Archive | October, 2010

Critical 0-day Vulnerability In Adobe Flash Player, Reader & Acrobat

The New Acunetix V12 Engine


Well this seems to be a frequently recurring theme, yes there is yet another critical 0day vulnerability in Adobe products – pretty much across the board this time.

It was that long ago that a critical flaw in Flash put Android phones at risk. The core vulnerability exists in Flash but it’s being actively exploited in Adobe Reader via the usual pdf route.

The vulnerability exists across all OS versions (including Android), but as usual the active exploitation seems to be taking place on the Windows platform.

Adobe has confirmed reports that yet another unpatched vulnerability in the latest versions of its ubiquitous software is being actively exploited to infect end users with data-stealing malware.

The vulnerability exists in Adobe’s Reader document viewer and Flash Media Player for Windows, OS X and Unix operating systems, Adobe warned on Thursday. According to independent researchers, it is being exploited in the wild against Reader for Windows to install a nasty trojan known as Wisp, which according to Microsoft, steals sensitive user data and installs a backdoor on compromised systems.

The vulnerability itself resides in Adobe’s Flash Player, which is available as stand alone software and is also embedded into Reader. According to researcher Mila Parkour of the Contagio Malware Dump blog, poisoned PDF documents are circulating that drop two malicious binaries onto Windows machines that open the document files.

A screenshot identified the two files as nsunday.exe and nsunday.dll. A Virus Total scan showed just 15 of 42 antivirus programs were detecting the malicious EXE. She didn’t say whether the attacks succeed against more recent versions of the OS, which Microsoft has designed to withstand many of the most common types of exploits.

This vector comes to pass as Flash player is also embedded into Adobe Reader, so by using a malicious PDF file with the AuthPlay exploit – they can trigger the Flash player flaw and drop malware into the OS.

There is information on how to disable the AuthPlay functionality at the bottom of the Adobe advisory:

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

Basically you need to go to the Adobe Reader directory and delete the AuthPlayLib.bundle (Windows/Mac OSX) or libauthplay.so.0.0.0. (linux) file.


Adobe said it planned to patch the vulnerability in Flash during the week of November 9 and in Reader during the week of November 15. The schedule is puzzling, since Reader has been confirmed to be under attack and Flash has not been confirmed.

In the meantime, users can protect themselves by using an alternate document viewer, such as Foxit. For those who must use Reader, Adobe said they can mitigate attacks by removing functionality known as AuthPlay, by following the instructions near the bottom of this advisory. Adobe provided no temporary measures Flash users can follow.

It’s been a bad couple of years for Adobe’s security team, which has gotten repeatedly hammered by critical vulnerabilities that are exploited by criminals to install malware on users’ machines. Three weeks ago, the company issued a fix for a security flaw in Reader that was also under attack by a highly sophisticated exploit. Last month, Adobe fixed a critical vulnerability in Flash that was also being used to compromise end user computers.

Adobe is also in the process of developing a patch for a code-execution bug in its Shockwave Player. By many researchers’ reckoning, Reader is among the world’s most exploited applications, in close competition with Oracle’s Java framework and, of course, various Microsoft programs.

From recent attacks it seems Adobe Reader and Flash are amongst the most exploited applications, especially when it comes to serious vulnerabilities that allow code-execution.

The new generation Adobe Reader with Sandbox Feature can’t come soon enough.

There’s also more here:

Hackers exploit newest Flash zero-day bug

Source: The Register

Posted in: Exploits/Vulnerabilities, Malware, Windows Hacking

Topic: Exploits/Vulnerabilities, Malware, Windows Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Firesheep Download – Session Hijacking Tool For Windows

Use Netsparker


A huge wave has been made by this Firesheep in the mainstream media this week as it makes session hijacking a click and go procedure for Windows. It was released at Toorcon 12 and is simply a Firefox Add-on.

Firesheep Download - Session Hijacking Tool For Windows


What is Firesheep?

Stealing sessions/passwords and so on is something we’ve been able to do for a LONG time using Wireshark or Ettercap on a hub based or WiFi network running without encryption. But now with Firesheep anyone can do it, and they can do it VERY easily, which is somewhat scary. It is incredibly easy to use, download the add-on, login to a public WiFi spot and click a button…you’ll then be shown images and usernames of various people using networks such as Facebook, Twitter, Flickr, bit.ly, Google and Amazon. With a double-click on their image, you’ll be logged in as them immediately.

Firesheep is free and open source and works on Mac OS X and Windows with Linux support being promised soon. The download rate of this add-on is epic with over 320,000 downloads in 3 days.

How to Protect Against Firesheep?

I expect you already know how to protect yourself from this kind of attack, but if you don’t…use a high-quality VPN like PureVPN whenever you are on a public Wifi spot! If you don’t have VPN access or can’t be arsed to set one up just make sure you force SSL/TLS on every site you surf – but do note to protect against this attack, you have to encrypt the entire session and not just the initial authentication.

Google has a secure search option too here – https://encrypted.google.com/

You can find the slides from the Toorcon 12 presentation here:

Hey Web 2.0: Start protecting user privacy instead of pretending to


Firesheep Session Hijacking Requirements

Windows users are required to install WinPcap.

Download Firesheep to Hack Facebook

You can download Firesheep v0.1 here:

firesheep-0.1-1.xpi

Or read more here.

Posted in: Hacking Tools

Topic: Hacking Tools


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Hackers Exploit Unpatched Firefox 0day Using Nobel Peace Prize Website

Use Netsparker


It’s been a while since Firefox has been in the news, but this is a fairly high profile case involving the Nobel Peace Prize website. It seems there is a race condition vulnerability in the latest versions of Firefox (including 3.6.11) that allows remote exploitation.

In this case it was used via an iFrame on nobelpeaceprize.org which then downloaded malware to the visitors machine using a multi-exploit back-end which amongst others also leveraged this 0day Firefox exploit.

Malicious hackers have exploited an unpatched vulnerability in the latest version of Firefox to attack people visiting the Nobel Peace Prize website, a Norway-based security firm said on Tuesday.

Mozilla representatives confirmed a “critical vulnerability” in versions 3.5 and 3.6 of the open-source browser. It came several hours after the organization members were said to have made the same admission on this password-protected Bugzilla page. According to Einar Oftedal, a detection executive at Norman ASA in Oslo, the official website for the Nobel Peace prize, nobelpeaceprize.org, was compromised so that it contained an iframe link to a malicious server.

“This iframe has a multi exploit backend and serves exploits for Firefox, including a working remote exploit for Firefox 3.6.11,” he said in an instant message to The Register. “We didn’t see any 0day for IE,” he added, referring to Microsoft’s browser.

Mozilla claims they will address this issue soon and past history dictates that a patch will come out within a few days, so look forwards to Firefox 3.6.12 by the end of the week. It seems to be a fairly advanced and targeted attack.

Of course the conspiracy theorists will say that the attack was carried out by the Chinese Government as their way of complaining that the most recent Nobel Peace Prize was given to a Chinese dissident named Liu Xiaobo.


He said the attack exploited a race condition vulnerability in Firefox to force end users to install malware his firm has dubbed Belmoo. The Windows executable was created on Sunday and attempts to connect to several internet addresses, according to his analysis.

If the addresses resolve, “the malware attaches a command shell to the opened socket, giving an attacker access on the local computer with the same rights as the logged on user.” If not, the malware will exit.

If Norman’s report proves accurate, it’s the first time in recent memory attackers have exploited an unpatched vulnerability in Firefox. Most so-called zero-day attacks are perpetrated against Adobe Reader or Flash Player, Microsoft software and to a lesser extent Oracle’s Java. The report is also unusual because the attack didn’t appear to target other applications, as is typical with exploit packages.

Hours after the reports surfaced, Mozilla said it would issue a fix as soon as possible. In the meantime, users can protect themselves by disabling JavaScript altogether or installing the NoScript extension that allows users to control which websites are permitted to run JavaScript.

As per usual you can protect yourself against this flaw by using NoScript or disabling JavaScript functionality in your browser.

It’s been a while since there’s been a serious bug in Firefox, most of the recent ones have not been exploitable or have involved passive activities like data leakage and clickjacking.

Source: The Register

Posted in: Exploits/Vulnerabilities, Malware, Web Hacking

Topic: Exploits/Vulnerabilities, Malware, Web Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


The Social-Engineer Toolkit (SET) – Computer Based Social Engineering Tools

Use Netsparker


The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

SET is a menu driven based attack system, which is fairly unique when it comes to hacker tools. The decision not to make it command line was made because of how social-engineer attacks occur; it requires multiple scenarios, options, and customizations. If the tool had been command line based it would have really limited the effectiveness of the attacks and the inability to fully customize it based on your target. Let’s dive into the menu and do a brief walkthrough of each attack vector.


This is an extremely complete and advanced toolkit, which also harnessed the power of Metasploit and Ettercap and it provides following attack vectors:

  • Spear-Phishing Attack Vector
  • Java Applet Attack Vector
  • Metasploit Browser Exploit Method
  • Credential Harvester Attack Method
  • Tabnabbing Attack Method
  • Man Left in the Middle Attack Method
  • Web Jacking Attack Method
  • Multi-Attack Web Vector
  • Infectious Media Generator
  • Teensy USB HID Attack Vector

You can find some tutorials and videos on how to get up and running and use SET here:

Social Engineering Resources

You can download SET using SVN.

Or read more here.

Posted in: Hacking Tools, Social Engineering

Topic: Hacking Tools, Social Engineering


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Malware Pushers Abuse Firefox Warning Page

Use Netsparker


This is a pretty neat attack from the malware pushes leveraging on the ignorance of the average user – which in all honestly is a safe bet most of the time! You could consider it a Social Engineering attack as it’s taking something that’s familiar and changing it to deliver malware.

I’m sure all the Firefox users reading have at some point or another been faced with the warning screen that tells you a site is not safe to visit, the red page which states in big white letters “Reported Attack Page!”.

Hackers have subverted warnings generated by Firefox about dangerous sites to punt fake anti-virus portals.

Surfers straying onto a web page offering the “Security Tool” rogue anti-virus are offered a warning page that convincingly mimics the genuine Firefox block page. The site offers supposed updates for Mozilla’s technology that are actually scareware packages.

If Windows users apply these updates they will be falsely warned that their system is infected and continuously nagged into buying worthless scareware packages that serve only to line the pockets of cyber-scammers.

The rogue application will automatically attempt to install itself on the machines of prospective marks in cases where scripts are enabled, net security firm F-Secure warns.

Personally I’d say this attack would be pretty effective, my only question would be – how would the user land on that site in the first place? I guess through the normal channels (e-mail spam, facebook wall worms and so on).

After landing the user would realize they’ve been spammed/scammed and see the Firefox warning…then download the ‘security update’ and install it – unknowingly pwning themselves in the process.


Firefox’s genuine attack warning technology is all server-side and never requests that users download updates. The attack relies, in part, on the ignorance of the majority of potential victims on this point.

The attack is a rare but not unprecedented attempt by malware slingers to use Firefox features to push their wares. Previous attacks by the same gang have involved tricking users into downloading scareware in the guise of a supposed Firefox/Flash update.

The malware is offered from a page designed to trick Firefox users into thinking their browser software has just been updated but that they still need to apply a Flash Player patch, which is actually a rogue anti-virus installation utility. The sneaky tactic, first spotted back in July, is explained in more detail in a blog post by F-Secure.

It just goes to show the bad guys are pretty creative when it comes to new ways to trick people into installing their malware, I wonder what we’ll see next?

The full entry by F-Secure can be seen here:

Reported Attack Site! – Security Tool’s Latest Trick

Source: The Register

Posted in: Malware, Social Engineering, Spammers & Scammers

Topic: Malware, Social Engineering, Spammers & Scammers


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


NSDECODER – Automated Website Malware Detection Tool

The New Acunetix V12 Engine


NSDECODER is a automated website malware detection tool. It can be used to decode and analyze an URL to see if it host to malware. Also, NSDECODER will analyze which vulnerability has been exploited and the original source address of malware.

Functions

  • Automated analysis and detection of website malware.
  • Detection for plenty of vulnerabilities.
  • Log export supports HTML and TXT format.
  • Ability to deeply analyze JavaScript.

You can download NSDECODER here:

nsdecoder_gui_v1.0.zip

Or you can read more here.

Posted in: Countermeasures, Malware, Web Hacking

Topic: Countermeasures, Malware, Web Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.