Little info . . .
Tuesday, October 18, 2011
Friday, July 15, 2011
Achievement
Today I have cleared GREM, another milestone in my career after last year's GCIH.
Privileged to be one out of 573 round the globe.
http://www.giac.org/certified-professionals/directory/forensics
You can find my profile here:
GCIH
http://www.giac.org/certified-professional/bhupendra-singh-awasya/123355
nj0y !!!
Privileged to be one out of 573 round the globe.
http://www.giac.org/certified-professionals/directory/forensics
You can find my profile here:
GREM
http://www.giac.org/certified-professional/bhupendra-singh-awasya/123355
nj0y !!!
Tuesday, June 14, 2011
SpyEye V.1.3.4.X
A new crimeware toolkit emerged in underground economy in December 2009 named SpyEye. It took a chunk of Zeus crimeware toolkit space. Now after take down of Zeus and revealing of Zeus code, recently SpyEye guys introduced their new version "SpyEye V.1.3.4.X" incorporating Zeus in it.
To read more, follow:
#@V3 $@F3 BR0W$!n9 !!!
nj0y !!!
Tuesday, May 24, 2011
Google search to find Compromised Google Images
Since few weeks, we heard about google image searches infected by Search Engine Optimization (SEO) poisoning. Many legitimate sites linked to scareware trojans and exploits via Google Image results are discovered every day. Many of these sites would otherwise be considered as safe but they've been compromised by a hack of some sort.
Do not search for inurl:wp-images unless you are using test network or use Google SSL as the poisoned SEO sites will only attack if visited from http://www.google.com.
Read more at f-secure
#@v3 $@f3 br0w$!n9 !!!
nj0y !!!
Tuesday, April 26, 2011
'Stars' Hits Iran
It is in reports that a new computer worm codenamed 'Stars' have been identified as a malicious software and/or part of cyber attacks against Iran.
This could be another/second computer worm to target Iran in the past eight months, after Stuxnet.
Analysts are analysing the peiece of code, no futher details revealed to the rest of the world.
To read more, please follow:
Lets see, walk with present to see the future.
Monday, April 18, 2011
Propagating Malware via legitimate websites
Few years ago, In 2006 and earlier, “No one ever thought of spreading malware via legitimate websites.” Popular Infection Vectors (before 2006) are:
Drive-by-download. Drive-by-download is working covertly, which make it difficult to suspect or detect. Since last 3-4 years, awareness in web administrators and security professionals regarding server side vulnerabilities has increased. Eventually, they are doing their job quite nicely, securing all six OSI layers except the last and most vulnerable layer- "Application layer".
Motive of malware authors:
Details may be find in presentations.
1. WCMP-Web2.0 Attacks.pdf
2. Tweet for DDoS.pdf
To know more, follow:
http://www.cert-in.org.in/s2cMainServlet?pageid=PRSTNVIEW03&reCode=CIWS-2011-1910
http://www.cert-in.org.in/Downloader?pageid=5&type=2&fileName=CIPS-2011-0066.0%20Attacks.pdf
http://www.cert-in.org.in/Downloader?pageid=5&type=2&fileName=CIPS-2011-0067.pdf
#@v3 #@f3 8r0w$!n9 . . .
nj0y !!!
- Go to system and install a malicious piece of code (Rarely heard of it or very few cases),
- Supply malware in USB drives with autorun (pretty common and still effective, spreading malware enormously)
- Distribute malware as an email attachment (pretty common and still effective unfortunately)
- Convincing users to download legitimate looking software but actually MALWARE (providing direct link in email, chat or other mechanism)
Drive-by-download. Drive-by-download is working covertly, which make it difficult to suspect or detect. Since last 3-4 years, awareness in web administrators and security professionals regarding server side vulnerabilities has increased. Eventually, they are doing their job quite nicely, securing all six OSI layers except the last and most vulnerable layer- "Application layer".
Motive of malware authors:
- Access on the infected computer
- Steal user credentials, banking or other passwords
- Use as a launching pad for further attacks
- Install more sophisticated malwares/viruses
- Gain chain of access to corporate networks via VPN etc for which user or user's system is allowed for.
Details may be find in presentations.
1. WCMP-Web2.0 Attacks.pdf
2. Tweet for DDoS.pdf
To know more, follow:
http://www.cert-in.org.in/s2cMainServlet?pageid=PRSTNVIEW03&reCode=CIWS-2011-1910
http://www.cert-in.org.in/Downloader?pageid=5&type=2&fileName=CIPS-2011-0066.0%20Attacks.pdf
http://www.cert-in.org.in/Downloader?pageid=5&type=2&fileName=CIPS-2011-0067.pdf
#@v3 #@f3 8r0w$!n9 . . .
nj0y !!!
Friday, February 4, 2011
Rouge Antivirus AVG-Antivirus-2011
Again, the Rouge Antivirus Vendors are on rise. This is not just happening this year, actually this is noticed during the begining of year. Check my last year's blog posting "Beaware of Security Essentials 2010, A Rouge Anti-Virus" for the similar Rouge antivirus product.
This time they, "Rouge Antivirus Vendors", came up with "AVG -Antivirus 2011", which is obviously fake. Rouge Antivirus Vendors are impersonating the legitimate AVG antivirus product and replicating the GUI and trademark symbols of AVG antivirus.
Just have a look to the Rouge antivirus "AVG -Antivirus 2011" shortcut icon:
Once installed on system, It blocks other programs running on the computer, hijacks web browsers and displays fake security alerts, threats and risk. This kind of fake security warning may be observed.
It also reports false infections found on your computer and ask to purchase a full version to remove them.
This is the warning page displayed by Rouge AVG-Antivirus 2011, which says, this is trial version having limited functionality and in-order to disinfect your system, you need to purchase the full version of Rouge AVG-Antivirus 2011. And they will lead you to the make some financial transactions.
Please do care about this threat, do not panic and pay. For removal please follow the steps mentioned below:
- Disable System Restore Temporarily
- Update the latest virus definitions for your existing Antivirus
- Reboot computer in Safe Mode
- Run a full system scan and clean/delete all infected file(s)
Countermeasures:
- Use caution while clicking on links to Web pages
- Keep up-to-date Antivirus and Antispyware signatures
- Be cautious while opening e-mail attachments
- Keep up-to-date patches and fixes on the operating system and application software
A List of rouge anti-virus /anti-spyware products can be found here.
nj0y !!!
courtesy: SAGI (Researcher)
#@V3 $@F3 8R0W$!n9 . . .
To read more, please follow:
http://bh00ps.blogspot.com/2010/05/beware-of-security-essentials-2010.htmlhttp://en.wikipedia.org/wiki/Rogue_security_software
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0826
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0863
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0860
Monday, January 10, 2011
Zero Day Vulnerabilities in Windows
Apologies, for writing after so long,
What brings me to write in here is, the issues seen early this year, two critical vulnerabilities in Microsoft. Almost all flavours of Microsoft operating systems are affected. And the worry is both issues are Zero day and no patch is available from the vendor, off-course some workarounds are there, follow the references.
First issue discovered is in Windows Graphic Rendering Engine (GRE), Issue is caused due to some stack overflow vulnerability in "CreateSizedDIBSECTION()" function in "shimgvw.dll" module. Attackers could exploit this vulnerability by luring users to view a malicious crafted thumbnail image.
Second issue is in Microsoft Internet Explorer 8 (IE8), almost all different flavours of MS has this latest browser. Issue is caused due to use-after-free error in mshtml.dll when processing circular references between JScript objects and Document Object Model (DOM) objects. Attackers can exploit this vulnerability by luring users to visit a crafted webpage or website.
After exploiting any of these vulnerabilities, attackers can take control of affected systems.
For more info, please follow the following links:
http://www.microsoft.com/technet/security/advisory/2490606.mspxhttp://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FCVE-2010-3970&ThreatID=-2147325626
http://tools.cisco.com/security/center/viewAlert.x?alertId=22180
http://www.vupen.com/english/advisories/2011/0018
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3970
http://community.websense.com/blogs/securitylabs/archive/tags/CVE-2010-3970/default.aspx
http://www.securityfocus.com/bid/45662
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2011-0001
http://www.vupen.com/english/advisories/2011/0026
http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt
http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html
http://isc.sans.edu/diary.html?date=2011-01-05
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2011-0002
http://www.theregister.co.uk/2011/01/03/ie_0day_leaked/
Subscribe to:
Posts (Atom)
-
Microsoft released workaround for DLL vulnerability Microsoft has released an advisory explaining the DLL preloading attacks and provides wo...
-
Today early morning (12:07 AM), I got missed call from a number starts from +92 . I know about this number very well so didn't picked up... -
Nowadays, hardware have become so cheap that cybercriminals can easily reproduce fake point-of-sale (POS) devices that can be used to skim ...