Thursday, February 26, 2009

Vulnerability in Microsoft Office Excel

On 24 Feb 2009, Microsoft published Security Advisory 968272 for an unpatched vulnerability in Microsoft Excel that was already being exploited. On the same day, security vendors such as Symantec received a few crafted Excel samples that exploit the vulnerability and drop a binary file on the victim's system.


Reference:
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/189

Microsoft Advisory:
http://www.microsoft.com/technet/security/advisory/968272.mspx

Thursday, February 19, 2009

Bogus pharmaceutical and security websites spreading

Bogus pharmaceutical and security websites, grouped by hosting IP address:

IP Address: 88.85.66.170

Domains:
*.stimulhosting.com
247-meds.com
abouthealthy.com
afmstore.com
alfapills.com
all-medication.com
artelimbo.com
buy-pharmacy.info
calidrugs.net
cvs-pharmacy.biz
drugswebonline.com
echeap-drugs.com
erexo.com
extracheapdrugs.com
firm-pharmacy.com
freewebdav.com
ftonk.com
genericdrugsareus.com
gldpharmacy.com
govardwool.com
hiltonreality.com
hiltonrealityshow.com
hiltonsreality.com
hiltonsrealityshow.com
idrugmall.com
janomestaging.com
jofk.com
lamisiloral.com
love-pharmacy.org
many-shop.com
mchest.com
medical-st.com
medications.stimulhosting.com
medm.net
millionswantsex.com
my-web-pills.com
onlinepharmacyfda.com
order-cheap-meds.com
orgasm-drugstore.com
ovvl.com
parcialis.com
pharma37.com
pharmacy-54.com
pharmacytop.com
pharmacyvia.net
pharmamexpills.com
pharmamixx.com
pharmocean.com
pharmyork.com
pill-s.net
pills-buy-now.com
retreadthreads.com
rksu.com
rpvo.com
rx-review.com
s-pills.com
sabulose.com
shinkatech.com
sleline.com
stimulhosting.com
takeyourdrug.com
thedrugmarket.com
thepharmacy24.com
top-medications.com
ukusdrugs.com
unkp.com
usadrugsite.com
vkak.com
wkum.com
worldsbestpharmacy.net
wvvd.com
your-tablets.com

IP Address: 203.117.111.95

Domains:
antivirusxp09.com
crackexe.com
dolciaba.com
hellfire.com
klasniepiski.ru
mail.antivirusxp09.com
mail.crackexe.com
mail.dolciaba.com
mail.hellfire.com
mail.megatubexxx.net
mail.secure123.org
mail.sg-networks.com
mail.tissueonline.com
mail.ulasma.us
mail.ventai.com
mail.vogiz.com
mail.warez2.com
mail.wjw.org
mail.wrt.org
megatubexxx.net
ns1.abchost2000.com
ns1.sg-networks.com
ns2.abchost2000.com
secure123.org
sg-networks.com
tissueonline.com
ulasma.us
ventai.com
vogiz.com
warez2.com
wrt.org
www.klasniepiski.ru
www.megatubexxx.net
www.moment-exchange.com
www.ulasma.us
www.warez2.com
www.wjw.org
onlinepharmacy4u.org
allrxs.org
cheap-tramadol.us
*.klasniepiski.ru

IP Address: 216.117.193.16

Domains:
*.blogdrive.com
carmenesconde.blogdrive.com
comunicacion.blogdrive.com
counterfactual.blogdrive.com
cuentos-cortos.blogdrive.com
feddereeskamp.blogdrive.com
idolenthusiast.blogdrive.com
jobstuff.blogdrive.com
lovelet.blogdrive.com
medusa.blogdrive.com
rayjay2380.blogdrive.com
sapodeotrozopo.blogdrive.com
swirl.blogdrive.com
thelab.blogdrive.com
tribesportsclub.blogdrive.com
w02.blogdrive.com
ip-216-117-193-16.static.keyway.net

IP Address: 216.117.193.17

Domains:
*.blogdrive.com
carmenesconde.blogdrive.com
comunicacion.blogdrive.com
counterfactual.blogdrive.com
cuentos-cortos.blogdrive.com
feddereeskamp.blogdrive.com
idolenthusiast.blogdrive.com
jobstuff.blogdrive.com
lovelet.blogdrive.com
medusa.blogdrive.com
rayjay2380.blogdrive.com
sapodeotrozopo.blogdrive.com
swirl.blogdrive.com
thelab.blogdrive.com
tribesportsclub.blogdrive.com
w02.blogdrive.com
ip-216-117-193-17.static.keyway.net

IP Address: 216.117.193.18

Domains:
*.blogdrive.com
carmenesconde.blogdrive.com
comunicacion.blogdrive.com
counterfactual.blogdrive.com
cuentos-cortos.blogdrive.com
feddereeskamp.blogdrive.com
idolenthusiast.blogdrive.com
jobstuff.blogdrive.com
lovelet.blogdrive.com
medusa.blogdrive.com
rayjay2380.blogdrive.com
sapodeotrozopo.blogdrive.com
swirl.blogdrive.com
thelab.blogdrive.com
tribesportsclub.blogdrive.com
w02.blogdrive.com
ip-216-117-193-18.static.keyway.net


IP Address: 91.186.21.140

Domains:
mail.suche-project.eu
suche-project.eu
91-186-21-140.static.as29550.net

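The IP-to-domain blocks above (and the malicious link list in the 10-Feb-09 post below) are only useful if they get checked against something. The following is an added example, not part of the original post: it turns a subset of the listed entries into a lookup index, treats "*.name" entries as subdomain wildcards, and scans constructed BIND-style query log lines for clients that resolved any of them. The IOC subset, the log format and the log lines are assumptions for the example; paste the full lists into IOCS for real use.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the "IP Address / Domains" blocks in the post above.
IOCS: Dict[str, List[str]] = {
    "88.85.66.170": ["*.stimulhosting.com", "stimulhosting.com",
                     "247-meds.com", "pharmacytop.com"],
    "203.117.111.95": ["antivirusxp09.com", "*.klasniepiski.ru",
                       "cheap-tramadol.us"],
    "91.186.21.140": ["suche-project.eu", "mail.suche-project.eu"],
}

# BIND-style query log line (format assumed for this example), e.g.
# 10-Feb-2009 09:12:31.001 client 10.0.0.5#4123: query: host.example IN A +
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot a resolver log may include."""
    return name.strip().rstrip(".").lower()


def build_index(iocs: Dict[str, List[str]]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Split the IOC list into exact names and '*.' suffix patterns, each mapped to its hosting IP."""
    exact: Dict[str, str] = {}
    suffixes: List[Tuple[str, str]] = []
    for ip, names in iocs.items():
        for raw in names:
            name = normalize(raw)
            if name.startswith("*."):
                suffixes.append((name[1:], ip))  # keep the dot: ".stimulhosting.com"
            else:
                exact[name] = ip
    return exact, suffixes


def match_domain(qname: str, exact: Dict[str, str],
                 suffixes: List[Tuple[str, str]]) -> Optional[str]:
    """Return the hosting IP the queried name maps to, or None.

    A '*.x' entry matches every subdomain of x; the leading dot in the stored
    suffix stops 'notx.com' from matching, and 'x' itself only matches if it
    is listed explicitly (the post lists both forms where both apply).
    """
    name = normalize(qname)
    if name in exact:
        return exact[name]
    for suffix, ip in suffixes:
        if name.endswith(suffix):
            return ip
    return None


def scan_log(lines: List[str], iocs: Dict[str, List[str]] = IOCS) -> List[Tuple[str, str, str]]:
    """Yield (client, queried name, IOC hosting IP) for every matching query line."""
    exact, suffixes = build_index(iocs)
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (notices, zone transfers, ...)
        ip = match_domain(m.group("qname"), exact, suffixes)
        if ip:
            hits.append((m.group("client"), normalize(m.group("qname")), ip))
    return hits


# Constructed log lines: three hits, one clean query, one look-alike, one non-query line.
SAMPLE_LOG = [
    "10-Feb-2009 09:12:31.001 client 10.0.0.5#4123: query: medications.stimulhosting.com IN A +",
    "10-Feb-2009 09:12:32.118 client 10.0.0.7#53211: query: www.klasniepiski.ru IN A +",
    "10-Feb-2009 09:12:33.402 client 10.0.0.9#5555: query: www.example.com IN A +",
    "10-Feb-2009 09:12:34.007 client 10.0.0.5#4123: query: PHARMACYTOP.COM. IN A +",
    "10-Feb-2009 09:12:35.250 client 10.0.0.8#1111: query: stimulhosting.com.evil.test IN A +",
    "10-Feb-2009 09:12:36.000 client 10.0.0.8#1111: zone transfer 'example.com/IN' denied",
]

if __name__ == "__main__":
    for client, qname, ip in scan_log(SAMPLE_LOG):
        print(f"{client} resolved {qname} (IOC hosted on {ip})")
```

Matching on the queried name rather than on the answer's IP catches the case where the hosting IP has since moved; matching on both is better still when the resolver logs answers.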

Wednesday, February 18, 2009

MS09-002 IE 7 Memory Corruption PoC

The MS09-002 PoC has been published on the internet, hosted on a site in China. According to Milw0rm, the PoC can be obtained from http://www.chengjitj.com/bbs/images/alipay/mm/jc/jc.html (this is live exploit code for a memory corruption bug; do not open it in an unpatched browser).

Below is how the script works.



Reference:
http://milw0rm.com/exploits/8077
http://packetstormsecurity.org/0902-exploits/msie7-poc.txt

Wednesday, February 11, 2009

Microsoft Patch Tuesday for February 2009

Microsoft released its second wave of security patches for the year: four bulletins, two rated critical and two rated important. IE 7 and Exchange Server 2000-2007 fall in the critical category, while SQL Server and Office Visio are rated important.

Critical:
MS09-002 - Cumulative Security Update for Internet Explorer (961260)

MS09-003 - Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)

Important:
MS09-004 - Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)

MS09-005 - Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution (957634)


Tuesday, February 10, 2009

Malware related, 10-Feb-09

Malicious links that were still active on 10-Feb-09:

  • http:// dudu03.cn
  • http:// go.chajian01.cn
  • http:// go.keke03.cn
  • http:// go.keke05.cn
  • http:// keke01.cn
  • http:// keke02.cn
  • http:// keke03.cn
  • http:// keke05.cn
  • http:// tt-09.com
  • http:// ttfabb.com
  • http:// ttfafb.com

w08.css (Trojan)
http://www.virustotal.com/analisis/2cde77f0b7b729cd3fdd3ad70504c247

wl.css (Trojan)
http://www.virustotal.com/analisis/fa91380212f425fe1e85fdfdf904307b


Disclaimer:
The URL links posted above point to malicious files/trojans/viruses that could harm your systems and cause your information to be stolen. Usage: the URL links posted are for IT security officers, researchers and personal collection only. Any harmful action is totally prohibited. Use them at your own risk and wisely. Any risks and consequences are entirely outside the web owner's responsibility.

Sunday, February 8, 2009

Kaspersky.com database was hacked, SQL injection!!

Update: according to CNET News, Kaspersky has hired a third-party database penetration tester to investigate its website: David Litchfield, one of the leading authorities on database security, will conduct an audit of the related systems.

The database of security vendor Kaspersky was breached via SQL injection; below is the list of tables that were exposed. Note that the names in the last group (columns_priv, db, func, help_*, host, proc, procs_priv, tables_priv, time_zone*, user) are those of MySQL's built-in mysql privilege database, so the injected queries were reading the server's own grant tables, not just the application's data.

Tables List:
codes
users
vouchers
affectstable
bugs_settings
bugshistory
bugstable
builds
categories
commentstable
computertable
editions
filestable
frontpage
grouptable
ignoretable
milestones
paks
pmtable
priority
repfielddetail
repfields
repfieldset
repoptiondetail
repoptions
repquick
severity
statustable
substable
userstable
admin_users
best_buy
cms
cyberCrimeRegs
email_list
fr_link
fr_link_import
interview_request
k_test_users
kbfaq
kbfaq_import
kbrub
kbrub_bu
kbrub_import
login_stats
menu
menu_relations
menus
node
partners
partners_bu
portal_cms_prod_ann
portal_cms_recent_articles
portal_cms_whats_new
portal_product_orders
product_names
retail_login_stats
retail_partners
retail_users
se_login_stats
se_partners
se_users
setup
shopping_com_sales
smnr_items
smnr_items_bu
trials
trials_bu
trials_downloaded_new
trials_rpts
users
users_bu
it_hardware
activation_code_problem
admin_users
best_buy
cms
cyberCrimeRegs
e5users
email_list
fr_link
fr_link_bu
fr_link_import
interview_request
k_test_users
kbfaq
kbfaq_bu
kbfaq_import
kbrub
kbrub_bu
kbrub_import
kbtop_pop
login_stats
menu
menu_relations
menus
ms_crm_files
ms_crm_files_support
ms_crm_intermediary
ms_crm_intermediary_bu
ms_crm_intermediary_support
node
opt_out
partners
partners_bu
portal_cms_prod_ann
portal_cms_recent_articles
portal_cms_whats_new
product_names
retail_login_stats
retail_partners
retail_users
se_login_stats
se_partners
se_users
setup
shopping_com_sales
smnr_events
smnr_items
smnr_items_bu
test_users
test_users_new
trials
trials_bu
trials_downloaded
trials_downloaded_new
trials_rpts
users
users_bu
virus_watch
columns_priv
db
func
help_category
help_keyword
help_relation
help_topic
host
proc
procs_priv
tables_priv
time_zone
time_zone_leap_second
time_zone_name
time_zone_transition
time_zone_transition_type
user
codes
stores
stores_bu
users


Reference: HackerBlog

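A table list like the one above is the usual first thing a UNION-based injection returns, because the attacker reads the database catalogue through the same injected query. The following is an added example, not Kaspersky's code and not the exploit used against it: a constructed SQLite schema that borrows three of the table names listed, a lookup written with string concatenation beside the parameterised form that closes the hole, and two attacker-supplied parameter values, one that enumerates table names and one that then reads the admin credentials. The schema, data and payload strings are assumptions for the example; on MySQL the catalogue read would target information_schema.tables instead of sqlite_master.

```python
import sqlite3
from typing import List


def setup() -> sqlite3.Connection:
    """Constructed in-memory schema; table names borrowed from the list above, rows invented."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE kbfaq (id INTEGER PRIMARY KEY, question TEXT);
        CREATE TABLE admin_users (id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO kbfaq VALUES (1, 'How do I renew my licence?');
        INSERT INTO admin_users VALUES (1, 'admin', 'deadbeef');
    """)
    return con


def faq_vulnerable(con: sqlite3.Connection, faq_id: str) -> List[str]:
    """The untrusted request parameter is pasted into the SQL text, so it can
    append its own SELECT to the query."""
    sql = "SELECT question FROM kbfaq WHERE id = " + faq_id
    return [row[0] for row in con.execute(sql)]


def faq_fixed(con: sqlite3.Connection, faq_id: str) -> List[str]:
    """Parameter binding: the value is sent as data and can never change the
    query's structure. A non-numeric id simply matches nothing."""
    rows = con.execute("SELECT question FROM kbfaq WHERE id = ?", (faq_id,))
    return [row[0] for row in rows]


# Attacker-controlled values of the id parameter (constructed for the example).
# Step 1: list the tables through the catalogue (sqlite_master here,
# information_schema.tables on MySQL).
TABLE_ENUM_PAYLOAD = "1 UNION SELECT name FROM sqlite_master WHERE type='table'"
# Step 2: having seen 'admin_users' in the list, pull its contents.
CREDS_PAYLOAD = "1 UNION SELECT login || ':' || pwhash FROM admin_users"

if __name__ == "__main__":
    db = setup()
    print("vulnerable, table enumeration:", faq_vulnerable(db, TABLE_ENUM_PAYLOAD))
    print("vulnerable, credential dump:  ", faq_vulnerable(db, CREDS_PAYLOAD))
    print("fixed, same payload:          ", faq_fixed(db, TABLE_ENUM_PAYLOAD))
    print("fixed, legitimate id:         ", faq_fixed(db, "1"))
```

The fix is binding, not escaping: with the parameterised query the payload is compared against the integer id column as a string and matches no row. Least privilege is the second layer: a web application account that can read the server's privilege tables (as the list above shows happened here) has been granted far more than it needs.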
XP Antivirus and System Guard 2009

A few more rogue antivirus sites that are still active:


xp-police.com


www.dldnssg09.com
www.dlsg09.com
www.dlsgd3.com
www.getsgd2.com
www.getsgd3.com
www.getsysgd09.com
www.gosgd3.com
www.prdnssg09.com
www.sg10scanner.com
www.sg11scanner.com
www.sg9scanner.com
www.sgproduct.com
www.sgproductm.com
www.sgviralscan.com
www.spywareguard2009.com
www.spywareguard2009m.com
www.systemguard2009.com
www.systemguard2009m.com

Friday, February 6, 2009

Valentine-ware!

As you know, Valentine's Day is just around the corner. People have started sending Valentine e-cards to their friends for that special day, and of course malware propagates as well, enticing users to download a file from a malicious site by clicking on a lovely image.



All the files have the same content (identical MD5) under different names.

hxxp://bestgoodnews.com/ ->you.exe
hxxp://www.bestgoodnews.com/ ->onlyyou.exe
hxxp://bestlovelong.com/ ->meandyou.exe, youandme.exe
hxxp://www.bestlovelong.com/ ->love.exe

@:~/Desktop$ md5 you.exe
9feea0d0497010d4aa55dcba83d8d9f2 you.exe
@:~/Desktop$ md5 love.exe
9feea0d0497010d4aa55dcba83d8d9f2 love.exe
@:~/Desktop$ md5 meandyou.exe
9feea0d0497010d4aa55dcba83d8d9f2 meandyou.exe
@:~/Desktop$ md5 youandme.exe
9feea0d0497010d4aa55dcba83d8d9f2 youandme.exe
@:~/Desktop$ md5 onlyyou.exe
9feea0d0497010d4aa55dcba83d8d9f2 onlyyou.exe

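The md5 commands above are the manual version of a check worth scripting whenever a campaign hands out one payload under many names. The following is an added example, not part of the original post: it hashes each file once with both MD5 and SHA-256, groups the files by digest, and reports which names are the same payload. The sample files are constructed stand-ins written to a temporary directory, not the real downloads; the names are the five from the post plus one unrelated file.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, Iterable, List


def digests(path: str, algorithms=("md5", "sha256"), chunk: int = 1 << 16) -> Dict[str, str]:
    """Hash a file once, feeding every requested algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def group_by_hash(paths: Iterable[str], algorithm: str = "sha256") -> Dict[str, List[str]]:
    """Map digest -> file names. Any entry with more than one name is one payload renamed.

    SHA-256 is the grouping key: MD5 is still fine for matching a known sample,
    but chosen-prefix collisions mean two different files can share an MD5,
    so it should not be the only digest recorded.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        groups[digests(path)[algorithm]].append(os.path.basename(path))
    return dict(groups)


def write_samples(directory: str) -> List[str]:
    """Constructed stand-ins for the downloads above: five names, one payload,
    plus one unrelated file. These are not the real droppers."""
    dropper = b"MZ" + b"\x90" * 64 + b"constructed sample payload"
    other = b"MZ" + b"\x00" * 64 + b"an unrelated file"
    files = {
        "you.exe": dropper, "onlyyou.exe": dropper, "meandyou.exe": dropper,
        "youandme.exe": dropper, "love.exe": dropper, "unrelated.exe": other,
    }
    paths = []
    for name, data in files.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def demo() -> Dict[str, List[str]]:
    """Write the samples, group them, and return digest -> names."""
    with tempfile.TemporaryDirectory() as tmp:
        return group_by_hash(write_samples(tmp))


if __name__ == "__main__":
    for digest, names in demo().items():
        tag = "same payload" if len(names) > 1 else "unique"
        print(f"{digest[:16]}...  {tag}: {', '.join(sorted(names))}")
```

One digest per payload is also what you want to submit to VirusTotal or search in a sandbox: five names collapse to one lookup.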
Be safe and Happy Valentine !!!

Wednesday, February 4, 2009

Can you tell a rogue antivirus from a legitimate antivirus?

Can you differentiate between a rogue antivirus and a legitimate antivirus? Some of you can, but most will have no idea how to tell them apart...

With the sophisticated skills the 'bad' guys have, lots of fake Windows dialogs are displayed to entice users into clicking on them. Whether the 'OK', 'Cancel' or 'Close' button is clicked, the user is redirected to a malicious site that installs the program. Some websites download the program automatically (drive-by installation) onto the user's system!

Tips:
1. Before installing any new antivirus on your system, check "http://www.virustotal.com/sobre.html". Most legitimate antivirus products are listed there, because they are the engines VirusTotal uses to scan malicious files. If your program is not on the list, BE AWARE and delete it permanently ('SHIFT + DEL') when necessary.

Other services besides VirusTotal provide similar multi-engine scanning; see http://www.web2secure.com/2008/09/free-online-multiple-av-scan.html

2. If you notice that your system has become slow or unstable, or that its security settings changed after you installed an unknown antivirus program, QUICKLY uninstall that program. Installing a legitimate trial or free antivirus may help you temporarily clean malicious files from your system.



PS: I don't get any benefit from VirusTotal; it's just one of my personal favourite websites. :D

Rogue AntiMalwareGuard, RapidAntivirus09 and 'partners'

Don't let rogue antivirus harm your computer! All of these rogue antivirus programs have different names and directories, but their purpose is the same!

http://www.rapidantivirus09.com/
http://www.rapidantivirus.com/
http://www.rapid-antivir2009.com/
http://www.rapid-antivirus-2009.com/
http://www.rapid-antivirus.com
http://antivirus2009plus.com/
http://extraantivir.com/




http://www.antimalwareguardplus.com/
http://www.antimalwareguard-plus.com/
http://www.antimalwareguardsolution.com/
http://www.antimalwareguardsolutions.com/
http://www.antispywareexpertplus.com/
http://www.antispywareexpertsolution.com/
http://www.antispywareexpertsolutions.com/
http://www.pcprivacycleaner-plus.com/
http://www.xpboosterpro.com/
http://www.yourpcprivacycleanerplus.com/
http://www.yourpcprivacycleanerpro.com/