Archive | November, 2013

Another IE 0-Day Hole Found & Used By In-Memory Drive By Attacks


So another IE 0-Day has been uncovered, and is in use in the wild for drive-by attacks on unwitting web users. I have to say, technically speaking, this attack is rather impressive – in terms of the exploit, the delivery method and the way that it runs.

It first retrieves the PE headers from a DLL on the victim machine, then serves a version of the exploit matched to that DLL build; after that it never writes anything to disk and executes directly in memory. This makes it extremely hard for anti-virus scanners to spot.

The downside is that the attack loses persistence: if the infected user reboots the machine, the malware code is basically gone.

Security researchers have discovered new zero-day vulnerabilities in Internet Explorer that are already being harnessed by hackers to run a new type of drive-by attack.

FireEye, the security firm that discovered the attack method, said that the flaw is present in various versions of Internet Explorer 7, 8, 9 and 10, while running Windows XP or Windows 7.

“The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution,” FireEye explains. “It is one vulnerability being exploited in various different ways.”

The IE flaw is unpatched and separate from the TIFF image-handling zero-day vulnerability that surfaced late last month – which is also under active attack.

Malware slung via the latest exploit is designed to load directly into the memory of victimised Windows PCs, bypassing the hard drive. The tactic makes it harder for antivirus software or similar security tools to detect and block the attack.

The attackers are probably assuming that the same user will visit the same site again and get reinfected, even after a reboot. The exploit also contains a large multi-stage shellcode payload, so it avoids downloading further code (and thus writing to the disk).

In terms of forensics, this also makes it extremely hard to identify infected endpoints, as malware that runs only in memory leaves little to no artifacts.


However, simply rebooting compromised machines would appear to remove them from the botnet, so what this new type of attack gains in stealth, it loses in persistence. FireEye posits that “the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be[come] re-infected”.

One of the sites spreading the exploit covers national and international security policy, according to FireEye. This, and other instances of the attack method, make it more than likely we are looking at some type of state-backed cyber-espionage campaign, it says.

The infrastructure used in the attack shares similarities with the earlier Operation DeputyDog assaults against targets in Japan and China, claims FireEye. The same hacking crew is suspected of involvement in a high profile hack against whitelisting firm Bit9.

If anything, the latest assaults are even more sophisticated.

More stuff you can read about if you are interested in this topic:

Return-oriented programming
APT – Advanced Persistent Threat

You can find the original info and blog post here:

New IE Zero-Day Found in Watering Hole Attack

And a very technical look at the techniques used here:

Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method

Source: The Register

Posted in: Exploits/Vulnerabilities, Malware, Windows Hacking





aidSQL – PHP Application For SQL Injection Detection & Exploitation


aidSQL is a PHP application for detecting security holes in your website(s). It is a modular application, meaning you can develop your very own plugins for SQL injection detection and exploitation.

The tool provides pen-testing capabilities for MS-SQL 2000 and MySQL 5, and the author promises to add Oracle 10g support, but that doesn’t seem to be happening.

You can view a demo of the app here:

The output from Wavsep for aidSQL can also be seen here:

aidSQL vs Wavsep

You can download aidSQL here:

aidsql-devel-20130527.tgz

Or read more here.

Posted in: Database Hacking, Hacking Tools, Web Hacking





Anonymous Targets Singapore For Proposed Internet Licensing Rules


So the latest news in South East Asia is that someone claiming to be affiliated with Anonymous is waging a digital war against Singapore over its proposed Internet licensing rules, which are akin to backdoor censorship.

You can see the Youtube video here:

The Anonymous Legion Threatens Singapore Government

They have already started by attacking one of the major Singaporean newspapers, the Straits Times, which was successfully defaced.

Straits Times Hacked by Anonymous

The full protest and expected action by Anonymous should take place tomorrow, November 5th – the day synonymous with Guy Fawkes.

A hacktivist claiming to be part of Anonymous has backed a call by Google, Facebook and others to scrap proposed internet licensing rules in Singapore which have been described as state censorship by the back door.

In a YouTube video, the figure argues that “no government has the right to deprive their citizens the freedom of information”, and calls on “fellow Singaporean brothers and sisters” to protest on 5 November if the licensing proposals aren’t binned.

The hacktivist, who goes by the name ‘The Messiah’, has already been at work, defacing a web page of Singaporean newspaper The Straits Times with the message: “Dear ST: You just got hacked for misleading the people!”

It seems The Messiah wasn’t happy with the way the paper reported the video, after it “chose to conveniently modify the sentence ‘war against the Singapore Government’ into ‘war against Singapore’.”

The new Licensing Regime, which was revealed earlier this year by the Singaporean government, will require online news sites reporting on the city state to put up a “performance bond” of S$50,000 and “comply within 24 hours to MDA’s directions to remove content that is found to be in breach of content standards”.

It’ll be interesting to see if they target more corporations or governmental organizations. The media in Singapore lies somewhere between the two, with the majority of the mainstream media being owned in part or otherwise controlled by the government.

The licensing scheme seems to be some kind of effort to control the smaller, so-called ‘independent’ or ‘alternative’ news outlets online, which do cause a lot of problems for oppressive governments.


Singapore’s government, which has been formed by the same party for over 50 years, either directly or indirectly owns traditional media. The new rules have therefore been seen as an attempt to bring to heel foreign owned and independent sites which locals read for less-likely-to-be-sanitised news.

The licensing proposals have already garnered strong opposition. Over 130 Singaporean web sites blacked out their home pages in June and activists attended a #FreeMyInternet rally in the city state’s Hong Lim park.

The Asia Internet Coalition, which lists Google, Facebook, Yahoo and others among its members, has also been highly critical.

The coalition wrote in an open letter to communications minister Yaacob Ibrahim in July that the proposed rules “could unintentionally hamper Singapore’s ability to continue to drive innovation, develop key industries in the technology space and attract investment”.

Despite its façade as a shiny, modern Asian nation, Singapore ranks a lowly 149th on Reporters Without Borders’ Press Freedom Index 2013, sandwiched between Iraq and Russia.

Singapore already ranks extremely low in the press freedom index, and this move, if successful, is likely to push it even lower. Singapore as a whole is known as a pretty tech-forward and Internet-savvy nation, so it’ll be interesting to see how tight its cyber-security is and whether Anonymous can make any serious inroads.

As always we shall wait and see.

Source: The Register

Posted in: Legal Issues, Privacy, Web Hacking


