Microsoft released workaround for DLL vulnerability

Microsoft released workaround for DLL vulnerability

Microsoft has released an advisory explaining the DLL preloading attacks and provides workaround that allows customers to disable the loading of libraries from remote network or WebDAV shares. This workaround tool can be configured to disallow insecure loading of per-application or global system basis.

When an application queries or loads a .dll file, but full path name is not hard coded, Windows searches a pre-defined set of directories for it. An attacker/intruder could social engineer a victim into loading a malicious .dll from a USB drive or from a network and execute arbitrary code to exploit this vulnerability.

For testing this vulnerability you can use latest metasploit and any windows applications which searches for .dll, this metasploit server will dynamically generate .dll as requested by compromised system, but before that u need to compromise the system.

Workarounds suggested:

Disable loading of libraries from WebDAV and remote network

Disable the WebClient service.

Block TCP ports 139 and 445 at the firewall.

Microsoft has issued a tool to allow administrators to alter the library loading behavior on a system-wide basis or for specific applications. The tool is available at:

http://support.microsoft.com/kb/2264107

Users can consider the best practices against DLL preloading attacks described here(http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx)

To read more, follow:

http://www.cert-in.org.in/vulnerability/civn-2010-193.htm

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

http://blog.metasploit.com/2010/08/better-faster-stronger.html

http://news.cnet.com/8301-27080_3-20014625-245.html

http://support.microsoft.com/kb/2264107

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx

http://isc.sans.edu/diary.html?storyid=9445

http://www.offensive-security.com/offsec/microsoft-dll-hijacking-exploit-in-action/

$3cur3 y0ur $y$t3m !!!

nj0y !!!

PT with Browser

PT with Browser

yes, penetration testing became so easy nowadays. You don't need heavy, bulky, expensive vulnerability assessment tools. Now you just need now is, a browser (Firefox) and its Add-ons (plug-ins), which are available freely. Here I'm going to tell you something about free Mozilla Add-ons, which can help you to effectively perform vulnerability assessment and penetration testing.

These tools are listed below:

1. SQL Inject Me: SQL Injection vulnerabilities can cause a lot of damage to a web application.

2. HackBar: Simple security audit / Penetration test tool.

3. Backend Software Information: Detect the backend software of the current website (Drupal 5.x, 6.x, Wordpress 2.x, Django, phpBB, MediaWiki, MoinMoin, Joomla, Reddit, ...).

4. Firebug: It integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

5. FxIF: View EXIF data in image properties.

6. Fireforce: Launches brute-force attacks on GET or POST forms.

7. Widerbug: web developing with CSS and JavaScript.

8. Lazarus: Lazarus securely auto-saves all forms as you type.

9. ShowIP: Show the IP address(es) of the current page in the status bar.

10. Multiproxy Switch: This tool lets you switch proxy between multiple configurations, and it's easy to manage, easy to configure.

11. FoxyProxy Standard: FoxyProxy is an advanced proxy management tool that completely replaces Firefox's limited proxying capabilities.

12. PassiveRecon: PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information.

13. Live HTTP Headers: View HTTP headers of a page and while browsing.

14. Add N Edit Cookies: Cookie Editor that allows you add and edit session and saved cookies.

15. Greasemonkey: Allows you to customize the way a webpage displays using small bits of JavaScript.

16. XSS Me: Cross-Site Scripting (XSS) is a common flaw found in todays web applications.

17. Whiteacid's XSS assistant: Very powerful.

18. SQL Injection: SQL Injection is an Upgrade from the old form free, it is a component to transform checkboxes, radio buttons, select elements to a input text and enable disabled elements from all forms in a page.

It makes easier to test and identify SQL injection vulnerabilities in web pages.

19. FireCAT 1.5 "Plus" Edition: Security databse tools.

20. iMacros for Firefox: Automate Firefox. Record and replay repetitious work. If you love the Firefox web browser, but are tired of repetitive tasks like visiting the same sites every days, filling out forms, and remembering passwords, then iMacros for Firefox is the solution you’ve been dreaming of! ***Whatever you do with Firefox, iMacros can automate it.***

21. Xmarks Sync: Xmarks is the #1 bookmarking add-on. Keep your bookmarks, passwords and open tabs backed up and synchronized across computers and browsers. Search smarter with website ratings and reviews displayed with your search results.

22. Read It Later: Save pages to read later with just one click. When you have time, access your reading list from any computer or phone, even without an internet connection!

To read more, follow:

http://www.securityaegis.com/hacking-with-your-browser/

Have safe browsing, safe hacking and successful penetration testing.

nj0y !!!

Abode Patches

Adobe Patches

This month, adobe released patches for lots of severe vulnerabilities in their products. Most of these vulnerable applications are generally used by us. Hence it is requested, to update all adobe products and avoid system compromise & severe problems caused, and if possible use adobe update manager.

Affected Adobe Products

Adobe Flash Player 10.1.53.64 and earlier

Adobe AIR 2.0.2.12610 and earlier

Adobe ColdFusion 9.0.1 and previous versions

Flash Media Server 3.5.3 and earlier versions

Flash Media Server 3.0.5 and earlier versions

Detail are give below:

Adobe

http://www.adobe.com/support/security/bulletins/apsb10-19.html

http://www.adobe.com/support/security/bulletins/apsb10-16.html

http://www.adobe.com/support/security/bulletins/apsb10-18.html

CERT-In

http://www.cert-in.org.in/advisory/ciad-2010-58.htm

http://www.cert-in.org.in/vulnerability/civn-2010-188.htm

http://www.cert-in.org.in/vulnerability/civn-2010-189.htm

#@V3 $@F3 8R0W$!N9 !!!

nj0y !!!

Hello Friends,

Today is Microsoft patch day, Microsoft has released 15 security bulletins which are covering 34 vulnerabilities.

These vulnerabilities are affecting Windows Kernel, Windows Movie Maker, SChannel, Microsoft XML Core Services, Microsoft MPEG Layer-3 Codecs, Cinepak Codec, SMB Server, Internet Explorer, Microsoft Office Word, Microsoft Office Excel, TCP/IP, Microsoft .NET and Silverlight. Install the patches as mentioned in Microsoft Security Bulletin. Most of them are critical and needs to be patched as early as possible.

MS10-046

Critical

Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

MS10-049

Critical

Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)

MS10-051

Critical

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

MS10-052

Critical

Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)

MS10-053

Critical

Cumulative Security Update for Internet Explorer (2183461)

MS10-054

Critical

Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)

MS10-055

Critical

Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)

MS10-056

Critical

Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)

MS10-060

Critical

Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

MS10-047

Important

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

MS10-048

Important

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)

MS10-050

Important

Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)

MS10-057

Important

Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)

MS10-058

Important

Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)

MS10-059

Important

Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

Apply patches of all vulnerabilities applicable for you and nj0y $@f3 8r0w$!n9 . . .

nj0y !!!

Windows Shortcut(.lnk) Vulnerability

A component of Microsoft Windows, Windows shell is vulnerable to remote code execution via a shortcut file. A shortcut is a link to a file or program, represented by an icon. If you double-click a shortcut, the file or program opens. The shortcut is a mechanism often used to keep frequently used files in a single, easily accessed location, such as a folder or the desktop. Shortcuts are implemented as files with the LNK extension. This .lnk exploit will works in Windows XP, Vista and Windows 7.

An attacker could exploit this vulnerability by introducing removable drives or via setting up remote network share for the targeted users. When users opens the removable drive or browse the share, windows shell will attempt to load the icon of the shortcut file and the malicious binary may be invoked.

A remote attacker, who successfully exploit this vulnerability may execute arbitrary code on system with the privileges of currently logged-in user. this could be dangerous if you are running your system with administrative privileges.

Some of the antivirus vendors has pushed the detection of malicious shorkcut links in their products.

It is suggested to perform certain actions to avoid this vulnerability till the time microsoft will come up with a solution. Workarounds are as follows:

• Disable AutoRun functionality for all drives
  Microsoft
  http://support.microsoft.com/kb/967715
• Disable the displaying of icons for shortcuts
• Disable the WebClient service
• Microsoft
  http://www.microsoft.com/technet/security/advisory/2286198.mspx

To read more, follow:

CERT-In
http://www.cert-in.org.in/vulnerability/civn-2010-169.htm

Microsoft
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Trendmicro
http://blog.trendmicro.com/usb-worm-exploits-windows-shortcut-vulnerability/

ISC
http://isc.incidents.org/diary.html?storyid=9181

nj0y !!!

#@v3 $@f3 br0w$!n9 !!!

Fake Spam page: "Ten Things Girls Should Never Say to Guys"

Today, I found another interesting post on my wall, which caught my attention. This is again related to fake and spam pages on Facebook which is posted earlier in my blog past months. This page claims around 313K fans to lure users. This is also doing the same task, automatically posting at your wall and suggesting others as you like this page, which you haven't done, this application page does it for you. Along with all these weird activities, it will serve you with Adwares and Spywares. If you want to know more about it, please scroll down.

Have a look to this page. This is a fake spam page, using the quote "Ten Things Girls Should Never Say to Guys" for enticing naive users to perform certain clicks. This is not much dangerous as compare to earlier ones, which used to install Backdoors and Trojans, but yes, it installs Adware, which could be also a Spyware.

As for my analysis, this time I decided instead of clicking on "Like" button, I'll click somewhere else where they are telling me to click. So i did and landed up to this page:
This page ask me to prove I'm human, not a bot. But actually it doesn't make any sense. I noticed it is random, only one out of two is functioning. If BLUE one is functioning and if u clicked RED first, u'll find, it works. but if RED one is functioning and u clicked BLUE followed by RED, it doesn't make any sense.
In both of the cases, it will take you to another page, which looks like age confirmation page, look like something at your right. Which I believe a fake confirmation. This is used to trick naive users. See the next page and u'll come to know why they are asking you to confirm.

Here comes the real story, this page will tell you to download two sophisticated Adwares which may be spywares named:

"Create a cartoon image of yourself for your Facebook profile"
and
"Get free Smileys for AIM and other IM programs".
If you click on these links, you will land on two different application download pages, which respectively are like this,

These two applications are meant for the special purpose for what they are claiming. Upon clicking, these pages will serve you two different nice applications. I personally suspected , Apart from their usual business, they are doing something unusual. So I decided to upload these binaries to virustotal for verification, and the results were eye opening. These binaries which I recently downloaded are not a plain applications, they are Adwares and possibly Spywares.
Virustotal analysis is shown below:

• http://www.virustotal.com/analisis/9d265d2d4c6aba901627d82
  a9e355076d9f7b512d0d9da81f016b2c54c81a440-1279272598
  
  
• http://www.virustotal.com/analisis/b48522cc6679d127a75281
  4c62f779e90cf4bcac19c32dbd881a20b3fc17747b-1279273569
  

Once these Adware/Spyware installed on your system, this programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited and could also allow remote attacker to access your computer. This all will be done without your consent, because you have already allowed them to run on your system.

Along with these activities, you will find something on your wall, which look like this:
This will be posted on your wall which shows that you like this page and suggesting others to like the same, which is very much weird. and you actually haven't done.

After putting all these efforts, I was not able to know what are those 10 things which girls should never say to boys, isn't it funny.

Here, I suggest you friends there not to like or allowing access to your profile, who are using FB and blindly clicking on the pages to like without thinking what these pages are doing. Whenever you find any pages which tell you to like first then shows you the content, this is enough to sense something fishy is there. So please beware of these pages.

Similar things I posted earlier in my blog, kindly refer to gain more knowledge about these fake pages. Kindly let me know if you observe anything unusual, over internet obviously.

H@v3 $@f3 Br0w$!n9 !!!

nj0y !!!

Remote Control Facebook

Hey, after few days of busy schedule, i got something interesting and important to share. Earlier also i have experienced these kind of malicious activities over facebook.


Here is one example of same. Initially it lure users by saying "99% of people can’t watch this video for more than 25 seconds".

When you click the link, you will land on another page that offers to show you a video, but before watching the video either you need to copy and paste some code into the browser address bar or to some friends wall or at your status like that, this depends upon the guy who made this malicious page.

In most of the cases people doesn't paste this JavaScript onto their address bar, but if you did, you are taken to a page which automatically tells all your friends that you like the app, and it posts that link to your status. Nearly 600k “friends” that liked it makes it too effective.
A video action captured by AGV Researcher Roger Thompson is posted here:
http://www.youtube.com/watch?v=pFCmN-eSlt0

Payload was not cleared to him when he carried analysis, and this page/application has been deactivated/deleted by Facebook.

To read more, follow:
http://thompson.blog.avg.com/2010/07/remote-control-facebook.html
http://www.f-secure.com/weblog/archives/00001982.html
http://www.allfacebook.com/2010/05/facebook-appears-back-down-on-landing-tab-limitations/
http://www.allfacebook.com/2010/05/facebook-limits-landing-tabs-to-authenticated-pages/

H@v3 $@f3 Br0w$!n9 !!!

nj0y !!!

Fake POS Devices

Nowadays, hardware have become so cheap that cybercriminals can easily reproduce fake point-of-sale (POS) devices that can be used to skim data from credit and debit cards.

In an underground forum, a certain “Nikkon” has posted a fake POS device with flash memory for sale. The device is notably identical to a normal-looking POS terminal. Once used, however, it prints out a default receipt informing the counterfeiter’s victim that an error has occurred while reading his/her card, thus, the transaction could not be completed. Of course, at the same time that this receipt is being printed, the data held in the magnetic strip—along with the victim’s personal identification number (PIN) code—have already been uploaded and saved to the onboard flash memory.

How would this work in the real world? Imagine you are in a restaurant, shop, or café. You would like to pay using your credit or debit card. You are handed a POS device and asked to swipe your card then to enter your PIN code. Moments later, you see that the card is being rejected. You are handed back a receipt as proof. You might dismiss this as a normal failed transaction. What you do not know is that your credit card information has already been stolen until you get your next billing statement.

The initial price of a fake POS device is set at 1,000 EUR. An additional 200 EUR is charged for its setup and delivery. In addition, 40 percent of the stolen credit/debit card information is taken as usage fee by the seller.

Read more:
http://blog.trendmicro.com/for-sale-fake-pos-devices/

h@v3 $@f3 $h0pp!n9 !!!

nj0y !

Fake prize call from +92**********

Today early morning (12:07 AM), I got missed call from a number starts from +92. I know about this number very well so didn't picked up.

These calls belongs to a phone scam. +92 starting phone/mobile numbers belongs to Pakistan. These people generally give missed call to any random number (Specially in India) and innocent victim curiously call back on the number to know who has given missed call to them, which is their first biggest mistake. At start of conversation they will pretend like they are speaking from your mobile service provider and inform you like "Our telephone service provider has selected you as a winner of prize Rs.25,00,000." or some other amount. These guyz will never call, they just give missed calls. Generally no one bother about the number, actually this is an ISD number (+92). Generally in postpaid mobile numbers ISD facility is not available by default but in prepaid mobiles, ISD facility is available (depend upon minimum balance criteria).

Strategy: In order to claim this prize, they try to exploit unawareness of public towards mobile phones. They will tell you to follow some steps. I have one example, they will tell you to type *#06# on your phone, a 15-17 digit number will flashed on your mobile screen, which they call a lucky number. This 15-17 digit numbers are nothing but International Mobile Equipment Identity (IMEI) number of your mobile phone. Unfortunately many are not aware of this and easily caught by their tricks. The ones who doesn't know about IMEI numbers, will easily get convinced by their assertive conversation. These guys are very week in english and you could easily recognize them by their voice that they are not calling from your mobile service providers call center.

Subsequently, in second step: they will tell you to announce this on news channel, and for this they will give you a phone number which might be a wrong number or number may not exist. For making announcement they will tell you to buy a huge amount recharge coupons (upto Rs.2000) of any telecommunication service provider, DTH recharge coupons etc. They will assure you to give a call back. Again they will give a missed call and victim phone user, in covetousness of Rs 25,00,000, call them back.
This time strategy: they will ask you the scratch the recharge coupons and read out the registration/recharge number and tell you to destroy the recharge coupon immediately. They will sell this recharge number back in India in profitable price (less than its cost price), so that any shop keeper will easily buy it without asking any question, because he is also in profit. Once the recharge coupon is destroyed, it is very difficult to trace back who is going to use it. Once this is done, these scammers will elope and go out of your reach (anyway they are not sitting in your country or city).

These scammers are very cautious about their numbers, after phishing 1-2 victims, they will destroy their numbers, due to this it will become difficult to trace them. Now if you will call back on this number, their number will be out of reach. If you call to the number given by scamers for prize announcement, you will find either a wrong number or the number doesn't exist.

You have lost:
money cost recharge coupon which you purchased and
ISD call charged which you have made for prize.

If you have lost anything in this kind of scam, go and lodge a complaint in your nearest police station.

Precautions:
Do not pick or call back on the numbers start with +92 until your relatives or known personals are living in that country.
If you ever receive these call, take help from local police to trace them.
Make aware your near and dear ones about this scam.

I am surprised when i got missed call from this number, more than a year ago I came to know about this scam and surprised still these guys are operational. I believe people are more aware about these kind of scams compare to last year.

Beware of "The Ass in the Lion Skin".

To read more, follow:
http://www.consumercomplaints.in/complaints/fake-call-from-pakistan-92-airtel-c355670.html
http://www.consumercomplaints.in/complaints/198827/page/2
http://www.complaintbox.in/missed-call-international-code-92-caliing-my-mobile-regarding-some-prize-money

nj0y !!!

Bhoops
. ‡*Dejavu*‡ .

Botnet (for hire )at just $8.94/hour*

Recently it has been disclosed by VeriSign cyber security intelligence arm that botnet services are available at very cheap rate $8.94 per hour*. This online investigation is carried out on 25 botnet operators. it has been founs that the botnet operators has advertised for renting their services on three different forums. * Terms and conditions applied.

In the reported advertisement, botnet assured number of illegal services or say attack vectors like ICMP, SYN, UDP, HTTP, HTTPS and Data.

While those masterminding criminal operations involving botnets have in the past often been technical experts, the trend is towards the hiring of botnet services by less-skilled individuals, according to VeriSign. This was disclosed when these was arrest of three men operating Mariposa botnet.

The Mariposa botnet, believed to have been composed of 12.7 million PCs that stole credit card and bank log-in data and infected computers in half of the Fortune 1000 companies and more than 40 banks. According to ZDNet.

The world's largest botnet, Zeus botnet, had its traffic disrupted by repeated disconnections of a Kazakhstani ISP in March, but a series of reconnections revived its activity, security researchers have said. The botnet mainly pushes out the Zeus banking Trojan, an information-stealing keylogger that relays sensitive data back to its controllers.

To read more, follow:
http://news.cnet.com/8301-1009_3-20005844-83.html?tag=mncol;title
http://www.zdnet.co.uk/news/security-threats/2010/05/25/botnet-price-for-hourly-hire-on-par-with-cost-of-two-pints-40089028/
http://www.zdnet.co.uk/news/security-threats/2010/03/12/zeus-botnet-shaken-by-isp-cutoffs-40088290/
http://pandalabs.pandasecurity.com/mariposa-botnet/

H@v3 @ $@f3 br0ws!n9 !!!

nj0y !!!

"Distracting Beach Babes" yet another FB Worm

Hey you guys . . . beware of the Facebook spam or say Facebook worm spreading in a wild. This is kind of same FB spam worm about which I posted early this month name "Candid Camera Prank! [HQ]".

This time the worm posting message like "Distracting Beach Babes" onto your wall. And if you caught by this trick, this will also do the same like its previous version, it will post the same link onto the walls of all of your friends.

Like its previous version, if it lures you to click and if you clicked, you will land on its application page where it will ask you accept for the following:

• Access my public data
• Post on my wall
• Access my data any time

If you accept, that means you have allow this application, to do whatever it wants to do with your profile and your data. It will take you to a luring page which looks like this. Along with this it will give you a fake warning message that your FLV player is out of date, download update for it. This time i didn't wasted my time on downloading this malware because this may be the same kind of adware or may be different malware.

And the last lets see how this application home page looks like. This time there is a profile of an administrator of this application. I am not aware whether it is a real profile or fake. Generally these kind of profile are fake and used for luring users.

Follow the instructions to remove this application from your profile if you already caught before that it will do something more dangerous with your profile and profile data.
The Instructions are:
Goto your "Account"-> "Application Setting", find "Video Wave" in the list and click on 'X' to Remove application from you profile.

To read more about all this and previous please follow:
http://bh00ps.blogspot.com/2010/05/candid-camera-prank-hq-fb-virus.html
http://community.websense.com/blogs/securitylabs/archive/2010/05/22/warning-for-quot-distracting-beach-babes-quot-on-facebook.aspx
http://community.websense.com/blogs/securitylabs/archive/2010/05/15/sexiest-video-ever-on-facebook.aspx

H@v3 @ $@f3 br0w$!n9 !!!

nj0y !!!

Warning !!! Facebook worm "FBHOLE"

A new Facebook worm was spreading in the wild. The worm is doing nothing but posting on people's wall without user's intervention, I mean users doen't know that after clicking on this link the message will be posted on their friends wall, which is so weird. The message getting posted can be seen here...

The message posted by this worm is:

"try not to laugh xD http://www.fbhole.com/omg/allow.php?s=a&r=[RandomNumber]"

If you click on this type of posting on your wall, you will land on a page which merely looks like the page shown. This page says "If i don't, someone else do it." and also shows a fake script error. If you click any where on this page you will trigger a script which will post the same massage, shown above to your wall. The script is running in such a way that it follows your mouse button with a hidden iFrame in it. This iFrame is actually a "publish" button.

This worm is doing nothing except posting to your wall. But posting anything on user's wall without user's concern is wrong.

As of now the domain is blocked and it malicious activity is stopped. To read more about this follow:
http://www.f-secure.com/weblog/archives/00001955.html

H@v3 @ $@f3 br0w$!n9 !!!

nj0y !!!

Zero Day - Microsoft Windows Aero, Remote Code Execution Vulnerabiltiy

Few hours ago, Microsoft released and advisory about a kernel memory error vulnerability, which could allow remote code execution on affected machine installed with Windows Aero. this vulnerability exists in recently released Microsoft's products, Windows 7 x64 and Windows Server 2008 R2 x64 and Itanium.

A remote attacker may exploit this by sending specially crafted image file via email attachment or could host on a web server as a part of website and luring users to open it. Once open, and parsed by windows kernel may cause parsing error in the Canonical Display Driver (cdd.dll) and execute arbitrary code on the user's system.

This is a" Zero Day Vulnerability", no patch is available with MS.

The only safeguard suggested by MS is:

• Disable Windows Aero. (not in use generally)
  

And from my side:

• Do not open image files received from untrusted sources, or received unexpectedly from trusted sources, or file received through instant messaging.
• Do not follow untrusted links and URLs received by any mean.
  

To read more, follow:
http://www.microsoft.com/technet/security/advisory/2028859.mspx
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3678
http://pcandmactech.blogspot.com/2009/12/irfanview-and-bsod.html
http://en.irfanview-forum.de/vb/showthread.php?5647-V4-25-bluescreen-with-Windows-7-cdd-dll-win32k-sys
http://tools.cisco.com/security/center/viewAlert.x?alertId=20527
http://securitytracker.com/alerts/2010/May/1023991.html

h@v3 @ $@f3 br0w$!n9 . . .

nj0y !!!

TwitterNET Builder, Botnet toolkit

TwitterNET Builder, Now any script kiddie can create their own botnet with help of this toolkit. David Jacoby, Kaspersky Lab Expert posted information about this. With the help of this toolkit, it has became very easy to create a malicious program in few clicks. Upon execution, victim's system will become node of botnet. This toolkit will create a profile on twitter which will be contacted by infected computer for receiving instructions and commands. To read more follow:
http://www.securelist.com/en/blog/2163/New_tool_allows_script_kiddies_to_build_botnets_via_Twitter

The detail description of this toolkit can be found at:
http://sunbeltblog.blogspot.com/2010/05/diy-twitter-botnet-creator.html

How to get protected from this?
Do not open unsolicited email attachments or attachments received unexpectedly from trusted sources.
Do not receive or execute files received from untrusted users through instant messaging.
Keep your anti-virus program up-to-date.

H@v3 @ $@f3 br0w$!n9 . . .

nj0y !!!

Beware of Security essentials 2010, A Rouge Anti-Virus

Rouge anti-virus, Security Essential 2010 is spreading now a days. Websense® Security Labs™ has discovered a new job search related malware spam outbreak. People are getting spam mails with a Resume(CV) attached as compressed file, asking them to review it.

Hopefully I didn't receive any sample of this but thought of sharing information with you. So that you will be aware of what is happening.

According to Websense, inside this zip file there is an executable which is Oficla bot. the detection can be seen here . . .
http://www.virustotal.com/analisis/db641f27e14f54a02229cd3d9da9ca0c844c819c1db00b38005c3154be099965-1273654511

Once this bot installed on your computer, it will change your wallpaper and threaten you that your computer is seriously infected. Which is something like:












After all this drama it downloads and install rouge anti-virus program with the name of "Security Essentials 2010". This rogue AV give you fake warnings like your system is infected with multiple serious vulnerabilities and Trojan, virus, worms etc . . .
This is not for the first time, In the past there were few rouge AV, here is one example of "Antivirus 7"

when there was a news of releasing Windows 7 and another one is with name "PersonalSecurity" which was like . . .

To read more, please refer the following links:
http://community.websense.com/blogs/securitylabs/archive/2010/05/12/new-malspam-please-review-my-cv-thank-you.aspx

hope for the best, and never caught in these scams. i have seen people lost money in the name of buying updates for this rouge AV or in the name of getting latest definitions of clearing off infection shown by rouge AV. Please beware of these scams.

H@v3 @ s@f3 br0w$!n9 . . . .

nj0y !!!

Windows XP Service Pack 2 Support will be ceased on July 13, 2010

There is sad news for home users and entrepreneurs who are using Microsoft Windows XP, SP1 and SP2 . . .

Microsoft decided to cease support for its legendary operating system "Microsoft Windows XP SP2" on July 13, 2010. This date was decided when Windows XP Service Pack 3 (SP3) was released on April 21, 2008.

To read more please follow the links:
http://support.microsoft.com/gp/lifean31
http://support.microsoft.com/gp/lifesupsps
http://www.theregister.co.uk/2010/05/14/winxp_sp2_support_cut_off_looms/

Microsoft will continue to provide paid support During the Extended Support phase for Windows XP and security updates at no additional charge. Microsoft will continue support for Windows XP Sp3 till 2014. Finally and officially Windows XP will retire on April 8, 2014.

Upgrade to XP SP3 and nj0y $@f3 br0w$!n9 . . .

nj0y !!!

Security Enhancement by Facebook

------------------------------------------------------------------------------------------------
Facebook is trying really hard to keep their users away from scammers and phishers. Here is an excerpt from Facebook blog: "At Facebook, we're constantly working on new ways to protect you from scams and help you keep your account and information secure," wrote Lev Popov.

One of the feature is (Login Notifications) which allows user to assign devices from where they use to access and send them notifications incase if their account is accessed from any other device.

Another one is (Blocking Suspicious Logins), if fb found login from other than the devices listed in trusted list, Fb ask additional verification questions for verifying the authenticity of user. One more step towards safe browsing . . .

To enable this, Account Settings->Account Security (YES) .

h@v3 @ n!c3 d@y & $@f3 br0w$!n9 . . .

nj0y !!!

Candid Camera Prank! [HQ] FB VIRUS !!!!!

Today i have encountered with an most amazing application named "Candid Camera Prank! [HQ]" on FB (one of social networking websites). This was starts with a post coming from your friend suggesting you like "this is without doubt the sexiest video ever! :P :P :P". Just Have a look what i got:

I thought of finding the logic behind this. When I clicked on this i landed on an application named "Candid Camera Prank! [HQ]". Once i clicked on this, i got message like thanks for subscribing to watch video click on continue. Once you click continue, it will ask you for some common FB options like:

* Publish on your wall, and

* Access your public data

Generally nobody bother about it and click on "Allow", this is so i did and this was my mistake. It will show you a nice photograph along with a sweet error something like "Your FLV player is not up-to-date and you need to download the latest version". I clicked yes and a good named "VLCSetup.exe" but ugly file downloaded on my desktop.

After doing all this efforts i was not able to see the video, then angrily and tiredly i returned back to my profile and i was shocked. What am i looking on my wall. The very same posting is published on all of my friends wall with my name as a suggestive comment to them.

Please remove the application by following the simple steps.

Goto your "Account"-> "Application Setting", find "WINAMP" in the list and click on 'X' to Remove application from you profile.

But any was this was a king of SPAM of i could say Scripting virus. The file downloaded which we discussed recently was actually a "Adware" but the detection was very poor. You may find the detection here:

https://www.virustotal.com/analisis/0c3a4fe16de867b200e4332
880b8a47ac04df441253105fdfcea422aeaf08430-1273925735

Websense posting about the same
http://securitylabs.websense.com/blogs/securitylabs/archive/2010/05/15/sexiest-video-ever-on-facebook.aspx

This was all the issue of FB applications, how a naive user allows an application to do with their data whatever it wants. I think Web2.0 Awareness is prevention against these kind of attacks. This could happen on any social networking websites.

"h@v3 @ $@f3 br0w$!n9"

nj0y !!!