Monday, August 23, 2010

Abode Patches

Adobe Patches

This month, adobe released patches for lots of severe vulnerabilities in their products. Most of these vulnerable applications are generally used by us. Hence it is requested, to update all adobe products and avoid system compromise & severe problems caused, and if possible use adobe update manager.

Affected Adobe Products

Adobe Flash Player 10.1.53.64 and earlier
Adobe AIR 2.0.2.12610 and earlier
Adobe ColdFusion 9.0.1 and previous versions
Flash Media Server 3.5.3 and earlier versions
Flash Media Server 3.0.5 and earlier versions

Detail are give below:
Adobe

CERT-In

#@V3 $@F3 8R0W$!N9 !!!

nj0y !!!
at No comments:

Wednesday, August 11, 2010

Hello Friends,

Today is Microsoft patch day, Microsoft has released 15 security bulletins which are covering 34 vulnerabilities.
These vulnerabilities are affecting Windows Kernel, Windows Movie Maker, SChannel, Microsoft XML Core Services, Microsoft MPEG Layer-3 Codecs, Cinepak Codec, SMB Server, Internet Explorer, Microsoft Office Word, Microsoft Office Excel, TCP/IP, Microsoft .NET and Silverlight. Install the patches as mentioned in Microsoft Security Bulletin. Most of them are critical and needs to be patched as early as possible.

Critical
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

Critical
Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)

Critical
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

Critical
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)

Critical
Cumulative Security Update for Internet Explorer (2183461)

Critical
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)

Critical
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)

Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)

Critical
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)

Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)

Important
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)

Important
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)

Important
Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

Apply patches of all vulnerabilities applicable for you and nj0y $@f3 8r0w$!n9 . . .

nj0y !!!
at No comments:

Monday, July 19, 2010

Windows Shortcut(.lnk) Vulnerability

A component of Microsoft Windows, Windows shell is vulnerable to remote code execution via a shortcut file. A shortcut is a link to a file or program, represented by an icon. If you double-click a shortcut, the file or program opens. The shortcut is a mechanism often used to keep frequently used files in a single, easily accessed location, such as a folder or the desktop. Shortcuts are implemented as files with the LNK extension. This .lnk exploit will works in Windows XP, Vista and Windows 7.

An attacker could exploit this vulnerability by introducing removable drives or via setting up remote network share for the targeted users. When users opens the removable drive or browse the share, windows shell will attempt to load the icon of the shortcut file and the malicious binary may be invoked.

A remote attacker, who successfully exploit this vulnerability may execute arbitrary code on system with the privileges of currently logged-in user. this could be dangerous if you are running your system with administrative privileges.

Some of the antivirus vendors has pushed the detection of malicious shorkcut links in their products.

It is suggested to perform certain actions to avoid this vulnerability till the time microsoft will come up with a solution. Workarounds are as follows:

To read more, follow:

CERT-In
http://www.cert-in.org.in/vulnerability/civn-2010-169.htm

Microsoft
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Trendmicro
http://blog.trendmicro.com/usb-worm-exploits-windows-shortcut-vulnerability/

ISC
http://isc.incidents.org/diary.html?storyid=9181

nj0y !!!

#@v3 $@f3 br0w$!n9 !!!
at 1 comment:

Friday, July 16, 2010

Fake Spam page: "Ten Things Girls Should Never Say to Guys"

Today, I found another interesting post on my wall, which caught my attention. This is again related to fake and spam pages on Facebook which is posted earlier in my blog past months. This page claims around 313K fans to lure users. This is also doing the same task, automatically posting at your wall and suggesting others as you like this page, which you haven't done, this application page does it for you. Along with all these weird activities, it will serve you with Adwares and Spywares. If you want to know more about it, please scroll down.

Have a look to this page. This is a fake spam page, using the quote "Ten Things Girls Should Never Say to Guys" for enticing naive users to perform certain clicks. This is not much dangerous as compare to earlier ones, which used to install Backdoors and Trojans, but yes, it installs Adware, which could be also a Spyware.

As for my analysis, this time I decided instead of clicking on "Like" button, I'll click somewhere else where they are telling me to click. So i did and landed up to this page:
This page ask me to prove I'm human, not a bot. But actually it doesn't make any sense. I noticed it is random, only one out of two is functioning. If BLUE one is functioning and if u clicked RED first, u'll find, it works. but if RED one is functioning and u clicked BLUE followed by RED, it doesn't make any sense.
In both of the cases, it will take you to another page, which looks like age confirmation page, look like something at your right. Which I believe a fake confirmation. This is used to trick naive users. See the next page and u'll come to know why they are asking you to confirm.

Here comes the real story, this page will tell you to download two sophisticated Adwares which may be spywares named:

"Create a cartoon image of yourself for your Facebook profile"
and
"Get free Smileys for AIM and other IM programs".
If you click on these links, you will land on two different application download pages, which respectively are like this,

These two applications are meant for the special purpose for what they are claiming. Upon clicking, these pages will serve you two different nice applications. I personally suspected , Apart from their usual business, they are doing something unusual. So I decided to upload these binaries to virustotal for verification, and the results were eye opening. These binaries which I recently downloaded are not a plain applications, they are Adwares and possibly Spywares.
Virustotal analysis is shown below:Once these Adware/Spyware installed on your system, this programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited and could also allow remote attacker to access your computer. This all will be done without your consent, because you have already allowed them to run on your system.

Along with these activities, you will find something on your wall, which look like this:
This will be posted on your wall which shows that you like this page and suggesting others to like the same, which is very much weird. and you actually haven't done.

After putting all these efforts, I was not able to know what are those 10 things which girls should never say to boys, isn't it funny.

Here, I suggest you friends there not to like or allowing access to your profile, who are using FB and blindly clicking on the pages to like without thinking what these pages are doing. Whenever you find any pages which tell you to like first then shows you the content, this is enough to sense something fishy is there. So please beware of these pages.

Similar things I posted earlier in my blog, kindly refer to gain more knowledge about these fake pages. Kindly let me know if you observe anything unusual, over internet obviously.

H@v3 $@f3 Br0w$!n9 !!!

nj0y !!!
at No comments:

Thursday, July 8, 2010

Remote Control Facebook

Hey, after few days of busy schedule, i got something interesting and important to share. Earlier also i have experienced these kind of malicious activities over facebook.


Here is one example of same. Initially it lure users by saying "99% of people can’t watch this video for more than 25 seconds".

When you click the link, you will land on another page that offers to show you a video, but before watching the video either you need to copy and paste some code into the browser address bar or to some friends wall or at your status like that, this depends upon the guy who made this malicious page.

In most of the cases people doesn't paste this JavaScript onto their address bar, but if you did, you are taken to a page which automatically tells all your friends that you like the app, and it posts that link to your status. Nearly 600k “friends” that liked it makes it too effective.
A video action captured by AGV Researcher Roger Thompson is posted here:
http://www.youtube.com/watch?v=pFCmN-eSlt0
at No comments:

Thursday, June 24, 2010

Fake POS Devices

Nowadays, hardware have become so cheap that cybercriminals can easily reproduce fake point-of-sale (POS) devices that can be used to skim data from credit and debit cards.

In an underground forum, a certain “Nikkon” has posted a fake POS device with flash memory for sale. The device is notably identical to a normal-looking POS terminal. Once used, however, it prints out a default receipt informing the counterfeiter’s victim that an error has occurred while reading his/her card, thus, the transaction could not be completed. Of course, at the same time that this receipt is being printed, the data held in the magnetic strip—along with the victim’s personal identification number (PIN) code—have already been uploaded and saved to the onboard flash memory.

How would this work in the real world? Imagine you are in a restaurant, shop, or café. You would like to pay using your credit or debit card. You are handed a POS device and asked to swipe your card then to enter your PIN code. Moments later, you see that the card is being rejected. You are handed back a receipt as proof. You might dismiss this as a normal failed transaction. What you do not know is that your credit card information has already been stolen until you get your next billing statement.

The initial price of a fake POS device is set at 1,000 EUR. An additional 200 EUR is charged for its setup and delivery. In addition, 40 percent of the stolen credit/debit card information is taken as usage fee by the seller.

Read more:
http://blog.trendmicro.com/for-sale-fake-pos-devices/

h@v3 $@f3 $h0pp!n9 !!!

nj0y !
at 2 comments:

Tuesday, June 8, 2010

Fake prize call from +92**********


Today early morning (12:07 AM), I got missed call from a number starts from +92. I know about this number very well so didn't picked up.

These calls belongs to a phone scam. +92 starting phone/mobile numbers belongs to Pakistan. These people generally give missed call to any random number (Specially in India) and innocent victim curiously call back on the number to know who has given missed call to them, which is their first biggest mistake. At start of conversation they will pretend like they are speaking from your mobile service provider and inform you like "Our telephone service provider has selected you as a winner of prize Rs.25,00,000." or some other amount. These guyz will never call, they just give missed calls. Generally no one bother about the number, actually this is an ISD number (+92). Generally in postpaid mobile numbers ISD facility is not available by default but in prepaid mobiles, ISD facility is available (depend upon minimum balance criteria).

Strategy: In order to claim this prize, they try to exploit unawareness of public towards mobile phones. They will tell you to follow some steps. I have one example, they will tell you to type *#06# on your phone, a 15-17 digit number will flashed on your mobile screen, which they call a lucky number. This 15-17 digit numbers are nothing but International Mobile Equipment Identity (IMEI) number of your mobile phone. Unfortunately many are not aware of this and easily caught by their tricks. The ones who doesn't know about IMEI numbers, will easily get convinced by their assertive conversation. These guys are very week in english and you could easily recognize them by their voice that they are not calling from your mobile service providers call center.

Subsequently, in second step: they will tell you to announce this on news channel, and for this they will give you a phone number which might be a wrong number or number may not exist. For making announcement they will tell you to buy a huge amount recharge coupons (upto Rs.2000) of any telecommunication service provider, DTH recharge coupons etc. They will assure you to give a call back. Again they will give a missed call and victim phone user, in covetousness of Rs 25,00,000, call them back.
This time strategy: they will ask you the scratch the recharge coupons and read out the registration/recharge number and tell you to destroy the recharge coupon immediately. They will sell this recharge number back in India in profitable price (less than its cost price), so that any shop keeper will easily buy it without asking any question, because he is also in profit. Once the recharge coupon is destroyed, it is very difficult to trace back who is going to use it. Once this is done, these scammers will elope and go out of your reach (anyway they are not sitting in your country or city).

These scammers are very cautious about their numbers, after phishing 1-2 victims, they will destroy their numbers, due to this it will become difficult to trace them. Now if you will call back on this number, their number will be out of reach. If you call to the number given by scamers for prize announcement, you will find either a wrong number or the number doesn't exist.

You have lost:
money cost recharge coupon which you purchased and
ISD call charged which you have made for prize.

If you have lost anything in this kind of scam, go and lodge a complaint in your nearest police station.

Precautions:
Do not pick or call back on the numbers start with +92 until your relatives or known personals are living in that country.
If you ever receive these call, take help from local police to trace them.
Make aware your near and dear ones about this scam.

I am surprised when i got missed call from this number, more than a year ago I came to know about this scam and surprised still these guys are operational. I believe people are more aware about these kind of scams compare to last year.

Beware of "The Ass in the Lion Skin".

To read more, follow:
http://www.consumercomplaints.in/complaints/fake-call-from-pakistan-92-airtel-c355670.html
http://www.consumercomplaints.in/complaints/198827/page/2
http://www.complaintbox.in/missed-call-international-code-92-caliing-my-mobile-regarding-some-prize-money

nj0y !!!

Bhoops
. ‡*Dejavu*‡ .
at 5 comments:
Subscribe to: Posts (Atom)

Reporting Cyber Crime

            Govt. of India took great initiative by facilitating citizens with “National Cyber Crime Reporting Portal”  ( https://cybercrime...

  • Microsoft released workaround for DLL vulnerability
    Microsoft released workaround for DLL vulnerability Microsoft has released an advisory explaining the DLL preloading attacks and provides wo...
  • Fake prize call from +92**********
    Today early morning (12:07 AM), I got missed call from a number starts from +92 . I know about this number very well so didn't picked up...
  • Fake POS Devices
    Nowadays, hardware have become so cheap that cybercriminals can easily reproduce fake point-of-sale (POS) devices that can be used to skim ...