Everything posted by Nytro
-
Committees: from 2016, prepay cards may only be used on the basis of personal identification data - VIDEO, by Liviu Dadacus - Mediafax

Starting 1 January 2016, prepaid (prepay) phone cards will only be usable if the holder provides the telephone operator with their personal identification data, according to a legislative initiative voted by the Legal and IT Committees of the Chamber of Deputies.

According to the text of the law adopted by the deputies in the two Committees, the legislative initiative is to enter into force on 1 January 2015, with prepay card holders having one year, until 1 January 2016, to provide the operator with their personal data; otherwise the number will be cancelled.

The legislative initiative also regulates how connecting to the internet through a wi-fi network will work: access will be permitted on the basis of providing a mobile phone number to which the operator will send an SMS with an access code.

The chairman of the Chamber's IT Committee, deputy Daniel Oajdea, said the legislative initiative was adopted by the committees in a form that is "correct and beneficial" for everyone. "The bill provides for the retention of the person's identification data, not the retention of traffic data, both for prepay and for wi-fi," Oajdea said.

He explained how the law will regulate this area. "Anyone who holds a prepaid card has, from the law's entry into force, one year in which they can use up the credit or go to the operator and declare their data. If not, the number will be cancelled. The law enters into force, if the text is adopted as it is, on 1 January 2015. For prepay, the person's identification data from the identity card, passport or driving licence will be provided. As for internet access over a wi-fi network, only the person is identified. It is the known procedure that is also applied in Germany: you give your mobile phone number and receive a code with which you authenticate," Oajdea said.

He pointed out that the deputies did not agree to the retention of traffic data, a measure that also contradicts the ECHR decision, even though the SRI had requested this as well. "Traffic data means, for the internet, every page accessed. Nothing of the kind was approved, only the identification of the user," Oajdea said.

In turn, SRI general Dumitru Dumbravă, present at the debate on the legislative initiative in the committees, avoided making statements about the form in which the bill was adopted. "We are pleased that it was voted, because we were supporters of the law," was Dumbravă's only comment.

On Wednesday, the Legal and IT Committees of the Chamber of Deputies drew up a joint Report on the bill on the use of prepay cards, which was adopted with 14 votes "for", 4 votes "against" and one abstention. The report will go to the plenary of the Chamber for debate and will be put to a vote in that legislative body, most likely in next week's extraordinary session. The Chamber of Deputies is the decision-making body.

Source: Comisii: Utilizarea cartelelor prepay, din 2016 doar în baza datelor personale de identificare - VIDEO - Mediafax
-
Boost::este::de::cacat(); It's huge, hard to learn, and the grouping of the classes is crap. I recommend writing your own classes, specifically for the project you're working on, classes that can later be reused very easily. In other words, you're a hardworking programmer once, then you can be a lazy and efficient one.
-
Fraud in online sales of phones and tablets: damage of over 1.3 million euro in VAT, by Roxana Alexe - Mediafax

Anti-fraud inspectors identified damage of over 1.37 million euro, representing VAT on the online sale of state-of-the-art smartphones and tablets by several companies, and following searches carried out by Bucharest prosecutors six people were arrested.

rie 2014, the existence of a chain of commercial companies dealing in the online sale of state-of-the-art smartphones and tablets, organised on two tiers, was identified, the General Directorate for Fiscal Anti-Fraud (DGAF) reports.

The first tier consisted of companies through which the electronic products, purchased mainly from Germany, were brought into Romania. These companies did not declare the goods and did not pay the taxes and duties on the commercial activities they carried out. At the same time, these firms were systematically replaced with newly established ones, registered in the names of various individuals in precarious financial circumstances, including a person in prison.

The second tier was made up of companies specialising in online trade in mobile phones and tablets, through which the electronics were distributed on the Romanian market, DGAF adds.

As a result of these findings, in March the anti-fraud inspectors notified the Prosecutor's Office attached to the Bucharest Tribunal. Thus, on 18 June, based on warrants issued by the competent court, prosecutors of the Prosecutor's Office attached to the Bucharest Tribunal carried out searches at the companies' premises and at the addresses of the people involved, discovering large amounts of cash and luxury cars. Also, on 19 June, the six people accused of organising and running these activities received 29-day arrest warrants.

Source: Fraudă la vânzarea online de telefoane și tablete: Prejudiciu de peste 1,3 milioane de euro din TVA - Mediafax
-
We accept donations, but don't come with "I'll chip in 5-10 dollars too", because I don't want half the forum jumping down my throat later with "Hey, I paid for the forum". For now we're managing; if we want to expand (we have ideas and plans) then we'll ask for your help.
-
x64_dbg V1.8 ALPHA is out
Nytro replied to io.kent's topic in Reverse engineering & exploit development
Yes, it has two folders: one for x86 and another for x64. But it looks good. And it's open. -
x64_dbg V1.8 ALPHA is out
Nytro replied to io.kent's topic in Reverse engineering & exploit development
Doesn't look bad at all. But why does it have EAX, EBX... ? Wasn't it supposed to be for x64? -
SweetScape.010.Editor.v5.0.1-CRD
Nytro replied to io.kent's topic in Reverse engineering & exploit development
Yes, it's cool. -
But alas: "he was accused of breaking into an apartment". What was he doing there? My heart brea... screw him. Filthy gypsy. Go to work, not to steal.
-
Come on, give us some links to topics where you had something to say. I don't know why, but I get the impression it wasn't tutorials or anything educational...
-
So as not to leave you in the dark, I'll give you a tip that can get you VIP faster than you imagine. Talk to @em, he's a big-hearted guy and I'm sure he'll gladly help you. I'm not like that. If you PM me I'll piss on you and give you a permanent ban. Screw you.
-
[eBook] Penetration Testing: A Hands-On Introduction to Hacking
Nytro replied to Fi8sVrs's topic in Tutoriale in engleza
About the Author: Georgia Weidman is a penetration tester and researcher, as well as the founder of Bulb Security, a security consulting firm. She presents at conferences around the world including Black Hat, ShmooCon, and DerbyCon, and teaches classes on topics such as penetration testing, mobile hacking, and exploit development. Her work in mobile security has been featured in print and on television internationally. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security. -
Nobody from Valcea?
-
Great, I wanted to do something like this too. I think it would be more efficient to find the file sizes and compute the hash only for the files that have the same size.
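A duplicate finder that follows the suggestion in the post above (group by size first, hash only groups with more than one member), as an added example that is not code from the thread. The sample files it runs on are created in a temporary directory here.

```python
"""Size-first duplicate file finder (added example, not from the thread)."""
import hashlib
import os
import tempfile
from collections import defaultdict


def find_duplicates(root: str, chunk: int = 1 << 20) -> list:
    """Return groups (lists of paths) whose contents are byte-for-byte identical.

    Files are bucketed by size first; only buckets with two or more entries
    are hashed, so unique-sized files are never read at all."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink would make its target look duplicated
            by_size[os.path.getsize(path)].append(path)

    groups = []
    for paths in by_size.values():
        if len(paths) < 2:
            continue  # unique size: cannot have a duplicate, skip hashing
        by_hash = defaultdict(list)
        for path in paths:
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for block in iter(lambda: f.read(chunk), b""):
                    h.update(block)
            by_hash[h.hexdigest()].append(path)
        groups.extend(sorted(g) for g in by_hash.values() if len(g) > 1)
    return sorted(groups)


def demo() -> list:
    """Constructed sample: two identical files, one same-size-but-different
    file, and one of a unique length. Returns basenames of the duplicate groups."""
    d = tempfile.mkdtemp()
    files = {
        "a.bin": b"same-size-A",
        "b.bin": b"same-size-A",
        "c.bin": b"same-size-B",   # same length as a/b, different content
        "d.bin": b"unique length",  # never hashed
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return [[os.path.basename(p) for p in g] for g in find_duplicates(d)]


if __name__ == "__main__":
    print(demo())  # [['a.bin', 'b.bin']]
```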
-
"What do we do with the dough?". The gypsy currency of the internet (LOV)
Nytro replied to zoondark's topic in Stiri securitate
Dear Antonescu, (not Crin) ... -
I only used the free version. Well, I think I also found an older cracked version, but it didn't surprise me.
-
Android's New App Permissions Setup Raises Red Flags
By Eduard Kovacs on June 13, 2014

Google has recently made changes to the way permissions for Android applications are displayed, but experts warn that the modifications make automatic updating of mobile applications riskier than before.

Under the new format, permissions requested by Android applications are organized into groups to simplify the installation process and help users make informed decisions about whether or not they want to install a certain app, Google developers noted. The problem, as highlighted by many security experts, is the fact that if a user gives an app access to a certain permission category, when the app is updated, it can start using other permissions in the same category without informing the user.

“Once you’ve allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted,” Google explained.

For example, if an application needs to read text messages, the user must give it access to the “SMS” permissions group. If the app is updated, it can automatically access all other individual permissions in the “SMS” group, such as edit text messages, send SMS messages and receive text messages, without the user being notified.

Furthermore, Google has decided to remove network communication permissions from the primary permissions screen on the basis that most apps need access to the Web in order to work. The company said it was removing apps that violate Google Play policies, and noted that systems are in place to protect users against potentially harmful elements.

Georgia Weidman, the CEO of Bulb Security, told SecurityWeek that the changes are a “step in the complete wrong direction.” “Most users don't really care about permissions anyway, but it seems a red flag to me that if you've accepted something in a certain group you don't get notified of additional permissions in that group on update,” Weidman said.

“Google hopes to solve the problem of apps not autoupdating by grouping permissions into categories. But you risk apps being able to silently add new permissions when they update,” Marc Rogers, principal security researcher at Lookout, told SecurityWeek in an emailed statement. “Under the new system Google will only notify users if an app requests permissions in a group the user hasn't already accepted. People need to understand that they are essentially allowing all permissions in a given category.”

“Right now the best advice to users who are concerned about permissions is that you should go into the Play store and change the settings for apps to turn off autoupdate for any app that you do not implicitly trust,” Rogers said. “This way the app has to be manually updated and you get a chance to check its permissions with each install.”

There are also several threads on Reddit highlighting the negative impact these changes have on security and privacy.

Source: Android's New App Permissions Setup Raises Red Flags | SecurityWeek.Com
-
Android Cheatsheet (updates to dweinst@insitusec.com): Vuln/Exploit List (privesc)

Vulnerability/Exploit name | release date | author | effect (root, unlock, ...) | notes | link
psneuter | | scotty2 | root | | https://github.com/tmzt/g2root-kmod/blob/master/scotty2/psneuter/psneuter.c
Exploid | 7/15/2010 | Stealth | root | | C-skills: android trickery
GingerBreak | 5/26/2011 | Stealth | root | | C-skills: yummy yummy, GingerBreak!
RageAgainstTheCage | | Stealth | root | |
KillingInTheNameOf | | Stealth | root | | C-skills: adb trickery #2
Zimperlich | 2/24/2011 | Stealth | | | C-skills: Zimperlich sources
Zergrush | | Revolutionary | root | | https://github.com/revolutionary/zergRush/blob/master/zergRush.c ; Revolutionary - zergRush local root 2.2/2.3 [22-10: Samsung/SE update] - xda-developers
Tacoroot | | jcase | root | HTC Recovery symlink attack to local.prop from /data/recovery/something. bliss found it first, but was too slow! | https://github.com/CunningLogic/TacoRoot
Nachoroot | | jcase | root | AMI304 Magnetic Sensor, symlink to local.prop. | https://github.com/CunningLogic/NachoRoot
Burritoroot | | jcase | root | Typo prevented app from sending a debugging intent, caused adb to run as root | https://github.com/CunningLogic/BurritoRoot
Gorditaroot | | jcase | install custom recovery or root | Similar to Nachoroot, different path, AMI304 Magnetic Sensor, symlink to recovery mtd device | https://github.com/CunningLogic/GorditaRoot
Enchilada | | jcase | root | System left r/w & internal memory left as ext4? I think. Symlink attack from DCIM dir to install-recovery.sh | https://github.com/CunningLogic/Enchilada
ZTERoot (Avail) | | jcase | root | ~70 ridiculous intents left over from engineering. Stupid OEM. | https://github.com/CunningLogic/ZTERoot ; [Exclusive] Developer Codes Left In Retail ZTE Avail (AT&T) Offer Quick And Easy Root Access
ZTERoot (Merrit) | | jcase | root | Symlink attack from debugging/logging app | [ROOT] ZTE z990g Merit (An avail variant?) - xda-developers
LG ICS Root | | jcase | root | Symlink attack | [ROOT] LG Intuition & LG Spectrum ICS - xda-developers
DefyXT Root | | jcase | root | Unprotected intent allowing various permission changes. | [Root] Republic Wireless Motorola Defy XT - xda-developers
Cyanide | | jcase | root | DefyXT Root Loggerlancher changing permissions, system mounted r/w | https://github.com/CunningLogic/Cyanide
LG Optimus Logic | | jcase | root | |
LG Optimus Elite | | jcase | root | LG not verifying integrity of system partition when flashing through download mode. TOT images are patchable. Probably valid on all LG devices. | [Exclusive] How To Root The Virgin Mobile LG Optimus Elite
Pantech | | jcase | root | Pantech does not verify integrity of system partition when flashing through download mode. PDL images are patchable. | unpublished
HTC DNA | | jcase | enable unlocking | Backupmanager sets /data 777, then symlink to mmbblk0p5 to change CID. Not root, but enables bootloader unlock | [unlock] Bootloader unlock - Updated November 26th 2012 - xda-developers
HTC One X AT&T | | jcase | root | HTC Ready2go webapp triggering chmod 777 on file in world writable dir. Lasted a whole 4 hours. | [Exclusive] How To Root The AT&T HTC One X On Version 1.85 (Or Earlier)
Hisense Pulse | | cj_000 | root | ro.debuggable=1 on initial firmware |
Generic LG | | ? | root | ro.debuggable=1 on some older LGs | unpublished
LG ADB Backdoor | | Giantpune | root | Backdoor, restarts adb as root with key |
Poot | | Giantpune | root | Qualcomm diag device |
Lit | | Giantpune | root | LG Backlight |
ZTE Backdoor | | "Anonymous" | root | binary spawned root shell, password protected. |
HTC Eris 2.1 Root | | wag3slav3 | install custom recovery | symlink attack from /data/local/something to recovery block device | ? XDA Forums
Droid 3 Root | 8/25/2011 | bliss | root | symlink attack from /data/local/something to local.prop | Security Research by Dan Rosenberg
Motofail | 2/11/2012 | bliss | root | symlink attack on /data/dontpanic and /data/logger | http://vulnfactory.org/public/motofail_windows.zip
XYZ | 2/17/2012 | bliss | root | symlink attack on /pds/public/battd, /data/dontpanic, and /data/logger | http://vulnfactory.org/public/xyz_windows.zip
LG Spectrum Root | 2/19/2012 | bliss | root | symlink attack on /data/gpscfg/gps_env.conf | http://vulnfactory.org/public/spectrum_root_windows.zip
Megatron | 2/26/2012 | bliss | root | symlink attack on com.ti.fmrxapp | Security Research by Dan Rosenberg
LG Esteem Root | 2/15/2012 | bliss | root | symlink attack on /data/bootlogo/bootlogopid | http://vulnfactory.org/public/LG_Esteem_Root_v2_Windows.zip
Razr's Edge | 6/21/2012 | bliss | root | symlink attack on /data/local/12m | http://vulnfactory.org/public/razrs_edge_windows.zip
Razr Blade | 1/15/2013 | bliss | root | symlink attack on /data/dontpanic, overwriting SmartActions .jar file to run code as system | http://vulnfactory.org/public/razr_blade.zip
X-Factor | 10/23/2012 | bliss | change CID | symlink attack on telephony ADB restore to change permissions on /dev/diag, followed by kernel exploit (same as Poot) | [ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit - xda-developers
Samsung Admire Root | 9/12/2011 | bliss | root | symlink attack on /data/log/dumpState_app_native.log | Security Research by Dan Rosenberg
Thinkpad Tablet | 1/22/2012 | bliss | root | symlink attack on Lenovo Mobility Manager | http://vulnfactory.org/public/Thinkpad_Root_Windows.zip
Sony Tablet S | 2/8/2012 | bliss | root | symlink attack on /log to change package.list, followed by symlink attack on "pm" (replace "lib" directory of system app to remove arbitrary files) | Security Research by Dan Rosenberg
Xoomfail | 2/18/2012 | bliss | root | cmdclient changed perms on /data to 0777 by design | Security Research by Dan Rosenberg
Motofail2Go | 10/16/2012 | bliss | root | symlink attack on data directory for bug2go | http://vulnfactory.org/public/motofail2go_windows.zip
XPRT | 10/8/2012 | bliss | root | symlink attack on /data/dontpanic | http://vulnfactory.org/public/xprt_root_windows.zip
Nandpwn | 8/4/2012 | bliss | root | Ridiculousness on Logitech Revue | https://github.com/djrbliss/revue/tree/master/nandpwn
Motochopper | 4/9/2013 | bliss | root | | http://vulnfactory.org/public/motochopper.zip
ADB Restore Root | | bin4ry | root | |
Exynos-abuse | | alephzain | root | Access to system memory through /dev/exynos-mem on Exynos devices | [ROOT][SECURITY] Root exploit on Exynos - xda-developers
IconiaRoot | | alephzain | root | | [ROOT][SECURITY] Root exploit on Exynos - xda-developers
fr3vo | | Kevin Bruckert | root | Arbitrary kernel write in Qualcomm's MSM rotator |
levitator | | Jon Larimer, Jon Oberheide | root | Out-of-bounds memory mapping in pvrsrvkm | http://jon.oberheide.org/files/levitator.c
mempodroid | | saurik/zx2c4 | root | Bad kernel jazz with /proc/pid/mem and suid binaries |
asroot (Wunderbar?) | | zinx | root | | http://code.google.com/p/flashrec/source/browse/#svn%2Ftrunk%2Fandroid-root
Samsung Infuse 4G | 1/3/2012 | Michael Coppola | root | symlink attack on /data/data/.drm/.wmdrm/sample.hds | Rooting the Samsung Infuse 4G - Michael Coppola's Blog
-
DarunGrim: A Patch Analysis and Binary Diffing Tool

Introduction

DarunGrim is a binary diffing tool. DarunGrim is a free diffing tool which provides binary diffing functionality. Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft. Especially by analyzing security patches you can dig into the details of the vulnerabilities they are fixing. You can use that information to learn what causes software to break. That information can also help you write protection code for those specific vulnerabilities. It is also used to write 1-day exploits by malware writers or security researchers.

This binary diffing technique is especially useful for Microsoft binaries. Unlike other vendors, they release patches regularly and the patched vulnerabilities are relatively concentrated in small areas of the code. That makes the patched part more visible and apparent to patch analyzers.

* DarunGrim 3: DarunGrim3 is an advanced version of DarunGrim2 which provides a nice file management UI.

Binaries: http://github.com/ohjeongwook/DarunGrim/downloads
Source: http://github.com/ohjeongwook/DarunGrim
License: New BSD License
Documentation: DarunGrim 3 Installation & Usage Guide
Blogs: Reverse Engineering | Reverse Engineering stuff

Source: DarunGrim: A Patch Analysis and Binary Diffing Tool
-
Extracting the payload from a CVE-2014-1761 RTF document Monday June 9, 2014 Background In March Microsoft published security advisory 2953095, detailing a remote code execution vulnerability in multiple versions of Microsoft Office (CVE-2014-1761). A Technet blog was released at the same time which contained excellent information on how a typical malicious document would be constructed. NCC Group’s Cyber Defence Operations team used the information in the Technet blog to identify a malicious document within our malware zoo that exploited this vulnerability which appears to have been used in a targeted attack. In this blog we show one method of analysing the shellcode manually to extract the payload. Matching the malicious document The Technet blog gives a number of pointers toward a malicious document. First there is a bad header at the beginning of the document, which should be {\rtf in a real document but is {\rt{. Our sample matches this: The MSComctl object is a short way into the document, in this case an ImageComboCtl: And it is easy to identify the potential ROP chain: What will happen if the exploit is successful? If the exploit doesn’t work on our test systems, how can we manually extract the payload? We know that the document should contain something useful, either saving malicious embedded content or using a URL download/execute. But where is this shellcode? Analysing the shellcode After identifying the vulnerability we can now hunt for the shellcode which will run on successful exploitation. The Technet blog suggests the shellcode is placed near the end of the file so this is a good place to start. Upon loading into IDA the correct option to choose is 32-bit disassembly. Locating the shellcode How can we quickly identify what might be code? One common technique in shellcode is using the hashes of Windows APIs, searching for these can often yield good results. 
Running a small IDA Python script over the database returns some possible matches:

The first four are probably misdetections but the following API names definitely look suspicious. All of them are toward the end of the file, which ends at 0x71CB1. Checking the results for Sleep() and ExitProcess() shows the following potential shellcode locations:

Turning the bytes into code

It is now possible to see where some of the hashed APIs might be used, which gives an indication of where the shellcode is located. We can begin to convert the unknown bytes into code (right click and choose “Code”, or use the shortcut ‘C’). If we accidentally choose the wrong place to start analysing then it is possible to end up with “junk” results, as demonstrated below:

We can fix this by undefining the junk code (right click, “Undefine” or shortcut ‘U’), then making code at a slightly different offset. Very quickly the disassembly starts looking like real code:

Calling functions by hash

We can now see that the API hash is placed in the EBX register before a function is called, which has been manually named CallByHash by us in the disassembly above. This function uses the standard mechanism of obtaining the PEB to find loaded modules:

The correct API is found using a simple ROR 0x13 (19 decimal) loop until the generated hash matches the value in EBX where the desired hash is stored (see comparison instruction at 0x71A83). This allows the shellcode to locate and call any Windows API from kernel32.dll without knowing anything about the process which loaded the RTF file or including API name strings.

Finding ourselves – where is the RTF file?

The shellcode next needs to find the RTF file so it can locate and save the payload. It does this by iterating over all possible file handles until a valid one is found. This will always work because Word must have the RTF file open in order to parse it. The code below tries each possible handle in turn, starting from 0x4 until 0x4000.

It then calls GetFileSize, ensuring that the handle is valid by checking the return code. The code which follows is responsible for finding the start of the payload and saving it to disk. The position is first reset to the start of the file (offset 0) using SetFilePointer. The loop below then looks for the characters S18t in the document and obtains the offset if the string is found. If the characters are not present then the shellcode tries the next handle until an open file containing S18t is located.

Once the payload data is found it is unobfuscated with a simple XOR loop, seen below. This is important to note for when we extract the data manually later.

Following this are standard calls to GetTempPathA, CreateDirectoryA, CreateFileA and WriteFile, which save the payload to disk. Finally the shellcode calls LoadLibraryExA to launch the payload and then sleeps before calling ExitProcess to terminate Microsoft Word cleanly.

Unusual code or shellcode trickery?

Other typical techniques are also evident, for example this simple sequence:

The constant 0x40000000 (equivalent to GENERIC_WRITE permissions) is obtained by taking the number 0x41010101 and subtracting 0x1010101, avoiding null bytes in the shellcode. The same trick is used for some API hashes, for example CloseHandle below:

A simple calculation shows that the hash for CloseHandle would be 0xED00C776, which contains a null byte.

Extracting the payload

With the information above we can extract the payload data from the document and decode the executable which will be run. By searching for the string S18t the start of data can be found. The bytes following S18t look suspiciously like an obfuscated PE header; using our earlier information about the usage of XOR 0x4 we can test to see if this is correct:

From here we can copy all of the bytes from offset 0x6c38 to the end of the file and then apply XOR 0x4 to obtain a PE file. The resulting file will contain the shellcode at the end; this could be removed if desired. Loading the payload into IDA shows a well formed executable which allows us to begin further analysis.

In this instance the payload was a 425KB executable which is often called the “havex RAT”. Crowdstrike attribute the use of this malware to a group called ENERGETIC BEAR in their Global Threat Report 2013. At the time of our analysis only 1 antivirus engine of 50 on VirusTotal detected the payload as malicious, once again highlighting the malicious code arms race.

Conclusion

Using the techniques described above it is possible to extract the payload even if the exploit is unreliable or we have an incomplete malicious document. This allows creation of network or host indicators that allow us to prevent or detect the malicious payload. It is also a useful reminder of the speed at which known attackers will use new exploits to distribute their existing malware.

For further information: Follow us on twitter @NCCGroupInfosec for notifications of new blog articles. If you’re an existing customer please contact your account manager if you require tailored advice and consultancy, including incident response, forensics, malicious code analysis and cyber defence services.

Source: https://www.nccgroup.com/en/blog/2014/06/extracting-the-payload-from-a-cve-2014-1761-rtf-document/
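The manual carving step the article ends with (find the S18t marker, XOR the remainder with 0x4, check for a PE header), as an added example that is not NCC Group's own tooling. The marker and the 0x4 key come from the article; the sample document is constructed, and the key=None mode (try every single-byte key until a valid PE header appears) is a generalisation beyond the fixed key shown on the page.

```python
"""Carve the XOR-obfuscated PE payload that follows the "S18t" marker."""
import struct
from typing import Optional, Tuple

MARKER = b"S18t"  # marker the shellcode searches for in the open RTF handle


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer (the shellcode uses 0x4)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' stub and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_payload(doc: bytes, key: Optional[int] = 0x4) -> Optional[Tuple[int, int, bytes]]:
    """Return (offset, key, decoded_payload) or None.

    offset is the file offset of the first obfuscated byte (just after the
    marker). The decoded blob runs to end of file, so the trailing shellcode
    the article mentions is still attached. key=None brute-forces all 256
    single-byte keys and accepts the first that yields a valid PE header."""
    pos = doc.find(MARKER)
    if pos < 0:
        return None
    start = pos + len(MARKER)
    blob = doc[start:]
    for k in ([key] if key is not None else range(256)):
        # Decode only the header first; decode everything only on a hit.
        if looks_like_pe(xor_bytes(blob[:0x400], k)):
            return start, k, xor_bytes(blob, k)
    return None


def build_sample() -> bytes:
    """Constructed RTF-like document: text, the marker, then a minimal fake
    PE (MZ header, e_lfanew=0x40, 'PE\\0\\0', filler) XORed with 0x4."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe += b"PE\x00\x00" + b"\x00" * 0x20 + b"fake-shellcode"
    return b"{\\rtf1 lorem ipsum " + MARKER + xor_bytes(bytes(pe), 0x4)


SAMPLE_DOC = build_sample()

if __name__ == "__main__":
    off, k, payload = find_payload(SAMPLE_DOC)
    print(hex(off), hex(k), payload[:2])
```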
-
rm -rf remains

Just for fun, I decided to launch a new Linux server and run rm -rf / as root to see what remains. As I found out, rm lives in the future with idiots like me, so you have to specify --no-preserve-root to kick this exercise off.

# rm -rf --no-preserve-root /

After committing this act of tomfoolery, great utilities like /bin/ls /bin/cat /bin/chmod /usr/bin/file will all be gone! You should still have your connection over SSH as well as your existing bash session. This means you have all the bash builtins, like echo.

Full article: rm -rf remains
-
An Introduction to Recognizing and Decoding RC4 Encryption in Malware

There is something that we come across almost daily when we analyze malware in the VRT: RC4. We recently came across CVE-2014-1776 and like many malware samples and exploits we analyze, RC4 is used to obfuscate or encrypt what it is really doing. There are many ways to implement RC4 and it is a very simple, small algorithm. This makes it very common in the wild and in various standard applications. Open-source C implementations can be found on several websites such as Apple.com and OpenSSL.org.

What is RC4?

RC4 was designed by Ron Rivest of RSA Security in 1987. RC4 is a fast and simple stream cipher that uses a pseudo-random number generation algorithm to generate a key stream. This key stream can be used in an XOR operation with plaintext to generate ciphertext. The same key stream can then be used in an XOR operation against the ciphertext to generate the original plaintext. While it is still common in malware, RC4 has been legitimately implemented in a number of areas where speed and privacy are of concern. In the past, both WEP and TLS used RC4 to protect data sent across the wire. However, last Fall, Microsoft recommended that customers disable RC4 by enabling TLS1.2 and AES-GCM. For more information including a detailed history of RC4, check out the Wikipedia article.

Why is it used in malware?

Increasingly, we find that RC4 is used to encode data that is sent to a remote server to be decrypted on the other side using a pre-shared key. This makes detection a bit trickier (but not impossible) and also makes it harder to determine exactly what is being sent across the wire. What we will usually do when we think we’ve come across some sort of encryption is determine the source of it and whether the data being sent is static (for matching purposes) and what exactly that data is.

Full article: VRT: An Introduction to Recognizing and Decoding RC4 Encryption in Malware
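The key-stream mechanism the post describes (KSA, PRGA, XOR with the key stream, same operation for both directions), as an added example that is not the VRT post's or any vendor's code. The pre-shared key and "beacon" below are constructed; the expected bytes are the published RC4 test vector for key "Key" and plaintext "Plaintext".

```python
"""RC4 (KSA + PRGA) as used to decode malware traffic with a pre-shared key."""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling: permute S[0..255] with the key. This 256-entry
    S-box setup loop is the pattern most often spotted when recognising
    RC4 in a disassembly."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes):
    """PRGA: yield key-stream bytes indefinitely."""
    s = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the key stream; encryption and decryption are the same."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed scenario: a captured "beacon" and the pre-shared key that was
# recovered from the sample. The ciphertext is the known test vector.
PSK = b"Key"
CIPHERTEXT = bytes.fromhex("bbf316e8d940af0ad3")   # RC4("Key", "Plaintext")

if __name__ == "__main__":
    print(rc4_crypt(PSK, CIPHERTEXT))   # b'Plaintext'
```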
-
CentOS 7 Public QA Release

Friday, 13 June 2014
Jeff Sheltren

We are happy to announce the immediate availability of the first CentOS 7 QA Release.

!!! This is a QA release only and not the final CentOS 7 release !!!

In the past, CentOS QA testing has been performed by a small group of people within the CentOS community. We are happy that we are now able to open this up to the wider community to get early feedback and bug reports prior to the 7 release.

CentOS 7 QA release is available for download at: Index of /

We are first populating individual RPMs in their respective build directories. Once there is a working base install tree, it will be made available at the same URL.

Please note the following:

- This is NOT the final CentOS 7 release. Packages, ISOs, and install media *will* change between this release and the final 7 release.
- The packages posted at the above URL will likely be updated in-place before the final release.
- Things may be broken! Don’t install this on your production servers. Consider it a beta/preview release.
- Help us make the 7 release better by reporting bugs at My View - CentOS Bug Tracker
- This is not an officially supported release. If you have questions, aren’t sure if you’ve found a bug, etc., please ask in #centos-devel on Freenode, or email the centos-devel email list.
- Packages in the QA release are *not* GPG-signed. The final 7 release will contain gpg-signed packages as usual.
- Upgrading from the QA release to the final 7 release may be possible, but it’s not supported or documented in any way. Expect that you will need to re-install when 7 final is released.

We appreciate any and all bug reports at My View - CentOS Bug Tracker (please also check upstream bugzilla.redhat.com and link to those bugs when filing a new CentOS issue), and assistance with the “Branding Hunt” (see [CentOS-devel] The Branding Hunt - howto).

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.0_Release_Notes/part-Red_Hat_Enterprise_Linux-7.0_Release_Notes-Known_Issues.html contains a list of known issues at the time of the upstream release.

Currently, we only have RPM packages online, but will be bringing installable media online as soon as we have it ready. Again, this is NOT a final release. It may harm nearby puppies, kittens, or other (cute) animals and/or servers.

This is our first attempt at opening up CentOS to the wider community, so please bear with us as we work through any issues that arise with the process. As always, feedback is welcome on the email list or on IRC (#centos-devel on Freenode).

Edit: Even though we don’t yet have an installable tree in place, you can point an existing el7beta/el7rc install to the buildlogs repo with the following yum repo definitions (for example /etc/yum.repos.d/centos-buildlogs.repo):

[centos-qa-03]
name=CentOS Open QA – c7.00.03
baseurl=Index of /c7.00.03
enabled=1
gpgcheck=0

[centos-qa-04]
name=CentOS Open QA – c7.00.04
baseurl=Index of /c7.00.04
enabled=1
gpgcheck=0

Thanks, and enjoy the release!

-Jeff Sheltren on behalf of the CentOS QA Team

Source: CentOS 7 Public QA Release – Seven.CentOS.org
-
[h=2]Ransomware infecting user32.dll[/h]

Over the past months we’ve been monitoring a new variant of the Department of Justice (DOJ) ransomware. To date, nothing has been written about this new variant on the internet. This blog item aims to address this.

Analysis of this particular ransomware shows that the method to infect victims is different compared to previous ransomware samples. Instead of dropping an executable on the system it infects the Windows system DLL: user32.dll. This file is typically located in:

C:\Windows\System32\user32.dll
or
C:\Windows\SysWOW64\user32.dll

So far we’ve observed that the ransomware is only infecting the 32-bit version of user32.dll.

Static detection

Our support desk helped a victim in January 2014. Four months later, detection is still poor:

Resource section

The ransomware enlarges the resource section of user32.dll as can be seen in the table below:

Original user32.dll
name    va        vsize     rawsize
.text   0x1000    0x5f283   0x5f400
.data   0x61000   0x1180    0xc00
.rsrc   0x63000   0x2a088   0x2a200
.reloc  0x8e000   0x2de4    0x2e00

Infected user32.dll
name    va        vsize     rawsize
.text   0x1000    0x5f283   0x5f400
.data   0x61000   0x1180    0xc00
.rsrc   0x63000   0x33a88   0x33c00
.reloc  0x8e000   0x2de4    0x2e00

Analysis of the increased resource section in this file shows that it contains an encrypted payload with a decryptor embedded. We will show how the malware gets active once it has successfully infected the user32.dll file.
EntryPoint patched

The code in the entrypoint of an infected user32.dll is patched with a jump to AlignRects, as can be seen below:

Original:

UserClientDllInitialize:
7e41b217 8B FF           mov edi, edi
7e41b219 55              push ebp
7e41b21a 8B EC           mov ebp, esp
7e41b21c 83 7D 0C 01     cmp [ebp+0xC], 1
7e41b220 75 05           jnz 0x7e41b227
7e41b222 E8 5D 07 00 00  call 0x7e41b984
7e41b227 5D              pop ebp
7e41b228 90              nop
7e41b229 90              nop
7e41b22a 90              nop
7e41b22b 90              nop
7e41b22c 90              nop
7e41b22d 8B FF           mov edi, edi
7e41b22f 55              push ebp
7e41b230 8B EC           mov ebp, esp

Patched:

UserClientDllInitialize:
7e41b217 8B FF           mov edi, edi
7e41b219 55              push ebp
7e41b21a 8B EC           mov ebp, esp
7e41b21c 83 7D 0C 01     cmp [ebp+0xC], 1
7e41b220 75 0E           jnz 0x7e41b230
7e41b222 E8 00 00 00 00  call 0x7e41b227
7e41b227 83 04 24 0A     add [esp], 0xa
7e41b22b E9 B0 22 05 00  jmp AlignRects
________________________________________
7e41b230 8B EC           mov ebp, esp

The code at AlignRects is not the original, but is replaced with code that allocates a new block of executable memory. Hereafter it copies the encrypted payload from the resource section to this newly allocated memory.
AlignRects:
7e46d4e0 leave
7e46d4e1 pusha
7e46d4e2 push ebp
7e46d4e3 mov ebp, esp
7e46d4e5 sub esp, 8
7e46d4e8 mov eax, [ebp+0x4C]          ; EAX becomes base-address of
                                      ; user32.dll (7E410000)
7e46d4eb mov ecx, eax
7e46d4ed add eax, 0x13bc
7e46d4f2 mov eax, [eax]               ; EAX becomes address of
                                      ; NtQueryVirtualMemory
7e46d4f4 add eax, 0xfffff5f0          ; EAX becomes address of
                                      ; NtAllocateVirtualMemory
7e46d4f9 push 0x40
7e46d4fb push 0x3000
7e46d500 lea ecx, [ebp-0x4]
7e46d503 mov [ecx], 0xc576
7e46d509 push ecx
7e46d50a push 0
7e46d50c lea ecx, [ebp-0x8]
7e46d50f mov [ecx], 0
7e46d515 push ecx
7e46d516 push 0xff
7e46d518 call eax                     ; Call NtAllocateVirtualMemory
7e46d51a mov edi, [ebp-0x8]           ; EDI = allocated address
7e46d51d mov eax, edi
7e46d51f mov esi, [ebp+0x4C]          ; ESI = base-address of
                                      ; user32.dll (7E410000)
7e46d522 add esi, 0x8d200             ; ESI = address of encrypted payload
                                      ; in resource section
7e46d528 mov ecx, 0x98bb
7e46d52d rep movs es:[edi], ds:[esi]  ; Copy to allocated
                                      ; (executable) range
7e46d52f leave
7e46d530 add eax, 0x981e              ; EAX = address of decryption code
7e46d535 jmp eax                      ; Start decryption !!

As can be seen from this code an executable block of memory is allocated. In order to do that, the address of NtAllocateVirtualMemory is calculated using the address of NtQueryVirtualMemory, which was obtained from the IAT of user32.dll. The encrypted payload is copied into the newly allocated range of memory. This encrypted payload contains a small piece of decryption code, located near the end of the encrypted payload. This decryption code is shown below:

0:000> r
eax=0029981e ebx=7e41b217 ecx=00000000 edx=7c90e514 esi=7e4a6abb edi=002998bb
eip=0029981e esp=0007f9d4 ebp=0007fa10 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
0:000> u eax l20
0029981e call    00299823
00299823 pop     edx                      EDX = current location !
00299824 sub     edx,7FFA2F22h
0029982a push    esi
0029982b lea     esi,[edx+7FFA2F1Dh]      ESI = allocated mem-base (290000)
00299831 mov     ecx,981Eh                ECX = size to decrypt (num bytes)
00299836 sub     esi,ecx
00299838 push    esi
00299839 mov     ebx,6FAAEh               The XOR key (BL only, so AEh)
0029983e xor     byte ptr [esi],bl        Decrypt byte-by-byte
00299840 inc     esi
00299841 inc     ebx                      Modify XOR key for each byte (+1)
00299842 loop    0029983e
00299844 pop     eax
00299845 pop     ecx
00299846 mov     dword ptr [eax+12h],ecx
00299849 jmp     eax                      Jump to allocated mem-base, which is now decrypted.

The decryption of the payload uses an XOR-based decryption scheme where the XOR value for each byte to decrypt is incremented after each operation. Once all bytes in the allocated memory range are decrypted, the now plain code is executed. Note the first two instructions of this decryption code, where a call/pop combination is used to obtain the current address. This makes the decryption code position independent. The only ‘fixed’ values in this code are the size of the encrypted payload and the XOR key, so automating the payload and decryptor to avoid static detection can be easily accomplished.

Once the ransomware becomes active, some typical ransomware behavior is performed:

- Windows Safe Mode is disabled
- Task Manager is blocked
- Command Prompt is blocked
- Registry Editor is blocked

… and of course the police themed picture is shown where a ransom fee is demanded in order to release the PC (see picture at the top of this article).

Victims can use the very easy-to-use HitmanPro.Kickstart to get rid of police themed ransomware infection.

Blocking CD-ROM drives

A new property of this particular ransomware is that it disables CD-ROM drives. This makes it harder to clean the system on some computers, as is explained below.

When HitmanPro detects a system file that is infected, it searches for a white-listed variant on the computer. This is because Windows tends to keep a copy of system files in multiple locations on the hard disk.
If HitmanPro cannot find a white-listed known safe version, it prompts for the Windows installation CD/DVD media that came with the computer. This is a very useful feature of HitmanPro and it has been in HitmanPro for years to return infected system files to pristine state! But since this new ransomware infection blocks access to the CD/DVD the user can no longer provide the Windows installation media for original files.

New Cloud Service

Today we release a BETA build of HitmanPro that queries a new HitmanPro-cloud service that can provide a clean system file so that the user no longer has to provide Windows installation media.

32-bit: http://dl.surfright.nl/HitmanProBeta.exe
64-bit: http://dl.surfright.nl/HitmanProBeta_x64.exe

Samples:
3AF4FA2BFFAAB37FD557AE8146AE0A29BA0FAF6D99AD8A1A8D5BF598AC9A23D1
3A061EE07D87A6BB13E613E000E9F685CBFFB96BD7024A9E7B4CB0BE9A4AF38C
7DD93123078B383EC179C4C381F9119F4EAC4EFB287FE8F538A82E7336DFA4CA

Source: Ransomware infecting user32.dll
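The incrementing-XOR decryptor from the listing above (mov ebx, 6FAAEh / xor [esi], bl / inc esi / inc ebx / loop), reproduced as an added example that is not SurfRight's code, so a memory dump of the copied resource blob can be decoded offline. The initial key 0xAE and the 0x981E-byte size are taken from the listing; the sample region is constructed, and because XOR is its own inverse the same routine is used to build it.

```python
"""Rolling-XOR decoder for the user32.dll ransomware payload."""

INITIAL_KEY = 0xAE   # low byte of 0x6FAAE; only BL takes part in the XOR
PAYLOAD_LEN = 0x981E  # ECX in the real decryptor (bytes before the stub)


def key_for_offset(i: int, initial_key: int = INITIAL_KEY) -> int:
    """Key byte applied to the i-th byte: INC EBX makes BL wrap 0xFF -> 0x00."""
    return (initial_key + i) & 0xFF


def rolling_xor(data: bytes, initial_key: int = INITIAL_KEY) -> bytes:
    """Decrypt (or, identically, encrypt) data with the incrementing key."""
    return bytes(b ^ key_for_offset(i, initial_key) for i, b in enumerate(data))


def recover_payload(alloc_region: bytes, size: int = PAYLOAD_LEN,
                    initial_key: int = INITIAL_KEY) -> bytes:
    """Decrypt the first `size` bytes of the blob copied out of the resource
    section and leave the decryptor stub that follows them untouched, which
    mirrors what the loop does in the allocated memory range."""
    return rolling_xor(alloc_region[:size], initial_key) + alloc_region[size:]


# Constructed sample: a fake decrypted body (PE-like header plus filler) and
# a fake stub (call $+5 / pop edx), assembled the way the real blob is laid out.
FAKE_PLAIN = b"MZ\x90\x00" + bytes(range(256)) * 2
FAKE_STUB = b"\xe8\x00\x00\x00\x00\x5a"
SAMPLE_REGION = rolling_xor(FAKE_PLAIN) + FAKE_STUB

if __name__ == "__main__":
    out = recover_payload(SAMPLE_REGION, size=len(FAKE_PLAIN))
    print(out[:4], out.endswith(FAKE_STUB))   # b'MZ\x90\x00' True
```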