Hyper Security
"Finding your way in the Dark world of Information security.."
Author: Da'H4cker (http://www.blogger.com/profile/13001174515870605619)
Feed last updated: 2024-03-14

Uncovering Win32/Momibot communication
Posted 2011-08-11
The malware sample I am going to be looking at today is classified as Backdoor:Win32/Momibot by Microsoft and also referred to as Backdoor/IRCNite by some other AV vendors. Packet captures of the sample from my automated sandbox results look something like this - So, basically the Trojan is communicating on TCP ports 8090 as well as 80. Forcing Wireshark to decode packets with TCP port 8090

Quick look into CVE-2011-1255 Microsoft IE Time Element Memory Corruption vulnerability
Posted 2011-07-13
Microsoft patched this vulnerability in June's Patch Tuesday, but as usual an exploit has emerged for it. The M86 Security team stumbled upon an exploit in the wild and they have already done an excellent job of covering the exploit vector. I fired up Malzilla and decided to dig a little bit deeper to see how the exploit works. This is a use-after-free vulnerability that is exploited using

Blocking Ultrasurf
Posted 2011-07-10
As part of maintaining Application Recognition signatures, I often get asked by customers if we have support for blocking Ultrasurf, the free proxy-based anonymizer tool that is often (mis)used for bypassing content filters in enterprises.
Unfortunately, blocking this over the network using IPS signatures is not possible since the traffic is encrypted. There has been a good amount of analysis done

Google Code hosting Malware components
Posted 2010-10-29
Nothing new; it has happened in the recent past, as folks at Zscaler had pointed out. But this time it's not the malware itself, but part of its configuration and components being hosted on Google Code servers. For those who don't know, Google Code is a free, web-based platform that provides tools and resources to developers interested in working on Google-related open source software projects or

After long time..
Posted 2010-09-23
Yeah, it's been a really really long time since I have written something here and I apologize for that. It's just that I have been a hell of a lot busy with new stuff at work and a lot of research that I have been doing in building malware automation frameworks! Plus not to mention the ton of 0days that have been piling on recently. Hopefully, I should get some more free time from now on and I will

Trojan Heloag Botnet
Posted 2010-04-14
Looks like there is a new Botnet on the horizon. Win32/Heloag is treated as a Backdoor Trojan by many AV companies but appears to be a new kind of Botnet that uses P2P for communicating with its peers and Bot master. It's been out there for a while now.
A recent post by Arbor Networks on the Bot's analysis actually prompted me to have a closer look at this piece of malware. Either their report is

PDF Command execution vulnerability
Posted 2010-04-01
Researcher Didier Stevens just managed to discover that he can make PDF reader execute any command without exploiting any vulnerability! On his blog he demonstrated how the "Launch" action parameter of a PDF document can be abused to execute an arbitrary command on the victim's machine. Though he did not reveal complete details, his partial PoC is good enough to guess how the attack can be made

Trying to skip the fish
Posted 2010-03-25
The automated web application security testing tool "skipfish" was released recently, which seems to have generated a lot of attention in the "security community". So, I decided to give it a try and install it in my lab. Unfortunately, I run very old Linux distros in my lab (like RedHat 9 for example) and I am too lazy to upgrade to newer versions. Anyways, during installation I soon realized that it's

CVE-2010-0188 Adobe Reader TIFF vulnerability
Posted 2010-03-12
The recent Adobe Reader vulnerability (CVE-2010-0188) seems to be doing a lot of rounds these days. Thanks to Mila (contagio blog), I got a chance to look at the malicious PDF file.
A quick look at the stats using the pdf-parser tool reveals the structure of this file -

    C:\Analyze>pdf-parser.py -a "2010 March Luncheon Invitation_FINAL.pdf"
    Comment: 4
    XREF: 0
    Trailer: 0
    StartXref:

Olympics 2010 news ending up with Malware
Posted 2010-02-16
Recently I covered how malware authors use Blackhat SEO poisoning to distribute malware to unsuspecting victims. Since then, I have been closely monitoring the news trends, and this time the bad guys are targeting searches related to the Vancouver Olympic games 2010. Tragedy struck at the Olympic games Luge (ice racing) event, when a 21-year-old athlete, Nodar Kumaritashvili, died during a

Trojan using MS SQL ??
Posted 2010-02-03
Well, it's my first post in 2010 :) ... rather late, apologize for that. Recently I came across a Trojan sample that actually connects to a database server and runs some SQL commands! This is the first time I saw something like this. Normally, backdoors and other malware use HTTP interfaces (POST/GET commands) to talk to their command servers, but in this case the malware was talking directly to

Digging deep into BlackHat SEO - Part2
Posted 2009-12-30
Picking up from where we left off last time, I decided to dig deep into how the whole fake AV scam was being done. So, I fired up Wireshark as I started to browse the Google search results for Brittany Murphy.
After clicking on the poisoned search result, we first land on a page that is just an HTML page with all the junk related to the Google search query. Depending on your internet speed, you

Digging deep into BlackHat SEO - Part1
Posted 2009-12-24
It was used before for tragic news and has been seen once again now when actress Brittany Murphy passed away over the last weekend. Cybercriminals have been very effectively using SEO techniques to download malware onto the machines of users who are browsing the Internet looking for the latest breaking news. A simple Google search for "Brittany Murphy death" reveals some interesting search results. After

NetBIOS Spoofing
Posted 2009-12-02
The other day I came across a post at skullsecurity.org that spoke about an interesting way of using the NetBIOS name service for doing a MiTM attack. The author showed how his tool nbpoison could be used to inject false NetBIOS information on the wire and spoof other hosts. This is a very interesting form of doing MiTM as there is no ARP spoofing involved, and that is good, since every Tom, Dick and

Dissecting Zeus Botnet...
Posted 2009-11-20
Posting after a long time.. was quite busy with some presentations to make as well as with my Protocol Fuzzer script, which should be ready soon.
Anyways, the Zeus Botnet has been around for quite some time now and has gained some attention with its Internet banking password stealing campaigns and the Zeus Crimeware Kit! Recently I received a sample which happened to be one of the Trojans belonging

Interesting C&C BotNets
Posted 2009-09-24
Gone are the days when "Command & Control" Botnets were controlled using IRC channels or web servers. These days, attackers have moved to more sophisticated techniques, or rather they are taking advantage of already available public infrastructure to control their army of Bots. One such case is that of a Bot using Google Groups for sending out the control commands. Discovered by a researcher

Strange piece of Malware..
Posted 2009-09-04
Recently I came across two strange pieces of malware: Win32/Induc.A and Win32/Skytap.A. Well, you can't exactly call the first one malware because it does not do the usual malicious stuff like disabling AVs, downloading Trojans, stealing data etc.. But it's very interesting in the way it spreads. Win32/Induc.A is the first of its kind malware that affects Delphi compilers. For those who

Discovering ActiveX Vulnerabilities -- Part 3 [The Exploit]
Posted 2009-08-20
So far we have seen how to use Dranzer for discovering vulnerabilities in ActiveX objects.
In this third & final part of the series we will look at creating a real-world exploit from the vulnerability we discovered while fuzzing last time. This, at times, is a very challenging task. Not all vulnerabilities are that easy to exploit. It requires quite some amount of patience and luck to get

Credit Cards for sale ??
Posted 2009-08-18
Ever wondered what malware authors gain by writing malicious code?? Well, if this question was asked a decade ago, the answer would be slightly different than what it is today! The so-called "underground" scene was totally different from what it is today. In those days it would be for fun or showing off real hacker skills. Nowadays it's just about earning quick bucks and big bucks!! Like

Discovering ActiveX Vulnerabilities -- Part 2 [Fuzzing]
Posted 2009-08-12
So, continuing from where we left off last time, we will be looking at the Dranzer fuzzing tool in detail in this part. In case you landed here directly and are wondering what this is all about, I suggest you have a look here first. Dranzer is a well documented tool and I also suggest you have a look at their documentation before starting with this so that you will be familiar with it in general.

Discovering ActiveX Vulnerabilities -- Part 1 [ Introduction ]
Posted 2009-08-11
Recently, I discovered a vulnerability in an ActiveX control.
Before starting with the discovery, I had absolutely no clue as to how to discover and exploit vulnerabilities in ActiveX. I learned the hard way, so finally I decided to make a small tutorial that could make life easier for guys like me :) ! In this 3-part series, I will be covering how to use ActiveX fuzzers to find vulnerabilities in

It's raining 0day's...
Posted 2009-07-15
Whew.. ! The last 10 days have been quite busy for security folks like me. There have been 3 incidents of 0days being discovered recently. It all started with the DirectX ActiveX vulnerability which I blogged previously. Then later, a Microsoft Office Web Components ActiveX vulnerability was observed to be exploited in the wild. The list of domains hosting the Microsoft exploit is published &

Microsoft IE 0day ...Not again !?
Posted 2009-07-07
Sad, but true. Once again MS Internet Explorer users have to run around hiding from the MPEG2 ActiveX exploit that is lurking around exploiting this new vulnerability in "msvidctl.dll". And there is still no patch available for this critical vulnerability. I think, looking at the licensing costs, Micro$oft products should come with some sort of SLA when we buy them, like maybe fixing critical

Bad news for some.. good for others..
Posted 2009-07-01
It's said that bad news travels fast! And no doubt it does, but generally it's the bad guys who catch it first.
Whether it is Michael Jackson's death or the Swine flu pandemic or the Air France crash, malware authors don't spare anything that they can use as bait. The moment such news is out, the bad guys immediately register fake domain names and, using SEO (Search Engine Optimization) attacks, make sure

A new breed of attacks
Posted 2009-06-23
In the beginning of 2009, there was a sudden increase in a new form of malware being distributed. The bad guys are now getting smarter by the day, giving rise to a new breed of attacks being carried out. All the attacks have one thing in common though - they exploit victims' paranoia about malware!
Scareware
Almost every month there is a new variant of these so-called security or Antivirus programs. These