<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-1523707327337901416</atom:id><lastBuildDate>Thu, 17 Sep 2015 06:29:38 +0000</lastBuildDate><category>malware</category><category>reverse engineering</category><category>0day</category><category>conficker.e</category><category>botnet</category><category>CVE-2009-4324</category><category>exploit</category><category>mebroot</category><category>torpig</category><category>malware analysis</category><category>pdf</category><category>CVE-2010-0249</category><category>CVE-2010-4091</category><category>poc</category><category>printSeps</category><category>sinowal</category><category>Aurora</category><category>firefox</category><category>rootkit</category><category>APT</category><category>AS8452</category><category>Black Hat Seo</category><category>DDOS</category><category>DLL hijacking</category><category>Egypt Telecom</category><category>Internet isolation</category><category>as</category><category>bgp</category><category>bot</category><category>breach</category><category>bulkbin.cn</category><category>conficker.gen</category><category>cyberwar</category><category>data breach</category><category>ebnvnos.com</category><category>hd moore</category><category>javascript-analytics.com</category><category>mobile 
malware</category><category>rbn</category><category>sourceforge</category><category>waledac</category><category>318x</category><category>Android</category><category>Backdoor.Pirpi</category><category>Bo</category><category>CVE-2004-0194</category><category>CVE-2010-0806</category><category>CVE-2010-3765</category><category>CVE-2010-3962</category><category>DroidKungFu</category><category>Egypt</category><category>Exploit-Comele</category><category>HTRAN</category><category>LATVIA</category><category>Licat</category><category>Murofet</category><category>Operation Shady RAT</category><category>RSA</category><category>SpyEye</category><category>TDSS</category><category>VB.AAG Trojan</category><category>Zbot.B</category><category>afcore</category><category>anonops</category><category>bgplay</category><category>bug</category><category>censorship</category><category>china</category><category>chymine.a</category><category>conficker.c</category><category>coreflood</category><category>cve-2010-2568</category><category>cve-2011-0609</category><category>cyberwarfare</category><category>cymru</category><category>debugging</category><category>diginotar</category><category>dllhijacking</category><category>downadup.gen</category><category>e107</category><category>eldorado rootkit</category><category>encoding</category><category>entrypoint</category><category>ettercap</category><category>exploi</category><category>exploiting</category><category>exploits</category><category>exposed</category><category>flash</category><category>flash player.</category><category>full disclosure</category><category>fuzzing</category><category>info</category><category>irc</category><category>java</category><category>korea</category><category>leechers</category><category>loic</category><category>lsass</category><category>massive spreading</category><category>memory 
corruption</category><category>metasploit</category><category>mmspicture.ru</category><category>owned</category><category>paimei</category><category>pbot</category><category>printSeps()</category><category>pushbot</category><category>robtex</category><category>rogue</category><category>russian business network</category><category>script</category><category>sql injection</category><category>stuxnet</category><category>tld</category><category>vispa</category><category>vmware</category><category>xpl.pdf</category><title>extraexploit</title><description></description><link>http://extraexploit.blogspot.com/</link><managingEditor>noreply@blogger.com (extraexploit)</managingEditor><generator>Blogger</generator><openSearch:totalResults>98</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-3195789813827618024</guid><pubDate>Fri, 02 Nov 2012 21:58:00 +0000</pubDate><atom:updated>2015-05-21T05:50:41.733-07:00</atom:updated><title>extraexploit memories</title><atom:summary type="text">Months and years ago, I spent many nights trying to expose what the cyber security was (is) avoiding the  academic perspective, although, my first post was quite close to an academic point of view   (the top cc tld called by conficker.C). I can remember a lot of posts never completed and tons and tons of grammar ,spelling and language mistakes... 
however I hope that something still remains </atom:summary><link>http://extraexploit.blogspot.com/2012/11/extraexploit-memories.html</link><author>noreply@blogger.com (extraexploit)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-7445088261888353752</guid><pubDate>Fri, 27 Jan 2012 07:18:00 +0000</pubDate><atom:updated>2012-01-29T03:54:47.074-08:00</atom:updated><title>the last/final touch!</title><atom:summary type="text">It&#39;s very sad to recognize and discover that the screenshots on my blog, which for some reason have been saved in the &quot;Gallery&quot; of my Android mobile phone, once cleared from there, will be deleted from the Google cloud! Could someone confirm this? This blog has meant a lot to me although I have ceased to update it ... but with this last touch .. I almost want to finalize it.

what remains of my </atom:summary><link>http://extraexploit.blogspot.com/2012/01/last-touch.html</link><author>noreply@blogger.com (extraexploit)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-9161919654827941976</guid><pubDate>Tue, 06 Sep 2011 10:38:00 +0000</pubDate><atom:updated>2011-09-15T01:49:44.225-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">APT</category><category domain="http://www.blogger.com/atom/ns#">cyberwar</category><category domain="http://www.blogger.com/atom/ns#">data breach</category><category domain="http://www.blogger.com/atom/ns#">diginotar</category><title>DigiNotar facts - just some links</title><atom:summary type="text">
DigiNotar Certificate Authority breach “Operation Black Tulip”

http://t.co/VC91bjo 

DigiNotar CA compromise
http://community.websense.com/blogs/securitylabs/archive/2011/08/30/diginotar-ca-compromise.aspx 

Certificate hacker probably paid by Iran, say victimised firms
http://computerworld.co.nz/news.nsf/security/certificate-hacker-probably-paid-by-iran-say-victimized-firms

DigiNotar </atom:summary><link>http://extraexploit.blogspot.com/2011/09/diginotar-facts-just-some-links.html</link><author>noreply@blogger.com (extraexploit)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-2086860530408859319</guid><pubDate>Thu, 04 Aug 2011 09:18:00 +0000</pubDate><atom:updated>2011-08-04T02:49:34.099-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">APT</category><category domain="http://www.blogger.com/atom/ns#">cyberwar</category><category domain="http://www.blogger.com/atom/ns#">HTRAN</category><category domain="http://www.blogger.com/atom/ns#">Operation Shady RAT</category><title>Operation Shady RAT - HTran</title><atom:summary type="text">HTran and the Advanced Persistent Threat
http://www.secureworks.com/research/threats/htran/

The code: http://www.pudn.com/downloads119/sourcecode/windows/network/detail508294.html
(it also appears in the Secureworks analysis)

What follows is an abstract of the code:

 </atom:summary><link>http://extraexploit.blogspot.com/2011/08/operation-shady-rat-htran-is-this-code.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-nerfdsf3Im8/TjpjW_gDE7I/AAAAAAAABB0/DxWSTVEJhO0/s72-c/htran.png" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-6652975876595834124</guid><pubDate>Mon, 04 Jul 2011 13:12:00 +0000</pubDate><atom:updated>2012-01-26T23:19:52.755-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">CVE-2004-0194</category><category domain="http://www.blogger.com/atom/ns#">encoding</category><category domain="http://www.blogger.com/atom/ns#">exploit</category><title>an old bug for a new job ? CVE-2004-0194</title><atom:summary type="text">
A couple of months ago I received an interesting challenge to get to the final (I think) step in the job selection path for a big company (not a well known exploit research company, but if you are reading this post you are probably using one of their OSes). The challenge consisted in writing an exploit for CVE-2004-0194. Obviously, the first step I followed was a good googling activity</atom:summary><link>http://extraexploit.blogspot.com/2011/07/old-bug-for-new-job-cve-2004-0194.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-goi_MWbNzJA/ThG5KYpgAAI/AAAAAAAAA9U/q4zkN55vo1I/s72-c/NEOHAPSIS+-+Peace+of+Mind+Through+Integrity+and+Insight+-+Mozilla+Firefox_2011-07-04_14-56-07.png" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-3741072392835435700</guid><pubDate>Wed, 22 Jun 2011 14:13:00 +0000</pubDate><atom:updated>2011-06-22T13:49:31.299-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">TDSS</category><title>TDSS - SRVs list</title><atom:summary type="text">I just found via pastebin (http://pastebin.com/jWDhEfGB) a domain list related to TDSS. The SRVs, according to this analysis http://resources.infosecinstitute.com/tdss4-part-2/, are the C&amp;C from which bots receive commands. What sounds a bit strange is that the content of the pastebin above matches the syntax used in the configuration file of the rootkit. 
Anyway it is possible to count 2514 </atom:summary><link>http://extraexploit.blogspot.com/2011/06/tdss-srvs-list.html</link><author>noreply@blogger.com (extraexploit)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-7768553909932247716</guid><pubDate>Tue, 07 Jun 2011 12:33:00 +0000</pubDate><atom:updated>2012-01-26T23:33:33.877-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Android</category><category domain="http://www.blogger.com/atom/ns#">china</category><category domain="http://www.blogger.com/atom/ns#">DroidKungFu</category><category domain="http://www.blogger.com/atom/ns#">mobile malware</category><title>DroidKungFu - just some piece of code</title><atom:summary type="text">Following the trend of the moment, I played a bit with the sample of DroidKungFu retrieved from the contagiodump malware sample repository. To obtain the JAR archive I used dex2jar (http://code.google.com/p/dex2jar/downloads/list) after I had extracted the Dalvik Executable Format embedded in the APK. 
Once the JAR file is obtained, it is very easy to obtain the clear code with (for example) Java </atom:summary><link>http://extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-a8krR0DGeB0/Te4W6CHRS8I/AAAAAAAAA8w/fvuBs7ck5n4/s72-c/shot001.PNG" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-4857918347350799840</guid><pubDate>Fri, 18 Mar 2011 14:19:00 +0000</pubDate><atom:updated>2011-03-18T07:21:10.622-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">bug</category><category domain="http://www.blogger.com/atom/ns#">flash player.</category><title>FlashUtil10m_Plugin.exe command line crash</title><atom:summary type="text">It is interesting to observe how nowadays some old style bugs are still available. I think that this one is not a security bug, but a deeper investigation is left to all who are interested. Anyway it is sufficient to pass a single char as command line parameter to this FlashUtil10m_Plugin.exe (also called Flash Player Installer/Uninstaller) to generate a crash. 
If you are Admin, there appears something like the </atom:summary><link>http://extraexploit.blogspot.com/2011/03/flashutil10mpluginexe-command-line.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh4.googleusercontent.com/-RCNH2zebZqQ/TYNmzoFO0SI/AAAAAAAAA8g/lRSVUp3oqCA/s72-c/flashcrash.PNG" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-2905440232448788400</guid><pubDate>Tue, 15 Mar 2011 16:00:00 +0000</pubDate><atom:updated>2011-04-04T07:42:13.818-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">cve-2011-0609</category><category domain="http://www.blogger.com/atom/ns#">data breach</category><category domain="http://www.blogger.com/atom/ns#">RSA</category><title>cve-2011-0609 - bugix blog analysis</title><atom:summary type="text">April 4, 2011 - Update:
RSA has released a blog post describing that this issue was used in the recent data breach:
http://blogs.rsa.com/rivner/anatomy-of-an-attack/

March 15, 2011:  
A researcher has just added a very interesting analysis about this 0day:

bugix blog cve-2010-0609 analysis - by villys777 
http://bugix-security.blogspot.com/2011/03/</atom:summary><link>http://extraexploit.blogspot.com/2011/03/cve-2011-0609-bugix-blog-analysis.html</link><author>noreply@blogger.com (extraexploit)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-8816299686305873099</guid><pubDate>Sun, 06 Mar 2011 12:13:00 +0000</pubDate><atom:updated>2011-03-16T18:48:09.066-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">mmspicture.ru</category><category domain="http://www.blogger.com/atom/ns#">mobile malware</category><title>mmspicture.ru - mobile malware depot</title><atom:summary type="text">Following a well known mailing list (clean-mx aka viruswatch), the following URL was retrieved:

http://mmspicture.ru/mms112/mms112.jar (md5: 33EA90E2029478D47D33409B5F48E4EB)

The JAR file is already detected by VirusTotal. Playing a bit with the URL path, it is possible to retrieve another JAR file: 

http://mmspicture.ru/mms113/mms113.jar

The MD5 (4CC0EBCE1428EE3649C67A13734F2EDE) of this</atom:summary><link>http://extraexploit.blogspot.com/2011/03/mmspictureru-mobile-malware-depot.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh5.googleusercontent.com/-yWSp84Zje9k/TXNnNdfwmUI/AAAAAAAAA8E/FHyahgEjrTo/s72-c/javasshot001.PNG" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-4178313689334547061</guid><pubDate>Wed, 02 Feb 2011 20:36:00 +0000</pubDate><atom:updated>2011-02-02T15:33:58.876-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">AS8452</category><category domain="http://www.blogger.com/atom/ns#">Egypt Telecom</category><category domain="http://www.blogger.com/atom/ns#">Internet isolation</category><title>Egypt Telecom back online– ASN8452 TE DATA– prefix 81.10.0.0/17</title><atom:summary type="text">The prefix 81.10.0.0/17 “ALL-Routes” seems to be announced again to the rest of the world via the Telecom Italia Sparkle Autonomous System (ASN 6762). Here is the animation made with BGPlay:
The time range is between 29 January 2011 00:00 and 2 February 2011 08:00 PM (local time). For more info on BGPlay see my previous post http://extraexploit.blogspot.com/2011/01/</atom:summary><link>http://extraexploit.blogspot.com/2011/02/egypt-telecom-back-online-asn8452-te.html</link><author>noreply@blogger.com (extraexploit)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-6341740085920559177</guid><pubDate>Fri, 28 Jan 2011 13:45:00 +0000</pubDate><atom:updated>2011-02-02T12:48:19.059-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">AS8452</category><category domain="http://www.blogger.com/atom/ns#">bgplay</category><category domain="http://www.blogger.com/atom/ns#">censorship</category><category domain="http://www.blogger.com/atom/ns#">cyberwarfare</category><category domain="http://www.blogger.com/atom/ns#">Egypt</category><category domain="http://www.blogger.com/atom/ns#">Egypt Telecom</category><category domain="http://www.blogger.com/atom/ns#">Internet isolation</category><title>Egypt Telecom AS isolation - BGPlay show it ?</title><atom:summary type="text">January 31, 2011 – Update:
An interesting snapshot of Egyptian malware activity. ASN 20928 appears to be still active

Egypt&#39;s malware activity post internet shutdown
http://www.unveillance.com/latest-news/egypts-malware-activity-post-internet-shutdown/

Why One Egyptian ISP is Still Online 
http://newsgrange.com/why-one-egyptian-isp-is-still-online/

January 29, 2011 – Update:

I try to make the</atom:summary><link>http://extraexploit.blogspot.com/2011/01/egypt-telecom-as-isolation-bgplay-show.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_uioOPkGBTsE/TULHmC9r0VI/AAAAAAAAA7o/BPcb5KqfSTw/s72-c/egypt001.PNG" height="72" width="72"/><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-7905162261028762228</guid><pubDate>Sat, 22 Jan 2011 20:34:00 +0000</pubDate><atom:updated>2011-02-03T01:26:49.005-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">bot</category><category domain="http://www.blogger.com/atom/ns#">botnet</category><category domain="http://www.blogger.com/atom/ns#">breach</category><category domain="http://www.blogger.com/atom/ns#">e107</category><category domain="http://www.blogger.com/atom/ns#">entrypoint</category><category domain="http://www.blogger.com/atom/ns#">sourceforge</category><title>the sourceforge entry point seems still active</title><atom:summary type="text">February 3, 2011 - Update:

A discussion on e107 official web site: http://e107.org/comment.php?comment.news.878


February 2, 2011 - Update:   
  
Just another piece of evidence of the sourceforge breach being used by a web bot. At least, from the following screenshot, it seems that the entry point was detected by a web vuln scanner bot. The following figure shows a well known method used by web bots to post in some </atom:summary><link>http://extraexploit.blogspot.com/2011/01/sourceforge-entry-point-seems-still.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_uioOPkGBTsE/TUlp24Iu0-I/AAAAAAAAA74/AOofSh3xHHU/s72-c/sourceforgeevidence.PNG" height="72" width="72"/><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-7191218177705762554</guid><pubDate>Wed, 29 Dec 2010 18:06:00 +0000</pubDate><atom:updated>2010-12-30T00:03:04.940-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">bot</category><category domain="http://www.blogger.com/atom/ns#">breach</category><category domain="http://www.blogger.com/atom/ns#">ettercap</category><category domain="http://www.blogger.com/atom/ns#">exposed</category><category domain="http://www.blogger.com/atom/ns#">owned</category><category domain="http://www.blogger.com/atom/ns#">pbot</category><category domain="http://www.blogger.com/atom/ns#">sourceforge</category><title>some considerations on Ettercap source code repository breach</title><atom:summary type="text">Recently a new issue of a zine called “owned and exposed” has been released (http://www.exploit-db.com/papers/15823/). I have to admit I laughed a lot when I saw this picture. I think that the picture above is the truth of what the security field is today. 
Anyway, ending my personal considerations, I would like to show you a mind map that I made during past research on web bot </atom:summary><link>http://extraexploit.blogspot.com/2010/12/some-considerations-on-ettercap-source.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh6.ggpht.com/_uioOPkGBTsE/TRt4sDpWsfI/AAAAAAAAA64/uBlcTMYcxGo/s72-c/ownedandexposed_thumb%5B4%5D.png?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-6591326666264634186</guid><pubDate>Tue, 14 Dec 2010 09:33:00 +0000</pubDate><atom:updated>2010-12-14T17:24:39.787-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">anonops</category><category domain="http://www.blogger.com/atom/ns#">DDOS</category><category domain="http://www.blogger.com/atom/ns#">loic</category><title>LOIC 1.1.1.15 - Crafted C&amp;C Channel Topic Could Lead A Crash</title><atom:summary type="text">Following the trend of these days I played (locally) with one of the latest releases of LOIC (Low Orbit Ion Cannon DDOS Tool). Inserting a (not so) long string in the topic of a C&amp;C IRC channel, there seems to be a memory corruption condition.

The screenshot above shows a crafted topic that triggers the issue. The impacted tested release is 1.1.1.15. A few more details related to the .NET </atom:summary><link>http://extraexploit.blogspot.com/2010/12/loic-11115-buffer-overflow.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_uioOPkGBTsE/TQc5UUAz6EI/AAAAAAAAA6k/c_p20H8dtD0/s72-c/loicbof.PNG" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-7080032269034200183</guid><pubDate>Tue, 30 Nov 2010 11:15:00 +0000</pubDate><atom:updated>2010-11-30T03:17:25.258-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">0day</category><category domain="http://www.blogger.com/atom/ns#">CVE-2010-4091</category><category domain="http://www.blogger.com/atom/ns#">pdf</category><category domain="http://www.blogger.com/atom/ns#">poc</category><category domain="http://www.blogger.com/atom/ns#">printSeps</category><title>cve-2010-4091 exploited ? – 0.2 – Adobe Reader 9.3.0</title><atom:summary type="text">Starting from the malwaretracker sample (see my previous posts), it seems that edx and ecx are set to some interesting values:</atom:summary><link>http://extraexploit.blogspot.com/2010/11/cve-2010-4091-exploited-02-adobe-reader.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh4.ggpht.com/_uioOPkGBTsE/TPTdQxcEq0I/AAAAAAAAA6c/7eqDgYMBDU8/s72-c/overwritten_thumb%5B3%5D.png?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-5056704185624649049</guid><pubDate>Thu, 25 Nov 2010 16:43:00 +0000</pubDate><atom:updated>2010-11-26T02:33:08.983-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">0day</category><category domain="http://www.blogger.com/atom/ns#">CVE-2010-4091</category><category domain="http://www.blogger.com/atom/ns#">pdf</category><category domain="http://www.blogger.com/atom/ns#">poc</category><category domain="http://www.blogger.com/atom/ns#">printSeps</category><title>cve-2010-4091 exploited ? – 0.1</title><atom:summary type="text">Trying to reverse the shell code contained within the PDF that seems to exploit CVE-2010-4091, according to the sample reported by MalwareTracker, the following URL was found:
http://212.117.168.89/ad/fi_16.php
From Robtex:
The URL above is down at this time or no longer available. 
Was it really exploited to retrieve malware from </atom:summary><link>http://extraexploit.blogspot.com/2010/11/cve-2010-4091-exploited-01.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh6.ggpht.com/_uioOPkGBTsE/TO6SLHwPl0I/AAAAAAAAA6M/VykhH7kkUUk/s72-c/image_thumb%5B3%5D.png?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-1957385644476162943</guid><pubDate>Fri, 19 Nov 2010 14:40:00 +0000</pubDate><atom:updated>2010-11-24T14:00:08.301-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">CVE-2010-4091</category><category domain="http://www.blogger.com/atom/ns#">pdf</category><category domain="http://www.blogger.com/atom/ns#">poc</category><category domain="http://www.blogger.com/atom/ns#">printSeps</category><title>cve-2010-4091 exploited ?</title><atom:summary type="text">November 24, 2010 – Update:
Looking for other exploitation attempts I found a Malwaretracker sample where the PDF seems to spread via a URL that contains:
filepdf.php@v=zday
The following analysis reports the objects used within this PDF (which is different from the fulldisclosure PDF):
http://www.malwaretracker.com/pdfsearch.php?hash=0398e68507882a38a26a341058c94653&amp;submit=Search
November 22 </atom:summary><link>http://extraexploit.blogspot.com/2010/11/cve-2010-4091-exploited.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh6.ggpht.com/_uioOPkGBTsE/TO0hZNBIpYI/AAAAAAAAA6E/l9rh-MkoK0I/s72-c/image_thumb%5B3%5D.png?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-5718083974596246122</guid><pubDate>Fri, 12 Nov 2010 00:57:00 +0000</pubDate><atom:updated>2010-11-27T15:59:23.027-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">0day</category><category domain="http://www.blogger.com/atom/ns#">CVE-2010-4091</category><category domain="http://www.blogger.com/atom/ns#">pdf</category><category domain="http://www.blogger.com/atom/ns#">printSeps</category><title>cve-2010-4091 – printSeps - exploitation attempts</title><atom:summary type="text">November 26, 2010 – update:
This is a very useful presentation (from Immunity Sec) where it is possible to get some methods to approach the reversing of the JavaScript engine in the Adobe Reader context:
Attacking Embedded Languages
http://www.immunitysec.com/downloads/ID_reCON_2008.odp
November 16, 2010 – update:
In the previous post I didn’t report where is the place in the </atom:summary><link>http://extraexploit.blogspot.com/2010/11/cve-2010-4091-printseps-exploitation.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh4.ggpht.com/_uioOPkGBTsE/TOKuqHxJeeI/AAAAAAAAA5Y/woww-pPWtmc/s72-c/image_thumb%5B3%5D.png?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-5163498914798326035</guid><pubDate>Thu, 04 Nov 2010 15:24:00 +0000</pubDate><atom:updated>2010-11-27T15:51:01.429-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">0day</category><category domain="http://www.blogger.com/atom/ns#">CVE-2010-4091</category><category domain="http://www.blogger.com/atom/ns#">exploit</category><category domain="http://www.blogger.com/atom/ns#">pdf</category><category domain="http://www.blogger.com/atom/ns#">printSeps()</category><category domain="http://www.blogger.com/atom/ns#">xpl.pdf</category><title>full disclosure xpl.pdf Adobe Reader 9.4 poc - printSeps() - cve-2010-4091</title><atom:summary type="text">November 26, 2010 – Update:
Thank you, Mario, but our printSeps() is in another castle !
http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/26/Thank-you-Mario-but-our-printSeps%28%29-is-in-another-castle
November 22, 2010 – Update:
Who’s looking for eggs in your PDF? (reported also in cve-2010-4091 exploited ?)
http://labs.m86security.com/2010/11/</atom:summary><link>http://extraexploit.blogspot.com/2010/11/full-disclosure-xplpdf-adober-reader-94.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_uioOPkGBTsE/TNf8hzluK1I/AAAAAAAAA5E/efI3o7cbR8s/s72-c/printseps0003.PNG" height="72" width="72"/><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-5246424657732455201</guid><pubDate>Wed, 03 Nov 2010 16:09:00 +0000</pubDate><atom:updated>2010-11-12T01:35:27.214-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">0day</category><category domain="http://www.blogger.com/atom/ns#">Backdoor.Pirpi</category><category domain="http://www.blogger.com/atom/ns#">CVE-2010-3962</category><title>CVE-2010-3962 - yet another Internet Explorer RCE</title><atom:summary type="text">Update - November, 12 2010:
Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day 
http://community.websense.com/blogs/securitylabs/archive/2010/11/10/Amnesty-International-Hong-Kong-Website-Injected-With-Latest-Internet-Explorer-0_2D00_day-.aspx

 
Update - November, 5 2010:
CVE-2010-3962 - BindShell proof of concept:
http://www.offensive-security.com/0day/</atom:summary><link>http://extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_uioOPkGBTsE/TNJ8QdpimzI/AAAAAAAAA48/paJTav91ieA/s72-c/cve-2010-3962.JPG" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-4432438860368456209</guid><pubDate>Thu, 28 Oct 2010 09:40:00 +0000</pubDate><atom:updated>2010-10-29T03:05:11.577-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">0day</category><category domain="http://www.blogger.com/atom/ns#">CVE-2010-3765</category><category domain="http://www.blogger.com/atom/ns#">exploit</category><category domain="http://www.blogger.com/atom/ns#">firefox</category><category domain="http://www.blogger.com/atom/ns#">poc</category><title>CVE-2010-3765 - proof of concept - update</title><atom:summary type="text">October, 29 1010 - UPDATE: the working exploit (in according with BugX blog): 
http://bugix-security.blogspot.com/2010/10/firefox-exploitcve-2010-3765.html
   
October, 28 2010 
For those who still do not know .. The proof of concept for CVE-2010-3765 is the following:
More details at: https://bugzilla.mozilla.org/show_bug.cgi?id=607222. The issue seems resolved with Firefox </atom:summary><link>http://extraexploit.blogspot.com/2010/10/cve-2010-3765-proof-of-concept.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_uioOPkGBTsE/TMlEW_6V-NI/AAAAAAAAA44/MwWjjSD01UA/s72-c/cve-2010-CVE-3765.JPG" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-4687804388596796065</guid><pubDate>Thu, 14 Oct 2010 15:24:00 +0000</pubDate><atom:updated>2010-11-02T03:22:14.915-07:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Licat</category><category domain="http://www.blogger.com/atom/ns#">Murofet</category><category domain="http://www.blogger.com/atom/ns#">Zbot.B</category><title>Some domains for the LICAT / Murofet / Trojan/ZBOT.B threat</title><atom:summary type="text">Update (2 November): A deep and very interesting analysis from Trend Micro:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/file-patching_zbot_variants_-_zeus_2.0_levels_up__oct_2010_.pdf

Update (15 October): ThreatExpert has released the domain name generation algorithm for MUROFET/Licat 
http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html

</atom:summary><link>http://extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html</link><author>noreply@blogger.com (extraexploit)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-5681959278754853763</guid><pubDate>Wed, 06 Oct 2010 14:12:00 +0000</pubDate><atom:updated>2011-01-23T06:02:26.657-08:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Black Hat Seo</category><title>dollars javascript code – yet another Javascript obfuscation method for cc frauds ( and black hat seo ) – part 0.2</title><atom:summary type="text">Trying to find some common factors in the pages included in the compromised sites (as indicated in the previous post: http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another.html) there is evidence of a large number of sites that are suffering from the same problem. In particular, using keywords that are common to many of these malicious pages, you get the following results:
</atom:summary><link>http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another_06.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh5.ggpht.com/_uioOPkGBTsE/TKyDg32dvDI/AAAAAAAAA4k/JWrpIjGy-6c/s72-c/sshot002_thumb%5B4%5D.png?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-1523707327337901416.post-2941473789882491532</guid><pubDate>Tue, 05 Oct 2010 23:17:00 +0000</pubDate><atom:updated>2011-01-25T02:16:38.719-08:00</atom:updated><title>dollars javascript code – yet another Javascript obfuscation method for cc frauds</title><atom:summary type="text">January 25,  2011 – Update:
a detailed analysis in which my post is also reported:
Internet  Explorer  exSploit Milk codes  
http://utf-8.jp/public/20101106/avtokyo.pptx
 
October 5, 2010:
From the MDL forum, I got a post where a user (many thanks to Edgar) reported a strange Javascript code injected in some Italian web sites. Specifically, the message is located at the following URL: 
 http://</atom:summary><link>http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another.html</link><author>noreply@blogger.com (extraexploit)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://lh5.ggpht.com/_uioOPkGBTsE/TKuzaGchYDI/AAAAAAAAA3A/uE3eKBGtndM/s72-c/dollarscode001_thumb%5B15%5D.png?imgmax=800" height="72" width="72"/><thr:total>3</thr:total></item></channel></rss>