
m@mb@

Active Members
  • Posts

    92
  • Joined

  • Last visited


22

Reputation

  1. As a Chinese living outside of China, I frequently visit Chinese websites, many of which use advertising and visitor tracking provided by Baidu, the largest search engine available in China. As I was browsing one of the most popular Chinese infosec communities in China, zone.wooyun.org, at around 12:00pm GMT+8, my browser suddenly started to pop up JS alerts every 5 seconds. Baidu’s traffic hijacked to DDoS GitHub.com | Insight-labs
  2. Tabnabbing: A New Type of Phishing Attack « Aza on Design
  3. wlan.ps1:

     $filepath = "wlan.txt"
     # List the saved WLAN profiles; netsh prints one "All User Profile : <name>" line per profile
     $wlans = netsh wlan show profiles | Select-String -Pattern "All User Profile" | ForEach-Object { $_.ToString() }
     # Strip the label; the whitespace around "All User Profile" and ":" varies, so use a regex rather than an exact string
     $exportdata = $wlans | ForEach-Object { ($_ -replace '^.*All User Profile\s*:\s*', '').Trim() }
     # Dump every profile, including its stored key in cleartext, into the output file
     $exportdata | ForEach-Object { netsh wlan show profiles name="$_" key=clear } | Out-File $filepath
  4. So, WhatsApp cares about privacy… After the recent exposé of how WhatsApp uses a static key for encrypting chat messages, the messaging service put up a blog post, Setting the record straight, to reassure users that they care about privacy. Apparently miffed at the bold claim, Nadim Kobeissi, a cryptographer, went ahead and published the static AES key to decrypt all WhatsApp chats: Nadim Kobeissi @kaepora WhatsApp cares about privacy, so here's the AES key to decrypt all WhatsApp chats. 8D4B155CC9FF81E5CBF6FA7819366A3EC621A656416CD793 Here’s the whole deal in English: WhatsApp uses a static key to encrypt backed up messages – the same key for everyone. This means that once you have the key, you can decrypt anyone else’s WhatsApp messages. Imagine if your house key was the same as everyone else’s house key. Anyway, the gauntlet has been thrown. The real question is, “How many WhatsApp users really care?” Source
  5. https://ro.yahoo.com This is probably not the site you are looking for! You attempted to reach ro.yahoo.com, but instead you actually reached a server identifying itself as www.yahoo.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of ro.yahoo.com. You should not proceed, especially if you have never seen this warning before for this site.
  6. The Wild Wild Web: YouTube ads serving malware

     There’s never a dull moment in the security industry: just as we heard about the latest IE 0day, one of our field security engineers in the Americas stumbled upon a YouTube link that was hosting malware. The vulnerability is not in YouTube as such; the ad network seems to be the culprit in this case. We’re working with the Google security team to get to the bottom of this; in the meantime, some quick details about the infection below.

     Summary
     - Classic drive-by download attack, infects the user by exploiting client software vulnerabilities.
     - The ad network was discovered to be hosting the Styx exploit kit. This exploit kit was recently in the news for the compromise at hasbro.com. Well, the attackers seem to have upped their target this time by somehow getting into YouTube ads.
     - The exploit leveraged in this was a Java exploit.
     - The Trojan appears to be a Banking Trojan belonging to the Caphaw family.
     - The outbound CnC went out to Europe in this infection, where the server is likely to be hosted. It uses a DGA (Domain Generation Algorithm) for CnC; we’re still digging into the various IP addresses leveraged.

     Details
     The malware analysis graph from the Bromium LAVA console looks like this: The malware was encountered while watching a YouTube video. Fortunately, we captured the forensic traces of the malware infection. We’ve shared all of this with the Google security team, who’ve been very helpful and co-operative. We will update this section if we unravel any more interesting details of the origins of this attack.

     The source of the dropper is as shown below; it appears to be a typical Java drive-by download. We noticed the malware tries to detect the version of Java installed and, based on the version, sends out different URLs to ensure that the exploit is compatible with the Java version. This is a signature of the Styx exploit kit. We’ve confirmed that the exploit used in this instance of the attack is CVE-2013-2460. The first-stage dropper after the Java exploit is tagged by a few AV vendors as Win32/Caphaw. Caphaw is a widely used Banking Trojan and was analyzed by several people last year.

     Further, the malware then tries to connect to two different domains, “smis.cc” and “aqu.su”. smis.cc was created just a month back. The current web reputation for “smis.cc” is known to be bad.
     Domain name: SMIS.CC
     Created On: 1/24/2014 9:53:23 AM
     Expires On: 1/24/2015 9:53:23 AM
     Last Updated On: 1/24/2014 9:53:23 AM
     Registrant: Zuzanna Zielinska, Zuzanna Zielinska, ul. Warynskiego Ludwika 81, Opole, Opole 45-047, PL, 48.72763610, Fax: 48.72763610
     This server hosts four more domains, including “aqu.su” and “many.su”. The PE compilation timestamp seems to indicate that this malware has obviously been in the run for a few months.

     The attack that we saw was overall a repackaged attack, nothing utterly complex, and hence we’re baffled as to how it ended up in YouTube’s ads. Hopefully, we’ll all get to the bottom of this asap. Watering hole attacks are clearly getting popular with attackers. Recently, Yahoo mail users were attacked using similar vectors. Several high profile websites have become victims of such attacks recently. From the attacker’s point of view, this is the easiest way to cause maximum damage – max ROI. As always, we urge users to beef up your security controls for all online activity and stay safe! I would like to thank Robert Wagner who alerted us about this event and my other Bromium Labs colleagues for their inputs.

     [UPDATE 02/23/2014] Bromium Labs has been working with the Google security team to unravel the root cause. Google has confirmed that a rogue advertiser was behind this malvertisement. Google has taken this campaign off and is beefing up internal procedures to prevent such events from occurring again. Below is the transcript of how the malware got onto the user’s machine. All of the forensic evidence was captured in LAVA, which helped the Google and Bromium teams in our analysis.

     Modus operandi
     The attack that we unearthed with the Google security team involved the following steps as seen by the victim:
     Step 1: User watches a YouTube video
     Step 2: User sees a thumbnail of another video (*.JPG)
     Step 3: User clicks on the thumbnail and watches the video. In the background the user gets redirected to a malicious ad served by Googleads (*.doubleclick.net)
     Step 4: Malware redirects the user to ‘foulpapers.com’
     Step 5: Foulpapers.com iframes aecua.nl
     Step 6: aecua.nl delivers the exploit (in our case it was the Styx exploit kit)

     Details
     Steps 1-2 are normal and no abuse was observed. The hijack seems to happen in Step 3. After some digging into the forensic LAVA trace, we finally uncovered the culprit. The background redirect was because of a SWF (Flash) file that injects an IFRAME into the Internet Explorer DOM: \Users\br*****\appdata\local\microsoft\windows\Temporary Internet Files\Content.IE5\B1BHEG61\imgad[1].swf The Flash file dropped in the advertisement was the culprit; if you decompile the Flash you get this: After reverse engineering the SWF, we observe that the redirect to “foulpapers.com” is present there in the SWF file. Further, the attacker tries to fingerprint the browser and goes ahead only if it is Internet Explorer, in the IsOurUserAgent() function as shown below. The timestamp of this nicely corresponds to the LAVA graph, where we see an outbound request to the IP address 38.96.232.90, which corresponds to ‘foulpapers.com’, and then eventually to the site hosting the exploit kit. Now, looking back, the delivery of this came from this doubleclick ad: So the offending advertisement clearly came from Googleads/Doubleclick via a Flash file. It is important to note that the user did not need to click on any ads on YouTube; the infection happens just by viewing the YouTube videos. However, after this step, the next steps were simple. Foulpapers.com injected IFRAMEs from the malicious website and the website infected the user (a micro-VM in this case). The details of the ensuing infection are already covered in the first section of our blog. We don’t yet know the exact bypass which the attackers used to evade Google’s internal advertisement security checks. Google has informed us that they’re conducting a full investigation of this abuse and will take appropriate measures.

     What’s the impact?
     YouTube has been targeted many times before. Recently, our friends at Sophos Labs mentioned a similar campaign uncovered in 2013. More details are available here. It’s obvious that the attackers are still able to infiltrate past the existing defenses used by YouTube security for ads. This clearly is a concerning trend. We all understand that YouTube is an incredibly popular website with over 1 billion users, so it is a big target. We don’t know the extent of the damage done by this malware campaign. Only Google can possibly estimate accurate numbers of people impacted by this. From a user security standpoint, we recommend disabling ads using ad blockers in the interim and using robust isolation technologies such as micro-virtualization to prevent such unforeseen attacks. The Wild Wild Web: YouTube ads serving malware | Bromium Labs
  7. Mt.Gox – the largest Bitcoin exchange site has suspended its activity PUBLISHED BY ANDREI AVĂDĂNEI IN SECURITY · NEWS — 25 FEB 2014 AT 12:12 PM The largest Bitcoin exchange site, Mt. Gox, has shut down its website and its coin withdrawal system, deleted its Twitter feed and blocked the entire trading system after discovering “unusual activity” taking place on the platform. The Bitcoin Foundation, a group supporting the Bitcoin currency, confirmed that Mark Karpeles, Chief Executive of Mt. Gox, has resigned from the foundation’s board. This comes only a few days after Mt. Gox announced that it was experiencing technical problems. Last week, Mt. Gox announced that it had discovered a technical problem that forced the exchange to suspend bitcoin withdrawals for a week. They discovered a flaw in the transaction system that allows these operations to be falsified. This error led to the theft of virtual coins worth nearly 2.7 million dollars from Silk Road 2.0. Later, sources close to Mt. Gox confirmed that over 700,000 Bitcoins are missing from Mt. Gox’s ledgers, in a “slow-leak” type attack that took place over several years. This led to the closure of the industry’s biggest player. The Bitcoin companies CoinBase, Blockchain.info, Circle, Kraken, Bitstamp and BTC China declared jointly about MtGox that this event does not reflect the true value of the Bitcoin currency and that, although we are talking about the industry leader, the market has numerous trustworthy and responsible alternatives involved that will continue to develop the virtual currency. “This tragic violation of the trust of users of Mt.Gox was the result of one company’s abhorrent actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants.” “We strongly believe in transparent, thoughtful, and comprehensive consumer protection measures. We pledge to lead the way.” At the end of the week, the Bitcoin currency reached its lowest values since June 2013, fluctuating between $300 and $500. Mt.Gox – the largest Bitcoin exchange site has suspended its activity | WORLDIT Bitcoin's Price Plummets As Mt. Gox Goes Dark, With Massive Hack Rumored - Forbes
  8. It isn’t / won’t be “for life” anymore - look at what they want to do: "Owners of .ro internet domains will pay an annual renewal fee, according to a draft Government Decision. Compared to existing practice, the draft aims to change the one-time fee for registering '.ro' domains into an annual fee. To this end, the annual fee for registering and renewing a .ro domain name is set, at the proposal of the Registry (author's note: RoTLD), by order of the Minister for the Information Society and can be paid annually or in advance for a maximum of 2 years. "For existing domain names, registrants are obliged to renew them within a maximum of 3 months from the date the order is published in the Official Gazette, but for domain names registered in the last 24 months, renewal takes place when the right to use the domain name reaches 24 months, on the grounds that the fee can be paid for 2 years in advance". The authorities propose in this document that ".ro domain names be registered for a fixed period of at least one year, which can subsequently be extended by renewal. The maximum period for which a .ro domain name can be registered or renewed is 2 (two) years." I’ll come back with sources 1 and 2
  9. For those who didn’t make it there: DefCamp - Live
  12. Good, user friendly, stable, IPs classified by country - recommended
  13. Are you bragging about it - or do you want to buy/sell??!!!!
  14. Centurion Setup v25.0 Multilingual - not “tested”