Everything posted by Nytro
-
Let's not file "Directory Listing" under the ShowOff category, though...
-
[h=2]Attackers Pounce on Zero-Day Java Exploit[/h]
Attackers have seized upon a previously unknown security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.

News of the vulnerability surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP). Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. “The price of such an exploit if it were sold privately would be about $100,000,” wrote Paunch, the nickname used by the BlackHole author.

Oracle has moved Java to a quarterly patch cycle, and its next update is not scheduled until October. In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely. Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java?” link. Mac users can use the Software Update feature to check for any available Java updates.

If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it. For browser-specific instructions on disabling Java, click here.

If you must use Java, security experts are prepping an unofficial patch for the program that should blunt this vulnerability, but it is being offered on a per-request basis at this point. A number of experts I know and respect have vouched for the integrity of this patch, but installing third-party patches should not be done lightly. Note that regressing to the latest version of Java 6 (Java/JRE 6 Update 34) is certainly an option, but not a very good one either.

If you do not need Java, get rid of it, and if you do need it for specific applications or sites, limit your use of Java to those sites and applications, using a secondary browser for that purpose.

Source: Attackers Pounce on Zero-Day Java Exploit — Krebs on Security
-
I was really curious how complex these "Anti"-s of theirs are... Edit: the process gets killed. Kind of sad, all antiviruses have self-defense and hooks on OpenProcess/TerminateProcess, so these "Anti"-s won't really work.
-
YAJDE = Yet Another Java Driveby Exploit...
-
Finally a POC!
-
Yes, what a rich imagination...
-
Delete the executables too, you don't need them, and under no circumstances run them. If the tutorial is an ".exe", we move the topic to the trash.
-
At Costinesti: pizza, chicks, accommodation, hotel, women, clubs, shawarma in Costinesti
-
Hotel Napoca is rented out during that period and it's not big enough. That's what the little guy said, I think.
-
Yes, it's an idea, looks ok. There's also Crystal Palace Ballrooms, but probably too big and too expensive. Bucharest folks, any suggestions regarding the venue?
-
First of all, vote on which venue you would suggest. Then, if you have other suggestions about how it "should be", they are welcome. PS: see Blackhat and Defcon. I keep trying to reach Andrewboy, but I'm not really succeeding.
-
Yeah man, can't you move your ass...
-
-
Permanent ban and moved to the trash. Get to work, beggars.
-
I don't see any vulnerability, just a link. RST vulnerability: https://rstcenter.com/forum/admincp/index.php ? Moved to the trash.
-
I only see a link. Moved to the trash.
-
Oracle Abandoning MySQL Developers?

Sunday, August 19, 2012: Though there is no open announcement about it, it’s getting almost clear that the company has all plans to close up the open source software, thereby abandoning the MySQL community. Stamping the move was the recent discovery, where the developers realised that the bug fixes released for MySQL did not have any test cases to assure developers that the problem had actually been fixed. This is making the developers unsettled and confused about how Oracle defines open or closed software. And these developers are not shying away from openly talking about the problem on almost every platform.

To run you through the origin of MySQL, it is one of the most popular databases used by developers across the world. It landed with Oracle when it acquired Sun Microsystems in 2010.

According to a post in MariaDB, MySQL has used a testing framework called mysql-test since 1999. Over the past years, tests have been built for new features and regression tests that guarantee that a bug fix is permanent. Developers such as those from Facebook and Twitter rely on the testing framework. At Twitter, MySQL serves as the “persistent storage technology behind most Twitter data: the interest graph, timelines, user data and the Tweets themselves.”

Moreover, it is being reported that Oracle has removed the revision history for MySQL. This means that developers cannot know the set of changes made to the software, leaving them guessing what was changed when and by whom.

Kalpana Sharma, EFYTIMES News Network

Source: http://news.efytimes.com/e1/89071/Oracle-Abandoning-MySQL-Developers
-
No, that's what I knew too, but I searched through more than one page of "documentation", and it's not quite like that. Besides, I've seen dozens of opinions that contradict each other, and the difference lies first of all in how they are used. Then, the implementation is totally different, especially depending on the operating system. On Windows, for example, critical sections can be used instead of mutexes, and that is preferable, because critical sections are implemented in user-land, while the mutex is a global, inter-process object managed by the kernel, and these sysenters into the kernel are more time-consuming. On Linux, likewise, things are a bit different, but I can't tell you with certainty how, because I've read several opinions and they contradict each other: some claim that semaphores are implemented in user-land, which seems like nonsense to me since there are explicit syscalls specifically for working with semaphores, others said that the mutex really is built on top of a semaphore, while others claimed they have nothing to do with each other, but that the mutex is implemented in userland. When I get to work I think I'll do a little "benchmark test".
-
And the assembly language can differ: x86, ARM, powerpc... Cross compiling.
-
Protect everything you write if you have a Keylogger on your PC...
Nytro replied to chioara3's topic in Cosul de gunoi (the Trash section)
1) Shitty title 2) It's also found under Accessories 3) If you have a keylogger, and you know it, why would you sit and chat on messenger through the OSK instead of at least looking for an antivirus, anything?
-
[h=2]Vulnerability Summary for the Week of August 13, 2012[/h]
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
- Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
- Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

Link: http://www.us-cert.gov/cas/bulletins/SB12-233.html
-
[h=1]Quervar – Induc.C reincarnate?[/h]
by Robert Lipovsky, Malware Researcher

Win32/Quervar (a.k.a. Dorifel, XDocCrypt) is a virus family that has been in the news recently, especially in the Netherlands. It has been reported to be causing havoc on computers of several notable Dutch institutions. In our analysis, we provide additional technical details about the workings of the virus and compare it to another virus, the Delphi-infecting Win32/Induc.C, to which it bears a suspiciously strong resemblance. The virus can get onto a victim machine through several infection vectors, including email, download by other malware (it has been seen in the company of the Zeus variant Citadel) and through its own replication mechanisms, described below.

As others have previously blogged (here and here), Quervar is a parasitic virus that targets executable files, as well as Microsoft Word and Excel documents. Let’s recapitulate how it does this, what other functionalities are included in the virus code, and why all this is so interesting.

[h=1]File infection[/h]
After a few initial checks (such as making sure that it’s running only once using a named event and global atom, and checking that it’s been run from a .LNK file with the parameter “-launcher”) the virus creates a thread that will search through drives on the system for files to infect. It goes about this by enumerating the logical drives on the system (GetLogicalDriveStrings) and recursively traversing their directory structures looking for target files. While doing this, it avoids certain drive types (specifically DRIVE_NO_ROOT_DIR, DRIVE_CDROM and DRIVE_UNKNOWN), and drives that contain the System Volume Information directory. Now this looked very familiar, being the exact same procedure that the Win32/Induc.C virus used. And it’s only one of the many similarities we found between the two viruses.

By filtering out the specific drive types, the virus is intended to infect files on network mapped drives and removable media, such as USB sticks. The virus is interested in all files with file names containing the strings “.doc” or “.xls” (this includes the newer .docx and .xlsx file extensions), with the exception of those whose names contain “–.” (a marker used by the virus when the original document is dropped from the infected file and launched), and in file names containing “.exe”. It also checks whether the “.exe” file found is a 32-bit executable, and looks for the presence of a special marker to ensure that the file hasn’t already been infected. A file size check is also performed: the virus only infects files from 10kB to 30MB in size. The victim file is then infected provided it meets these criteria.

The original file is overwritten by the virus body, followed by the infection marker (“[+++scarface+++]” in the case of Win32/Quervar.C) and the original file (document or executable) encrypted with RC4.

With Word and Excel documents, two extra steps are taken. Firstly, the icon of the file is changed to that of a Word or Excel document. Secondly, the infected document’s file extension is changed to %RLO%cod.scr (for .doc and .docx files) or %RLO%slx.scr (for .xls and .xlsx files). %RLO% in this case is the Unicode character 0x202E right-to-left override which, as the name suggests, causes the string following the character to be reversed. In effect, the actual file name is displayed in Windows Explorer with the part after the override reversed, so the “.scr” ending reads as a document extension (the original post’s screenshots are not reproduced here). This trick for hiding the executable file extension has been used by malware in the past (see here and here). Interestingly, it doesn’t work on Windows XP by default, as it lacks right-to-left text support. Naturally, when the virus-laden file is executed, it decrypts, drops and opens the original document or launches the original executable.

[h=1]Payload and motives[/h]
The virus infects executables and documents (i.e. turns documents into executable files as well) on network mapped drives and removable media. The reason for this is, as with any other virus or worm, to enable it to spread. Even though the original files are RC4 encrypted inside the virus, this is not a case of a file cryptor or ransomware, where the victim has to pay a fee for the decryption key; the reason for the encryption is simply to make disinfection slightly more difficult for AV companies. (All ESET security products are capable of cleaning the infection, or you can download a stand-alone removal tool here.) After all, the virus does try to conceal the fact that files are infected (using the right-to-left extension trick) and opens the original document.

Once an infected file is executed, its only action is to “install” the virus on the system and to launch the original file. The installation process is to copy itself and add a Registry entry that will ensure its execution every time the system starts with the “-launcher” parameter. Once “installed” the virus creates three threads:
- Infecting thread (an infinite loop so that the virus catches when a new drive is mounted or new files for infection appear, with a 5s sleep between cycles; for details, see the previous section)
- Payload thread
- Self-defense thread

While this is in other respects a straightforward and easy-to-analyze virus coded in Delphi, the payload thread employs a little obfuscation through code encryption in order to make static analysis more difficult. First, the virus attempts to set the [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings] “GlobalUserOffline” Registry entry to 0, which would put Internet Explorer out of Offline Mode. (However, there’s a bug in the code, as described in the following section.)
Then, the decrypted code is responsible for the other malicious actions the virus performs:
- It contains a set of URLs to which Quervar tries to connect
- The HTTP request also sends a unique ID of the infected computer (derived from the path where the virus was launched and the Volume Serial Number of the disk) to identify the individual machine and distinguish it from others in the botnet
- The virus is able to receive commands from the C&C server, download and execute other malicious code (through HTTP or FTP), and update itself
- It has the ability to steal user data, including browser history and cache, and the list of URLs typed into the browser

While debugging one of the Win32/Quervar samples, we noticed another interesting technique that also seemed very familiar. One of the hard-coded URLs inside the binary pointed to a user avatar on a discussion forum (the decrypted URL from the Win32/Quervar.C variant was shown as a screenshot in the original post, not reproduced here). The user whose avatar was used here has already been banned. But that is not the case with the avatar used by the Win32/Quervar.D variant. Unsurprisingly, the downloaded image contained additional encrypted C&C URLs. (The avatar downloaded by Win32/Quervar.D and the associated forum user were also shown as screenshots, not reproduced here.)

The third thread, used as a trivial self-defensive measure by the malware process, is exactly the same as the one used in Win32/Induc.C (well, apart from the Sleep delay duration). The process exits if the Task Manager is opened. The original post shows the self-defense thread of Win32/Quervar.C on the left and the same thread in Win32/Induc.C on the right (screenshot not reproduced here).

[h=1]Easter Eggs[/h]
As mentioned above, there’s a bug in the part of the Quervar.C code that tries to set the GlobalUserOffline Registry entry. Unlike most other strings, the Registry key is stored unencrypted in the binary, so “decrypting” it results in an addition to the Registry that is essentially gibberish. The above-mentioned writing to the Registry takes place only after an unsuccessful attempt to connect to the registry of a remote computer named “\\kaspersky”.

Different string markers separating the encrypted original file from the virus body are used in different versions of the virus:
- [+++scarface+++] in Win32/Quervar.C, a reference to the movie with Al Pacino.
- [---deadline---] in other variants; this could be a reference to one of a few movie/TV titles.
- Win32/Quervar.C uses an event called “SayHellotomyLittleFriend”, also from Scarface.
- This variant also uses a global atom called “BreakingBad”, a TV series.

[h=1]Comparison with Win32/Induc.C[/h]
As mentioned above, we have noticed a great deal of similarity between Quervar and Induc.C. Here’s a comparison table:

Feature | Win32/Quervar.C | Win32/Induc.C
Programming language | Delphi | Delphi
Malware type | virus | virus
Infects | .exe, .doc(x), .xls(x) files | Delphi applications and .exe files
Infection method | Appends encrypted file after virus body, with infection string marker | (same)
Infection string marker | [+++scarface+++] | -=supernatural=-
Infected file extension | .exe, .scr | .exe
Encryption | RC4 | xor 5, add 7
Targets for infection | Removable media, network mapped drives | Removable media, network mapped drives (the same as Quervar in the case of .exe file infection)
Searching for targets | The same logical drive enumeration and recursive directory traversing technique; the exclusions for drive types and drives containing System Volume Information are also the same | (same)
Self-defense | The same thread (different timeout value), exiting after the Task Manager process is seen | (same)
Forms a botnet? | Yes | Yes
Main payload | Download and execute arbitrary file | Download and execute arbitrary file
Additional payloads | Virus update, steal browser history | –
C&C URL mechanism | Contains hard-coded encrypted URLs, (some of which) point to user avatars on discussion forums, which contain additional URLs | (same)
Countries of highest prevalence | Netherlands | Russia, Slovakia

[h=1]Variants and statistics[/h]
Win32/Quervar.C is the virus variant that has been troubling Dutch computer users in the past weeks; however, the first variants of Quervar date back a couple of months, to spring 2012, and are not confined only to the Netherlands. As indicated by the graph in the original post, statistics from ESET LiveGrid™ telemetry show that the Quervar virus (all variants) is most prevalent in Turkey. The variant Win32/Quervar.C (which has a much lower share in detections than the other variants) is detected almost exclusively (~90% of all reported detections) in the Netherlands.

[h=1]Conclusion[/h]
As has become common practice in the world of malware, the Win32/Quervar virus family implements several techniques which have already been observed elsewhere. It is part of a bigger “operation”, forms a botnet, and is able to perform tasks sent from the C&C server, and to download and execute other malware. It is not unlikely that the virus botnet operator provides this as a service to other cyber criminals. Furthermore, as David Harley mentions, it has attracted the attention of telephone support scammers. However, what struck us most forcibly in this case is the great degree of similarity to the Win32/Induc.C virus. It’s very likely that the malware writer is the same in both cases, or at any rate that Quervar was inspired by the Win32/Induc.C code.

Users of ESET security software are protected from the virus. Anyone else can download the free removal tool here. The Threat Encyclopedia entry can be found here: Win32/Quervar.C.

Source: Quervar (Dorifel, XDocCrypt) similar code to Induc.C | ESET ThreatBlog
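As an added example (not code from the ESET article or from ESET), a small Python scanner for the two infection indicators the article describes: the U+202E right-to-left-override file-name trick and the string marker that separates the virus body from the RC4-encrypted original. The marker strings and the 10kB–30MB size window come from the article; the sample files are constructed in a temporary directory and are not real samples.

```python
import os
import tempfile

# Indicators taken from the article (Win32/Quervar.C and other variants)
RLO = "\u202e"                                     # Unicode right-to-left override
INFECTION_MARKERS = (b"[+++scarface+++]", b"[---deadline---]")
MIN_SIZE, MAX_SIZE = 10 * 1024, 30 * 1024 * 1024   # size window the virus infects


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware file manager shows: text after U+202E reversed."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def inspect_file(path: str) -> dict:
    """Collect the Quervar indicators for one file (name trick, marker, size window)."""
    name = os.path.basename(path)
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        data = f.read(MAX_SIZE)   # the marker sits right after the virus body
    marker = next((m.decode() for m in INFECTION_MARKERS if m in data), None)
    return {
        "path": path,
        "rlo": RLO in name,
        "shown_as": displayed_name(name),
        "real_ext": os.path.splitext(name)[1].lower(),
        "marker": marker,
        "in_size_window": MIN_SIZE <= size <= MAX_SIZE,
    }


def is_suspicious(info: dict) -> bool:
    # A marker is a hard hit; an RLO-disguised .scr/.exe is a strong one on its own.
    return info["marker"] is not None or (info["rlo"] and info["real_ext"] in (".scr", ".exe"))


def scan_tree(root: str) -> list:
    """Walk root recursively (as the virus does) and return the suspicious file infos."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip the folder the virus itself avoids; it holds no user documents anyway.
        dirnames[:] = [d for d in dirnames if d != "System Volume Information"]
        for fn in filenames:
            info = inspect_file(os.path.join(dirpath, fn))
            if is_suspicious(info):
                hits.append(info)
    return hits


def build_sample_tree() -> str:
    """Constructed sample data: one clean document and two infected-looking files."""
    root = tempfile.mkdtemp(prefix="quervar_demo_")
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"PK clean document " * 1000)
    # "report" + RLO + "cod.scr" is shown as "reportrcs.doc", the trick the article describes
    with open(os.path.join(root, "report" + RLO + "cod.scr"), "wb") as f:
        f.write(b"MZ fake virus body " * 1000 + b"[+++scarface+++]" + b"\x00" * 2000)
    with open(os.path.join(root, "tool.exe"), "wb") as f:
        f.write(b"MZ fake virus body " * 1000 + b"[---deadline---]" + b"\x01" * 2000)
    return root
```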