Channel: BOT24

AutoIT Malware. A detailed analysis

This is a sample that came to my hands by a spam campaign, and was caught in a corporate honeypot. Make a comment under this post with your email if you want a sample. Here is an overview of what you’re going to see in this post:

1) First malware file: .exe
- recognition of the executable’s type (WinRAR SFX)

2) Drops: update.exe + 3 files
- recognition of the dropped PE (AutoIT), and obfuscated AutoIT script
- making a custom python script of script de-obfuscation
- Clear AutoIT script analysis, methods and some thoughts about it.

3) LoadPE method (by the AutoIT script) using an encrypted drop
- making a custom script to decrypt the drop (RC2 encrypted using CryptoAPI)
- analysis of the final malware. What data does it collect, in which format, how does it send them and where.
- reveal some console log messages of the app by just changing its IMAGE_SUBSYSTEM byte in the PE Header


more here..............http://www.133tsec.com/2014/09/20/autoit-malware-a-detailed-analysis/

Spammers use Google redirection to sneak shady URLs through filters

A growing technique being used especially by pill spammers is taking advantage of a trick abusing Google's URL service

more here...........http://garwarner.blogspot.com/2014/09/spammers-use-google-redirection-to.html

New files pertaining to Aaron Swartz (computer programmer, writer, political organizer and Internet Hacktivist who committed suicide in 2013) released under FOIA

Aaron Hillel Swartz (November 8, 1986 – January 11, 2013) was an American computer programmer, writer, political organizer and Internet Hacktivist.
Swartz was involved in the development of the web feed format RSS, the organization Creative Commons, the website framework web.py and the social news site, Reddit, in which he became a partner after its merger with his company, Infogami. Swartz's later work focused on sociology, civic awareness and activism.

more here.................http://www.theblackvault.com/m/articles/view/Aaron-Swartz

Hibbs writeup – OpenToAll Practice CTF

Recently, Eriner set up a practice CTF event for the OpenToAll CTF team, and he asked Alessandro to create a reverse engineering challenge for it. “Hibbs” is the challenge Alessandro created. It consists of an executable named Hibbs.exe. I have no idea what it will actually do, so I fire up a 64-bit Windows VM and run it.

more here............http://givemesecurity.info/2014/09/19/hibbs-writeup-opentoall-practice-ctf/

Heatmiser WiFi thermostat vulnerabilities

A while back, I came across a page listing some vulnerabilities on Heatmiser’s Netmonitor product. I thought I’d take a quick look at the rest of their product line. This is a WiFi thermostat running version 1.2 of the firmware.

more here............http://cybergibbons.com/security-2/heatmiser-wifi-thermostat-vulnerabilities/

Reversing Tinba: World's smallest trojan-banker DGA Code

CSIS Security Group A/S has uncovered a new trojan-banker family which we have named Tinba (Tiny Banker) alias “Zusy”. 

Tinba is a small data-stealing trojan-banker. It hooks into browsers, steals login data and sniffs network traffic. As with several sophisticated banker-trojans, it also uses Man in The Browser (MiTB) tricks and webinjects in order to change the look and feel of certain webpages, with the purpose of circumventing Two Factor Authentication (2FA) or tricking the infected user into giving away additional sensitive data such as credit card data or TANs.

Tinba is the smallest trojan-banker we have ever encountered and it belongs to a completely new family of malware which we expect to be battling in upcoming months.

more here...........http://garage4hackers.com/entry.php?b=3086

Vulnerability in MyFitnessPal’s Undocumented API

MyFitnessPal is easily one of the most popular calorie counter apps for weight loss and nutrition tracking. I’ve been using it for a few years and love it. Their Android App and web interface is simple, easy to use, and boasts a large database of nutritional information for a variety of foods, but how secure is user information?

more here..........http://randywestergren.com/vulnerability-myfitnesspals-undocumented-api/

sslyze

SSLyze
Fast and full-featured SSL scanner.

Description

SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.


more here..............https://github.com/nabla-c0d3/sslyze

CSAW 2014 Exploit 500 writeup : xorcise

The CSAW 2014 Exploit500 challenge was a Linux 32-bit network service for which the executable and the source code were provided (I saved a copy of the source code here). The service accepts packets defined by the structure cipher_data and first applies a decryption loop to the received data.

more here...........http://solution-36.blogspot.ca/2014/09/csaw-2014-exploit-500-writeup-xorcise.html

Quick AngularJS sandbox bypass (now fixed) writeup (and $5000 Google bug bounty!):

In my recent research I discovered a bypass to the AngularJS "sandbox", allowing me to execute arbitrary JavaScript from within the Angular scope, while not breaking any of the implemented rules (e.g. the Function constructor can't be accessed directly).

The main reason I was allowed to do this is because functions executing callbacks, such as Array.sort(), Array.map() and Array.filter() are allowed. If we use the Function constructor as callback, we can carefully construct a payload that generates a valid function that we control both the arguments for, as well as the function body. This results in a sandbox bypass.


more here...............http://avlidienbrunn.se/angular.txt

MALICIOUS DOCUMENTS – PDF ANALYSIS IN 5 STEPS

Mass mailing or targeted campaigns that use common files to host or exploit code have been and are a very popular vector of attack. In other words, a malicious PDF or MS Office document received via e-mail or opened through a browser plug-in. In regards to malicious PDF files, the security industry saw a significant increase of vulnerabilities after the second half of 2008, which might be related to Adobe Systems' release of the specifications, format structure and functionality of PDF files.

more here............http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/

CSAW14 Reverse Engineering 300 - Weissman Write-Up

This challenge consisted of a mystery file, weissman.csawlz that you had to extract the key out of somehow. Going from the extension it was some sort of compressed archive format. I started it after the hint was given out which confirmed that it was.

more here...........http://mmavipcre.blogspot.com/2014/09/csaw14-reverse-engineering-300-weissman.html

Paper: WhatsApp monitoring for Fun and Stalking

If you have used WhatsApp at least once in your life, you know that there is a really lovely/shitty (depending on the situation) feature that comes with it: you can see whether the person you are talking to is typing, online or offline and, in the latter case, when this person was last seen online. There is something really interesting about this feature: you can see such information even though the other person does not know you and has never talked to you before. All you need is this person's phone number. This happens because the value of the “Last seen” option (Settings – Account – Privacy – Last seen) is defaulted to “Everyone”. Bear in mind that, even if you change this option, others will still be able to know whether you are online or not.


more here................http://fgiobergia.com/papers/whatsapp.pdf

A Walkthrough for FLARE RE Challenges

The FireEye Labs Advanced Reverse Engineering (FLARE) challenge was causing a bit of a buzz when it was announced and launched in early July. It read like a recruitment campaign for a new division within FireEye, but still a fun challenge to partake in. The challenge started ... and I was on-site at a client site for the week and forgot all about it.

Busy under the pressure of releasing the new Dissecting the Hack book, the challenge went to the back of my mind until the 24th of July. I was facing a pretty hard-hitting bit of writer's block and frustration. I agreed to let myself have a break to do the challenge for one week before getting back to my commitments.



more here..............http://www.ghettoforensics.com/2014/09/a-walkthrough-for-flare-re-challenges.html

Scaling the NetScaler

A few months ago I noticed that Citrix provides virtual appliances to test their applications, I decided to pull down an appliance and take a peek. First I started out by downloading the trial Netscaler VM (version 10.1-119.7) from the following location

more here.............http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html

Threat Spotlight: “Kyle and Stan” Malvertising Network 9 Times Larger Than Expected

On September 8th, Cisco’s Talos Security Intelligence & Research Group unveiled the existence of the “Kyle and Stan” Malvertisement Network. The network was responsible for placing malicious advertisements on big websites like amazon.com, ads.yahoo.com, www.winrar.com, youtube.com and 70 other domains.  As it turns out, this was just the tip of the iceberg. Ongoing research now reveals the real size of the attackers’ network is 9 times larger than reported in our first blog

more here............http://blogs.cisco.com/security/kyle-and-stan-9x/

Trusts You Might Have Missed

How often do you investigate trust relationships between Windows domains during a penetration test? You may have domain admin or other privileged access on your target and not even know it. Abusing active directory trust relationships is an effective tactic to expand access both during penetration tests and red team engagements. In this post, I’ll offer some background on domain trusts, how to enumerate and abuse them, and describe how PowerView‘s features can help you with these tasks.

more here............http://www.harmj0y.net/blog/redteaming/trusts-you-might-have-missed/

Glype proxy local address filter bypass

------------------------------------------------------------------------
Glype proxy local address filter bypass
------------------------------------------------------------------------
Securify, September 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A vulnerability has been identified in the Glype web-based proxy. Glype
has a filter to disallow users from surfing to local addresses, to
prevent users from attacking the local server/network Glype is running
on. The filter can easily be bypassed by using IPs in decimal form.
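
Added example, not part of the Securify advisory or of Glype's own code: a local-address filter that decides on the canonical address rather than on the host string, so the decimal, octal, hex and short dotted forms that inet_aton() accepts all collapse to the same loopback address, and hostnames are judged by what they resolve to. All names are hypothetical and the stub resolver stands in for DNS.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical names, not Glype code. One dotted-quad part as inet_aton() reads it: decimal, 0-octal, 0x-hex.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
def _part_value(p):
    base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
    return int(p, base)

def parse_ipv4_literal(host):
    """Canonicalise the 'a', 'a.b', 'a.b.c' and 'a.b.c.d' literal forms that
    inet_aton() accepts (the last part fills the remaining bytes); None otherwise."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    vals, tail_bits = [_part_value(p) for p in parts], 8 * (5 - len(parts))
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 1 << tail_bits:
        return None
    packed = 0
    for v in vals[:-1]:
        packed = (packed << 8) | v
    return ipaddress.IPv4Address((packed << tail_bits) | vals[-1])

def is_internal(addr):
    """Loopback, RFC 1918, link-local and other non-routable ranges."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                 # ::ffff:127.0.0.1 is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def url_targets_internal(url, resolve):
    """Decide on the canonical address, not the host string; hostnames go through
    resolve(host) -> list[str]. Unparseable or unresolvable input fails closed."""
    host = urlsplit(url).hostname
    if not host:
        return True
    addr = parse_ipv4_literal(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)   # IPv6 literals such as ::1
        except ValueError:
            addr = None
    addrs = [addr] if addr is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    return not addrs or any(is_internal(a) for a in addrs)

def demo_resolver(host):   # constructed stand-in for DNS
    return {"intranet.example": ["10.0.0.5"], "public.example": ["8.8.8.8"]}.get(host, [])
```

A string denylist that only matches "127.0.0.1" or "localhost" never sees the decimal form; resolving to an address first is what closes the gap.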

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
This issue has been identified in Glype 1.4.9. Older versions are most
likely affected as well.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Glype was informed and a fixed version (1.4.10) is now available at
www.glype.com

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html

Glype proxy cookie jar path traversal allows code execution

------------------------------------------------------------------------
Glype proxy cookie jar path traversal allows code execution
------------------------------------------------------------------------
Securify, September 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A path traversal vulnerability has been identified in the Glype
web-based proxy that allows an attacker to run arbitrary PHP code on the
server or to remove critical files from the filesystem. This only
affects servers that are configured to:

- store Glype cookies locally; AND
- disable PHP display_errors; AND
- allow the webserver process to write to the filesystem (document
root).

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
This issue has been identified in Glype 1.4.9. Older versions are most
likely affected as well.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Glype was informed and a fixed version (1.4.10) is now available at
www.glype.com

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html 

Glype proxy privacy settings can be disabled via CSRF

------------------------------------------------------------------------
Glype proxy privacy settings can be disabled via CSRF
------------------------------------------------------------------------
Securify, September 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------

A path traversal vulnerability has been identified in the Glype
web-based proxy that allows an attacker to run arbitrary PHP code on the
server or to remove critical files from the filesystem. This only
affects servers that are configured to:

- store Glype cookies locally; AND
- disable PHP display_errors; AND
- allow the webserver process to write to the filesystem (document
root).

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
This issue has been identified in Glype 1.4.9. Older versions are most
likely affected as well.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Glype was informed and a fixed version (1.4.10) is now available at
www.glype.com

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
http://www.securify.nl/advisory/SFY20140902/glype_proxy_privacy_settings_can_be_disabled_via_csrf.html