._/:: 8#00p$ ::\

Monday, April 18, 2011

Propagating Malware via legitimate websites

Few years ago, In 2006 and earlier, “No one ever thought of spreading malware via legitimate websites.” Popular Infection Vectors (before 2006) are:

Go to system and install a malicious piece of code (Rarely heard of it or very few cases),

Supply malware in USB drives with autorun (pretty common and still effective, spreading malware enormously)

Distribute malware as an email attachment (pretty common and still effective unfortunately)

Convincing users to download legitimate looking software but actually MALWARE (providing direct link in email, chat or other mechanism)

Malware authors are shifting their focus from traditional desktop bases attack methodology to the new emerging dynamic and user interactive web applications for spreading malware.

Drive-by-download. Drive-by-download is working covertly, which make it difficult to suspect or detect. Since last 3-4 years, awareness in web administrators and security professionals regarding server side vulnerabilities has increased. Eventually, they are doing their job quite nicely, securing all six OSI layers except the last and most vulnerable layer- "Application layer".

Motive of malware authors:

Access on the infected computer

Steal user credentials, banking or other passwords

Use as a launching pad for further attacks

Install more sophisticated malwares/viruses

Gain chain of access to corporate networks via VPN etc for which user or user's system is allowed for.

Web 2.0 functionalities are also being effectively used for controlling botnet.

Details may be find in presentations.
1. WCMP-Web2.0 Attacks.pdf
2. Tweet for DDoS.pdf

To know more, follow:
http://www.cert-in.org.in/s2cMainServlet?pageid=PRSTNVIEW03&reCode=CIWS-2011-1910

http://www.cert-in.org.in/Downloader?pageid=5&type=2&fileName=CIPS-2011-0066.0%20Attacks.pdf

http://www.cert-in.org.in/Downloader?pageid=5&type=2&fileName=CIPS-2011-0067.pdf

#@v3 #@f3 8r0w$!n9 . . .

nj0y !!!

Friday, February 4, 2011

Rouge Antivirus AVG-Antivirus-2011

Again, the Rouge Antivirus Vendors are on rise. This is not just happening this year, actually this is noticed during the begining of year. Check my last year's blog posting "Beaware of Security Essentials 2010, A Rouge Anti-Virus" for the similar Rouge antivirus product.

This time they, "Rouge Antivirus Vendors", came up with "AVG -Antivirus 2011", which is obviously fake. Rouge Antivirus Vendors are impersonating the legitimate AVG antivirus product and replicating the GUI and trademark symbols of AVG antivirus.

Just have a look to the Rouge antivirus "AVG -Antivirus 2011" shortcut icon:

Once installed on system, It blocks other programs running on the computer, hijacks web browsers and displays fake security alerts, threats and risk. This kind of fake security warning may be observed.

It also reports false infections found on your computer and ask to purchase a full version to remove them.

This is the warning page displayed by Rouge AVG-Antivirus 2011, which says, this is trial version having limited functionality and in-order to disinfect your system, you need to purchase the full version of Rouge AVG-Antivirus 2011. And they will lead you to the make some financial transactions.

Please do care about this threat, do not panic and pay. For removal please follow the steps mentioned below:

Disable System Restore Temporarily
Update the latest virus definitions for your existing Antivirus
Reboot computer in Safe Mode
Run a full system scan and clean/delete all infected file(s)

Countermeasures:

Use caution while clicking on links to Web pages
Keep up-to-date Antivirus and Antispyware signatures
Be cautious while opening e-mail attachments
Keep up-to-date patches and fixes on the operating system and application software

A List of rouge anti-virus /anti-spyware products can be found here.

nj0y !!!

courtesy: SAGI (Researcher)

#@V3 $@F3 8R0W$!n9 . . .

To read more, please follow:

http://bh00ps.blogspot.com/2010/05/beware-of-security-essentials-2010.html
http://en.wikipedia.org/wiki/Rogue_security_software
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0826
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0863
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0860

Monday, January 10, 2011

Zero Day Vulnerabilities in Windows

Apologies, for writing after so long,

What brings me to write in here is, the issues seen early this year, two critical vulnerabilities in Microsoft. Almost all flavours of Microsoft operating systems are affected. And the worry is both issues are Zero day and no patch is available from the vendor, off-course some workarounds are there, follow the references.

First issue discovered is in Windows Graphic Rendering Engine (GRE), Issue is caused due to some stack overflow vulnerability in "CreateSizedDIBSECTION()" function in "shimgvw.dll" module. Attackers could exploit this vulnerability by luring users to view a malicious crafted thumbnail image.

Second issue is in Microsoft Internet Explorer 8 (IE8), almost all different flavours of MS has this latest browser. Issue is caused due to use-after-free error in mshtml.dll when processing circular references between JScript objects and Document Object Model (DOM) objects. Attackers can exploit this vulnerability by luring users to visit a crafted webpage or website.

After exploiting any of these vulnerabilities, attackers can take control of affected systems.

For more info, please follow the following links:

http://www.microsoft.com/technet/security/advisory/2490606.mspx
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FCVE-2010-3970&ThreatID=-2147325626
http://tools.cisco.com/security/center/viewAlert.x?alertId=22180
http://www.vupen.com/english/advisories/2011/0018
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3970
http://community.websense.com/blogs/securitylabs/archive/tags/CVE-2010-3970/default.aspx
http://www.securityfocus.com/bid/45662
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2011-0001
http://www.vupen.com/english/advisories/2011/0026
http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt
http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html
http://isc.sans.edu/diary.html?date=2011-01-05
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2011-0002
http://www.theregister.co.uk/2011/01/03/ie_0day_leaked/

Wednesday, September 1, 2010

Microsoft released workaround for DLL vulnerability

Microsoft has released an advisory explaining the DLL preloading attacks and provides workaround that allows customers to disable the loading of libraries from remote network or WebDAV shares. This workaround tool can be configured to disallow insecure loading of per-application or global system basis.

When an application queries or loads a .dll file, but full path name is not hard coded, Windows searches a pre-defined set of directories for it. An attacker/intruder could social engineer a victim into loading a malicious .dll from a USB drive or from a network and execute arbitrary code to exploit this vulnerability.

For testing this vulnerability you can use latest metasploit and any windows applications which searches for .dll, this metasploit server will dynamically generate .dll as requested by compromised system, but before that u need to compromise the system.

Workarounds suggested:

Disable loading of libraries from WebDAV and remote network

Disable the WebClient service.

Block TCP ports 139 and 445 at the firewall.

Microsoft has issued a tool to allow administrators to alter the library loading behavior on a system-wide basis or for specific applications. The tool is available at:

http://support.microsoft.com/kb/2264107

Users can consider the best practices against DLL preloading attacks described here(http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx)

To read more, follow:

http://www.cert-in.org.in/vulnerability/civn-2010-193.htm

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

http://blog.metasploit.com/2010/08/better-faster-stronger.html

http://news.cnet.com/8301-27080_3-20014625-245.html

http://support.microsoft.com/kb/2264107

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx

http://isc.sans.edu/diary.html?storyid=9445

http://www.offensive-security.com/offsec/microsoft-dll-hijacking-exploit-in-action/

$3cur3 y0ur $y$t3m !!!

nj0y !!!

Monday, August 23, 2010

PT with Browser

PT with Browser

yes, penetration testing became so easy nowadays. You don't need heavy, bulky, expensive vulnerability assessment tools. Now you just need now is, a browser (Firefox) and its Add-ons (plug-ins), which are available freely. Here I'm going to tell you something about free Mozilla Add-ons, which can help you to effectively perform vulnerability assessment and penetration testing.

These tools are listed below:

1. SQL Inject Me: SQL Injection vulnerabilities can cause a lot of damage to a web application.

2. HackBar: Simple security audit / Penetration test tool.

3. Backend Software Information: Detect the backend software of the current website (Drupal 5.x, 6.x, Wordpress 2.x, Django, phpBB, MediaWiki, MoinMoin, Joomla, Reddit, ...).

4. Firebug: It integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

5. FxIF: View EXIF data in image properties.

6. Fireforce: Launches brute-force attacks on GET or POST forms.

7. Widerbug: web developing with CSS and JavaScript.

8. Lazarus: Lazarus securely auto-saves all forms as you type.

9. ShowIP: Show the IP address(es) of the current page in the status bar.

10. Multiproxy Switch: This tool lets you switch proxy between multiple configurations, and it's easy to manage, easy to configure.

11. FoxyProxy Standard: FoxyProxy is an advanced proxy management tool that completely replaces Firefox's limited proxying capabilities.

12. PassiveRecon: PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information.

13. Live HTTP Headers: View HTTP headers of a page and while browsing.

14. Add N Edit Cookies: Cookie Editor that allows you add and edit session and saved cookies.

15. Greasemonkey: Allows you to customize the way a webpage displays using small bits of JavaScript.

16. XSS Me: Cross-Site Scripting (XSS) is a common flaw found in todays web applications.

17. Whiteacid's XSS assistant: Very powerful.

18. SQL Injection: SQL Injection is an Upgrade from the old form free, it is a component to transform checkboxes, radio buttons, select elements to a input text and enable disabled elements from all forms in a page.

It makes easier to test and identify SQL injection vulnerabilities in web pages.

19. FireCAT 1.5 "Plus" Edition: Security databse tools.

20. iMacros for Firefox: Automate Firefox. Record and replay repetitious work. If you love the Firefox web browser, but are tired of repetitive tasks like visiting the same sites every days, filling out forms, and remembering passwords, then iMacros for Firefox is the solution you’ve been dreaming of! ***Whatever you do with Firefox, iMacros can automate it.***

21. Xmarks Sync: Xmarks is the #1 bookmarking add-on. Keep your bookmarks, passwords and open tabs backed up and synchronized across computers and browsers. Search smarter with website ratings and reviews displayed with your search results.

22. Read It Later: Save pages to read later with just one click. When you have time, access your reading list from any computer or phone, even without an internet connection!

To read more, follow:

http://www.securityaegis.com/hacking-with-your-browser/

Have safe browsing, safe hacking and successful penetration testing.

nj0y !!!

Abode Patches

Adobe Patches

This month, adobe released patches for lots of severe vulnerabilities in their products. Most of these vulnerable applications are generally used by us. Hence it is requested, to update all adobe products and avoid system compromise & severe problems caused, and if possible use adobe update manager.

Affected Adobe Products

Adobe Flash Player 10.1.53.64 and earlier

Adobe AIR 2.0.2.12610 and earlier

Adobe ColdFusion 9.0.1 and previous versions

Flash Media Server 3.5.3 and earlier versions

Flash Media Server 3.0.5 and earlier versions

Detail are give below:

Adobe

http://www.adobe.com/support/security/bulletins/apsb10-19.html

http://www.adobe.com/support/security/bulletins/apsb10-16.html

http://www.adobe.com/support/security/bulletins/apsb10-18.html

CERT-In

http://www.cert-in.org.in/advisory/ciad-2010-58.htm

http://www.cert-in.org.in/vulnerability/civn-2010-188.htm

http://www.cert-in.org.in/vulnerability/civn-2010-189.htm

#@V3 $@F3 8R0W$!N9 !!!

nj0y !!!

Wednesday, August 11, 2010

Hello Friends,

Today is Microsoft patch day, Microsoft has released 15 security bulletins which are covering 34 vulnerabilities.

These vulnerabilities are affecting Windows Kernel, Windows Movie Maker, SChannel, Microsoft XML Core Services, Microsoft MPEG Layer-3 Codecs, Cinepak Codec, SMB Server, Internet Explorer, Microsoft Office Word, Microsoft Office Excel, TCP/IP, Microsoft .NET and Silverlight. Install the patches as mentioned in Microsoft Security Bulletin. Most of them are critical and needs to be patched as early as possible.

MS10-046

Critical

Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

MS10-049

Critical

Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)

MS10-051

Critical

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

MS10-052

Critical

Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)