Friday, April 30, 2010

SafeBoot Windows 7 With REG File

What will you do if your Windows 7 SafeBoot registry key is corrupted or Safe Mode fails to boot? For stability and safety, it is better to keep a backup copy of the Windows 7 SafeBoot registry key.

I'm now publishing a registry file (.reg) containing the SafeBoot key from Windows 7.

Download the registry file if you want to have a copy, or merge it into the registry by double-clicking the "SafeBoot-Windows-7.reg" file.


Alternatively, you can import the registry key from the command console.
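Before merging any .reg file taken from the web, it is worth checking that it only writes under the SafeBoot key and deletes nothing. The following is an added example (not the post's own file); the SAMPLE_REG text is constructed to show what such a check catches.

```python
# Added example (not the post's file): audit a downloaded .reg before merging
# it, so that it only writes under the SafeBoot key and deletes nothing.
# On Windows the key itself is exported with:
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot SafeBoot-Windows-7.reg
import re

SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample: two keys a genuine SafeBoot export would contain,
# then a key deletion and a Run key that a backup should never carry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\updater.exe"
"""

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")   # "[key]" or "[-key]" (deletion)

def under_safeboot(key):
    # Registry paths are case-insensitive, so compare lower-cased.
    k, root = key.lower(), SAFEBOOT_ROOT.lower()
    return k == root or k.startswith(root + "\\")

def audit_reg(text):
    """Return a list of findings; an empty list means the file is safe to merge."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        findings.append("unexpected header: %r" % (lines[0] if lines else ""))
    for n, line in enumerate(lines, 1):
        m = KEY_RE.match(line.strip())
        if not m:
            continue  # value lines and blanks belong to the current section key
        delete, key = m.group(1) == "-", m.group(2)
        if delete:
            findings.append("line %d deletes key %s" % (n, key))
        if not under_safeboot(key):
            findings.append("line %d writes outside SafeBoot: %s" % (n, key))
    return findings

if __name__ == "__main__":
    for f in audit_reg(SAMPLE_REG) or ["no findings, safe to merge"]:
        print(f)
```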



Monday, April 19, 2010

Rogue Antivirus 19-April Spam





91.121.64.93



69.172.201.2


85.12.46.124


85.12.46.125


85.12.46.126



Disable Autorun/AutoPlay For Removable Drives in Windows 7

This is one of the basic steps you should take after a fresh install of a Windows operating system; here I focus on Windows 7. A common infection vector is removable media such as USB drives, and the risk is higher if you share the same USB drive between different machines (including malware-infected ones). :)

The antivirus installed on your machine won't help if it has no detection signature for the particular malware executable on your USB drive. With the Windows Autorun feature enabled, that executable is launched as soon as the USB drive is plugged in.

Below are the steps to disable "Autorun" for removable devices in Windows 7.

1. Launch the Run dialogue box by pressing Win + R, then type gpedit.msc and press Enter.


2. Navigate to Computer Configuration --> Administrative Templates --> Windows Components


3. Double-click "Turn off Autoplay", choose "Enabled" and make sure "All drives" is selected in the "Autoplay on" drop-down menu.


4. Click "Apply" to finish the configuration. Enjoy!


Disable the AutoPlay feature.
- Un-check the highlighted box and click "Save" to finish the configuration.

Friday, April 16, 2010

Fireshark Plugin Decode Malicious Web

Reference: ITworld.com

April 15, 2010, 10:41 AM — IDG News Service

A computer security researcher has released a plugin for Firefox that provides a wealth of data on Web sites that may have been compromised with malicious code.

The plugin, called Fireshark, was released on Wednesday at the Black Hat conference. The open-source free tool is designed to address the shortcomings in other programs used to analyze malicious Web sites, said Stephan Chenette, a principal security researcher at Websense, which lets Chenette develop Fireshark in the course of his job.

Hackers often target legitimate Web sites with code that can either infect a machine with malicious software or redirect a user to a bad Web page.

Websense specializes in detecting Web pages that have been infected, as many site administrators don't know that their sites are harmful to visitors or have difficulty reverse-engineering malicious code. Fireshark will "show you the exact details of a mass compromise," Chenette said.

Over the last 12 months, the number of newly compromised Web sites has increased about 225 percent, Chenette said.

"That means attackers are controlling more content that ever before that is being fed to users."

Fireshark must be run in a virtual machine in order to prevent an infection. Users can input a list of Web sites for investigation. Fireshark then exposes the Web sites' code.

That harmful code is often obfuscated, so it is difficult to tell what it actually does, Chenette said. But the obfuscated code has to run in the browser in order to work. Fireshark exposes the code, which normally can't be viewed, when it runs in the browser's memory.

"I became frustrated at the publicly available tools," Chenette said. "I heard the outcry from the community that there are not the correct tools to reverse the obfuscated content."

Once the code has been exposed, it's then possible to do more investigation and see if other Web sites are affected, Chenette said. Fireshark will show vulnerabilities and exploits on Web sites.

Many Web sites will be infected with code that either delivers malware or redirects users to bad Web sites. The tool also generates maps of those redirections, which can give clues as to who may be behind the attacks.

Fireshark collects the data in a ".yml" file, which is similar to an XML file, Chenette said. The ".yml" file can then be integrated into other security analysis tools, Chenette said. The data that Fireshark collects is all held locally, and none of it is shared with Websense.

Fireshark is available to download.

Tuesday, April 13, 2010

Rogue Antivirus 14-April Spam

IP address: 195.78.108.100


IP address: 79.135.152.101


Monday, April 12, 2010

Using Wget to Surf SEO-Attacked Website Links

There are a couple of ways to detect redirects to malicious sites. For me, the safest way is to use the wget command-line tool. It works on Linux, Mac and Windows. You can simulate the traffic a normal browser generates by configuring options such as the referer, the user-agent string, and so on.

Example,
# wget --referer=http://www.google.com "http://www.malicioussite.com/"

# wget --referer=http://www.yahoo.com "http://www.malicioussite.com/"

Faking the user-agent with Wget (the option is --referer, not --refer):
wget --referer=http://www.google.com --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)" "http://www.malicioussite.com/"

It is important to include a user-agent string because more and more of these sites refuse requests from "unapproved" browsers.

Example:

wget -k -m --referer=http://www.google.com --user-agent="Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "http://visualflowdesigns.com/ecuuz.php?t=polish+president+killed"

--18:40:06-- http://visualflowdesigns.com/ecuuz.php?t=polish+president+killed
=> `visualflowdesigns.com/ecuuz.php@t=polish+president+killed'
Resolving visualflowdesigns.com... done.
Connecting to visualflowdesigns.com[66.96.131.146]:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://slv9a0.xorg.pl/in.php?t=cc&d=10-04-2010_x_1023&h=visualflowdesigns.com&p=http%3A%2F%2Fwww.google.com [following]
--18:40:07-- http://slv9a0.xorg.pl/in.php?t=cc&d=10-04-2010_x_1023&h=visualflowdesigns.com&p=http%3A%2F%2Fwww.google.com
=> `slv9a0.xorg.pl/in.php@t=cc&d=10-04-2010_x_1023&h=visualflowdesigns.com&p=http@3A@2F@2Fwww.google.com'
Resolving slv9a0.xorg.pl... done.
Connecting to slv9a0.xorg.pl[87.248.163.54]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www3.firesafe6.xorg.pl?p=op2dcWtaraLFapWfZlahqJ51yGGTlGjJU8%2FXoA%3D%3D [following]
--18:40:08-- http://www3.firesafe6.xorg.pl/?p=op2dcWtaraLFapWfZlahqJ51yGGTlGjJU8%2FXoA%3D%3D
=> `www3.firesafe6.xorg.pl/index.html@p=op2dcWtaraLFapWfZlahqJ51yGGTlGjJU8@2FXoA@3D@3D'
Resolving www3.firesafe6.xorg.pl... done.
Connecting to www3.firesafe6.xorg.pl[78.46.218.251]:80... connected.
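Note how the first redirector echoes the referer back as the p= parameter (p=http%3A%2F%2Fwww.google.com) and the compromised host as h=, which is why the --referer flag matters when reproducing the chain. The following added example (not the post's own code) parses a transcript like the one above into its hop list and flags where the chain leaves the starting site; WGET_LOG is trimmed from the transcript above, so hosts and IPs are the ones wget printed there.

```python
# Added example (not from the post): turn a wget transcript into its redirect
# chain and flag hops that leave the starting site. WGET_LOG is trimmed from
# the post's transcript; the hosts and IPs are the ones wget printed there.
import re
from urllib.parse import urlsplit, parse_qs

WGET_LOG = """\
--18:40:06-- http://visualflowdesigns.com/ecuuz.php?t=polish+president+killed
Connecting to visualflowdesigns.com[66.96.131.146]:80... connected.
Location: http://slv9a0.xorg.pl/in.php?t=cc&d=10-04-2010_x_1023&h=visualflowdesigns.com&p=http%3A%2F%2Fwww.google.com [following]
--18:40:07-- http://slv9a0.xorg.pl/in.php?t=cc&d=10-04-2010_x_1023&h=visualflowdesigns.com&p=http%3A%2F%2Fwww.google.com
Connecting to slv9a0.xorg.pl[87.248.163.54]:80... connected.
Location: http://www3.firesafe6.xorg.pl?p=op2dcWtaraLFapWfZlahqJ51yGGTlGjJU8%2FXoA%3D%3D [following]
--18:40:08-- http://www3.firesafe6.xorg.pl/?p=op2dcWtaraLFapWfZlahqJ51yGGTlGjJU8%2FXoA%3D%3D
Connecting to www3.firesafe6.xorg.pl[78.46.218.251]:80... connected.
"""

HOP_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")            # "--HH:MM:SS-- URL"
CONN_RE = re.compile(r"^Connecting to (\S+?)\[([\d.]+)\]:(\d+)")  # host[ip]:port

def redirect_chain(log):
    """One dict per hop: the URL fetched, its host, the IP wget connected to,
    and the decoded query string (the redirector echoes referer and host there)."""
    hops = []
    for line in log.splitlines():
        m = HOP_RE.match(line)
        if m:
            parts = urlsplit(m.group(1))
            hops.append({"url": m.group(1), "host": parts.hostname, "ip": None,
                         "query": parse_qs(parts.query)})
            continue
        m = CONN_RE.match(line)
        if m and hops:
            hops[-1]["ip"] = m.group(2)
    return hops

def registrable(host):
    # Crude: keep the last two labels; enough for the .com/.pl hosts in this log.
    return ".".join(host.split(".")[-2:])

def cross_site_hops(hops):
    """Indices of hops that land on a different registrable domain than the previous hop."""
    return [i for i in range(1, len(hops))
            if registrable(hops[i]["host"]) != registrable(hops[i - 1]["host"])]

if __name__ == "__main__":
    chain = redirect_chain(WGET_LOG)
    for i, h in enumerate(chain):
        print(i, h["host"], h["ip"], "<- new site" if i in cross_site_hops(chain) else "")
    print("referer echoed by redirector:", chain[1]["query"].get("p"))
```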

Tools:
- wget (Download link)

Sunday, April 11, 2010

Google Blocks SEO-ing of "Plane Crash Polish President"

Another good effort by Google's anti-SEO filtering: it was able to filter out SEO-poisoned results related to the recent news keywords "Plane Crash Polish President".

Below is a screenshot captured by entering the keyword "Plane Crash Polish President"; hundreds of thousands of results were found for this search.

Good for Google users, as it reduces their risk from SEO attacks while surfing the Internet.



Thursday, April 8, 2010

Facebook Apps redirecting to Phishing Site

Don't simply add any Facebook application that appears from an unknown person. You will be redirected to a phishing site like the one below ... Finally, change your Facebook password ASAP once you realize what has happened.



IP address: 173.45.80.53
