Windows Shortcut(.lnk) Vulnerability

A component of Microsoft Windows, Windows shell is vulnerable to remote code execution via a shortcut file. A shortcut is a link to a file or program, represented by an icon. If you double-click a shortcut, the file or program opens. The shortcut is a mechanism often used to keep frequently used files in a single, easily accessed location, such as a folder or the desktop. Shortcuts are implemented as files with the LNK extension. This .lnk exploit will works in Windows XP, Vista and Windows 7.

An attacker could exploit this vulnerability by introducing removable drives or via setting up remote network share for the targeted users. When users opens the removable drive or browse the share, windows shell will attempt to load the icon of the shortcut file and the malicious binary may be invoked.

A remote attacker, who successfully exploit this vulnerability may execute arbitrary code on system with the privileges of currently logged-in user. this could be dangerous if you are running your system with administrative privileges.

Some of the antivirus vendors has pushed the detection of malicious shorkcut links in their products.

It is suggested to perform certain actions to avoid this vulnerability till the time microsoft will come up with a solution. Workarounds are as follows:

• Disable AutoRun functionality for all drives
  Microsoft
  http://support.microsoft.com/kb/967715
• Disable the displaying of icons for shortcuts
• Disable the WebClient service
• Microsoft
  http://www.microsoft.com/technet/security/advisory/2286198.mspx

To read more, follow:

CERT-In
http://www.cert-in.org.in/vulnerability/civn-2010-169.htm

Microsoft
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Trendmicro
http://blog.trendmicro.com/usb-worm-exploits-windows-shortcut-vulnerability/

ISC
http://isc.incidents.org/diary.html?storyid=9181

nj0y !!!

#@v3 $@f3 br0w$!n9 !!!

Fake Spam page: "Ten Things Girls Should Never Say to Guys"

Today, I found another interesting post on my wall, which caught my attention. This is again related to fake and spam pages on Facebook which is posted earlier in my blog past months. This page claims around 313K fans to lure users. This is also doing the same task, automatically posting at your wall and suggesting others as you like this page, which you haven't done, this application page does it for you. Along with all these weird activities, it will serve you with Adwares and Spywares. If you want to know more about it, please scroll down.

Have a look to this page. This is a fake spam page, using the quote "Ten Things Girls Should Never Say to Guys" for enticing naive users to perform certain clicks. This is not much dangerous as compare to earlier ones, which used to install Backdoors and Trojans, but yes, it installs Adware, which could be also a Spyware.

As for my analysis, this time I decided instead of clicking on "Like" button, I'll click somewhere else where they are telling me to click. So i did and landed up to this page:
This page ask me to prove I'm human, not a bot. But actually it doesn't make any sense. I noticed it is random, only one out of two is functioning. If BLUE one is functioning and if u clicked RED first, u'll find, it works. but if RED one is functioning and u clicked BLUE followed by RED, it doesn't make any sense.
In both of the cases, it will take you to another page, which looks like age confirmation page, look like something at your right. Which I believe a fake confirmation. This is used to trick naive users. See the next page and u'll come to know why they are asking you to confirm.

Here comes the real story, this page will tell you to download two sophisticated Adwares which may be spywares named:

"Create a cartoon image of yourself for your Facebook profile"
and
"Get free Smileys for AIM and other IM programs".
If you click on these links, you will land on two different application download pages, which respectively are like this,

These two applications are meant for the special purpose for what they are claiming. Upon clicking, these pages will serve you two different nice applications. I personally suspected , Apart from their usual business, they are doing something unusual. So I decided to upload these binaries to virustotal for verification, and the results were eye opening. These binaries which I recently downloaded are not a plain applications, they are Adwares and possibly Spywares.
Virustotal analysis is shown below:

• http://www.virustotal.com/analisis/9d265d2d4c6aba901627d82
  a9e355076d9f7b512d0d9da81f016b2c54c81a440-1279272598
  
  
• http://www.virustotal.com/analisis/b48522cc6679d127a75281
  4c62f779e90cf4bcac19c32dbd881a20b3fc17747b-1279273569
  

Once these Adware/Spyware installed on your system, this programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited and could also allow remote attacker to access your computer. This all will be done without your consent, because you have already allowed them to run on your system.

Along with these activities, you will find something on your wall, which look like this:
This will be posted on your wall which shows that you like this page and suggesting others to like the same, which is very much weird. and you actually haven't done.

After putting all these efforts, I was not able to know what are those 10 things which girls should never say to boys, isn't it funny.

Here, I suggest you friends there not to like or allowing access to your profile, who are using FB and blindly clicking on the pages to like without thinking what these pages are doing. Whenever you find any pages which tell you to like first then shows you the content, this is enough to sense something fishy is there. So please beware of these pages.

Similar things I posted earlier in my blog, kindly refer to gain more knowledge about these fake pages. Kindly let me know if you observe anything unusual, over internet obviously.

H@v3 $@f3 Br0w$!n9 !!!

nj0y !!!

Remote Control Facebook

Hey, after few days of busy schedule, i got something interesting and important to share. Earlier also i have experienced these kind of malicious activities over facebook.


Here is one example of same. Initially it lure users by saying "99% of people can’t watch this video for more than 25 seconds".

When you click the link, you will land on another page that offers to show you a video, but before watching the video either you need to copy and paste some code into the browser address bar or to some friends wall or at your status like that, this depends upon the guy who made this malicious page.

In most of the cases people doesn't paste this JavaScript onto their address bar, but if you did, you are taken to a page which automatically tells all your friends that you like the app, and it posts that link to your status. Nearly 600k “friends” that liked it makes it too effective.
A video action captured by AGV Researcher Roger Thompson is posted here:
http://www.youtube.com/watch?v=pFCmN-eSlt0

Payload was not cleared to him when he carried analysis, and this page/application has been deactivated/deleted by Facebook.

To read more, follow:
http://thompson.blog.avg.com/2010/07/remote-control-facebook.html
http://www.f-secure.com/weblog/archives/00001982.html
http://www.allfacebook.com/2010/05/facebook-appears-back-down-on-landing-tab-limitations/
http://www.allfacebook.com/2010/05/facebook-limits-landing-tabs-to-authenticated-pages/

H@v3 $@f3 Br0w$!n9 !!!

nj0y !!!

Fake POS Devices

Nowadays, hardware have become so cheap that cybercriminals can easily reproduce fake point-of-sale (POS) devices that can be used to skim data from credit and debit cards.

In an underground forum, a certain “Nikkon” has posted a fake POS device with flash memory for sale. The device is notably identical to a normal-looking POS terminal. Once used, however, it prints out a default receipt informing the counterfeiter’s victim that an error has occurred while reading his/her card, thus, the transaction could not be completed. Of course, at the same time that this receipt is being printed, the data held in the magnetic strip—along with the victim’s personal identification number (PIN) code—have already been uploaded and saved to the onboard flash memory.

How would this work in the real world? Imagine you are in a restaurant, shop, or café. You would like to pay using your credit or debit card. You are handed a POS device and asked to swipe your card then to enter your PIN code. Moments later, you see that the card is being rejected. You are handed back a receipt as proof. You might dismiss this as a normal failed transaction. What you do not know is that your credit card information has already been stolen until you get your next billing statement.

The initial price of a fake POS device is set at 1,000 EUR. An additional 200 EUR is charged for its setup and delivery. In addition, 40 percent of the stolen credit/debit card information is taken as usage fee by the seller.

Read more:
http://blog.trendmicro.com/for-sale-fake-pos-devices/

h@v3 $@f3 $h0pp!n9 !!!

nj0y !

Fake prize call from +92**********

Today early morning (12:07 AM), I got missed call from a number starts from +92. I know about this number very well so didn't picked up.

These calls belongs to a phone scam. +92 starting phone/mobile numbers belongs to Pakistan. These people generally give missed call to any random number (Specially in India) and innocent victim curiously call back on the number to know who has given missed call to them, which is their first biggest mistake. At start of conversation they will pretend like they are speaking from your mobile service provider and inform you like "Our telephone service provider has selected you as a winner of prize Rs.25,00,000." or some other amount. These guyz will never call, they just give missed calls. Generally no one bother about the number, actually this is an ISD number (+92). Generally in postpaid mobile numbers ISD facility is not available by default but in prepaid mobiles, ISD facility is available (depend upon minimum balance criteria).

Strategy: In order to claim this prize, they try to exploit unawareness of public towards mobile phones. They will tell you to follow some steps. I have one example, they will tell you to type *#06# on your phone, a 15-17 digit number will flashed on your mobile screen, which they call a lucky number. This 15-17 digit numbers are nothing but International Mobile Equipment Identity (IMEI) number of your mobile phone. Unfortunately many are not aware of this and easily caught by their tricks. The ones who doesn't know about IMEI numbers, will easily get convinced by their assertive conversation. These guys are very week in english and you could easily recognize them by their voice that they are not calling from your mobile service providers call center.

Subsequently, in second step: they will tell you to announce this on news channel, and for this they will give you a phone number which might be a wrong number or number may not exist. For making announcement they will tell you to buy a huge amount recharge coupons (upto Rs.2000) of any telecommunication service provider, DTH recharge coupons etc. They will assure you to give a call back. Again they will give a missed call and victim phone user, in covetousness of Rs 25,00,000, call them back.
This time strategy: they will ask you the scratch the recharge coupons and read out the registration/recharge number and tell you to destroy the recharge coupon immediately. They will sell this recharge number back in India in profitable price (less than its cost price), so that any shop keeper will easily buy it without asking any question, because he is also in profit. Once the recharge coupon is destroyed, it is very difficult to trace back who is going to use it. Once this is done, these scammers will elope and go out of your reach (anyway they are not sitting in your country or city).

These scammers are very cautious about their numbers, after phishing 1-2 victims, they will destroy their numbers, due to this it will become difficult to trace them. Now if you will call back on this number, their number will be out of reach. If you call to the number given by scamers for prize announcement, you will find either a wrong number or the number doesn't exist.

You have lost:
money cost recharge coupon which you purchased and
ISD call charged which you have made for prize.

If you have lost anything in this kind of scam, go and lodge a complaint in your nearest police station.

Precautions:
Do not pick or call back on the numbers start with +92 until your relatives or known personals are living in that country.
If you ever receive these call, take help from local police to trace them.
Make aware your near and dear ones about this scam.

I am surprised when i got missed call from this number, more than a year ago I came to know about this scam and surprised still these guys are operational. I believe people are more aware about these kind of scams compare to last year.

Beware of "The Ass in the Lion Skin".

To read more, follow:
http://www.consumercomplaints.in/complaints/fake-call-from-pakistan-92-airtel-c355670.html
http://www.consumercomplaints.in/complaints/198827/page/2
http://www.complaintbox.in/missed-call-international-code-92-caliing-my-mobile-regarding-some-prize-money

nj0y !!!

Bhoops
. ‡*Dejavu*‡ .

Botnet (for hire )at just $8.94/hour*

Recently it has been disclosed by VeriSign cyber security intelligence arm that botnet services are available at very cheap rate $8.94 per hour*. This online investigation is carried out on 25 botnet operators. it has been founs that the botnet operators has advertised for renting their services on three different forums. * Terms and conditions applied.

In the reported advertisement, botnet assured number of illegal services or say attack vectors like ICMP, SYN, UDP, HTTP, HTTPS and Data.

While those masterminding criminal operations involving botnets have in the past often been technical experts, the trend is towards the hiring of botnet services by less-skilled individuals, according to VeriSign. This was disclosed when these was arrest of three men operating Mariposa botnet.

The Mariposa botnet, believed to have been composed of 12.7 million PCs that stole credit card and bank log-in data and infected computers in half of the Fortune 1000 companies and more than 40 banks. According to ZDNet.

The world's largest botnet, Zeus botnet, had its traffic disrupted by repeated disconnections of a Kazakhstani ISP in March, but a series of reconnections revived its activity, security researchers have said. The botnet mainly pushes out the Zeus banking Trojan, an information-stealing keylogger that relays sensitive data back to its controllers.

To read more, follow:
http://news.cnet.com/8301-1009_3-20005844-83.html?tag=mncol;title
http://www.zdnet.co.uk/news/security-threats/2010/05/25/botnet-price-for-hourly-hire-on-par-with-cost-of-two-pints-40089028/
http://www.zdnet.co.uk/news/security-threats/2010/03/12/zeus-botnet-shaken-by-isp-cutoffs-40088290/
http://pandalabs.pandasecurity.com/mariposa-botnet/

H@v3 @ $@f3 br0ws!n9 !!!

nj0y !!!

"Distracting Beach Babes" yet another FB Worm

Hey you guys . . . beware of the Facebook spam or say Facebook worm spreading in a wild. This is kind of same FB spam worm about which I posted early this month name "Candid Camera Prank! [HQ]".

This time the worm posting message like "Distracting Beach Babes" onto your wall. And if you caught by this trick, this will also do the same like its previous version, it will post the same link onto the walls of all of your friends.

Like its previous version, if it lures you to click and if you clicked, you will land on its application page where it will ask you accept for the following:

• Access my public data
• Post on my wall
• Access my data any time

If you accept, that means you have allow this application, to do whatever it wants to do with your profile and your data. It will take you to a luring page which looks like this. Along with this it will give you a fake warning message that your FLV player is out of date, download update for it. This time i didn't wasted my time on downloading this malware because this may be the same kind of adware or may be different malware.

And the last lets see how this application home page looks like. This time there is a profile of an administrator of this application. I am not aware whether it is a real profile or fake. Generally these kind of profile are fake and used for luring users.

Follow the instructions to remove this application from your profile if you already caught before that it will do something more dangerous with your profile and profile data.
The Instructions are:
Goto your "Account"-> "Application Setting", find "Video Wave" in the list and click on 'X' to Remove application from you profile.

To read more about all this and previous please follow:
http://bh00ps.blogspot.com/2010/05/candid-camera-prank-hq-fb-virus.html
http://community.websense.com/blogs/securitylabs/archive/2010/05/22/warning-for-quot-distracting-beach-babes-quot-on-facebook.aspx
http://community.websense.com/blogs/securitylabs/archive/2010/05/15/sexiest-video-ever-on-facebook.aspx

H@v3 @ $@f3 br0w$!n9 !!!

nj0y !!!