Web2Secure: Web Security Blog

We are non-funded group of security enthusiast who contributes and updates to community with latest security treats. Use and handle whatever links shared within website could be harmful to your systems with own risks. Feel free to use the contents for commercial or non-commercial purposes. We're very appreciating if using our useful information’s to your website by referring back to this original website. Donation or clicking on ads is most welcome to continue maintains costs for this website.

Saturday, May 22, 2010

Mebroot Variant Behaves Like TDSS - News

The TDSS malware family in itself is already a big threat to users. Known for its rootkit capabilities, TDSS constantly evolves to include more sophisticated means in order to hide its presence in an affected system. The Mebroot malware family, on the other hand, is noted for inflicting master boot record (MBR) infections.

TrendLabsSM engineers recently came across a Mebroot sample detected as TROJ_MEBROOT.SMC that installs itself in the following new but familiar way:

The main executable drops a file in the %User Temp% directory. It executes regsvr32 /s using the timeSetEvent function. It copies the said file into the Print Processor directory as %System%\spool\PRTPROCS\W32X86\{random number}.tmp. It then loads the file using API AddPrintProcessorA with the help of the SPOOLSV.EXE service. It unloads the file using API DeletePrintProcessorA then deletes it.

The routine is indeed familiar since this is how a TDSS malware installs other components onto users’ systems, the final payload of which is modifying the MBR by writing thousand of bytes of code and the malware’s image file. It then restarts the affected system by executing the command shutdown -r -f -t 0.

By modifying the MBR, the malware automatically executes once the affected system is restarted. Its image file then sets off its other routines such as connecting and sending information to a randomly generated URL even if the user is not logged in to Windows.

Upon restart, the malware will first connect to microsoft.com, time.windows.com, and yahoo.com. Once successful, it then attempts to .....................

Read Original Article

Google celebrate Pac-Man 30 years anniversary

22-May-2010 is the anniversary day for Pac-Man since released 30 years ago. :) Google also celebrated this wonderful day with changing their homepage Google logo with Pac-Man style.

You can play online at Pac-man site, pac-man.com, or at Google where they have their first interactive doodle that allows everyone to play pac-man at the search engine’s home page. You can also download pac-man from the internet and play the game while you’re offline.

reference: http://en.wikipedia.org/wiki/Pac-Man

Thursday, May 20, 2010

Jsunpack-n 0.3.2b Released

Latest Jsunpack with version 0.3.2b released, this time users can easily get the modification of codes via Google Code Subversion.

Updates 2010-05-20 version 0.3.2b

1) added INSTALL.spidermonkey.shellcode instructions. This adds improved shellcode detection.

2) updated jsunpack class options structure. New options will always use file contents instead of filenames (where possible). Also, rules are now part of the options structure.

3) socket defaulttimeout now part of jsunpack class (it was global before). If you import jsunpack, make sure to set a timeout on your own.

4) you can use jsunpack.version to get the current version string

5) new performance option (-f "fasteval") for disabling non-critical features in favor of performance

6) fixed a bug in redoevaltime option affecting performance of malicious scripts

7) fixed a pdf parsing bug for /Page related to testcase samples/pdf-numPages.file

Reference: http://jsunpack.blogspot.com/2010/05/jsunpack-n-update-032b-custom.html

Tuesday, May 18, 2010

Spam 18-May-10

195.5.161.210

0web-antispyware.com

1gig-antivirus.com

2gig-antivirus.com

50gb-antivirus.com

Spam:

59.144.118.20

www.zlaenhyzo.com

promotionrxpills.com

sloqubmel.com

thomuyqwa.com

planetdrugsdirect.com.cn

vzyubolqut.com

therxcapsules.eu

121.127.130.92

fastcyber.ru

readlamp.com

readbottle.com

carinc.ru

closedflush.com

mindblues.com

www.readlamp.com

www.carinc.ru

www.jerseynew.ru

www.readbottle.com

www.mindblues.com

www.closedflush.com

119.67.72.138

admin.awardpipe.ru

admin.batheconomy.ru

admin.beliefcat.ru

admin.birthdayhotel.ru

admin.blushcools.com

admin.brothersbottle.com

admin.dropsblow.com

admin.flushbounty.com

admin.flushfull.com

admin.forcetrain.ru

admin.imperialtree.ru

admin.lightgrape.ru

admin.oceanshort.com

admin.sonrainbow.ru

admin.trackcart.com

admin.villainmist.ru

awardpipe.ru

batheconomy.ru

beliefcat.ru

birthdayhotel.ru

brothersbottle.com

clickrich.ru

cqqek7g.acesaicb.cn

dropsblow.com

dr-maxx-man.info

dropsrain.com

flushbounty.com

flushfull.com

forcetrain.ru

imperialtree.ru

lightgrape.ru

maxedman.info

oceanshort.com

sailhope.ru

sonrainbow.ru

trackcart.com

uecawsnr.cn

villainmist.ru

7zh.uecawsnr.cn

www.dropsrain.com

80.191.84.220

admin.bevyquvjupo.com

admin.bibnabraclo.com

admin.buydiscountpills.com.cn

admin.crotrecpe.com

admin.healthwellnessmagazine.com

admin.hupfawqupke.com

admin.lojoasurzo.com

admin.mitmyjqum.com

admin.mitmyjqum.net

admin.myeplebsi.com

admin.omvouxylqe.com

admin.relcuhebi.com

admin.rhenjubad.com

admin.rucuvvaqwu.com

admin.wijvuihlumo.com

admin.wroanipnef.com

admin.wuvespuxoks.com

admin.yaflicacl.com

admin.zuvqupcuhy.com

aocfopgoh.com

atcezqus.com

bevyquvjupo.com

bibnabraclo.com

bididottoy.net

crotrecpe.com

fuadnacoct.com

futningi.com

gughixqukk.com

healthwellnessmagazine.com

hupfawqupke.com

kwywalgeky.com

lojoasurzo.com

mail.bevyquvjupo.com

mail.buydiscountpills.com.cn

mail.crotrecpe.com

mail.druggeneralstore.com

mail.healthwellnessmagazine.com

mail.hupfawqupke.com

mail.lojoasurzo.com

mail.mitmyjqum.com

mail.mitmyjqum.net

mail.mssmartstart.eu

mail.myeplebsi.com

mail.neintijl.com

mail.omvouxylqe.com

mail.rucuvvaqwu.com

mail.wijvuihlumo.com

mail.yaflicacl.com

mail.yambourzov.com

mail.zuvqupcuhy.com

mitmyjqum.com

myeplebsi.com

ns1.bevyquvjupo.com

ns1.buydiscountpills.com.cn

ns1.crotrecpe.com

ns1.healthwellnessmagazine.com

ns1.hupfawqupke.com

ns1.lojoasurzo.com

ns1.mitmyjqum.com

ns1.mitmyjqum.net

ns1.mssmartstart.eu

ns1.myeplebsi.com

ns1.neintijl.com

ns1.omvouxylqe.com

ns1.onqupidcuku.com

ns1.prufbulquo.com

ns1.rhenjubad.com

ns1.ribmecpeso.com

ns1.rucuvvaqwu.com

ns1.wijvuihlumo.com

ns1.yambourzov.com

ns1.zuvqupcuhy.com

ns2.aqwuhquxyb.net

ns2.bevyquvjupo.com

ns2.buydiscountpills.com.cn

ns2.crotrecpe.com

ns2.druggeneralstore.com

ns2.emailmedsonline.com

ns2.hupfawqupke.com

ns2.lojoasurzo.com

ns2.mitmyjqum.com

ns2.mitmyjqum.net

ns2.myeplebsi.com

ns2.neintijl.com

ns2.omvouxylqe.com

ns2.robsaxegiln.com

ns2.rucuvvaqwu.com

ns2.wijvuihlumo.com

ns2.yaflicacl.com

ns2.zuvqupcuhy.com

okvekjaiqwu.com

omvouxylqe.com

otjerlat.com

prufbulquo.com

qugoqudal.com

rhenjubad.com

robsaxegiln.com

rucuvvaqwu.com

siavbimt.com

vitamarketstore.net

wi.jonahoynox.com

wuvespuxoks.com

www.lojoasurzo.com

yambourzov.com

www.queretsxl.com

yardnight.com

www.floorduck.com

www.flushspeak.com

www.archmediagroup.ru

www.yournice.ru

www.freehomeseller.ru

www.plusmore.ru

www.floorflow.com

www.justgreatfun.ru

www.breakrounds.com

realmove.ru

yellowhouse.ru

pandasoft.ru

paperblues.com

bestnice.ru

www.storefree.ru

www.healthbestinfo.ru

www.bigeasyphoto.ru

www.onlinefast.ru

listawe.com

endwest.ru

fourteenpacification.ru

www.fiveproperitary.ru

www.carinc.ru

www.meanbusiness.ru

www.jerseynew.ru

www.sixapology.ru

capsquick.ru

www.towelswing.com

www.peopleget.ru

www.cardlamp.com

siavbimt.com

qwufotwom.com

bryobvysk.com

ameqwycfac.com

puxurbexe.com

huowovdav.com

pillhealthrxonline.net

pillspharmacytabletsdiscounts.net

pillspharmacytabletsbargain.net

rxpillstabletsdiscounts.net

rxpharmacy-usa.com

aducisynom.com

cheappillsite.com

sleepingpillsrxtablets.net

pillsonlinemarket.net

www.rxviagrapills.eu

pharmacyrxwellnessguide.com

pharmacyrxbarsworld.net

www.robsaxegiln.com

mypillsrx.com

pillsourcemedssite.com

drugspharmacyguide.com

smoucallak.com

shoprxpharmacy.net

pharmacyrxpricetablets.net

rxdrugscenter.eu

Wednesday, May 12, 2010

Microsoft Security Tuesday Patch May 2010

Microsoft released two bulletins covering two critical vulnerabilities. Both vulnerabilities can result in remote code execution. Window's users are welcome to update these patch regularly.

MS10-030

Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542)

This security update resolves a privately reported vulnerability in Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability could allow remote code execution if a user visits a malicious e-mail server. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-031

Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213)

This security update resolves a privately reported vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

reference: http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx

Web Application Exploits and Defenses Tools

Want to beat the hackers at their own game?

Learn how hackers find security vulnerabilities!
Learn how hackers exploit web applications!
Learn how to stop them!

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

reference: http://jarlsberg.appspot.com/