Saturday, May 22, 2010

Mebroot Variant Behaves Like TDSS - News

The TDSS malware family in itself is already a big threat to users. Known for its rootkit capabilities, TDSS constantly evolves to include more sophisticated means in order to hide its presence in an affected system. The Mebroot malware family, on the other hand, is noted for inflicting master boot record (MBR) infections.

TrendLabs engineers recently came across a Mebroot sample, detected as TROJ_MEBROOT.SMC, that installs itself in the following new but familiar way:

1) The main executable drops a file in the %User Temp% directory.
2) It executes regsvr32 /s using the timeSetEvent function.
3) It copies the dropped file into the Print Processor directory as %System%\spool\PRTPROCS\W32X86\{random number}.tmp.
4) It then loads the file through the AddPrintProcessorA API, with the help of the SPOOLSV.EXE service.
5) It unloads the file through the DeletePrintProcessorA API and then deletes it.

The routine is indeed familiar, since this is how TDSS malware installs other components onto users' systems. The final payload modifies the MBR by writing thousands of bytes of code together with the malware's image file. It then restarts the affected system by executing the command shutdown -r -f -t 0.

By modifying the MBR, the malware executes automatically once the affected system is restarted. Its image file then sets off its other routines, such as connecting and sending information to a randomly generated URL, even if no user is logged in to Windows.

Upon restart, the malware will first connect to microsoft.com, time.windows.com, and yahoo.com. Once successful, it then attempts to .....................
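As an added illustration (not code from the article or from TrendLabs), the Python below matches constructed endpoint events against the installation chain described above: the .tmp file dropped into the print-processor directory, SPOOLSV.EXE loading it, the silent regsvr32 /s launch and the forced reboot. The event format and sample lines are constructed for the example, and the W32X86 path is the one the article gives.

```python
import re

# Constructed sample events (not real telemetry): "process|event_type|detail"
SAMPLE_EVENTS = [
    "a.exe|file_create|C:\\Users\\bob\\AppData\\Local\\Temp\\4321.tmp",
    "a.exe|process_create|regsvr32 /s C:\\Users\\bob\\AppData\\Local\\Temp\\4321.tmp",
    "a.exe|file_create|C:\\Windows\\System32\\spool\\PRTPROCS\\W32X86\\18273.tmp",
    "spoolsv.exe|image_load|C:\\Windows\\System32\\spool\\PRTPROCS\\W32X86\\18273.tmp",
    "a.exe|file_delete|C:\\Windows\\System32\\spool\\PRTPROCS\\W32X86\\18273.tmp",
    "a.exe|process_create|shutdown -r -f -t 0",
    # Benign: the stock Windows print processor being loaded by the spooler
    "spoolsv.exe|image_load|C:\\Windows\\System32\\spool\\PRTPROCS\\W32X86\\winprint.dll",
]

# rule name -> (event type, regex over the detail field, required process or None)
RULES = {
    "tmp_print_processor_dropped": (
        "file_create", re.compile(r"\\spool\\PRTPROCS\\W32X86\\\d+\.tmp$", re.I), None),
    "spoolsv_loads_tmp": (
        "image_load", re.compile(r"\\PRTPROCS\\W32X86\\[^\\]+\.tmp$", re.I), "spoolsv.exe"),
    "silent_regsvr32": (
        "process_create", re.compile(r"^regsvr32(\.exe)?\s+/s\b", re.I), None),
    "forced_reboot": (
        "process_create", re.compile(r"^shutdown\s+-r\s+-f\s+-t\s+0\b", re.I), None),
}


def match_events(events):
    """Return the list of rule names triggered by the given event lines."""
    hits = []
    for line in events:
        proc, ev_type, detail = line.split("|", 2)
        for name, (want_type, pattern, want_proc) in RULES.items():
            if ev_type != want_type or not pattern.search(detail):
                continue
            if want_proc is None or proc.lower() == want_proc:
                hits.append(name)
    return hits


def assess(events):
    """Alert only when the print-processor load chain and the forced reboot both appear."""
    hits = set(match_events(events))
    chain = {"tmp_print_processor_dropped", "spoolsv_loads_tmp"}
    return {"hits": sorted(hits), "alert": chain <= hits and "forced_reboot" in hits}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

A lone spoolsv.exe image load of a legitimate print processor does not trigger the alert; the combination of a numeric .tmp name in that directory, the spooler loading it and an immediate forced reboot is what distinguishes this sample's routine.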


Google Celebrates Pac-Man's 30th Anniversary

22-May-2010 is Pac-Man's anniversary day, since the game was released 30 years ago. :) Google also celebrated this wonderful day by changing the Google logo on its homepage to a Pac-Man style.


You can play online at the Pac-Man site, pac-man.com, or at Google, where the company's first interactive doodle lets everyone play Pac-Man on the search engine's home page. You can also download Pac-Man from the internet and play the game while you're offline.

reference: http://en.wikipedia.org/wiki/Pac-Man

Thursday, May 20, 2010

Jsunpack-n 0.3.2b Released

Jsunpack version 0.3.2b has been released; this time users can easily follow the code changes via the project's Google Code Subversion repository.


Updates 2010-05-20 version 0.3.2b

1) added INSTALL.spidermonkey.shellcode instructions. This adds improved shellcode detection.
2) updated jsunpack class options structure. New options will always use file contents instead of filenames (where possible). Also, rules are now part of the options structure.
3) socket defaulttimeout now part of jsunpack class (it was global before). If you import jsunpack, make sure to set a timeout on your own.
4) you can use jsunpack.version to get the current version string
5) new performance option (-f "fasteval") for disabling non-critical features in favor of performance
6) fixed a bug in redoevaltime option affecting performance of malicious scripts
7) fixed a pdf parsing bug for /Page related to testcase samples/pdf-numPages.file


Tuesday, May 18, 2010

Spam 18-May-10


Wednesday, May 12, 2010

Microsoft Patch Tuesday, May 2010

Microsoft released two bulletins covering two critical vulnerabilities. Both vulnerabilities can result in remote code execution, so Windows users should apply these patches promptly and keep their systems updated regularly.

MS10-030

Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542)

This security update resolves a privately reported vulnerability in Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability could allow remote code execution if a user visits a malicious e-mail server. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


MS10-031

Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213)

This security update resolves a privately reported vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Web Application Exploits and Defenses Tools

Want to beat the hackers at their own game?

  • Learn how hackers find security vulnerabilities!
  • Learn how hackers exploit web applications!
  • Learn how to stop them!

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

  • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
  • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

reference: http://jarlsberg.appspot.com/