Latest Stories
PCAP file editing tool
from Marco Crotta
"Hello
I recently wrote a small C program to modify PCAP files
to forge them and use them for test and so on
It allows you to change:
- IP address of packet
- MAC address of packet
- time of the capture
- Mbit/second
- Packets/second"
download here....
Return of Innocent Searches
Hi folks,
I keep getting requests offline for more innocent searches, so here are some from the last couple of days. Enjoy...
coal furnace with gas insert - fake codec
road trip - neosploit
pearl shop - neosploit
high capacity battery pack - fake codec/ rootkit
eyelashes + adhesive - fake codec
camping turon gate - fake codec
greenville gremlins - fake codec
blueberry jam - mpack/ icepack
school closings in illinois parents - search engine hijack
las vegas wedding photographers - mdac read more »
Arthur C. Clarke dies, and Space.com gets hacked!
Can't you see the pattern emerging??
Seriously though, uplink.space.com (careful) has had an iframe injected into it, and it's reaching out to another seemingly hacked site (www.forvideo.at - careful),
and launching an encrypted JavaScript read more »
Something interesting
Hi folks,
hat-tip to Ståle Fagerland of Norman for noticing this article...
http://joongangdaily.joins.com/article/view.asp?aid=2886846 read more »
google defames saints ... bolts of lightning fall
I'm kidding, I'm kidding!!!!!!!
Update number 2: Feb 26, 2008, 6:30am est
Dang, that was quick. Some of the sites, such as St Kilda, and the Geelong Cats sites, are now correctly marked as clean. They're not all correct though ... the Brisbane Lions site is still incorrectly marked as dangerous, for example, but that was still quick for the others, and we hope that all will shortly be corrected. Shout-outs to google for reacting quickly!
Update number 1: read more »
Innocent searches for Nov 21 2007
Hi folks,
Here are some of the Innocent Searches that might get you into trouble from just today. There are rather a lot of them...
AREA MEASUREMENT - wrong choice gets a link to a known exploit site
recipe for bine turkey - what's a bine turkey? anyway, wrong choice gets a rootkit
currency converter - rootkit
americanexpress/activate - rootkit
sixth avenue electronics - rootkit
deltashuttle - rootkit
blue licenses holding - rootkit
office depot links paper templates - rootkit
knitted or crocheted dachshund patterns - rootkit read more »
Wow... this was quick
Hi folks,
I'm sure most people know about the horrific attack on the poor NYC psych. In the news tonight, we noticed that the police had arrested someone named David Tarloff for allegedly being the perp. With the web being what it is, we often find that if you look quickly, you can find personal pages about these people, often before the police get them taken down. Ok, it's a little morbid, but it's interesting at the same time.
So, when we googled for David Tarloff, here was the result... read more »
This is kind of funny
Hi folks,
We've been following up on the new Neosploit that we reported last night. This was actually a pretty high-profile site, so we wanted to notify them. We couldn't find a contact point on the hacked domain, but we found another subdomain that had an online support chat option, and we gave it a try. The conversation was sufficiently funny that we grabbed a screen capture (anonymized to protect the innocent). You might have to double-click it to read it, but it's worthwhile... read more »
Unfortunate hack at tax time
Hi folks,
We noticed a couple of Alabama county websites have been hacked, with a Neosploit call out to a website in Germany.
The two websites are...
hxxp://www.co.blount.al.us/ and
hxxp://www.blountrevenue.com/
(The actual exploit server in Germany seems to be 404 at the moment, but you should still be careful)
The second one is more interesting, particularly given the time of year. The front page looks like this ... read more »
GPack
Correction: Sorry folks... there's so much happening at the moment, I've merged a couple of kits in my mind. It's not a mix of vbscript and javascript. It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that. The rest of the write-up is reasonably accurate, and we'll continue to correct things as we find more.
Hi folks, read more »
UK .gov site hacked
Note: One of our users, John Thomson (no relation as far as I know :-) ) noticed this first and brought it to our attention. His blog entry is here ...
http://www.roundtripsolutions.com/blog/2008/02/06/317/forth-road-bridge-website-hacked/
Sorry John! :-)
Hi folks,
Sometime between the 1st Feb 2008, and the 3rd of Feb 2008, the official website for the Forth Estuary Transport Authority was hacked and an obfuscated iframe, using Neosploit encoding, was injected. read more »
Google plugs 'high risk' Chrome security holes
Google has shipped a new version of its Chrome browser to fix three high-risk security holes that expose web surfers to malicious hacker attacks. read more »
Well, there goes the Montana option
or at least the Idaho variant.
Hi folks,
One of our in-house jokes is that the only real way to be safe on the Internet is to sell all your computers and move to Montana.
Regrettably, today we noticed that the innocent and bucolic sounding boise.com was showing up as carrying a link to a known exploit site.
Thinking it couldn't possibly be so, we went to look at the website thusly... read more »
New Neo Now
(Sorry... the alliteration bug bit me)
Hi folks,
Last night, as the title suggests, we found a new version of Neosploit. It has two new exploits, one uses a clsid of EEE78591-FE22-11D0-8BEF-0060081841DE, which appears to be the ActiveVoice ActiveX dll from Microsoft, and the other clsid is 5F810AFC-BB5F-4416-BE63-E01DD117BD6C, which is the Music Jukebox control from Yahoo.
The most recent ActiveVoice exploit seems to be from about June 2007, but the most recent JukeBox exploit is from Feb 2008, so that's kind of interesting. read more »
Innocent searches for Nov 26 2007
Hi folks,
Our friends at Sunbelt have blogged about a massive push of malware here ... http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html
We agree. This is the same stuff we talk about when we talk about innocent searches, mostly anyway, and it must be working because there's a huge push at the moment. Please bear in mind that we see this nearly every day, but here are today's innocent searches... read more »