Friday, February 4, 2011

Rouge Antivirus AVG-Antivirus-2011

Again, the Rouge Antivirus Vendors are on rise. This is not just happening this year, actually this is noticed during the begining of year. Check my last year's blog posting "Beaware of Security Essentials 2010, A Rouge Anti-Virus" for the similar Rouge antivirus product.

This time they, "Rouge Antivirus Vendors", came up with "AVG -Antivirus 2011", which is obviously fake. Rouge Antivirus Vendors are impersonating the legitimate AVG antivirus product and replicating the GUI and trademark symbols of AVG antivirus.

Just have a look to the Rouge antivirus "AVG -Antivirus 2011" shortcut icon:

Once installed on system, It blocks other programs running on the computer, hijacks web browsers and displays fake security alerts, threats and risk. This kind of fake security warning may be observed.

It also reports false infections found on your computer and ask to purchase a full version to remove them.

This is the warning page displayed by Rouge AVG-Antivirus 2011, which says, this is trial version having limited functionality and in-order to disinfect your system, you need to purchase the full version of Rouge AVG-Antivirus 2011. And they will lead you to the make some financial transactions.

Please do care about this threat, do not panic and pay. For removal please follow the steps mentioned below:

  • Disable System Restore Temporarily
  • Update the latest virus definitions for your existing Antivirus
  • Reboot computer in Safe Mode
  • Run a full system scan and clean/delete all infected file(s)

Countermeasures:

  • Use caution while clicking on links to Web pages
  • Keep up-to-date Antivirus and Antispyware signatures
  • Be cautious while opening e-mail attachments
  • Keep up-to-date patches and fixes on the operating system and application software

A List of rouge anti-virus /anti-spyware products can be found here.

nj0y !!!

courtesy: SAGI (Researcher)

#@V3 $@F3 8R0W$!n9 . . .

To read more, please follow:

http://bh00ps.blogspot.com/2010/05/beware-of-security-essentials-2010.html
http://en.wikipedia.org/wiki/Rogue_security_software
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0826
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0863
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2010-0860
at 2 comments:
Labels:

Monday, January 10, 2011

Zero Day Vulnerabilities in Windows

Apologies, for writing after so long,

What brings me to write in here is, the issues seen early this year, two critical vulnerabilities in Microsoft. Almost all flavours of Microsoft operating systems are affected. And the worry is both issues are Zero day and no patch is available from the vendor, off-course some workarounds are there, follow the references.

First issue discovered is in Windows Graphic Rendering Engine (GRE), Issue is caused due to some stack overflow vulnerability in "CreateSizedDIBSECTION()" function in "shimgvw.dll" module. Attackers could exploit this vulnerability by luring users to view a malicious crafted thumbnail image.

Second issue is in Microsoft Internet Explorer 8 (IE8), almost all different flavours of MS has this latest browser. Issue is caused due to use-after-free error in mshtml.dll when processing circular references between JScript objects and Document Object Model (DOM) objects. Attackers can exploit this vulnerability by luring users to visit a crafted webpage or website.

After exploiting any of these vulnerabilities, attackers can take control of affected systems.

For more info, please follow the following links:

http://www.microsoft.com/technet/security/advisory/2490606.mspx
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FCVE-2010-3970&ThreatID=-2147325626
http://tools.cisco.com/security/center/viewAlert.x?alertId=22180
http://www.vupen.com/english/advisories/2011/0018
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3970
http://community.websense.com/blogs/securitylabs/archive/tags/CVE-2010-3970/default.aspx
http://www.securityfocus.com/bid/45662
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2011-0001
http://www.vupen.com/english/advisories/2011/0026
http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt
http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html
http://isc.sans.edu/diary.html?date=2011-01-05
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2011-0002
http://www.theregister.co.uk/2011/01/03/ie_0day_leaked/
at No comments:

Wednesday, September 1, 2010

Microsoft released workaround for DLL vulnerability

Microsoft released workaround for DLL vulnerability

Microsoft has released an advisory explaining the DLL preloading attacks and provides workaround that allows customers to disable the loading of libraries from remote network or WebDAV shares. This workaround tool can be configured to disallow insecure loading of per-application or global system basis.

When an application queries or loads a .dll file, but full path name is not hard coded, Windows searches a pre-defined set of directories for it. An attacker/intruder could social engineer a victim into loading a malicious .dll from a USB drive or from a network and execute arbitrary code to exploit this vulnerability.

For testing this vulnerability you can use latest metasploit and any windows applications which searches for .dll, this metasploit server will dynamically generate .dll as requested by compromised system, but before that u need to compromise the system.

Workarounds suggested:

Disable loading of libraries from WebDAV and remote network
Disable the WebClient service.
Block TCP ports 139 and 445 at the firewall.
Microsoft has issued a tool to allow administrators to alter the library loading behavior on a system-wide basis or for specific applications. The tool is available at:
http://support.microsoft.com/kb/2264107
Users can consider the best practices against DLL preloading attacks described here(http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx)

To read more, follow:
http://www.cert-in.org.in/vulnerability/civn-2010-193.htm
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://news.cnet.com/8301-27080_3-20014625-245.html
http://support.microsoft.com/kb/2264107
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
http://isc.sans.edu/diary.html?storyid=9445

$3cur3 y0ur $y$t3m !!!

nj0y !!!
at No comments:

Monday, August 23, 2010

PT with Browser

PT with Browser

yes, penetration testing became so easy nowadays. You don't need heavy, bulky, expensive vulnerability assessment tools. Now you just need now is, a browser (Firefox) and its Add-ons (plug-ins), which are available freely. Here I'm going to tell you something about free Mozilla Add-ons, which can help you to effectively perform vulnerability assessment and penetration testing.

These tools are listed below:
1. SQL Inject Me: SQL Injection vulnerabilities can cause a lot of damage to a web application.
2. HackBar: Simple security audit / Penetration test tool.
3. Backend Software Information: Detect the backend software of the current website (Drupal 5.x, 6.x, Wordpress 2.x, Django, phpBB, MediaWiki, MoinMoin, Joomla, Reddit, ...).
4. Firebug: It integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
5. FxIF: View EXIF data in image properties.
6. Fireforce: Launches brute-force attacks on GET or POST forms.
7. Widerbug: web developing with CSS and JavaScript.
8. Lazarus: Lazarus securely auto-saves all forms as you type.
9. ShowIP: Show the IP address(es) of the current page in the status bar.
10. Multiproxy Switch: This tool lets you switch proxy between multiple configurations, and it's easy to manage, easy to configure.
11. FoxyProxy Standard: FoxyProxy is an advanced proxy management tool that completely replaces Firefox's limited proxying capabilities.
12. PassiveRecon: PassiveRecon provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information.
13. Live HTTP Headers: View HTTP headers of a page and while browsing.
14. Add N Edit Cookies: Cookie Editor that allows you add and edit session and saved cookies.
15. Greasemonkey: Allows you to customize the way a webpage displays using small bits of JavaScript.
16. XSS Me: Cross-Site Scripting (XSS) is a common flaw found in todays web applications.
17. Whiteacid's XSS assistant: Very powerful.
18. SQL Injection: SQL Injection is an Upgrade from the old form free, it is a component to transform checkboxes, radio buttons, select elements to a input text and enable disabled elements from all forms in a page.
It makes easier to test and identify SQL injection vulnerabilities in web pages.
19. FireCAT 1.5 "Plus" Edition: Security databse tools.
20. iMacros for Firefox: Automate Firefox. Record and replay repetitious work. If you love the Firefox web browser, but are tired of repetitive tasks like visiting the same sites every days, filling out forms, and remembering passwords, then iMacros for Firefox is the solution you’ve been dreaming of! ***Whatever you do with Firefox, iMacros can automate it.***
21. Xmarks Sync: Xmarks is the #1 bookmarking add-on. Keep your bookmarks, passwords and open tabs backed up and synchronized across computers and browsers. Search smarter with website ratings and reviews displayed with your search results.
22. Read It Later: Save pages to read later with just one click. When you have time, access your reading list from any computer or phone, even without an internet connection!

To read more, follow:

Have safe browsing, safe hacking and successful penetration testing.

nj0y !!!








at No comments:

Abode Patches

Adobe Patches

This month, adobe released patches for lots of severe vulnerabilities in their products. Most of these vulnerable applications are generally used by us. Hence it is requested, to update all adobe products and avoid system compromise & severe problems caused, and if possible use adobe update manager.

Affected Adobe Products

Adobe Flash Player 10.1.53.64 and earlier
Adobe AIR 2.0.2.12610 and earlier
Adobe ColdFusion 9.0.1 and previous versions
Flash Media Server 3.5.3 and earlier versions
Flash Media Server 3.0.5 and earlier versions

Detail are give below:
Adobe

CERT-In

#@V3 $@F3 8R0W$!N9 !!!

nj0y !!!
at No comments:

Wednesday, August 11, 2010

Hello Friends,

Today is Microsoft patch day, Microsoft has released 15 security bulletins which are covering 34 vulnerabilities.
These vulnerabilities are affecting Windows Kernel, Windows Movie Maker, SChannel, Microsoft XML Core Services, Microsoft MPEG Layer-3 Codecs, Cinepak Codec, SMB Server, Internet Explorer, Microsoft Office Word, Microsoft Office Excel, TCP/IP, Microsoft .NET and Silverlight. Install the patches as mentioned in Microsoft Security Bulletin. Most of them are critical and needs to be patched as early as possible.

Critical
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

Critical
Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)

Critical
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

Critical
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)

Critical
Cumulative Security Update for Internet Explorer (2183461)

Critical
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)

Critical
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)

Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)

Critical
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

Important
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)

Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)

Important
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)

Important
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)

Important
Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

Apply patches of all vulnerabilities applicable for you and nj0y $@f3 8r0w$!n9 . . .

nj0y !!!
at No comments:

Monday, July 19, 2010

Windows Shortcut(.lnk) Vulnerability

A component of Microsoft Windows, Windows shell is vulnerable to remote code execution via a shortcut file. A shortcut is a link to a file or program, represented by an icon. If you double-click a shortcut, the file or program opens. The shortcut is a mechanism often used to keep frequently used files in a single, easily accessed location, such as a folder or the desktop. Shortcuts are implemented as files with the LNK extension. This .lnk exploit will works in Windows XP, Vista and Windows 7.

An attacker could exploit this vulnerability by introducing removable drives or via setting up remote network share for the targeted users. When users opens the removable drive or browse the share, windows shell will attempt to load the icon of the shortcut file and the malicious binary may be invoked.

A remote attacker, who successfully exploit this vulnerability may execute arbitrary code on system with the privileges of currently logged-in user. this could be dangerous if you are running your system with administrative privileges.

Some of the antivirus vendors has pushed the detection of malicious shorkcut links in their products.

It is suggested to perform certain actions to avoid this vulnerability till the time microsoft will come up with a solution. Workarounds are as follows:

To read more, follow:

CERT-In
http://www.cert-in.org.in/vulnerability/civn-2010-169.htm

Microsoft
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Trendmicro
http://blog.trendmicro.com/usb-worm-exploits-windows-shortcut-vulnerability/

ISC
http://isc.incidents.org/diary.html?storyid=9181

nj0y !!!

#@v3 $@f3 br0w$!n9 !!!
at 1 comment:
Subscribe to: Posts (Atom)

Reporting Cyber Crime

            Govt. of India took great initiative by facilitating citizens with “National Cyber Crime Reporting Portal”  ( https://cybercrime...

  • Microsoft released workaround for DLL vulnerability
    Microsoft released workaround for DLL vulnerability Microsoft has released an advisory explaining the DLL preloading attacks and provides wo...
  • Fake prize call from +92**********
    Today early morning (12:07 AM), I got missed call from a number starts from +92 . I know about this number very well so didn't picked up...
  • Fake POS Devices
    Nowadays, hardware have become so cheap that cybercriminals can easily reproduce fake point-of-sale (POS) devices that can be used to skim ...