Geekz Sources of IDea

[Re-link] Malicous PDF analysis e-book

2010-10-23T09:34:00.002+08:00

Well done Didier Stevens for producing this small chapters for public. I really make use of this book and hopefully i can share with others here..

it can be download here

i cant wait the full version of the book that you contribute..

Discover image details online

2010-09-01T07:41:00.005+08:00

How to check shutter count? how to check aperture size of image taken? how to check bla.. bla..? how to check itu? how to check ini?

Just upload your image at http://regex.info/exif.cgi/exif.cgi .. and all your questions regarding image details will be answered.. But i dont know and not so sure how far they protect the privacy and ownership of your image.. so far, i just upload unimportant image and quite paranoid to upload beautiful image..

For example here I uploaded an image:

and i got full complete details on that image:

and a lot more details...

and more.. dont have space to upload here..

dulu 120kmph, kini..

2010-02-20T14:54:00.004+08:00

kene snaman pipi sket lagi.. duhh

Aurora oh Aurora

2010-01-26T22:36:00.004+08:00

aurora oh aurora
pentingkah kamu itu
kenapa aku terpegun?
aurora oh aurora
selalu disanjungi
pernah ditanya mengapa?
ku tatap, berseri, berwarna hijau
yang menawan sanubari

walaupun jauh
kamu dekat di hati
pandanganku menanti mu
aurora
kamu memberi
kembali mencari

aurora oh aurora
dari manakah kamu
kekal kamu sungguh jauh
aurora oh aurora
tidak ada bunyi mu
sanggup aku tetap menunggu
terdiam kerana berwarna ungu
ku putuskan biar bisu

walaupun jauh
kamu dekat di hati
pandanganku menanti mu
aurora
kamu memberi
kembali mencari

malam ini
aku sendiri
menumpu langit sambil berkata
gembira kamu disana
ku lihat, tersenyum, berwarna merah
ku tau kau kan tamat

Policy, Standards, Practices, Guidelines, Procedures, blablabla

2010-01-24T16:21:00.006+08:00

sometimes, thinking for higher level is good for me.. management of information security skill is an adding advantage with my little security technical skill.. with sunday laziness and some boredness i start here.. and end with example..

Policies..
deliberate plan of action to guide decisions and achieve rational outcomes..
some call a short and concise what is expected. This thing stand at he higest level.. no step by step "how to". (that is standards)

Standards..
more detailed statement of what must be done to comply with policy.. including more specific details on how to comply with policy..

Practice,Guidelines, Procedures
sharing quite same definitions.. actual process of doing things.. correct or usual way of doing something or usual order followed when doing something..
this is how it looks like.. (some lazy photoshoping)

examples
for a simple example, a company policy is each employee must have strong password.. just want strong password but how? here we have standards (come with practices, guidelines and procedures) which describe what is strong password and what are the criteria and how to make it.. for example must contains at least 8 characters with combination of letters, symbols,numbers, lower and upper case letter and yada..yada..

references
M.E Whitman, H.J. Mattord, Management of Information Security, Course Technology , 978-1-4239-0130-3
Advance English Dictionary
and some web references..

BackTrack 4 Final akhirnya.

2010-01-22T16:04:00.002+08:00

"BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Regardless if you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester."
Versi final ni guna kernel baru, ada tools yg lebih banyak dan jugak custom tools yg hanya boleh didapati di dalam BackTrack dan fixed kepada beberapa bugs yg sedia maklum..
boleh download kat sini: http://www.backtrack-linux.org/downloads/

flaws in our email service? be careful..

2010-01-19T23:59:00.012+08:00

just now i just playing around with a mail after capek tell a story about his friend's email had been compromised..

what i had founded was quite shocking.. it was very easy to change others password just by having their ID..

it starts here.. I just click on I can't access my account link..

Then choose My account may have been compromised.. And click next..

complete some easy captcha n email id..

complete easy form..

finally i got an email..

maybe i miss something that make this system secure in other way.. because this is just my simple lazy experiments..(thats why my English is bad also) please add any if there are any, my friends..

Earthquake can be everywhere!!

2010-01-19T20:18:00.002+08:00

There're lot of earthquake cases recently and the latest one is in Haiti.. I think government should have a syllabus in school on what to do when there are disaster especially earthquake.. (sorry if this one already implemented) ..If we cannot prevent earthquake, at least we can prevent lot of fatal death because of lack of education on how to protect ourselves during earthquake..

here i copy paste some procedure what to do during earthquake from FEMA dedicated for me as a reference in the future (who knows)..

If indoors

DROP to the ground; take COVER by getting under a sturdy table or other piece of furniture; and HOLD ON on until the shaking stops. If there isn’t a table or desk near you, cover your face and head with your arms and crouch in an inside corner of the building.
Stay away from glass, windows, outside doors and walls, and anything that could fall, such as lighting fixtures or furniture.
Stay in bed if you are there when the earthquake strikes. Hold on and protect your head with a pillow, unless you are under a heavy light fixture that could fall. In that case, move to the nearest safe place.
Use a doorway for shelter only if it is in close proximity to you and if you know it is a strongly supported, loadbearing doorway.
Stay inside until shaking stops and it is safe to go outside. Research has shown that most injuries occur when people inside buildings attempt to move to a different location inside the building or try to leave.
Be aware that the electricity may go out or the sprinkler systems or fire alarms may turn on.
DO NOT use the elevators.

If outdoors

Stay there.
Move away from buildings, streetlights, and utility wires.
Once in the open, stay there until the shaking stops. The greatest danger exists directly outside buildings, at exits, and alongside exterior walls. Many of the 120 fatalities from the 1933 Long Beach earthquake occurred when people ran outside of buildings only to be killed by falling debris from collapsing walls. Ground movement during an earthquake is seldom the direct cause of death or injury. Most earthquake-related casualties result from collapsing walls, flying glass, and falling objects.

If in a moving vehicle

Stop as quickly as safety permits and stay in the vehicle. Avoid stopping near or under buildings, trees, overpasses, and utility wires.
Proceed cautiously once the earthquake has stopped. Avoid roads, bridges, or ramps that might have been damaged by the earthquake.

If trapped under debris

Do not light a match.
Do not move about or kick up dust.
Cover your mouth with a handkerchief or clothing.
Tap on a pipe or wall so rescuers can locate you. Use a whistle if one is available. Shout only as a last resort. Shouting can cause you to inhale dangerous amounts of dust.

eatable SPAM

2009-12-27T16:54:00.002+08:00

yummy.. SPAM with honey grail..

[Paper] Companion worms on UNIX systems.

2009-12-24T12:52:00.001+08:00

http://c-skills.blogspot.com/2009/12/thoughts-on-companion-worms.html

paper by: Sebastian Krahmer

anti-shouldersurfer

2009-12-20T11:15:00.004+08:00

Google Chrome for Linux..

2009-12-09T11:46:00.006+08:00

Finally, after waiting and waiting.. and after reading the comics in the website i realize why..
It can be seen here

And can be downloaded here

support for Debian/Ubuntu/Fedora/openSUSE

Nepenthes + PHARM - SurfIDS = Test Dulu

2009-12-08T12:45:00.004+08:00

PHARM or nepenthes pharm is a client/server tool to manage, report and analyze all your distributed nepenthes instances from one interface. Sounds interesting. Before this I developed nepenthes and OpenVPN plugin for Webmin, looking foward for nepenthes client and integrate them with SurfIDS, but I think it is the end of it :-(

(click image for larger visual)

PHARM has 3 main components:

Server
Client (Implement on nepenthe honeypot)
Web Portal (View data collected from sensor)

More info and screenshot are here: http://www.nepenthespharm.com

WINWORD.EXE malware

2009-12-02T13:57:00.006+08:00

Some malware become famous because of their behaviour and now I found a malware that hide all your word documents and replace it with their copy of .exe files with the same name and icon as each of the hidden word documents before. It become dangerous when you did not set for not "hiding extensions for known file types" in folder options. It is because you cannot distinguish the changes made by the malware and it become worse when you attach the file in email and spread the malware to other computers by email. So please be aware of this malware by view the properties of the file before executing it. The malware will appear as "Application" rather than as "word documents". I'll post more on the detail of the analysis of this malware later and for this post just how to recover your file back.

First, open your command prompt by start>run and type cmd and press enter. In the command prompt, type your drive letter with double colon. (eg. if your pendrive labeled as I: in your "My Computer", just typed I: and press enter)

Then type:

dir /A:H

This command will view all the hidden files in your drive including the files that been hidden by the malware (if working properly)

Then to remove the hidden attribute of the files just type:

attrib -S -H -R *.doc

This command will remove the System Files (-S), Hidden (-H) and Read Only (-R) attributes for all .doc files int the drive. Please take note that the hidden attribute cannot be remove using properties.

Thats all for now and dont hesititate to ask if having any problems.

Conficker Eye Chart

2009-11-29T11:05:00.004+08:00

Quite lame, but still practical maybe..huhu..

"Joe Stewart from SecureWorks has put together an effective "eye chart" that sources its graphics from sites that Conficker would block. If you can't see one or more of the images, you're either infected, or image loading in your browser has been disabled.

Firefox users can check if image loading has been disabled under Tools/Options and the Content tab. Load Images Automatically should be checked. Internet Explorer users will find it under Tools/Internet Options, then the Advanced tab. Scroll down to Multimedia, and Show Pictures should be checked.

It's a test based on the fact that Conficker blocks legitimate security Web sites. The logos are sourced remotely, so if they can't load, the sites are also likely to be blocked. If you're seeing blocked images, you should check out the CNET guide to removing Conficker--just because the botnet hasn't done much that's demonstrably malicious yet doesn't mean it can't or won't in the future."

original post: http://www.nsaneforums.com/?showtopic=18612

Eye Chart: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

How To Cyberstalk Potential Employers

2009-11-05T19:36:00.001+08:00

Zaman pencarian kerja untuk para graduan telah bermula... rasanya inilah masanya untuk implement tutorial dari irongeek.com ni..

How To Cyberstalk Potential Employers

Add new Partitions to Virtualbox OSE Ubuntu

2009-11-05T11:04:00.017+08:00

1. Create new Virtual Hard Disk

Open Virtualbox OSE, go to File > Virtual Media Manager(VMM) or just Ctrl + D. Click New button on the Hard Disk Tab. Follow the instructions, until finish. Make sure this time take care about the size of the partition. And finish the procedure (choose the right partition type, name and size. Now we have created a new Virtual Hard Disk (VHD).

2. Add the new VHD to the VCO

Exit the VMM by clicking OK button. On the Virtualbox OSE, Right Click the targeted VCO, go to setting.. (Make sure the VCO is Powered Off) Go to Hard Disks. Click the Add Attachment Button (Button with + ) and your newly created VHD will be inserted automatically and finish it with OK button.

3. Start targeted VCO

The VCO will detect and install the new VHD when startup and wait until it finish and the Right Click on My Computer, choose Manage. Computer Management will be opened and go to Storage > Disk Management. Your new VHD will be in the list but labeled as Unknown. At the time you click the Disk Management, there will be a popup for Disk Initialize and go through the procedure until finish. The new VHD will be detected as Unallocated.

4. Format the new VHD

Right click the Unallocated drive and choose New Volume. Go through the Procedure until finish depends on your requirement. And now you already have new disk partition on you VCO.

Vitualbox + maltrap == pure wonders..

2009-11-02T18:10:00.008+08:00

DLLPath: C:\Documents and Settings\Administrator\Desktop\maltrap_v0.2a\maltrap.dll
Process injected! PID: 3660
PID: 3660, All hooks are now in place!
PID: 3660, 0x00406D6E: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> FAIL
PID: 3660, 0x00406ECB: CopyFileA(existing: C:\Documents and Settings\Administrator\Desktop\G001.exe, new: C:\WINDOWS\system32\qokqe.exe, overwrite: 00000000)
PID: 3660, 0x00406F2F: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025EB58
PID: 3660, 0x00406F64: CreateServiceA(ServiceName: ferst, DisplayName: ces, Type: 00000010, StartType: 00000002, StartName: (null), Path: C:\WINDOWS\system32\qokqe.exe, Password: (null)) -> h:0025E8A0
PID: 3660, --- Service runs in its own process
PID: 3660, --- Is started automatically by the SCM during system startup
PID: 3660, 0x00406FB0: StartServiceA(hService: 0025E8A0, serviceArgs: (null)) -> SUCCESS
PID: 3660, 0x00407027: RegOpenKeyA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> SUCCESS
PID: 3660, --- handle: 00000754
PID: 3660, 0x00407049: RegSetValueExA(keyHandle: 00000754, valueName: Description, data: fsr) -> SUCCESS
PID: 3660, 0x7C81F2AE: GetFileAttributesW(C:\Documents and Settings\Administrator\Desktop\G001.exe)
PID: 3660, 0x7C910A16: CreateProcessA(appName: (null), cmdLine: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\Desktop\G001.exe > nul)
PID: 3660, --- Creating the process in suspended state...
PID: 3660, --- Resulting PID: 3692
PID: 3660, --- Escalating privileges so the process can be opened...
PID: 3660, --- Opening the process...
PID: 3660, --- Allocating memory in the process...
PID: 3660, --- Writing the DLL into memory...
PID: 3660, --- Resuming the suspended process...
PID: 3660, 0x00407548: ExitProcess(exitcode: 0)
[Termination] PID 3660 has terminated!

MalTrap is a research utility that monitors malware behavior by intercepting API calls on Windows and logging results. Though still in it's Alpha release and sparse on features, its a very interesting and useful tool.

Features

* Over 200 API’s are intercepted. Better results and little noise.
* Only relevant API parameters are displayed (highly descriptive).
* Only relevant API return values are displayed (highly descriptive).
* Created processes are monitored
* PID separation – API calls are logged based on the process
* PC shutdown attempts are prevented
* Anti-Debugging attempts are logged (SoftICE, RegMon, FileMon, Generic)
* Key-logging attempts are logged
* Internet traffic is logged and highly detailed (Winsock, FTP, HTTP, IRC, …)

a very cool tools..

download here: http://www.maltrap.com/main/download/

Video Tutorial:

video

Olly SocketTrace 1.0 [OllyDbg Plugin]

2009-10-26T01:28:00.007+08:00

Dah banyak review pasal plugin ni dalam bahasa inggeris, jadi ape salahnya kalau ade review versi melayu. Baru terpikir nak tulis pasal plugin ni..

About

OllySocketTrace ni adalah plugin yg digunakan dalam Ollydbg untuk memudahkan analyst atau reverse engineer untuk mengesan aktiviti berkaitan socket di dalam sesebuah process. Aktiviti socket akan dirakam dan kemudian di"highlight" dengan warna2 unik.

Boleh kesan "socket operation":

WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSAAsyncSelect, WSAEventSelect, WSACloseEvent, listen, ioctlsocket, connect, bind, accept, socket, closesocket, shutdown, recv, recvfrom, send and sendto.

Cara Install n Guna

Mudah sahaja, copy n paste dll file plugin ni ke dalam folder "plugin" di folder ollydbg, dan run ollydbg.. Ia akan ada di menu plugin. Plugin ni akan buatkan "breakpoint" di mana2 socket function call yg berkaitan dan akan record sgala data yg berkaitan.. Untuk melihat hasilnya, hanya klik di menu Plugin > SocketTrace > Log..

Download: http://www.tuts4you.com/download.php?view.2442

p/s: malas nak capture screenshot la.. try la, snang je nak guna..

Latest Artwork

2009-10-20T02:01:00.008+08:00

Sambil wat java image processing, layan gambar lame dlm hd n main photoshop jap.. ni lah hasil yg ntah ape2 dariku..

jam kat dinding umah sewa lama

dan ini...

batu kat dataran seremban

dan penjara pudu pun jadi mangsa....

I'm Halal ~ Web browser for Muslims

2009-10-19T16:17:00.008+08:00

http://www.imhalal.com/

Alhamdulillah,

Ade juga akhirnya usaha nak mengislamkan search engine.. Tapi still beta version lagi..
untuk lebih maklumat pergi ke : http://imhalal.com/blog/
yang best pasal web browser ni ialah:

1. wow.. leh filter search result ikut tahap keharaman tu.. jeng jeng jeng... (klik gambar utk gambar yg lebih clear)

dan

2. wow.. leh tukar2 background la...

aiyak.. rempah nasik briani..

Virus Giler Glamer

2009-10-10T12:26:00.002+08:00

Dari blog McAfee, www.avertlabs.com aku terkesima membaca ade jugak virus maker yg giler glamer.. bese, low profile je.. tapi ade jugak yg tulis dalam code, “HELLO ANTIVIRUS MAKERS! This is XXX! Please call this sh*t YYY! Cheerz!".. macam2 la sekarang ni.. siap dah letak name glamer virus tu.. cayalah!!! aku tgh cari la ape virus tu.. nak tgk dengan mate sendiri..

Combine video.001, video.002 dengan command prompt

2009-10-01T22:00:00.005+08:00

Biasenye uploader movie akan splitkan movie diorang kepada beberapa part untuk memudahkan untuk upload movie.. selain untuk cantumkan balik movie2 ni gune tools, kite leh gune command promt. Caranya begini:

copy /b "movie_name.wmv.*" "movie_name.wmv"

tu saja.. yang penting file tu kene letak dalam folder yg sama.. ".wmv" tu leh ganti ngan file type lain yg berkenaan..

[Java] Wake on LAN

2009-10-01T16:14:00.007+08:00

On PC di rumah dari ofis adalah idaman aku sekian lama. Dan aku rase aku memang 'n00b' giler sebab baru tau pasal wake on LAN. Jadi tak salah rasenye aku post bende ni untuk panduan aku (kalau save dalam PC confirm tak jumpe cari).

Wake on Lan adalah cara 'on'kan PC remotely dengan menghantar simple UDP packet ke port 9 kat NIC yg support Wake on LAN. Nak tau support ke tak biasenye LED kat LAN socket tu masih menyala walaupun PC dah turn off. Untuk anta packet tu, leh pkai ape2 pun coding n ni aku nak share coding Java:

import java.io.*;
import java.net.*;

public class WakeOnLan {

public static final int PORT = 9;

public static void main(String[] args) {

if (args.length != 2) {
System.out.println("Usage: java WakeOnLan ");
System.out.println("Example: java WakeOnLan 192.168.0.255 00:0D:61:08:22:4A");
System.out.println("Example: java WakeOnLan 192.168.0.255 00-0D-61-08-22-4A");
System.exit(1);
}

String ipStr = args[0];
String macStr = args[1];

try {
byte[] macBytes = getMacBytes(macStr);
byte[] bytes = new byte[6 + 16 * macBytes.length];
for (int i = 0; i <>
bytes[i] = (byte) 0xff;
}
for (int i = 6; i <>
System.arraycopy(macBytes, 0, bytes, i, macBytes.length);
}

InetAddress address = InetAddress.getByName(ipStr);
DatagramPacket packet = new DatagramPacket(bytes, bytes.length, address, PORT);
DatagramSocket socket = new DatagramSocket();
socket.send(packet);
socket.close();

System.out.println("Wake-on-LAN packet sent.");
}
catch (Exception e) {
System.out.println("Failed to send Wake-on-LAN packet: + e");
System.exit(1);
}

}

private static byte[] getMacBytes(String macStr) throws IllegalArgumentException {
byte[] bytes = new byte[6];
String[] hex = macStr.split("(\\:|\\-)");
if (hex.length != 6) {
throw new IllegalArgumentException("Invalid MAC address.");
}
try {
for (int i = 0; i <>
bytes[i] = (byte) Integer.parseInt(hex[i], 16);
}
}
catch (NumberFormatException e) {
throw new IllegalArgumentException("Invalid hex digit in MAC address.");
}
return bytes;
}

}

lepas compile code ni, run code ni dengan due argument tambahan: ip adress n MAC address.
contoh:

java WakeOnLan 192.168.0.20 00:0D:61:08:22:4A

tu saja.. kalau tak success, antar 2, 3 kali sebab UDP ni maklum la.

p/s: kalau PC kat umah tu behind firewall, jgn lupe allow port 9 n jagn lupe port forwarding port 9 ke ip pc kite tu. maknenye, mase run java tu, letak ip luar (WAN IP) pastu kat firewall or adsl router tu foward port 9 ke LAN ip PC kite. (aku taktau la ape instilah sebenar ip luar tu..duhh)

The Right Brain vs Left Brain test

2009-09-06T08:15:00.004+08:00

Korang nampak gambar penari tu pusing arah jam or lawan jam?

Kalau ke arah jam, maknenye korang manggunakan otak bahagian kanan lagi banyak dari otak belah kiri dan sebaliknya kalau pusing lawan jam.

p/s: kalau due2 belah gune same banyak, adakah gambar ni tak pusing? taktau la..