Wednesday, December 31, 2008

Your Friendster account used to propagate malicious messages!

Hi dude, have you received an email from a friend complaining that you sent him a message asking him to view your pictures or videos (a message you never sent)? If yes, then your account has been stolen and abused.

For months now, many social networking phishing websites have existed that are used to steal your accounts. The social networks targeted include Friendster, Facebook, Bebo, Hi5 and others.

If your case looks like the one described in the F-Secure Weblog, bingo! You are one of the victims of this attack trend.

Secure your systems! Don't let your account be abused.

Monday, December 29, 2008

Deobfuscating the JavaScript eval() function in ix7.htm

I need to update the details of how to deobfuscate the code inside ix7.htm; this was requested by a friend who viewed my blog post "http://www.web2secure.com/2008/12/exploit-ie0day-ms08-078-to-dumeteexe.html".

Tool:
1. Malzilla

Steps:
1. Find and Replace "a1" with "cuteqqcn"

2. Search for "cuteqqcn" and replace it with the unicode prefix "%u". This is because the script defines the variable var infect=unescape(sc.replace(/cuteqqcn/g,"\x25\x75")); and "\x25\x75" is just "%u" written as hex escapes.



3. You may get output like this.



4. Press "Decode UCS2 (%u)" to decode the unicode and you may get a result like this.



5. To analyse the code inside the eval() function, we change eval() to document.write(). This is because we don't want to execute the malicious code on our own systems; we only want to see the decoded stage.

6. Press "Run script" to execute the code and you may see the result.
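As an added example (my own code, not part of the original post and not Malzilla's), here are steps 2 through 5 above reproduced in Python, so an analyst can get at the decoded bytes of the %u-encoded stage without ever loading it in a browser. The token name cuteqqcn comes from the script quoted above; the sample input is constructed for this example (it simply spells "Hello, world"), and the helper names are my own.

```python
import re
import struct

TOKEN = "cuteqqcn"  # the stand-in the script used instead of the "%u" prefix

# Constructed sample input (not from the malicious page): the ASCII text
# "Hello, world" written as %uXXXX UTF-16 code units, with "%u" swapped for
# the token, which is exactly the shape of the obfuscated sc variable.
SAMPLE_SC = ("cuteqqcn6548cuteqqcn6c6ccuteqqcn2c6f"
             "cuteqqcn7720cuteqqcn726fcuteqqcn646c")

# One %uXXXX (16-bit) or %XX (8-bit) escape, as JavaScript unescape() accepts.
ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def restore_unicode_escapes(sc: str, token: str = TOKEN) -> str:
    # Step 2: mirror sc.replace(/cuteqqcn/g, "\x25\x75"); \x25\x75 is "%u".
    return sc.replace(token, "%u")


def decode_ucs2(escaped: str) -> bytes:
    """Step 4: decode the escapes the way unescape() does, then emit the
    resulting UTF-16 code units little-endian, which is the byte order the
    stage would have in process memory (and the order to disassemble)."""
    units = []
    i = 0
    while i < len(escaped):
        if escaped[i] != "%":
            # Literal character: take its UTF-16LE code unit(s).
            enc = escaped[i].encode("utf-16-le")
            units.extend(struct.unpack("<%dH" % (len(enc) // 2), enc))
            i += 1
            continue
        m = ESCAPE.match(escaped, i)
        if m is None:
            raise ValueError(f"malformed escape at offset {i}: {escaped[i:i + 6]!r}")
        units.append(int(m.group(1) or m.group(2), 16))
        i = m.end()
    return struct.pack("<%dH" % len(units), *units)


def hexdump(data: bytes, width: int = 16) -> str:
    """Render the decoded stage for inspection instead of executing it."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def neutralize_eval(script: str) -> str:
    """Step 5: swap eval( for document.write( so the next stage is displayed
    rather than run when the script is replayed in a sandboxed engine."""
    return re.sub(r"\beval\s*\(", "document.write(", script)


def deobfuscate(sc: str, token: str = TOKEN) -> bytes:
    """Steps 2 and 4 chained: obfuscated string in, raw stage bytes out."""
    return decode_ucs2(restore_unicode_escapes(sc, token))


if __name__ == "__main__":
    print(hexdump(deobfuscate(SAMPLE_SC)))
    print(neutralize_eval('eval(unescape(sc.replace(/cuteqqcn/g,"\\x25\\x75")));'))
```

On a real sample the hexdump is where the analysis continues: the decoded bytes go to a disassembler or a shellcode emulator, never to a browser. Note that the %u form packs two bytes per escape in little-endian order, which is why %u6548 above comes out as the characters "He" and not "eH".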

Wednesday, December 24, 2008

Exploit IE 0Day MS08-078 to DUMete.exe

When Microsoft announced that their famous browser IE had a 0Day vulnerability being exploited in the wild, lots of hosted web servers, especially in China, were compromised to host the MS08-078 exploit.
One of the servers, http:// fvgit.cn/01/index.htm, hosts the malicious code.

http:// fvgit.cn/01/index.htm
http:// fvgit.cn/01/real10.htm
http:// fvgit.cn/01/real11.htm
http:// fvgit.cn/01/fl.htm
http:// fvgit.cn/01/cx.htm
http:// fvgit.cn/01/06014.htm
-http://www. iegif.com/01/DUMete.exe
http:// fvgit.cn/01/I7.htm
http:// fvgit.cn/01/Ix7.htm (IE 7 0Day)
http:// fvgit.cn/01/ff.htm
-http://www. iegif.com/01/DUMete.exe
http:// fvgit.cn/01/xl.htm

However, the website is no longer alive as I write this article. The website consists of several web pages, linked as shown above. Here I would like to focus on MS08-078.

The exploit injects malicious code into memory and initiates the download of a trojan file to the machine.



To decode the unicode, you may use the FreShow or Malzilla tools.

The VirusTotal result for DUMete.exe can be viewed at http://www.virustotal.com/analisis/399358e5ba2ff6973bc3a23e7eca8469




Further analysis of this link through its IP address shows similar websites hosted at the same IP address and offering the same exploit.

http:// bfemf.cn/39/index.htm
http:// bfemf.cn/39/real10.htm
http:// bfemf.cn/39/real11.htm
http:// bfemf.cn/39/fl.htm
http:// bfemf.cn/39/cx.htm
http:// bfemf.cn/39/06014.htm
http:// bfemf.cn/39/I7.htm
http:// bfemf.cn/39/ff.htm
http:// bfemf.cn/39/xl.htm

Anyway, to prevent this, antivirus companies and browser vendors have already marked these websites as malicious sites. :D

Merry Christmas !!

Thursday, December 18, 2008

Microsoft Security Bulletin MS08-078 patch released

Microsoft has announced an out-of-cycle release of the patch for the IE 0Day vulnerability on Tuesday (16 Dec); it could be the last patch released for 2008. This 0Day vulnerability has caused a lot of suffering for IE users, especially corporate users. It has really been a nightmare for corporate IT security to keep their internal production systems away from attack.

So, update your Windows systems ASAP to prevent them from being exploited. This vulnerability is currently being actively exploited in the wild on the internet. Download the Microsoft patch from http://support.microsoft.com/kb/960714



You may get more details from the official website http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

Acer offers nc.exe as an official driver?

My friend shared this interesting finding with me today when he was looking for Acer desktop drivers on the official Acer support website.

He found that the Acer website offers nc.exe as one of their drivers. It looks like their website was compromised and the nc.exe file was dropped in the C:\ path.

Just for information, netcat is one of the most famous tools used to open and listen on ports. Hackers use this tool to open a port on the target machine once it is executed, and use it to transfer malicious files to target machines.






Below is the result I got after submitting it to www.virustotal.com

Wednesday, December 17, 2008

F-Secure released Exploit Shield (Beta) to protect browsers.

One of my favourite security providers, F-Secure, released an application called Exploit Shield; this application is released in Beta stage. According to their press release, the solution will protect the most popular browsers, Internet Explorer (IE) and Firefox (FF), from vulnerability exploits.

This product really caught my attention since they claim it can tackle 0Day browser vulnerabilities. However, Exploit Shield seems to shield only a few vulnerabilities; how about the past vulnerabilities found over the last few years?


Let's try this product and install it on your systems.

The solution can be downloaded from F-Secure Labs.

Monday, December 15, 2008

SearchWiki makes your searching more powerful!

The giant Google released a new feature on its search engine called 'SearchWiki'. I personally like this feature because it customises my preferences based on personal ratings. The more you 'Promote' a particular URL, the higher it shifts above the others.

SearchWiki gives you the ability to re-rank, delete and add search results. It will also show the ratings given by other people once you click either 'Promote' or 'Remove'.


Other than that, SearchWiki also provides a feature that lets you add a new favourite web address (URL) to the results for your next search using SearchWiki. You may make notes on your search results and list all your personal results using 'See all my SearchWiki notes'. SearchWiki also gives you the ability to see the results collected by the community by clicking 'See all notes for this SearchWiki'.


Sunday, December 14, 2008

Microsoft released temporary solutions for the IE 0Day exploits

The Huaidan website recently published an article about how Microsoft released temporary solutions to prevent the recent IE 0Day. This is because there are no patches yet to overcome the 0Day vulnerability.

The vulnerability is caused by the OLEDB32.dll file, so each of the workarounds below restricts access to that file:

1. SACL technique (applies to Vista)
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"

Save the file as BlockAccess_x86.inf, then apply it with SecEdit /configure /db BlockAccess.sdb /cfg followed by the path to the inf file. A success message will appear once the command executes correctly.


2. Disable Row Position technique

Delete the following registry key: HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}

3. Unregister DLL technique

Execute the following command: Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

4. Permission access technique
Execute the following command: cacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N

On Vista operating systems, execute the 3 commands below instead:
takeown /f "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.32.dll.TXT
icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)


Ref: the vulnerability applies to the operating systems and applications below

  • Windows Internet Explorer 7
  • Windows Internet Explorer 7 for Windows XP
  • Windows Internet Explorer 7 for Windows Server 2003
  • Windows Internet Explorer 7 for Windows Server 2003 IA64
  • Windows Internet Explorer 7 in Windows Vista
  • Windows Internet Explorer 8 Beta
  • Microsoft Internet Explorer 6.0 Service Pack 2
  • Microsoft Internet Explorer 6.0 Service Pack 1
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 5.01 Service Pack 4
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Service Pack 1, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 2, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Please refer back to the Microsoft security bulletin for non-x86 systems.

Reference: http://huaidan.org/archives/2609.html#more-2609

Google Chrome version 1.0.154.36 released

Google Chrome version 1 was released just a few days ago! I updated from the previous version to the latest version. However, I haven't run any of the PoCs for vulnerabilities found in the previous Chrome version yet.

For those who would like to try the latest Google Chrome, you may download it from the official Google Chrome website.

Saturday, December 13, 2008

KL Rapid's LRT ticket system halted

Recently I found something interesting when visiting Kuala Lumpur: one of the Rapid LRT ticket machines had halted operation when I purchased a ticket for my destination.

Thursday, December 11, 2008

Microsoft's last Tuesday patches of 2008

Microsoft released their last patch cycle of 2008 this week; this batch comes with several critical patches to save client machines for the coming Christmas. Some of the patches are for Office and the operating systems. Does it really save client and server machines from exploits during Christmas? :)
I would like to see any PoC released for these vulnerabilities and will post them here for reference... :P

MS08-070 - Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution
MS08-071 - Vulnerabilities in GDI Could Allow Remote Code Execution
MS08-072 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution
MS08-074 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution
MS08-075 - Vulnerabilities in Windows Search Could Allow Remote Code Execution
MS08-076 - Vulnerabilities in Windows Media Components Could Allow Remote Code Execution
MS08-077 - Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege

Reference: Microsoft Security Bulletin

Tuesday, December 2, 2008

CA false positive on YouTube catches other security vendors' attention?

CrunchGear released a post regarding a virus infecting certain embedded YouTube videos. The virus is called Actns/Swif.T (CA) and some said it goes after IE browsers. The virus redirects to a phishing website and installs Antivirus 2009.

However, CA (Computer Associates) identified that certain files detected in YouTube videos as malicious code were false positives.

Although this post was identified as a false positive, it caught security vendors' attention to update their products to prevent similar issues, so that their customers are always protected by their security solutions without being harmed by them.

Resource: http://www.crunchgear.com/2008/12/02/actnsswift-virus-affecting-embedded-youtube-vids/