Showing posts sorted by relevance for query exploit.

VUPEN Researchers Said: They Have First Zero-Day Exploit for Windows 8 & Internet Explorer 10


Every day the number of users of Windows 8, Microsoft's newly launched and so far most advanced Windows operating system, is increasing. But we have to keep in mind that the security threats are increasing in parallel. Recently the well-known French IT security firm Vupen, also known as controversial bug hunters and exploit sellers, claimed to have a zero-day exploit for Windows 8. Experts at Vupen Security took credit for cracking the low-level security enhancements featured in Windows 8, Microsoft's latest operating system. According to a tweet from the official Vupen Security account, it already has a Windows 8 exploit on offer: "Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8"
Apparently, the exploit combines several unpatched (0-day) security holes in the new version of Windows and the bundled Internet Explorer 10 browser to inject malicious code into systems via specially crafted web pages. VUPEN CEO and head of research Chaouki Bekrar also sent out a pair of ominous tweets yesterday claiming to have developed the first zero-day exploit for Windows 8 and Internet Explorer 10, both released Oct. 26. Bekrar hints that the exploit is a sandbox bypass for IE10 with ASLR, DEP and anti-ROP mitigations enabled. “We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations,” Bekrar wrote.

The exploit allegedly bypasses all of Windows 8's malware protection features, for example the Address Space Layout Randomization (ASLR) function, which Microsoft has extended in the current edition of Windows to cover more system areas and offer improved randomisation. Vupen claims that the exploit also bypasses Data Execution Prevention (DEP) and the anti-ROP mitigations, as well as Internet Explorer's sandbox-like Protected Mode. A patch for the exploited holes may not become available in the foreseeable future: Vupen said that it discovered the vulnerabilities itself and doesn't plan to disclose them to Microsoft. The company is only offering its exploit to its paying customers, among them government investigation authorities. Should Microsoft close the holes, the elaborate exploit would significantly decrease in value.



-Source (The-H & threatpost)






Zero-Day Vulnerability in Opera Browser Found By Vázquez


Security expert José A. Vázquez has released the details of a critical security hole in the Opera browser that can be exploited to inject malicious code. He says that he found the hole and notified the developers with a proof of concept a year ago. However, the expert said that Opera decided not to close the hole.
Vázquez thinks that the Opera developers might have tested his version 10.6 exploit against the current version 11.x, which may have caused the exploit to malfunction. Instead of contacting Opera again, Vázquez has adapted the exploit for the current version 11.51 of Opera and has released it as a Metasploit module. This means that, in principle, anyone can now exploit the vulnerability.
The hole is caused by a memory flaw when processing SVG content within framesets. Simply visiting a compromised web page is enough for a system to become infected with malicious code. Vázquez said that the exploit is successful in 3 out of 10 cases. With the pre-alpha version of Opera 12, the exploit managed to inject malicious code in 6 out of 10 cases.
Vázquez released the 0-day exploit for Opera 10, 11 and 12.
By releasing the exploit, the security expert is forcing the browser developers into action. Opera later responded and released a security update.


-News Source (spa-s3c)




BlackHole Exploit Kit 2.0 Released !! (Collection of Latest Exploit Modules)


The BlackHole exploit kit, so far recognised as the most successful exploit kit, bundles a collection of exploits that take advantage of vulnerabilities on the target's machine to download malware and infect the victim. It has now become more powerful: the BH developers have unleashed a new version of their exploit toolkit on the net. With BlackHole 2.0, the software has been "rewritten from scratch" to fool antivirus and firewall products, said the unknown developers in a Russian-language release announcement on Pastebin. In their posting they advertise new features such as temporary exploit URLs that are only valid for a few seconds, making them harder to analyse. Other features make it a faster exploit kit: the new version doesn't rely on PluginDetect to determine the installed Java version, which speeds up the malware download routine. Because the link to the malicious payload was easily identified by security software earlier, BlackHole 2.0 comes with a feature that lets the customer choose the link. The creators of the exploit kit claim that this way none of the commercial antivirus solutions is able to detect it. Old exploits that were causing the browser to crash have been removed.
A total of 16 improvements are claimed for BlackHole's administrator panel. It is now faster, statistics are easier to view, and mobile phones and Windows 8 have been added so that customers can see precisely what types of devices are infected. The prices for the services are quite competitive. All you need is criminal intent and money. The toolkit can now even be rented for $50 a day and will then run on a server owned by the BlackHole team. The annual licence fee for criminals who use their own servers is $1,500.






Google Announced 'Pwnium 2' & Increased Prize Money $2m To Exploit Chrome


A few days ago we got the results of the Microsoft-hosted BlueHat security contest, where Microsoft awarded a bunch of hackers and gave away $260,000. Immediately after this event, Internet giant Google upped the ante in its industry-leading cash-for-security-bugs program with hefty bonuses and a hacking contest that will award up to $2 million worth of prizes to people who successfully exploit its Chrome browser. On the official Chromium blog, Google has announced its plan for Pwnium 2. According to a blog post by Chris Evans, Software Engineer at Google, Pwnium 2 will be held on Oct 10th, 2012 at the Hack In The Box 10-year anniversary conference in Kuala Lumpur, Malaysia.
This time, Google will be sponsoring up to $2 million worth of rewards at the following reward levels:
  • $60,000: “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself. 
  • $50,000: “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug. 
  • $40,000: “Non-Chrome exploit”: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. 
  • $Panel decision: “Incomplete exploit”: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. For Pwnium 2, we want to reward people who get “part way” as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can. 
Exploits should be demonstrated against the latest stable version of Chrome. Chrome and the underlying operating system and drivers will be fully patched and running on an Acer Aspire V5-571-6869 laptop (which we’ll be giving away to the best entry.) Exploits should be served from a password-authenticated and HTTPS Google property, such as App Engine. The bugs used must be novel i.e. not known to us or fixed on trunk. Please document the exploit. 
We would also like to remind you that earlier this year Google increased its vulnerability bounties on the anniversary of its Vulnerability Reward Program. PayPal, Facebook and many others have also already started paid bug bounty programs.






Egyptian Hackers Selling Zero-day Exploit of Yahoo Mail For $700


Those who wander the many underground hacker communities know very well that unethical items such as botnets, zero-day exploits, the BlackHole exploit kit, malware, undisclosed vulnerabilities and so on are sold there at different prices. Those products are generally priced between $5 and $500, but today I will talk about an expensive product that has listed itself at the top of the black market. I am talking about a new cross-site scripting exploit that enables attackers to steal cookies and access Yahoo email accounts. According to a blog post by Krebs on Security: "A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page." The hacker posted a video to demonstrate the exploit for potential buyers.


“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”
In response Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video. “Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”






Google engineers deny Chrome hack exploited browser's code


Several Google security engineers have countered claims that a French security company found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser.

Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year.
Google's official position, however, has not changed since Monday, when Vupen announced it had successfully hacked Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
"The investigation is ongoing because Vupen is not sharing any details with us," a Google spokesman said today via email.
But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's.
"As usual, security journalists don't bother to fact check," said Tavis Ormandy, a Google security engineer, in a tweet earlier today. "Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug."
"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn," tweeted Chris Evans, a Google security engineer and Chrome team lead, using the security-speak term for compromising an application or computer.
Justin Schuh, whose LinkedIn account also identifies him as a Google security engineer, chimed in with, "No one is saying it's not a legit exploit. The point is that it's not the exploit [Vupen] claimed."
When asked to confirm the source of the vulnerabilities it exploited, Vupen was blunt in its refusal to share any information.
"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us and our customers, and any claim is a pure speculation."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors -- as do many researchers -- but instead would reveal its work only to paying customers.
Today's Twitter back-and-forth between Google's engineers and Bekrar grew heated at times.
"When it comes to critical vulnerabilities, all software vendors/devs (including Google) always try to downplay the findings," Bekrar said on Twitter.
"I was thinking something similar about researchers who inflate their accomplishments," Schuh replied, also on Twitter, to Bekrar.
The point made by Ormandy, Evans and Schuh was that Vupen didn't exploit a bug in Chrome's own code, but in Flash, which has been partially sandboxed in the stable version of the browser since early March 2011.
While the Google engineers seemed to acknowledge that a bug in Flash was involved in Vupen's exploit, they also defended the sandbox technology -- meant to isolate Flash from the rest of the computer -- even as it apparently failed to prevent an attack.
"The Flash sandbox blog post went to pains to call it an initial step," said Evans. "It protects some stuff, more to come. Flash sandbox [does not equal] Chrome sandbox."
The blog Evans referred to was published in December 2010, where Schuh and another Google developer, Carlos Pizano, said, "While we've laid a tremendous amount of groundwork in this initial sandbox, there's still more work to be done."
Chrome's Flash sandbox is currently available only in the Windows version of the browser; Google has promised to implement it in the Mac and Linux editions, but has not yet done so.
While Bekrar later hinted that Vupen's exploit did leverage a Flash vulnerability, he said the attack code also took advantage of at least one other bug. "[Chrome's] built-in plug-ins such as Flash are launched inside the sandbox which was created by Google, so finding and exploiting a Flash or a WebKit vulnerability will fall inside the sandboxes and will not circumvent it," he wrote. "A sandbox bypass exploit is still required."
Chrome has a reputation as a secure browser, in large part because of its sandbox technology. Chrome is the only browser to have escaped unscathed at the last three Pwn2Own hacking contests, the annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
In March 2011, no one took on Chrome at Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.


Armageddon (DDoS Botnet) Started Integrating Apache Killer Exploit


The latest version of the DDoS bot named Armageddon integrates a relatively new exploit known as Apache Killer. Armageddon is a Russian malware family designed exclusively to launch DDoS attacks. Because it is sold as a toolkit on underground forums, there is more than one Armageddon-powered botnet on the Internet. Aside from the Apache Killer exploit, the latest Armageddon version also incorporates other application-layer DDoS techniques that target popular Internet forum platforms like vBulletin or phpBB; however, these are not particularly ground-breaking.
The Apache Killer exploit was released in August 2011. It exploits a vulnerability in the Apache Web server by sending a specially crafted "Range" HTTP header to trigger a denial-of-service condition. The attack is particularly dangerous because it can be successfully executed from a single computer and the entire targeted machine needs to be rebooted in order to recover from it. The vulnerability exploited by Apache Killer is identified as CVE-2011-3192 and was patched in Apache HTTPD 2.2.20, a week after the exploit was publicly released. Apache 2.2.21 contains an improved fix.
Recommendation:
System administrators should upgrade their Apache servers to the latest available version or implement the known workarounds. There is an update to the Apache mod_security module that attempts to address this type of attack by filtering requests whose 'Range' headers are too large.
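As an added defensive example (not code from the article, from Apache or from any of the tools it names), the check below parses HTTP Range headers and flags the request shape that CVE-2011-3192 abuses: one request carrying a large number of byte ranges, often overlapping, which the vulnerable httpd versions expanded in memory. The five-range threshold, the verdict labels and the sample requests are assumptions constructed for this example.

```python
"""Flag abusive HTTP Range headers of the kind sent by Apache Killer (CVE-2011-3192).

Added example: the threshold, verdict labels and sample traffic are assumed values,
not taken from the article or from any vendor's filtering rule.
"""
import re
from typing import List, Optional, Tuple

# Policy knob (assumed): more byte ranges than this in a single request is
# treated as abuse. Ordinary clients send one range, occasionally a handful.
MAX_RANGES = 5

ByteRange = Tuple[Optional[int], Optional[int]]  # (first, last); None = open end

_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header: str) -> Optional[List[ByteRange]]:
    """Parse 'bytes=a-b,c-,-d' into (first, last) tuples.

    Returns None when the value is not a syntactically valid byte-range set,
    so callers can treat malformed headers separately from abusive ones.
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def count_overlapping_pairs(ranges: List[ByteRange]) -> int:
    """Count pairs of closed ranges that overlap or duplicate each other.

    Open-ended ranges ('500-' or '-500') need the resource length to resolve,
    and unsatisfiable ones (last < first) select nothing, so both are skipped.
    """
    closed = sorted((f, l) for f, l in ranges
                    if f is not None and l is not None and f <= l)
    overlaps = 0
    for i in range(len(closed)):
        for j in range(i + 1, len(closed)):
            # sorted by first byte: a later range overlaps this one only if it
            # starts at or before this range's last byte; after that, none can
            if closed[j][0] <= closed[i][1]:
                overlaps += 1
            else:
                break
    return overlaps


def classify_range_header(header: Optional[str]) -> str:
    """Return 'none', 'ok', 'malformed', 'too-many-ranges' or 'overlapping-ranges'."""
    if header is None or header.strip() == "":
        return "none"
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES:
        return "too-many-ranges"
    if count_overlapping_pairs(ranges) > 0:
        return "overlapping-ranges"
    return "ok"


# Constructed sample requests (not captured traffic): (client, path, Range header)
SAMPLE_REQUESTS = [
    ("198.51.100.10", "/video.mp4", "bytes=1048576-2097151"),       # ordinary resume
    ("198.51.100.11", "/big.iso", None),                              # no Range at all
    ("198.51.100.12", "/index.html", "bytes=0-100,50-150"),           # overlapping pair
    ("198.51.100.13", "/index.html", "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7"),  # too many
    ("198.51.100.14", "/index.html", "bytes=abc"),                    # malformed
]


def scan_requests(requests) -> List[Tuple[str, str, str]]:
    """Return (client, path, verdict) for every request that is not 'ok' or 'none'."""
    findings = []
    for client, path, rng in requests:
        verdict = classify_range_header(rng)
        if verdict not in ("ok", "none"):
            findings.append((client, path, verdict))
    return findings


if __name__ == "__main__":
    for client, path, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{client} {path} {verdict}")
```

The same classification can be wired into a reverse proxy or WAF rule; requests judged abusive are better answered with the Range header stripped than rejected outright, since legitimate download managers also send multiple ranges.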

-Source (PC World)





Security firm exploits Chrome zero-day to hack browser, escape sandbox


French security company Vupen said today that it's figured out how to hack Google's Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
Google said it was unable to confirm Vupen's claims.
"The exploit ... is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox," said Vupen in a blog post Monday. "It is silent (no crash after executing the payload), it relies on undisclosed ('zero-day') vulnerabilities and it works on all Windows systems."
Vupen posted a video demonstration of its exploit on YouTube.
According to Vupen, its exploit can be served from a malicious Web site. If a Chrome user surfed to such a site, the exploit executes "various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level."
Vupen used the Windows Calculator only as an example: In an actual attack, the "calc.exe" file would be replaced by a hacker-made payload.
Historically, Chrome has been the most difficult browser to hack, primarily because of its sandbox technology, which is designed to isolate Chrome from the rest of the machine to make it very difficult for a hacker to execute attack code on the PC.
For example, Chrome has escaped unscathed in the last three Pwn2Own hacking contests, an annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
Last March, a team from Vupen walked away with a $15,000 cash prize after hacking Safari, the Apple browser that, like Chrome, is built on the open-source WebKit browser engine.
But no one took on Chrome at 2011's Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.
The Vupen attack code also bypassed Windows 7's ASLR (address space layout randomization) and DEP (data execution prevention), two other security technologies meant to make hackers' jobs tougher.
Vupen said it would not publicly release details of the exploit, or the unpatched bug(s) in Chrome. "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed," said Vupen. "They are shared exclusively with our Government customers as part of our vulnerability research services."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors, but instead would reveal its research only to paying customers.
Other security experts reacted today to the news of one or more Chrome zero-days, and to Vupen's practice of providing details only to its clients.
"I suppose that means we have a known Chrome 0-day floating around. That's fun," said Jeremiah Grossman, CTO of WhiteHat Security, in a Twitter message today.
"That also means that the [government] is outbidding Google for bug bounties," Grossman added in a follow-up tweet.
"For now, the [government] still has more money than Google," chimed in Charlie Miller, the only researcher who has won cash prizes at four straight Pwn2Own contests.
Google, like rival browser maker Mozilla, runs a bounty program that pays independent researchers for reporting flaws in Chrome. Last month, Google paid out a record $16,500 in bounties for bugs it patched in a single update. In the first four months of 2011, Google spent more than $77,000 on bug bounties.
Google cited Vupen's policy of not reporting flaws as the reason it could not verify the French firm's assertions.


JailbreakMe 3.0 Exploit for iPad 2 Leaked Out


The long-awaited JailbreakMe 3.0 exploit has finally been released, but not officially: according to a report, a beta tester for the software leaked the exploit online last night. Suffice to say, neither the Dev Team nor Comex has come forward to validate its authenticity.

According to the News Source:- 
"..Supporting iOS 4.2.1-4.3.3, in short, we don't recommend you to use the exploit until it has been officially verified. If you want to see it in action, however, to prove its existence, we have got a short, less-than-2-minute look at JailbreakMe 3.0 right after the break.

[Update] - Reader Dave (@Dave Flash) notes that the leaked exploit was also available for iPad earlier today, using a different .PDF file from the site mentioned. However, this now appears to have been pulled.
@razorianfly also worked on my 1st gen iPad.
@razorianfly Well, you have to use a different PDF from that site http://rfly.co/m2kz5H
… but it appears to have been pulled.

[update 2] 9to5Mac reports that the exploit only appears to work on Wi-Fi-only iPad 2 models, offering up the screenshot below as proof of the jailbreak method.



[update 3] success stories coming in. @Baisarro notes...
@razorianfly hey Arron! it worked for me with ipad 2 wi-fi iOS, no problems "



Hackers Subvert Google Chrome Sandbox


On Monday, French vulnerability research firm Vupen said that it has discovered a way to circumvent the sandbox in the Google Chrome browser. The sandbox is designed to prevent attackers from exploiting arbitrary code via the browser.
According to Vupen, the exploit it created "bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0 day) vulnerabilities discovered by Vupen, and it works on all Windows systems (32-bit and x64)." ASLR and DEP refer to two attack mitigation technologies: address space layout randomization (ASLR), for preventing attackers from easily locating local files to exploit, and data execution prevention (DEP) for preventing attackers from executing arbitrary code.
Vupen, however, didn't provide specific details of the attack. Rather, the company said that it's only releasing details of the proof-of-concept exploit to its government customers. "For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are exclusively shared with our government customers as part of our vulnerability research services," it said.
For everyone else, Vupen uploaded a video demonstration of the attack to its website, which shows Chrome v11.0.696.65 being exploited when a user visits a Web page containing the exploit code. For the purposes of the demonstration, the exploit code downloads the Calculator application from a remote location, then launches it on the user's PC, outside the sandbox.
Asked for comment on the flaw itself, or the potential risk it poses to Chrome users, Google demurred. "We're unable to verify Vupen's claims at this time as we have not received any details from them," said a spokesperson for Google, via email. "Should any modifications become necessary, users will be automatically updated to the latest version of Chrome."
Google has a reputation for rapidly patching Chrome, helped in no small part--given the prevalence of Adobe Flash, Reader, and Acrobat bugs--by its having first dibs on Adobe patches.
Exploiting Chrome has evidently been on the Vupen researchers' minds. In March, they won a prize in the Pwn2Own hacking contest by compromising Apple Safari in five seconds, which earned them $15,000. But they could have sweetened the pot by $5,000 if they had hacked Google Chrome, which hadn't been cracked during three years' worth of Pwn2Own contests.
At least part of that fact could be due to Google running its own bug bounty program, which now pays anywhere from $500 to $3,133.70 for information on particularly egregious vulnerabilities in or clever exploits of its products. Vupen not submitting the details of the bug it discovered leaves open the possibility that someone else might submit the information in return for the reward.
But Vupen's move also illustrates the market dynamics at work behind vulnerability research. Namely, a company such as Vupen builds its business by attracting subscribers to its software vulnerability information service, meaning that its revenue relates directly to the quality, timeliness, and--sometimes--exclusivity of its bug notices.



BlackHole Exploit Kit 1.0.2 is now Available


The BlackHole exploit kit is yet another in an ongoing wave of attack toolkits flooding the underground market. The kit first appeared on the crimeware market in September 2010 and has since been quickly gaining market share over its vast number of competitors. In fact, many antivirus vendors now claim that this is one of the most prevalent exploit kits used in the wild. Even Malware Domain List is showing quite a few domains infected with the BlackHole exploit kit. One notable feature is the TDS, or Traffic Direction Script. While this is not an entirely new concept in attack toolkits, the TDS included here is much more sophisticated and powerful than those in other kits. A TDS is basically an engine that redirects traffic according to a set of rules. For example, a user can set up rules that redirect flow to different landing pages on their domain. These rules could be based on operating system, browser, country of origin, exploit, files, etc. One rule might redirect traffic to page A for all users running a Windows OS from XP to Vista with IE 8, while another rule can redirect Windows 7 users to page B. Those are just simple example rules.
More advanced rules could set expiration dates for certain payloads and replace them with new ones when the date is reached. The TDS included in BlackHole even goes the extra step of allowing the operator to create traffic flows based on these rules, and provides a management interface for the flows. A savvy malicious user with a lot of experience could easily use this rule engine to increase their infection numbers. From a web application standpoint BlackHole is built just like other kits, consisting of a PHP and MySQL backend. Since the majority of web servers run on the LAMP stack, this allows very easy application deployment. The user interface for this kit is a cut above the rest, and it definitely looks nicer than almost any other attack kit.


Recently Found Java Vulnerability Is Being Added Into 'BlackHole' Exploit Kit



Security researcher and journalist Brian Krebs has found evidence that a recently discovered vulnerability in Java is being added to the 'BlackHole' exploit kit. The vulnerability was discovered a few weeks ago and makes use of the Rhino Script Engine to run arbitrary code outside the sandbox. Following a patch released by Oracle, the exploit works against all but the latest versions of Java.
Although there is evidence suggesting that this exploit is currently only used to target computers running Windows, the fact that Java is cross-platform makes these vulnerabilities popular for those who want to attack other operating systems, such as Mac OS X. Java exploits are therefore commonly used in exploit kits such as 'BlackHole'. This kit, which can be bought on the black market, attempts to gain access to the victim's system via exploits in commonly used browser add-ons such as Java, Flash and Adobe Reader. It is usually embedded into legitimate but hacked websites via hidden iframes, making those who avoid the more obscure corners of the Internet just as vulnerable to such attacks. Making sure software is always up to date (or in the case of Java, as Krebs suggests, uninstalled when not needed) is thus an essential step Internet users should take to keep their computers secure.
The sad irony is that 'customers' of 'BlackHole' are having their kits automatically 'patched' to include this latest exploit, Krebs found on underground forums. This is yet another sign of how cybercriminals have become as professional as legitimate software companies. 




Linux kernel (OMAP4) Vulnerabilities, Affected Distribution Ubuntu 10.10


The kernel incorrectly handled certain VLAN packets, so a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. The EFI GUID partition table was not correctly parsed, so a physically local attacker who could insert mountable devices could exploit this to crash the system or possibly gain root privileges.

=============================================
Ubuntu Security Notice USN-1220-1
September 29, 2011

linux-ti-omap4 vulnerabilities

=============================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.10

Summary:
Multiple kernel flaws have been fixed.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Ryan Sweat discovered that the kernel incorrectly handled certain VLAN
packets. On some systems, a remote attacker could send specially crafted
traffic to crash the system, leading to a denial of service.
(CVE-2011-1576)
Timo Warns discovered that the EFI GUID partition table was not correctly
parsed. A physically local attacker that could insert mountable devices
could exploit this to crash the system or possibly gain root privileges.
(CVE-2011-1776)
Dan Rosenberg discovered that the IPv4 diagnostic routines did not
correctly validate certain requests. A local attacker could exploit this to
consume CPU resources, leading to a denial of service. (CVE-2011-2213)
Dan Rosenberg discovered that the Bluetooth stack incorrectly handled
certain L2CAP requests. If a system was using Bluetooth, a remote attacker
could send specially crafted traffic to crash the system or gain root
privileges. (CVE-2011-2497)
Mauro Carvalho Chehab discovered that the si4713 radio driver did not
correctly check the length of memory copies. If this hardware was
available, a local attacker could exploit this to crash the system or gain
root privileges. (CVE-2011-2700)
Herbert Xu discovered that certain fields were incorrectly handled when
Generic Receive Offload (CVE-2011-2723)
Timo Warns discovered that long symlinks were incorrectly handled on Be
filesystems. A local attacker could exploit this with a malformed Be
filesystem and crash the system, leading to a denial of service.
(CVE-2011-2928)
Dan Kaminsky discovered that the kernel incorrectly handled random sequence
number generation. An attacker could use this flaw to possibly predict
sequence numbers and inject packets. (CVE-2011-3188)
Darren Lavender discovered that the CIFS client incorrectly handled certain
large values. A remote attacker with a malicious server could exploit this
to crash the system or possibly execute arbitrary code as the root user.
(CVE-2011-3191)

-News Source (Ubuntu)
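To triage an advisory like this one systematically, here is an added example (not Ubuntu's tooling) that parses the free-text Details entries into structured records and orders them by exposure; the sample input is three entries quoted from the advisory above, and the keyword rules for vector and impact are this example's own assumption.

```python
import re
from dataclasses import dataclass

# Three Details entries from USN-1220-1 as quoted above (the last one is
# truncated in the advisory itself, which the parser must tolerate).
USN_DETAILS = """\
Ryan Sweat discovered that the kernel incorrectly handled certain VLAN
packets. On some systems, a remote attacker could send specially crafted
traffic to crash the system, leading to a denial of service.
(CVE-2011-1576)
Timo Warns discovered that the EFI GUID partition table was not correctly
parsed. A physically local attacker that could insert mountable devices
could exploit this to crash the system or possibly gain root privileges.
(CVE-2011-1776)
Herbert Xu discovered that certain fields were incorrectly handled when
Generic Receive Offload (CVE-2011-2723)
"""

@dataclass
class Flaw:
    cve: str
    reporter: str
    vector: str  # "remote", "local" or "unknown"
    impact: str  # "root", "dos" or "unknown"

# An entry is everything up to its parenthesised CVE id.
ENTRY_RE = re.compile(r"(?P<text>.*?)\((?P<cve>CVE-\d{4}-\d{4,})\)", re.S)

def classify(low, options):
    """First label whose keywords occur in the lower-cased entry text."""
    for label, words in options:
        if any(w in low for w in words):
            return label
    return "unknown"

def parse_usn_details(text):
    """Turn the free-text Details section into Flaw records."""
    flaws = []
    for m in ENTRY_RE.finditer(text):
        body = " ".join(m.group("text").split())  # re-flow wrapped lines
        low = body.lower()
        vector = classify(low, [("remote", ["remote attacker", "malicious server"]), ("local", ["local attacker"])])
        impact = classify(low, [("root", ["root", "arbitrary code"]), ("dos", ["denial of service", "crash"])])
        flaws.append(Flaw(m.group("cve"), body.split(" discovered", 1)[0], vector, impact))
    return flaws

def worst_first(flaws):
    """Triage order: remote root, local root, remote DoS, local DoS, then unknown."""
    rank = {("remote", "root"): 0, ("local", "root"): 1,
            ("remote", "dos"): 2, ("local", "dos"): 3}
    return sorted(flaws, key=lambda f: rank.get((f.vector, f.impact), 9))
```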
 
 


Analysis of an Osama bin Laden RTF Exploit

Targeted/semi-targeted attacks have been utilizing exploits against Microsoft's "RTF Stack Buffer Overflow Vulnerability" (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.
Many of the attacks we've seen which exploit CVE-2010-3333 have used topical subject lines.
And this week is no different. So of course, there's an Osama bin Laden RTF exploit circulating in the wild which uses the subject: "FW: Courier who led U.S. to Osama bin Laden's hideout identified".
The file is named "Laden's Death.doc" and, when opened, appears as shown in the screenshot below:
Courier who led U.S. to Osama bin Laden's hideout identified


When the RTF file is opened, the exploit executes shellcode and drops a file named server.exe inside C:/RECYCLER and executes it.

C:/RECYCLER/server.exe does the following:

  •  Drops a file in the system's temp folder: vmm2.tmp
  •  File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
  •  Makes registry modifications in an attempt to hijack the DHCP service.

It attempts to connect to a C&C hosted at ucparlnet.com.

The payload has the ability to:

  •  Download additional malware
  •  Connect and send sensitive data back to remote servers
  •  Act as a trojan proxy server

The folks at contagio malware dump report that "It was sent to many targets in the US Government today".

Checking our back end shows that some of our customers have also been exposed. Our detection name for the exploit is Exploit:W32/Cve-2010-3333.G and the RTF payload is detected as Trojan:W32/Agent.DSKA.
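As an added example (not F-Secure's detection logic), the following runs the host indicators from this post over constructed endpoint events; the event line format is made up for the example, and checking the DHCP service's ServiceDll registry value is an assumption, since the post only says the registry was modified to hijack the service.

```python
import re

# Indicators named in the post: dropper path, planted DLL, C&C domain.
DROPPED_EXE = re.compile(r"(?i)^[a-z]:[\\/]recycler[\\/]server\.exe$")
HIJACK_DLL = re.compile(r"(?i)^[a-z]:[\\/]windows[\\/]system32[\\/]dhcpsrv\.dll$")
C2_DOMAIN = "ucparlnet.com"
# The post only says the DHCP service is hijacked through the registry;
# watching the service's ServiceDll value is this example's assumption.
DHCP_SVC_KEY = re.compile(r"(?i)\\services\\dhcp\\parameters\\servicedll$")

# Constructed sample telemetry: one "type key=value ..." event per line.
SAMPLE_EVENTS = """\
file_create path=C:\\RECYCLER\\server.exe pid=1234 image=WINWORD.EXE
file_rename src=C:\\Users\\a\\AppData\\Local\\Temp\\vmm2.tmp dst=C:\\Windows\\System32\\dhcpsrv.dll pid=2222
reg_set key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Parameters\\ServiceDll pid=2222
dns_query name=ucparlnet.com pid=2222
file_create path=C:\\Users\\a\\Documents\\notes.docx pid=4444 image=WINWORD.EXE
"""

def parse_event(line):
    """Split a sample line into a dict; sample values contain no spaces."""
    kind, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["type"] = kind
    return fields

def match_iocs(events):
    """Return (pid, reason) for every event matching one of the indicators."""
    hits = []
    for ev in events:
        t, pid = ev["type"], ev.get("pid", "?")
        if t == "file_create" and DROPPED_EXE.match(ev.get("path", "")):
            hits.append((pid, "dropper written to RECYCLER"))
        elif t == "file_rename" and HIJACK_DLL.match(ev.get("dst", "")):
            hits.append((pid, "dhcpsrv.dll planted in system32"))
        elif t == "reg_set" and DHCP_SVC_KEY.search(ev.get("key", "")):
            hits.append((pid, "DHCP service ServiceDll modified"))
        elif t == "dns_query":
            name = ev.get("name", "").lower().rstrip(".")
            if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
                hits.append((pid, "lookup of C&C domain"))
    return hits

def scan(text, min_hits=2):
    """Run the indicators over raw lines; pids with >= min_hits are high confidence."""
    hits = match_iocs(parse_event(l) for l in text.splitlines() if l.strip())
    counts = {}
    for pid, _ in hits:
        counts[pid] = counts.get(pid, 0) + 1
    return hits, sorted(p for p, n in counts.items() if n >= min_hits)
```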

As always, the usual advice applies: exercise caution when opening attachments, patch and update MS Word/Office, and make sure your antivirus is up to date.

You can see more examples of CVE-2010-3333 attacks at contagio.

Updated to add: Here's a picture of an email spreading this document. This was sent to analysts in Washington, D.C. The picture was published by Lotta Danielsson-Murphy. Do note that the sender information in the email is forged.

Laden's Death.doc


Yahoo Mail Hit By XSS Exploit Putting 400 Million Users At Risk


Yet again, mistrust is growing among Yahoo's large user base, as the company has repeatedly failed to protect its customers from cyber attacks. Late last year we saw two major Yahoo services compromised, affecting millions of registered users across the globe. First, Yahoo Voice was hacked, putting 450K users at high risk. Then it was Yahoo Mail's turn: a few Egyptian hackers found serious XSS vulnerabilities in the Yahoo Mail service that let attackers steal cookies from Yahoo webmail users. Cyber criminals later turned those loopholes into a product, widely known as an exploit, which was sold at a high price on underground markets and forums. As expected, Yahoo immediately patched those loopholes, but now it seems it did not learn the lesson from the recent past.
You may be wondering what happened. Once again Yahoo's security has fallen victim to hackers. Shahin Ramezany, a hacker and independent security researcher, has found a DOM-based XSS vulnerability in Yahoo Mail that is exploitable in all major browsers. Ramezany tweeted about the issue with a link to a YouTube video in which he demonstrates the hack. Shahin Ramezany also claimed that the exploit has put more than 400 million Yahoo users at risk.


As soon as the story was spotted, Yahoo responded immediately. In an official release, a Yahoo spokesman said "We’ve been looking into it and the US have now confirmed that they are investigating too. They will be in touch if there is a comment – otherwise I recommend that if users are concerned then they should change their passwords immediately."

Later Yahoo said that they had plugged the security hole. In their statement the spokesperson added, “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

But the issue was not completely resolved: immediately after Yahoo released its fix, Shahin Ramezany said that the fix is not good enough and that the Yahoo Mail exploit is still active. On Twitter he called the fix "not effective enough and users are still [at] risk," since the proof-of-concept code can be easily tweaked to continue attacks.




