of the Internet".

"Hacktivists will begin a massive attack on Israel on April 7", Anonymous wrote on its Twitter account, asking hackers from around the world to join the "OpIsrael" operation, Russia Today writes.

The Israeli government is taking these threats seriously and is preparing its defenses. "We know that there have been online preparations for an attack in recent days. What is special about this attack is the fact that Anonymous-affiliated groups from around the world seem to be joining forces against Israel", Ofir Ben Avi, head of the government's online division, told Haaretz.

The first "OpIsrael" operation took place in November 2012. "We are Anonymous, we are legion. We do not forgive. We do not forget", read the message addressed to the Israeli authorities at the time. No fewer than 700 Israeli sites were attacked then, including those of the Foreign Ministry and the Presidency. The Finance Ministry announced that there had been 44 million attacks on government sites. The personal data of more than 5,000 Israeli officials, including names, personal emails and ID numbers, ended up on the Internet.

Source: Anonymous: Sa radem Israelul de pe harta Internetului
Russia Today article: ‘Erase Israel from the Internet’: Anonymous plots massive cyber-attack — RT News