Everything posted by M2G

  1. Tutorials should be accessible to everyone. Information should be as easy to find as possible, so better post the password too.
  2. JSFuck - Write any JavaScript with 6 Characters: []()!+
  3. By hunting through benign bits of code on your computer, the Frankenstein virus can turn itself into something rather nasty.

    MARY SHELLEY'S Victor Frankenstein stitched together the body parts of ordinary individuals and created a monster. Now computer scientists have done the same with software, demonstrating the potential for hard-to-detect viruses that are stitched together from benign code pilfered from ordinary programs.

    The monstrous virus software, dubbed Frankenstein, was created by Vishwath Mohan and Kevin Hamlen at the University of Texas at Dallas. Having infected a computer, it searches the bits and bytes of common software such as Internet Explorer and Notepad for snippets of code called gadgets - short instructions that perform a particular kind of small task. Previous research has shown that it is theoretically possible, given enough gadgets, to construct any computer program.

    Mohan and Hamlen set out to show that Frankenstein could build working malware code by having it create two simple algorithms purely from gadgets. "The two test algorithms we chose are simpler than full malware, but they are representative of the sort of core logic that real malware uses to unpack itself," says Hamlen. "We consider this a strong indication that this could be scaled up to full malware."

    Frankenstein follows pre-written blueprints that specify certain tasks - such as copying pieces of data - and swaps in gadgets capable of performing those tasks. Such swaps repeat each time Frankenstein infects a new computer, but with different gadgets, meaning that the malware always looks different to antivirus software, even if its ultimate effects are the same.

    The research was part-funded by the US air force, and Hamlen says that Frankenstein could be particularly useful for national security agencies attempting to infiltrate enemy computer systems with unknown antivirus defences. "It essentially infers what the [target computer's] defences deem permissible from the existing files on the system to help it blend in with the crowd," he says.

    Existing malware already attempts to randomly mutate its code to some extent, but antivirus software can still recognise it as something nasty. Frankenstein is different because all of its code, including the blueprints and gadget-finder, can adapt to look like parts of regular software, making it harder to detect.

    Just three pieces of such software are enough to provide over 100,000 gadgets, so there are a huge number of ways for Frankenstein to build its monster, but it needs blueprints that find the right balance. If the blueprint is too specific, it leaves Frankenstein little choice in which gadgets to use, leading to less variation and making it easier to detect. Looser blueprints, which only specify the end effects of the malware, are too vague for Frankenstein to follow, for now.

    The researchers presented the work at the USENIX Workshop on Offensive Technologies in Bellevue, Washington, this month.

    Marco Cova at the University of Birmingham, UK, says that fighting Frankenstein could be a challenge for current antivirus software that relies on identifying various distinctive signatures of malware, but some defence is possible. Antivirus software could either look for signatures that match sequences of gadgets, or it could look at the behaviour of a program, rather than its specific code. "If the definition of maliciousness is 'a program reads my keystrokes and sends them to a remote website' then you don't care about the specific byte sequences that implement this behaviour," Cova says.

    Unstoppable gadget cannibalism

    Defending against malware able to build itself from other bits of code is never easy. Last month, Microsoft released an updated version of its Enhanced Mitigation Experience Toolkit (EMET), which provides extra protection for some PC users. It features a new defence designed to stop malware from executing other software's code, just as Frankenstein does (see main story). It works by wrapping key software in a layer of code that checks whether parts of the software are being repurposed. Microsoft paid $50,000 in a recent security prize to the creator of the technique, but just two weeks later an Iranian security researcher called Shahriyar Jalayeri claims to have bypassed EMET's protective wrapper.

    Source
  4. Isn't it written clearly enough? One answer from the options below. There can't be several answers. How can you say an event can happen with 2 different probabilities under the same conditions? It's clear enough that one answer out of the 4 has to be chosen.
  5. 25% chance for each => 1/4 + 1/4 + 1/4 + 1/4. Because there are 2 identical answers we can say you have a 1/2 chance of hitting that answer, so you have 1/2 + 1/4 + 1/4: a 50% chance of hitting 25% and a 50% chance of hitting something else; that something else is 50% and c) 0%, each contributing 25%. If you assume the answer is 25% you reach the conclusion that you have a 50% chance of it being 25%. Well, then the answer would be 50%. But it can't be 50%, because you have a 50% chance of hitting 25% and a 25% chance of hitting 50% or 0%. So the answer would be 25%. ...blah blah, infinitely... etc. You can continue this reasoning and you notice you go around in circles. That's the paradox.
  6. The answer options don't need to be replaced. The odds of a correct answer out of 4 options are 25%, but there are 2 identical options, so the probability changes to 50%. So the answer to the question would be 50%, but there is only one option with 50%, so we're back where we started. (Out of 4 answers you can't have a 50% chance unless they are identical two by two.) It's a paradox.
  7. 4 answer options => 25% chance of choosing a correct answer. You have 4 options of which only one answer is correct => you have a 25% chance of hitting the answer. You don't care what the answers are, only the probability. // I was thinking wrong. That's not how it is.
  8. Read this, you'll like it!

    Email addresses are the keys to the kingdom of all our personal data. It’s too bad we had to relearn this lesson last week when Wired’s Mat Honan had the crap hacked out of him. A foolproof way to limit your exposure to such attacks is to sign up to different services using as many different un-guessable email addresses as possible. On Tuesday, an app I’ve been using called Gliph made that really easy to do. Here’s how to set it up.

    What Is Gliph?

    Gliph is like a Guy Fawkes mask for your online identity. It’s a free app for iPhone, Android and the mobile Web. You can use it to send encrypted text messages to other Gliph users with as much or as little personal information exposed as you want. And starting today, you can also use it to send and receive email to anyone through your regular email client without ever exposing your identity or information. Not only can you use Gliph email to sign up for other services without exposing yourself to a hacking, you can use it for Craigslist transactions or any other kind of temporary encounter where you want to exchange contact info. You could accomplish a similar thing by setting up a bunch of new email addresses on free Web-based email services. But with Gliph, email addresses are easy to create and delete, your emails sent via your addresses all come to one location, and you don't have to log into multiple services to access different email accounts.

    Step 1: Claim A Gliph

    Instead of picking a user name when you sign up for Gliph, you get to create a string of three to five icons that represents you. Have fun with it!

    Step 2: Create A Cloak

    You get one free randomly generated email address when you sign up for Gliph. The addresses don’t have anything to do with your Gliph name; they’re something like watermelon29@cloak.gli.ph. In Gliph, you can add a note, like “signup for Dumb.ly app,” so you can remember what that email is used for.

    Step 3: Email To Your Heart’s Content

    You can now send cloaked email to any address. None of your information is exposed to the recipient, not even your Gliph symbols. They only see the randomly generated Gliph email address. When the recipient replies to that address, Gliph forwards the message to the email address you used to sign up for Gliph. So if you gave Gliph a Gmail address, that’s where you’ll get the responses. If you reply from there, the message will be routed through Gliph, so it will appear to come from your cloaked address. Make sure people on both sides check their spam filters if messages don’t appear. In our tests, Gmail allowed the messages through, but Outlook.com mail filtered them out.

    !!!!!!: Unlike Gliph-to-Gliph messages, which are encrypted and remain inside the service, the content of these emails is not secure. Not only is it exposed to the recipient, the replies are sent directly to the email address you provided to Gliph, which may not be secure, either. Your email address, and thus your identity, will never be exposed when using cloaked email from Gliph. But you can’t assume that the words in the message will be kept private, too.

    How To Get More Cloaks And Enable Attachments

    Your cloaked email address will stick around, but if you want another one, all you have to do is successfully invite someone to join Gliph. That’s not just a gimmick; it’s great to have trusted friends and contacts on Gliph because that lets you communicate with them using the totally secure, encrypted messaging it offers. It’s also great for journalists and sources to protect anonymity, for example. Once you’ve gotten five people to sign up for Gliph through your invitations, your account gains the ability to add attachments to cloaked emails sent from Gliph, even for cloaks you already had.

    https://gli.ph

    Source
  9. Some of you may find this trivial, but there are still many who don't know...

    iFrames and script tags are being used by malicious hackers to serve up drive-by internet attacks, silently and invisibly. iFrames allow webmasters to embed the content of one webpage into another, seamlessly. There are legitimate reasons why some websites may want to do that - but what cybercriminals do is exploit the functionality (presumably they have been able to gain write access to the website) to deliver malware such as fake anti-virus or a PDF vulnerability exploit to infect your computer. What's sneaky is that malicious hackers can make the embedded content invisible to the naked eye, by making the window zero by zero pixels in size. You can't see the threat, but your web browser is still dragging it down.

    Source
  10. The Sirefef/Zaccess family of Trojans - designed to download other malware, disable the machine's security features, and often make lasting changes to the computer - is usually distributed to unsuspecting victims via email spam campaigns. But its peddlers have lately changed tack, and have begun bundling the malware with codecs, game installers and crack/keygen applications, Trend Micro warns.

    "During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware," the researchers shared. As it turned out, the patched file was a component of the Sirefef/Zaccess malware family, and was used to run the malware's other malicious components upon reboot.

    "This proved to be a new variant of Sirefef/Zaccess, which now uses a user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques," they said. The infection with this new variant was traced back to the execution of K-Lite Codec Pack.exe, and it has more than likely been downloaded by the users themselves from the Internet in order to play movies downloaded via P2P applications. To keep up the illusion that the offered codec is legitimate and to up the likelihood of it being used, the file names are also often modified to include the titles of popular movies.

    According to Trend Micro numbers, Sirefef/Zaccess infections have hugely increased in July, going from some 1,000 infected computers on the first of the month to over 11,000 on the 27th. The great majority of infected computers are located in the US. Nevertheless, all users are advised to be cautious when downloading files from untrusted sources such as P2P networks.

    Source
  11. Reuters' blogging platform has been hacked for the second time in two weeks, and this time false news that Saudi Arabia's Foreign Minister Prince Saud al-Faisal had died was posted on one of the journalists' blogs. Reuters confirmed that the story was not posted by the journalist, that the news was completely untrue, and that they are working to solve the situation. It is believed that the attackers behind this latest hack might be the same ones who managed to hack the blogging platform and hijack one of Reuters' Twitter accounts earlier this month, given that the false news posted then and now would benefit only the current Syrian government and President Bashar al-Assad. Both incidents are being investigated, Stuff reports. After the first hack it was revealed that Reuters still used an older version of WordPress which has several publicly known security issues, and that was probably how the attackers managed to get in. I sincerely hope that between then and now Reuters has updated the software. Still, if they did, that means that this time the hackers must have used another tactic.

    Source
  12. One topic is enough. There's nothing to post in a category. It would stay almost empty and there's no point to it.
  13. Towards the end of July, anti-malware vendor Intego broke the story of Crisis, the name given to a Trojan that targets Mac OS X. On Friday, ThreatMetrix, a provider of technologies that help organizations combat fraud and malware, published a report that breaks the code down, and examines the internals of the latest so-called threat targeting Mac users.

    The first thing ThreatMetrix discusses in its report on Crisis is what many researchers, and thanks to the coverage on the malware itself the public at large, already knew: Crisis targets OS X 10.6 and 10.7, but it will not run on 10.8 (Mountain Lion) without modification. It’s interesting to note, however, that if a system is attacked, the kernel driver that is created post-infection appears to be designed to work on OS X 10.5, 10.6, and 10.7. So the creators seem to have been working at this code for a while in some regards, or they have targeted the parts of the kernel that have remained consistent over time.

    Calling it a complex piece of malware, ThreatMetrix discovered that Crisis can be used to take screenshots on the infected host, as well as copy address book entries, calendar events, capture webcam images, down / upload files, record sound, copy the clipboard, monitor Skype chats, and website traffic (log what sites were visited). “This is a complex piece of software, with several different components and many features. It is going to take more time to fully understand every piece, but, at this stage, we can definitely say that OS X malware has taken the next step,” the report concludes.

    The one thing the ThreatMetrix report doesn’t mention is how Crisis was discovered. The malware itself wasn’t actively targeting users, and it wasn’t discovered in the wild. Crisis, which remains something far less than its name suggests, was discovered in a malware submission queue on VirusTotal. Every security firm in the world that has a tie to the VirusTotal submission list got a copy of Crisis. It would appear that the authors submitted it in order to see how well (or poorly) it was detected. Now that it has been processed by most of the security firms in the market – including Apple – it’s going to have a hard time making itself a true threat.

    What Crisis represents, which is what ThreatMetrix seemed to be going for in their report, is that malicious coders are attempting to develop malware for Macintosh that mirrors the abilities of what is already available for the PC.

    [PDF] Report: http://threatmetrix.com/docs/ThreatMetrix-Labs-Report-August-2012.pdf

    Source
  14. When testing web applications, usually a security analyst will try to identify all the inputs to be injected, like cookies, POST/GET parameters, HTTP headers, etc. Once identified, the analyst will start injecting malicious data into those fields, something like:

        Cookie: --attack string--
        name= --attack string--
        uri?name= --attack string--

    EVERYTHING is injected in the parameter's value, but what about the parameter's name? Is it worth it? Why would a developer want to validate the input received in the parameter's name? As with any other vulnerability, there are specific scenarios where this can be exploited; the most common one is when all the parameters received via GET or POST are used to generate a new URL:

        // Query string rebuilt from every incoming parameter (servlet code from the post)
        String qs = "";
        java.util.Enumeration e = request.getParameterNames();
        if (e.hasMoreElements()) {
            String name = (String)e.nextElement();
            String value = request.getParameter(name);
            qs = name+"="+java.net.URLEncoder.encode(value,"utf-8");
            while (e.hasMoreElements()) {
                name = (String)e.nextElement();
                value = request.getParameter(name);
                // only the value is encoded; the name is concatenated raw
                qs += "&"+name+"="+java.net.URLEncoder.encode(value,"utf-8");
            }
        }

    Notice only the parameter's value is being URL-encoded. Then, the query string is concatenated in the iframe src attribute:

        <iframe src="xxxx.com?search.aspx?<%=qs%>

    So, let's try to inject XSS into the parameter's name, like:

        %22%20onmouseover%3d"alert(1111)">%20DANUX</iframe> <iframe a%3D"=

    Which will print out in the browser as:

        <iframe src="xxxx.com?search.aspx?" onmouseover="alert(1111)">DANUX</iframe> <iframe a=""></iframe>

    Everything from the first quote after search.aspx? up to and including a=" is the injected parameter name; the trailing "></iframe> (highlighted in red in the original post) is the portion completed automatically by the application, and you can see the HTML is properly formatted, causing the XSS code to be executed successfully, tested on Firefox 12.0.

    As mentioned before, parameter's name injection is not widely tested by security analysts, not even by some security vendors. I tested my vulnerable app with WebInspect version 9.X and realized it does NOT test the parameter's name:

    Source
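The vulnerable query-string rebuild and its two fixes, as an added example that is not the post's Java code: a Python port of the servlet loop above, beside a version that URL-encodes parameter names as well as values, and the attribute-context HTML escaping the post's iframe line lacks. The request parameters and the breakout check are constructed here for illustration; the payload is the one from the post.

```python
"""Parameter-NAME injection: the post's query-string rebuild ported to
Python, beside two fixes. Added example, not the original post's code; the
request parameters and the breakout check below are constructed for it."""
from html import escape
from urllib.parse import quote, unquote, urlencode

# The payload from the post, as the server sees it after URL-decoding the
# parameter name. Nothing follows the '=' in the request, so the value is "".
PAYLOAD_NAME = unquote('%22%20onmouseover%3d"alert(1111)">%20DANUX</iframe> <iframe a%3D"')
PARAMS = {PAYLOAD_NAME: "", "page": "1"}  # constructed sample request


def build_qs_vulnerable(params):
    """Faithful port of the servlet loop: only the VALUE goes through the
    URL encoder; the NAME is concatenated raw."""
    return "&".join(name + "=" + quote(value, safe="") for name, value in params.items())


def build_qs_hardened(params):
    """Fix 1: encode names and values with the same rules. urlencode() does
    exactly that, so '"', '<', '>' and spaces in a name never reach the page."""
    return urlencode(params)


def render_iframe(qs, html_escape=False):
    """Mimics the JSP line <iframe src="xxxx.com?search.aspx?<%=qs%>">.
    Fix 2 (defence in depth): html_escape=True applies attribute-context
    output encoding, so a raw '"' becomes '&quot;' and cannot close src."""
    attr = escape(qs, quote=True) if html_escape else qs
    return f'<iframe src="xxxx.com?search.aspx?{attr}"></iframe>'


def attribute_breakout(html):
    """Check used by the demo: a correct rendering has exactly the two quotes
    that delimit src="..." and a single <iframe> tag. Anything more means
    injected text escaped the attribute, as in the post's screenshot."""
    return html.count('"') > 2 or html.count("<iframe") > 1


if __name__ == "__main__":
    for label, qs, esc in [("vulnerable", build_qs_vulnerable(PARAMS), False),
                           ("names encoded", build_qs_hardened(PARAMS), False),
                           ("attr-escaped", build_qs_vulnerable(PARAMS), True)]:
        page = render_iframe(qs, html_escape=esc)
        print(f"{label:14} breakout={attribute_breakout(page)}  {page}")
```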
  15. Here everyone gives each other presents. When someone wants to go to sleep, everyone else recites poems and sings to them until they fall asleep. If it's your birthday you can be administrator for a day and show off to the girls that you're an admin on RST. That way the forum makes sure you get a bit of action on your birthday. It's a somewhat unconventional kind of present. If you have family problems and no money, you can open a topic here and the guys send you $$$ via PayPal. If you've been a member for more than 3 years you get a €100 monthly bonus from the admins, who work all day to support the forum's old members. Very nice here, that's why I chose it. Let's hope you like it too.
  16. It would be a bit strange to think about what my plan of action would be if I were in that situation at the age of 14. Most likely, the company one keeps and the lack of education have the biggest "say" in over 90% of these cases, but I would start with an analysis of myself. I would realize that that man didn't make money because his goal was to make money. I would realize that that man must have done something that gives value to the people around him. That he has something to sell, and when I say this I don't necessarily mean a product but perhaps an idea, a personality, a presence in a certain field. I would try to find my passion and think about what I would like to do. What brings me the greatest satisfaction, and I would start working my way towards that something. Every day I would do something that brings me closer to my dream. I would try to avoid bad company and learn from those who are better than I am. Maybe that something can't be done without money, so I would start working at something. At a car wash, cleaning, or anything else that can support me and cover my needs, and if possible I would invest the remaining money in my development in that field. I would learn to speak better, learn to understand people better, get in touch with as many people as possible to increase my number of opportunities. After about 3-4 years, if I stuck with it and stayed away from loafing around, I would have a set of basic skills to help me enter the targeted field. Need would probably motivate me, and with a lot of determination I would manage to take the first steps towards my dream. If I hadn't wasted my time, my skills would probably be above those of the "competition". Competition which, while I was pursuing my dream, sat quietly in its comfort zone and didn't put in enough effort. Once I entered that field, I would continue my development as a professional in it and start climbing the ladder of the hierarchy to the top.

    Perhaps my outlook on life and the trials I went through until the moment I reached a mediocre level in that field would make me progress faster than a person who is content with daily comfort and the warmth of his home. In the end, I would lie in a hammock on a trip through an exotic country and think about everything I went through to get there. At that moment I would be a little over 30 years old and would try to find potential similar to mine among the socially disadvantaged. I would invest in that potential and help others get on their own feet and surpass themselves.
  17. Idei rst IM

    Make your argument! Y! conversations also go through the server and are even retained there. There's probably keyword monitoring on IM networks too. For that, the messages need to reach a server. Why do you say client - server - client isn't OK?
  18. This year's bac was at the same level of difficulty, if not easier, than the bac I took 3 years ago. Yes, there were no cameras back then, but that doesn't mean everyone was copying with the book in front of them. And anyway I passed it without cheating. I think the problem is the mindset of the new generations, who don't want to work for anything anymore. Even on RST I see at least one topic a month opened by someone who wants to learn how to make money. To quote a Parazitii track: how are you going to pass the bac, bro, when you burn 2 hours a day on Facebook, play WoW, CS and Metin for another 3 hours, and when evening comes you watch OTV and other crap channels and shows with your grandma? After such behaviour, what do you think the average level of culture and responsibility among young people is? A young person who dreams all day about brand-name clothes and "iPhones" without lifting a finger? Young people need to learn what responsibility is and take it on. You can't go take the bac without studying anything and then blame the system, the teachers, the dog and the weather for failing. Personal development courses should be introduced in high schools, because the new generations' value system is being destroyed at lightning speed. We're starting to want to be cool and stupid instead of modest and smart. We're becoming Americanized.
  19. Idei rst IM

    Why in the world would you use IP to IP? You have a server there, it's best to send the messages through it. The server knows who to send the message to as long as it comes with that information. You can have the server use a set of asymmetric keys and hardcode the public key in the client application. That way you know only the server can read the messages you send (to get rid of MITM). When the message reaches the server it has to know what to do with it. Possibly a key management system (the clients' keys) is needed on the server. The nickname is unique for each client, so you use that to identify clients and constrain actions so they can only happen when the client is authenticated. You also store in a DB the frequency of authentication attempts and block access to a given user when too many authentication requests are made within a certain time interval. That's to stop brute-force attacks. etc etc etc
  20. Send me a PM with the details so I can see what it's about.
  21. Nice share. If you want to learn something from the source code, you have it here: jsql-injection-v0.1.src.zip
  22. From the very beginning of our analysis of Win32/Flamer it was clear that this was an extremely sophisticated piece of malware which we had never seen before. It implements extremely elaborate programming logic and has an intricate internal structure. At the heart of Flame’s modularity lies a carefully designed architecture allowing all its components interoperability without causing any incompatibilities. In this blog post we will concentrate mainly on the internal architecture of the mssecmgr.ocx module (Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx). In the course of our research we analysed several different versions of mssecmgr.ocx and found specific architectural similarities that allow us to reconstruct Flame’s framework.

    Flame framework

    Flame’s main module consists of objects that each implement specific functionality: gathering information on the compromised system; infecting other computers; communicating with C&C, and so on. These objects are split into certain groups according to functionality and are managed correspondingly. The objects belonging to specific classes are inserted into a vector – that’s a C++ STL (Standard Template Library) type, not an infection vector – as shown on the diagram below:

    Here is the list of different types of objects implemented in mssecmgr.ocx:

    • Command Executers – these objects expose an interface that allows the malware to dispatch commands received from C&C servers;
    • Tasks – objects of this type represent tasks executed in separate threads that constitute the backbone of the main module;
    • Consumers – objects which are triggered by specific events (creation of new modules, insertion of removable media and so on);
    • Delayed Tasks – these objects represent tasks which are executed periodically with a scheduled delay.

    The set of objects described above constitutes the Flame framework. The approach looks very similar to a “Command” object-oriented design pattern. It is worth mentioning that Stuxnet and Duqu made heavy use of lists (another C++ STL type) to manage objects. Flame, however, relies on vectors.

    During our Flame analysis we found out that different versions of the malware’s main modules implement different framework objects in all vectors, as reflected in the two tables below.

    Table 1 – Command Executers objects in different versions of mssecmgr.ocx
    Table 2 – Tasks objects in different versions of mssecmgr.ocx

    From the tables above it is evident that the malware has evolved over time and its functionality has been significantly extended. Some components that may have been implemented previously as separate modules are incorporated into the main module by later versions.

    Flame tasks

    Task objects implement the general functionality of the framework. There are two tasks (among others) that exist in every version of Flame’s main module: the IDLER task and the CommandExecuter task. The purpose of the IDLER task is to handle delayed tasks. It runs periodically through the delayed tasks vector and executes its elements as shown in figure 1. The CommandExecuter task is responsible for retrieving and executing commands from the malware’s configuration information using objects from the corresponding vector:

    Flame consumers

    Consumers constitute another set of objects implemented in the Flame framework. These objects are inserted into the corresponding vector during initialization and are triggered when a specific event happens. Thus, Flame designers employ an event-driven model that allows Flame to achieve certain goals. Since the malware is intended for gathering information from the infected system this architecture is very efficient. Consumers such as the following are implemented:

    • process consumers – these are notified when an application is run;
    • volume consumers – these are notified when a new volume appears in the system;
    • removable media consumers – react to removable media events;
    • mobile devices consumers – react to mobile device events;
    • consumers for Bluetooth adapter etc.

    When an event takes place on the system a specific trigger is created which fires the corresponding consumer, which in turn takes an appropriate action: infects media, copies files from removable media, activates a Bluetooth adapter, and so on.

    Executing commands

    Command executers are responsible for handling commands received from C&C servers. These are objects that implement a specific interface described below. The CommandExecuter task is responsible for handling commands received from C&C servers. The commands are stored in a special repository within the Flame configuration information under the key CMD_QUEUE:

    The commands are formatted as compressed binary data. While decoding the commands Flame decompresses the data and splits the commands into blocks. Each block is handled by a specific command executer object identified by its own ID number. The screenshot in the figure below presents the interface of a command executer object:

    Once the command executer is identified the CmdExecuter_Dispatch method is called to handle command information. Different command dispatchers are able to accomplish different actions. For instance the DbQuery command dispatcher is used to execute SQL queries against the SQLite database maintained by the malware.

    Finding commands

    Commands may also be stored in files in specific directories for which the malware scans. There is a special task object CommandFileFinder whose purpose is to look for files in specific directories and load the contents of these files into the command data repository stored in configuration information. This helps the malware send commands to the machines that don’t have a direct connection with C&C servers.

    SQLite database & Lua

    As already pointed out, Flame uses a SQLite relational database to store all the information (sKyWIper (a.k.a. Flame a.k.a. Flamer)) it gathers on the infected system as well as supplemental data which facilitate Flame’s propagation within a targeted system. In the figure below you can see the database schemas reconstructed in the course of research with a brief description:

    Flame database schema

    Another interesting feature of the Flamer malware is the use of the Lua scripting engine to perform certain supplemental operations. The following table summarizes information about different scripts extracted from Flame configuration information.

    Source
  23. When I first joined Office, I worked on the team responsible for delivering Help, Templates, and ClipArt into the client applications. As we were testing our work in various simulated customer environments, we found a big problem. At least one big customer (tens of thousands of licenses) had a network environment in which their users were forced to enter a username and password in order to authenticate to the proxy server. Without authenticating to the proxy, all HTTP/HTTPS requests were blocked. Now, this was a fairly uncommon architecture, even then, and is perhaps more so now.

    In most environments, either the proxy server doesn’t require authentication, or the proxy relies upon the NTLM/Kerberos authentication schemes which permit users’ Windows logon credentials to be automatically used to respond to challenges from the proxy server. Environments that relied upon BASIC or DIGEST authentication require that the user explicitly submit their credentials, typically once per process (because most networking components, e.g. WinINET, would cache these credentials for the lifetime of the process).

    The problem with my features in Office was that they all passed the INTERNET_FLAG_NO_UI flag to WinINET, or ran atop WinHTTP, which explicitly doesn’t include any user interface, including dialogs. The result of this was that in an environment with a BASIC/DIGEST proxy, all requests failed. In order to work properly in such environments, the application must itself supply the needed credentials to the network stack (e.g. for WinINET, call InternetSetOption, passing the INTERNET_OPTION_PROXY_PASSWORD and INTERNET_OPTION_PROXY_USERNAME option flags) to avoid the need to prompt the user.

    I added a new rule to Fiddler that made it simple to test products for this problem: when the Require Proxy Authentication box is checked, Fiddler automatically responds to any request lacking a Proxy-Authorization header with a HTTP/407 response containing a Proxy-Authenticate header specifying the authentication scheme required:

        GET /ua.aspx HTTP/1.1
        Accept: text/html, application/xhtml+xml, */*
        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
        Host: EnhanceIE.com

        HTTP/1.1 407 Proxy Auth Required
        Connection: close
        Proxy-Authenticate: Basic realm="FiddlerProxy (username: 1, password: 1)"
        Content-Type: text/html

        <html><body>[Fiddler] Proxy Authentication Required.<BR> </body></html>

    A client that supports manual proxy authentication will then prompt the user for the username and password:

    The client will then reissue the same request, supplying the provided credentials (base64-encoded) in the Proxy-Authorization header:

        GET /ua.aspx HTTP/1.1
        Accept: text/html, application/xhtml+xml, */*
        Proxy-Authorization: Basic MTox
        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
        Host: EnhanceIE.com

    If the client fails to collect the credentials, it will typically treat the HTTP/407 response as fatal and will show an error message or fail silently.

    When you try this, you can find broken scenarios all over. For instance, when I tried to post this blog using Windows Live Writer, the following error message was shown:

    Afterward, I was prompted to re-enter my credentials for the web server—there was no way to supply the credentials required by the proxy!

    Sometimes, an otherwise failing scenario may pass depending on what happens earlier in a process. For instance, if you enable the Fiddler rule, then launch IE to about:blank, you will find that Search Suggestions from the Address bar don’t work, showing “An error occurred.” Notably, if you subsequently navigate the tab to a web page, IE will prompt you for proxy credentials using the CredUI dialog box shown above. After you supply those credentials, the Search Suggestions feature starts working—that’s because the proxy credentials are cached for the lifetime of the process.

    In other cases, failures are silent and there’s no notice to the user. For instance, many background updaters are based on BITS/WinHTTP and will fail silently when a HTTP/407 is encountered. Similarly, Windows’ CAPI component’s Certificate Revocation Checks will fail because the svchost.exe process doesn’t have the required proxy credentials.

    If you need to sell your software into an enterprise that uses proxies, or just want to make your software robust against even uncommon network configurations, be sure to test manual proxy authentication scenarios!

    Source
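The HTTP/407 round trip the post describes, modelled end to end as an added example that is neither Fiddler's nor the post's code: a mock proxy that behaves like the Require Proxy Authentication rule, and the client-side handling a UI-less application has to do itself (read the Basic challenge, attach pre-supplied credentials, reissue the request). The realm and the 1/1 test account are the post's; the request text is constructed here.

```python
"""HTTP/407 proxy authentication round trip from the post, both sides.
Added example, not Fiddler's or the post's code: proxy_handle() stands in
for Fiddler's "Require Proxy Authentication" rule; the realm and the 1/1
credentials are the post's, the request text is constructed here."""
import base64
import re
from typing import Optional, Tuple

REALM = "FiddlerProxy (username: 1, password: 1)"
CREDS = {"1": "1"}  # username -> password the mock proxy accepts
CRLF = "\r\n"
REQUEST = CRLF.join(["GET /ua.aspx HTTP/1.1", "Host: EnhanceIE.com", "", ""])  # constructed


def parse_headers(message: str) -> dict:
    """Header block of a raw HTTP message as {lower-case name: value}."""
    head = message.split(CRLF + CRLF, 1)[0]
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def proxy_handle(request: str) -> str:
    """Proxy side: any request without a valid Basic Proxy-Authorization gets
    the 407 challenge quoted in the post; valid credentials get a 200."""
    scheme, _, token = parse_headers(request).get("proxy-authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, pwd = base64.b64decode(token, validate=True).decode("latin-1").partition(":")
        except (ValueError, UnicodeDecodeError):
            user = pwd = None
        if user in CREDS and CREDS[user] == pwd:
            return CRLF.join(["HTTP/1.1 200 OK", "Content-Length: 0", "", ""])
    return CRLF.join(["HTTP/1.1 407 Proxy Auth Required", "Connection: close",
                      f'Proxy-Authenticate: Basic realm="{REALM}"',
                      "Content-Type: text/html", "",
                      "<html><body>[Fiddler] Proxy Authentication Required.<BR> </body></html>"])


def challenge_realm(response: str) -> Optional[str]:
    """Client side: the Basic realm from a 407, or None if the scheme is not
    Basic (a UI-less client should then fail loudly, not silently)."""
    m = re.search(r'^Proxy-Authenticate:\s*Basic\s+realm="([^"]*)"', response, re.I | re.M)
    return m.group(1) if m else None


def basic_proxy_authorization(user: str, pwd: str) -> str:
    """The retry header value: 'Basic ' + base64('user:password'). For the
    post's 1/1 test account this is exactly 'Basic MTox'."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode("latin-1")).decode("ascii")


def fetch_via_proxy(request: str, user: str, pwd: str) -> Tuple[str, str]:
    """What an application that runs with no UI (WinHTTP, INTERNET_FLAG_NO_UI)
    must do itself: on 407, attach pre-supplied credentials and reissue the
    same request once. Returns (final status line, realm seen or '')."""
    first = proxy_handle(request)
    if not first.startswith("HTTP/1.1 407"):
        return first.split(CRLF)[0], ""
    realm = challenge_realm(first)
    if realm is None:
        return first.split(CRLF)[0], ""  # unsupported scheme: surface the 407
    head, _, body = request.partition(CRLF + CRLF)
    retry = head + CRLF + "Proxy-Authorization: " + basic_proxy_authorization(user, pwd) + CRLF + CRLF + body
    return proxy_handle(retry).split(CRLF)[0], realm


if __name__ == "__main__":
    print(proxy_handle(REQUEST))
    print(fetch_via_proxy(REQUEST, "1", "1"))
    print(fetch_via_proxy(REQUEST, "1", "wrong"))
```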