<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1141001117732421828</id><updated>2026-01-24T18:09:17.280+05:30</updated><category term="Malware"/><category term="Web Attacks"/><category term="Tutorials"/><category term="Cyber Crime"/><category term="Vulnerabilty Disclosure"/><category term="About this blog"/><category term="Misc"/><title type='text'>Hyper Security</title><subtitle type='html'>&quot;Finding your way in the Dark world of Information security..&quot;</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default?start-index=26&amp;max-results=25'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>31</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-3724417013690489465</id><published>2011-08-11T16:04:00.002+05:30</published><updated>2011-08-11T16:13:32.187+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><title type='text'>Uncovering Win32/Momibot communication</title><summary type="text">The malware sample I am going to be looking at today is classified as Backdoor:Win32/Momibot by Microsoft and is also referred to as Backdoor/IRCNite by some other AV vendors. Packet captures of the sample from my automated sandbox results look something like this - So, basically the Trojan is communicating on TCP ports 8090 as well as 80. Forcing Wireshark to decode packets with TCP port 8090 </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/3724417013690489465/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/3724417013690489465'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/3724417013690489465'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html' title='Uncovering Win32/Momibot communication'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIr4QrtHtZj_pvxA27_lIozKPRTnNIrGXHDDT5WDxRuYEMJ6fugf6PQ2W85VOv8b2Wl5OpaNNzhheJjrs0UhjEOYWOL2cfenZzSAh_HJMUJ409-ZbQ5EedFdCvaSFU0zcNI9opqSe-Ozw/s72-c?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-810391741675362753</id><published>2011-07-13T16:50:00.001+05:30</published><updated>2011-07-13T16:50:56.712+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Web Attacks"/><title type='text'>Quick look into CVE-2011-1255 Microsoft IE Time Element Memory Corruption vulnerability</title><summary type="text">Microsoft patched this vulnerability in June’s Patch Tuesday, but as usual an exploit has emerged for it. The M86 Security team stumbled upon an exploit in the wild and they have already done an excellent job of covering the exploit vector. I fired up Malzilla and decided to dig a little bit deeper to see how the exploit works.  
This is a use-after-free vulnerability that is exploited using </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/810391741675362753/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2011/07/quick-look-into-cve-2011-1255-microsoft.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/810391741675362753'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/810391741675362753'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2011/07/quick-look-into-cve-2011-1255-microsoft.html' title='Quick look into CVE-2011-1255 Microsoft IE Time Element Memory Corruption vulnerability'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkyRz10rf5wPuijIKK5K_VgBWm6WjU2HmgOeVioB_IczZ9_J8Mx3vAWJPkQWNKGDwKpDa4A875Z_BBr2NKlYXXMZm7ihIPZPDQON9AmFRA52BFwY-F2zAZ_S98dkbyAmz0YiiTws2tLOg/s72-c?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-8986370601597579026</id><published>2011-07-10T14:14:00.003+05:30</published><updated>2011-07-10T14:20:24.321+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Misc"/><title type='text'>Blocking Ultrasurf</title><summary type="text">As part of maintaining Application Recognition signatures, I often get asked by customers if we have support for blocking Ultrasurf – the free proxy based anonymizer tool that 
is often (mis)used for bypassing content filters in enterprises. Unfortunately, blocking this over the network using IPS signatures is not possible since the traffic is encrypted. There has been a good amount of analysis done </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/8986370601597579026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2011/07/blocking-ultrasurf.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8986370601597579026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8986370601597579026'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2011/07/blocking-ultrasurf.html' title='Blocking Ultrasurf'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-8236475790761875503</id><published>2010-10-29T22:12:00.003+05:30</published><updated>2010-10-29T22:21:14.423+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><title type='text'>Google Code hosting Malware components</title><summary type="text">Nothing new; it has happened in the recent past, as folks at Zscaler had pointed out. But this time it's not the malware itself, but part of its configuration and components being hosted on Google Code servers. 
For those who don’t know Google code is a free, Web based platform that provides tools and resources to developers interested in working on Google-related open source software projects or </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/8236475790761875503/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2010/10/google-code-hosting-malware-components.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8236475790761875503'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8236475790761875503'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2010/10/google-code-hosting-malware-components.html' title='Google Code hosting Malware components'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8KMpY4wN6e-3ERlm4nDhYh8NuQa9pMplCE5eTCXxioIweljRwkemHjJh4-kDlME3QFd6MnN7AGopkI0hR6ZHBrJYi4zyqlafo_Bb6nZufWOEc5CJHktawiEs1f-k_nwmIyL6yey-NNYc/s72-c?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-8057339570326460431</id><published>2010-09-23T15:25:00.001+05:30</published><updated>2010-09-23T15:25:58.275+05:30</updated><title type='text'>After long time..</title><summary type="text">Yeah, Its been a really really long time since I have written something here and I apologize for that. 
It’s just that I have been a hell lot busy with new stuff at work and a lot of research that I have been doing in building Malware automation Frameworks ! Plus not to mention the ton of 0days that have been piling on recently.  Hopefully, I should get some more free time from now on and I will </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/8057339570326460431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2010/09/after-long-time.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8057339570326460431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8057339570326460431'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2010/09/after-long-time.html' title='After long time..'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWghuaszK3B6_49842J0IpHEzt9kKBQhco1ZXAXOyVEMaYfKRA0b0SH2Yp6HO9Vqz0e9czmsyLebefm8IAlY4EMj-MWwJchBN0x7f91On9Wt_baJ6hc3inFBOtXLHyIpRAxhMNQEbeKBU/s72-c?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-2387289708850797386</id><published>2010-04-14T16:43:00.001+05:30</published><updated>2010-04-14T16:49:05.898+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><title type='text'>Trojan Heloag Botnet</title><summary type="text">Looks like there is a new Botnet on the horizon. 
Win32/Heloag is treated as Backdoor Trojan by many AV companies but appears to be a new kind of Botnet that uses P2P for communicating with its peers and Bot master. Its been out there for a while now.  A recent post by Arbor Networks on the Bot’s analysis actually prompted me to have a closer look at this piece of malware. Either their report is </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/2387289708850797386/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2010/04/trojan-heloag-botnet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/2387289708850797386'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/2387289708850797386'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2010/04/trojan-heloag-botnet.html' title='Trojan Heloag Botnet'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjstiQiJVdy20xuSh1KWwJtZYIsfjpadVIzBhikrdJweXZN9OdmoOPe3ExTWIgLyPBFxkClkLkLAtjs1Dn3PzoY8iRe9q3qbKblPwQT8DrzhV7u2yZH_KF-WArGLBQh6dbZJTK-dfofDVE/s72-c?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-6715124941389857669</id><published>2010-04-01T16:38:00.001+05:30</published><updated>2010-04-01T16:38:24.761+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Vulnerabilty Disclosure"/><title type='text'>PDF Command execution 
vulnerability</title><summary type="text">Researcher Didier Stevens just managed to discover that he can make PDF reader execute any command without exploiting any vulnerability ! On his blog he demonstrated how the “Launch” action parameter of PDF document can be abused to execute arbitrary command on the victims machine.  Though he did not reveal complete details, his partial PoC is good enough to guess how the attack can be made </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/6715124941389857669/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2010/04/pdf-command-execution-vulnerability.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/6715124941389857669'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/6715124941389857669'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2010/04/pdf-command-execution-vulnerability.html' title='PDF Command execution vulnerability'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDFA61tR1BeKFcGOlWLQNcjRze2NDnkAfu55kHK_Uma7YzeeQHGNLFZzzc5GRYBw97z9qw3HTUn5pCLV1tXpFeSfhLEH4U4yAmXfgfqG-VF2WQ2DxX4b4JnIJP8cVK1NztfuwFUAMVTIU/s72-c?imgmax=800" height="72" 
width="72"/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-4974153369945751947</id><published>2010-03-25T15:46:00.001+05:30</published><updated>2010-03-25T15:46:30.192+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Tutorials"/><title type='text'>Trying to skip the fish</title><summary type="text">The automated web application security testing tool “skipfish” was released recently and seems to have generated a lot of attention in the “security community”. So, I decided to give it a try and install it in my lab. Unfortunately, I run very old Linux distros in my lab (like RedHat 9 for example) and I am too lazy to upgrade to newer versions. Anyways, during installation I soon realized that it’s</summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/4974153369945751947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2010/03/trying-to-skip-fish.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/4974153369945751947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/4974153369945751947'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2010/03/trying-to-skip-fish.html' title='Trying to skip the fish'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-4757845602573329519</id><published>2010-03-12T17:13:00.002+05:30</published><updated>2010-03-12T17:15:58.189+05:30</updated><category 
scheme="http://www.blogger.com/atom/ns#" term="Web Attacks"/><title type='text'>CVE-2010-0188 Adobe Reader TIFF vulnerability</title><summary type="text">The recent Adobe reader vulnerability (CVE-2010-0188) seems to be doing lot of rounds these days. Thanks to Mila (contagio blog), I got a chance to look at the malicious PDF file.  A Quick look at the stats using pdf-parser tool reveals the structure of this file -     C:\Analyze&amp;gt;pdf-parser.py -a &quot;2010 March Luncheon Invitation_FINAL.pdf&quot;    Comment: 4     XREF: 0     Trailer: 0     StartXref:</summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/4757845602573329519/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2010/03/cve-2010-0188-adobe-reader-tiff.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/4757845602573329519'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/4757845602573329519'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2010/03/cve-2010-0188-adobe-reader-tiff.html' title='CVE-2010-0188 Adobe Reader TIFF vulnerability'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE7vuIqw61FmI_wZXANXPpxdG37o4e9-B7LQ1NxYntb5khYEeCvTs721B78Cs0sl-s04GWF6elX2pnpnO6LRJoA-cqNF4KtMD5leW-8MfSDwYxH8-5ZUqfGWM3Z4tJaGuDXH0JllrSdFw/s72-c?imgmax=800" height="72" 
width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-7632961553186976022</id><published>2010-02-16T16:15:00.004+05:30</published><updated>2010-02-16T16:34:51.873+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Web Attacks"/><title type='text'>Olympics 2010 news ending up with Malware</title><summary type="text">Recently I covered how malware authors use Blackhat SEO poisoning to distribute malware to unsuspecting victims. Since then, I have been closely monitoring the news trends, and this time the bad guys are targeting searches related to the Vancouver Olympic Games 2010. Tragedy struck at the Olympic Games Luge (ice racing) event, when a 21-year-old athlete, Nodar Kumaritashvili, died during a </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/7632961553186976022/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2010/02/olympics-2010-videos-ending-up-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/7632961553186976022'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/7632961553186976022'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2010/02/olympics-2010-videos-ending-up-with.html' title='Olympics 2010 news ending up with Malware'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAOXKQxRlJYnnkk5MLfgcP3LAq3pqAl2Pa8a8kb5HM0f1rnW7zYcqKRQVlNZLBvB1NBcU09QNh7OONTQZTEHo3STDpih3zLLl5Mlf_7gv4rUTWnqiDUYp6_FCPbzIRe6x6FhkR2lzoCGA/s72-c?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-3624481323989495737</id><published>2010-02-03T14:53:00.002+05:30</published><updated>2010-02-05T17:03:37.266+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><title type='text'>Trojan using MS SQL ??</title><summary type="text">Well its my first post in 2010 :) … rather late, apologize for that.   Recently came across a Trojan sample that actually connects to a Database server and does some SQL commands ! This is the first time I saw something like this.   Normally, Backdoors and other malware use HTTP interfaces (POST/GET commands) to talk to their command servers, but in this case the malware was talking directly to </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/3624481323989495737/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2010/02/trojan-using-ms-sql.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/3624481323989495737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/3624481323989495737'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2010/02/trojan-using-ms-sql.html' title='Trojan using MS SQL ??'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXsyO-jtYu13SwmJ1Z0cMn5W3FEjDsmoxndb2jmphui_1vQnp3xm6CZo3k5-JYSEWwFoGMaPttq7wSabBozQbk96bsX31Zuv79iucnyRKKD54d5_DMqVgOSE0WMJZOvJveCsIxuFklU1w/s72-c?imgmax=800" height="72" width="72"/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-4416028382152320532</id><published>2009-12-30T16:19:00.002+05:30</published><updated>2009-12-30T16:37:49.237+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Web Attacks"/><title type='text'>Digging deep into BlackHat SEO - Part2</title><summary type="text">Picking from where we left-off last time, I decided to dig deep into how the whole fake AV scam was being done. So, I fired up Wireshark as I started to browse the Google search results for Brittany Murphy.     After clicking on the poisoned search result, we first land on a page that is just a html page with all the junk related to the Google search query. 
Depending on your internet speed, you </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/4416028382152320532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/12/digging-deep-into-blackhat-seo-part2.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/4416028382152320532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/4416028382152320532'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/12/digging-deep-into-blackhat-seo-part2.html' title='Digging deep into BlackHat SEO - Part2'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb4lWhQg36sXO6EIOf9E_zV17uLJylWDakqqPlDVLyJ3l1OSq8YfBLLMKWt_u6Yg3w2XwbSKSi1J6cZYjSQkg-HQk-PFPKmjigPogQ68VbmMpk4_-no7wrEC26uHSAEkf8fVJmR_lvoK0/s72-c?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-8561167422835016967</id><published>2009-12-24T15:33:00.002+05:30</published><updated>2009-12-24T15:36:52.492+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Web Attacks"/><title type='text'>Digging deep into BlackHat SEO – Part1</title><summary type="text">It was used before for tragic news and has been seen once again now when actress Brittany Murphy passed away over the last weekend. 
Cybercriminals have been very effectively using SEO techniques to download malware on users machines who are trying to browse Internet looking for latest breaking news.  A simple Google search for “Brittany Murphy death” reveals some interesting search results. After</summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/8561167422835016967/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/12/digging-deep-into-blackhat-seo-part1.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8561167422835016967'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8561167422835016967'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/12/digging-deep-into-blackhat-seo-part1.html' title='Digging deep into BlackHat SEO – Part1'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwCNbUfEujU9xE3_xDn0Y1xliRRS0FcVBNOFDJ_yvlcfS2zbnSzYSnLkU1nWDXa1YhV4ANCFJro3xFVUHDOL1H0O23lm_boft2tF9N2fVBIpK8xrWLKruZIyiv8RdJuMhtsmmsM83cNIw/s72-c?imgmax=800" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-5679217485204592368</id><published>2009-12-02T16:19:00.005+05:30</published><updated>2009-12-02T18:08:17.451+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Tutorials"/><title type='text'>NetBIOS Spoofing</title><summary type="text">The other day I came 
across a post at skullsecurity.org that spoke about an interesting way of using the NetBIOS name service for doing a MiTM attack. The author showed how his tool nbpoison could be used to inject false NetBIOS information on the wire and spoof other hosts. This is a very interesting form of MiTM, as there is no ARP spoofing involved, and that is good, since every Tom, Dick and </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/5679217485204592368/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/12/netbios-spoofing.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/5679217485204592368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/5679217485204592368'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/12/netbios-spoofing.html' title='NetBIOS Spoofing'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-8247190052696619717</id><published>2009-11-20T17:55:00.002+05:30</published><updated>2009-11-25T13:19:02.583+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><title type='text'>Dissecting Zeus Botnet...</title><summary type="text">Posting after a long time.. was quite busy with some presentations to make as well as with my Protocol Fuzzer script which should be ready soon.  
Anyways, the Zeus Botnet has been around for quite some time now and has gained some attention with its Internet Banking password stealing campaigns and Zeus Crimeware Kit ! Recently I received a sample which happened to be one of the Trojans belonging </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/8247190052696619717/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/11/dissecting-zeus-botnet.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8247190052696619717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8247190052696619717'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/11/dissecting-zeus-botnet.html' title='Dissecting Zeus Botnet...'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLVmLWeeLuBIKonURc68epk5bZE-YrtVWhqyG9odXrDJ08CCVek8_idqMquNZlSmjmmxTNJtvQrox7klasy5Zzxg0j-ZNkwe60kLVsnkCTI8dEXlT7kfLz4W5AnlKtJEpG08CdoUyeDEs/s72-c?imgmax=800" height="72" width="72"/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-1870292286962426988</id><published>2009-09-24T19:10:00.003+05:30</published><updated>2009-09-24T19:15:16.491+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><title type='text'>Interesting C&amp;amp;C BotNets</title><summary type="text">Gone are the days when “Command &amp;amp; Control” Botnets were 
controlled using IRC channels or web servers. These days, attackers have moved to more sophisticated techniques or rather they are taking advantage of already available public infrastructure to control their army of Bots.  One such case is that of a Bot using Google Groups for sending out the control commands. Discovered by a researcher </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/1870292286962426988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/09/interesting-c-botnets.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/1870292286962426988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/1870292286962426988'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/09/interesting-c-botnets.html' title='Interesting C&amp;amp;C BotNets'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-1463944540605329398</id><published>2009-09-04T15:31:00.003+05:30</published><updated>2009-09-04T15:36:39.631+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><title type='text'>Strange piece of Malware..</title><summary type="text">Recently I came across two strange pieces of malware – Win32/Induc.A and Win32/Skytap.A.   Well, you can’t exactly call the first one a malware because it does not do the usual malicious stuff like disabling AV’s, downloading Trojans, stealing data etc.. 
But it’s very interesting in the way it spreads. Win32/Induc.A is the first of its kind malware that affects Delphi compilers. For those who </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/1463944540605329398/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/09/strange-piece-of-malware.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/1463944540605329398'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/1463944540605329398'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/09/strange-piece-of-malware.html' title='Strange piece of Malware..'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-8670083404134243105</id><published>2009-08-20T17:17:00.010+05:30</published><updated>2009-08-21T17:53:58.623+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Tutorials"/><title type='text'>Discovering ActiveX Vulnerabilities -- Part 3 [The Exploit]</title><summary type="text">So far we have seen how to use Dranzer for discovering vulnerabilities in ActiveX objects. In this third &amp;amp; final part of the series we will look at creating a real world exploit from the vulnerability we discovered while fuzzing last time. This, at times, is a very challenging task. Not all vulnerabilities are that easy to exploit. 
It requires quite some amount of patience and luck to get </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/8670083404134243105/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/08/discovering-activex-vulnerabilities_20.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8670083404134243105'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8670083404134243105'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/08/discovering-activex-vulnerabilities_20.html' title='Discovering ActiveX Vulnerabilities -- Part 3 [The Exploit]'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhERAckZSlGy5MhS6vYDjmbhgdxXWeCeS4ZxhC-vJxXAGfIBvOV_lhTVGWkYxNcHMHwP0FgqoxMXuMac2bDoUtzA5IVJpVCNplCk3LoFah_s2RPgCZr2cX0EOn5i0Y0HTGPmA9Xcd6BjKw/s72-c/fuzz3-1.JPG" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-2442922739163147670</id><published>2009-08-18T15:47:00.005+05:30</published><updated>2009-08-18T16:07:26.211+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Crime"/><title type='text'>Credit Cards for sale ??</title><summary type="text">Ever wondered what do malware authors gain by writing malicious code ?? Well, if this question was asked a decade ago, the answer would be slightly different than what it is today ! 
The so-called &quot;underground&quot; scene was totally different from what it is today. Those days it would be for fun or showing off real hacker skills. Now-a-days it&#39;s just about earning quick bucks and big bucks !! Like </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/2442922739163147670/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/08/credit-cards-for-sale.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/2442922739163147670'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/2442922739163147670'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/08/credit-cards-for-sale.html' title='Credit Cards for sale ??'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibIbK2W5THFq4RUvCPezj_eJQsY0xTPNN-m86xKsiu7jVptpiX1-NTjE1b6VT0ErzDUoRl7e9jcyvCK-9yRyl8MLYFKVYRSEdjGmA0YW2Sl0Uh9trfQicang4wBd6o_3HRvV84O1Q1KLM/s72-c/CC_fraud1.GIF" height="72" width="72"/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-8813647828889752854</id><published>2009-08-12T16:36:00.019+05:30</published><updated>2009-09-14T19:18:08.496+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Tutorials"/><title type='text'>Discovering ActiveX Vulnerabilities -- Part 2 [Fuzzing]</title><summary type="text">So, continuing from where we left off last time, we will be 
looking at the Dranzer fuzzing tool in detail in this part. In case you landed here directly and are wondering what this is all about, I suggest you have a look here first. Dranzer is a well-documented tool and I also suggest you have a look at their documentation before starting with this so that you will be familiar with it in general. </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/8813647828889752854/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/08/discovering-activex-vulnerabilities_12.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8813647828889752854'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8813647828889752854'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/08/discovering-activex-vulnerabilities_12.html' title='Discovering ActiveX Vulnerabilities -- Part 2 [Fuzzing]'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5SOQEZ9WewV-nnlczDLSje95URRGSF6XCPIKFFaIzenaxR_DsfOG3DepiaHeTj2koyv4PMt23d5z2hyphenhyphenMX2xvewvqdLTcdTy6iYIQI7H2txSg4fUTkX4HG8b_4kCLIJt3rpk3uohtIwEQ/s72-c/fuzz2-1.JPG" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-4901365302451901842</id><published>2009-08-11T17:39:00.008+05:30</published><updated>2009-08-12T18:34:03.053+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" 
term="Tutorials"/><title type='text'>Discovering ActiveX Vulnerabilities -- Part 1 [ Introduction ]</title><summary type="text">Recently, I discovered a vulnerability in an ActiveX control. Before starting with the discovery, I had absolutely no clue as to how to discover and exploit vulnerabilities in ActiveX. I learned the hard way, so finally I decided to make a small tutorial that could make life easier for guys like me :) ! In this 3-part series, I will be covering how to use ActiveX fuzzers to find vulnerabilities in</summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/4901365302451901842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/08/discovering-activex-vulnerabilities.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/4901365302451901842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/4901365302451901842'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/08/discovering-activex-vulnerabilities.html' title='Discovering ActiveX Vulnerabilities -- Part 1 [ Introduction ]'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVn_DFvr33lXIeTRvjltY_IVWgszRiJWm8hQsPlaHXb92D95kah8uouNoYu7eNhRbIamkhOFiE7IoIMe_XZOqBKhN4CoyJSfHOgYVZRW2B4MunHhs0z__QTGr3gco-NGheyPwc2jt54IA/s72-c/fuzz1-2.JPG" height="72" 
width="72"/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-3794873075811339888</id><published>2009-07-15T16:17:00.012+05:30</published><updated>2009-07-24T15:05:01.204+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Web Attacks"/><title type='text'>It&#39;s raining 0day&#39;s...</title><summary type="text">Whew.. ! Last 10 days have been quite busy for security folks like me. There have been 3 incidents of 0day&#39;s being discovered recently. It all started with the DirectX ActiveX vulnerability which I blogged previously. Then later, a Microsoft Office web component ActiveX vulnerability was observed to be exploited in the wild. The list of domains hosting the Microsoft exploit is published &amp;amp; </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/3794873075811339888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/07/its-raining-0days.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/3794873075811339888'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/3794873075811339888'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/07/its-raining-0days.html' title='It&#39;s raining 0day&#39;s...'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-8113101494104391384</id><published>2009-07-07T12:16:00.005+05:30</published><updated>2009-07-07T15:40:13.490+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Web Attacks"/><title type='text'>Microsoft IE 0day ...Not again !?</title><summary type="text">Sad, but true. Once again MS Internet Explorer users have to run around hiding from the MPEG2 ActiveX exploit that is lurking around exploiting this new vulnerability in &quot;msvidctl.dll&quot;. And there is still no patch available for this critical vulnerability. I think,  looking at the licensing costs, Micro$oft products should come with some sort of SLA when we  buy them, like maybe fixing critical </summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/8113101494104391384/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/07/microsoft-ie-0day-not-again.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8113101494104391384'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/8113101494104391384'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/07/microsoft-ie-0day-not-again.html' title='Microsoft IE 0day ...Not again !?'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-1517639317870464514</id><published>2009-07-01T15:16:00.006+05:30</published><updated>2009-07-01T17:57:01.496+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Web Attacks"/><title type='text'>Bad news for some.. good for others..</title><summary type="text">It’s said that bad news travels fast ! And no doubt it does, but generally it’s the bad guys who catch it first. Whether it is Michael Jackson&#39;s death or Swine flu pandemic or France Airline crash, malware authors don&#39;t spare anything that they can use as bait. The moment such news is out, the bad guys immediately register fake domain names and using SEO (Search Engine Optimization) attacks make sure</summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/1517639317870464514/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/07/bad-news-for-some-good-for-others.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/1517639317870464514'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/1517639317870464514'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/07/bad-news-for-some-good-for-others.html' title='Bad news for some.. 
good for others..'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoDV5PtwsSKzIOP2Xkf5K064sKEEKozd9HVyCpb30f0Te8urWDGLASc_SA9x5qvccVJzl84ZQ6J_OPoc5et2VWryghoK8jICaXbzknOmmNf79KXZQ5urM_NrdpsVcJRS_xs_U0pYPyEWk/s72-c/blog_jakson_pic03.png" height="72" width="72"/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1141001117732421828.post-2566073640323250333</id><published>2009-06-23T16:42:00.005+05:30</published><updated>2009-06-23T17:37:01.756+05:30</updated><category scheme="http://www.blogger.com/atom/ns#" term="Malware"/><title type='text'>A new breed of attacks</title><summary type="text">In the beginning of 2009, there was a sudden increase in a new form of malware being distributed. The bad guys are now getting smarter by the day, giving rise to a new breed of attacks being carried out. All the attacks have one common thing though - they exploit victims&#39; paranoia for malware ! Scareware: Almost every month there is a new variant of these so-called security or Antivirus programs. 
These</summary><link rel='replies' type='application/atom+xml' href='http://hypersecurity.blogspot.com/feeds/2566073640323250333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://hypersecurity.blogspot.com/2009/06/new-breed-of-attacks.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/2566073640323250333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1141001117732421828/posts/default/2566073640323250333'/><link rel='alternate' type='text/html' href='http://hypersecurity.blogspot.com/2009/06/new-breed-of-attacks.html' title='A new breed of attacks'/><author><name>Da&#39;H4cker</name><uri>http://www.blogger.com/profile/13001174515870605619</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqP_Lyr9_TFTHahqK6prpbvDRTXgZgmDQP_FhszXWRqAAmhOZmhC4autBeL6fwzXJ_1Q5bD7jd7d2AZDcGkJkmEzxBr5Zp-hwQuTycUsW7erq7civCH_ytFUqPVynJDQdj3tg1rzkwmKY/s72-c/scare2.jpg" height="72" width="72"/><thr:total>0</thr:total></entry></feed>