Monday, 30 April 2012

Backdoor:OSX/MacKontrol.A

Backdoor:OSX/MacKontrol.A connects to a remote server to receive further instructions, without the knowledge or permission from the user.

SOURCE Boston Security Conference and Training 2012 Day 2 - Dan Geer Keynote, Android Modding and Cloud Security

Dan Geer's fantastic keynote speech kicked off Day 2 of SOURCE Conference Boston this morning. The talk itself was heady and complex, something to keep up with. Notable talks also were Jeremy Westerman's "Covering *aaS - Cloud Security Case Studies for SaaS, PaaS and IaaS", and Dan Rosenberg's "Android Modding for the Security Practitioner".

"The internet will never be as free as it is this morning." Dan Geer is one of the best, sharpest computing/network security speakers around. His talk descended from a high-level, lengthy, example-laden description of most every developed nation's dependency on the internet: "Dependence with respect to the internet is transitive, dependence on television is not...We are at the point where it may no longer be possible to live your life without having a critical dependence on the Internet, even if you live at the end of a dirt road but still occasionally buy nails or gasoline." And, he wound through multiple examples of failures in US systems to provide fallback options. He talked about his little local bank, whom he wrote a letter to close down the auto-created online account he wouldn't use. They, as an exception, closed it down immediately. His 401k account administrator Fidelity Investments, on the other hand, would not accept customer instructions from him in writing. The company continues to send him mailed marketing content of all kinds in writing at the address from which he sends his letters. Their auditors apparently approve of Fidelity's rejection of customer-initiated hand-written delivered communications, instead, accepting email/online chat messaging or instructions over the phone. This discussion made its way through systems design, unified field theory, and fault tolerance, eventually landing on key points that intrusion prevention is agreed not to be a workable model, instead, the elegance of "intrusion tolerance" must be built into systems, and countries and organizations that cannot build tolerance into their systems are not sustainable. Favorite quotes: "forget the banks, it is the internet that is too big to fail", "Is there room for those who choose simply to not participate in the internet?", "HTML5 is Turing complete. HTML4 is not", and "Should we preserve a manual means? Preserving fallback is prudent if not essential."

Jeremy Westerman's "Covering *aaS - Cloud Security Case Studies..." presented several design cases for universities and other organizations. The single most important point to learn from this talk is that API key management is unfortunately not handled with as much urgency and awareness as private SSL keys in large organizations. This API key, in the context of multiple popular single sign-on (SSO) solutions in use at large universities, is the key to tens of thousands, if not hundreds of thousands, of email accounts. Similar API key schemes are implemented on IaaS solutions like the Xen-based Amazon EC2 environment and VMware vCloud Terremark environments. Without appropriate awareness, developers are storing that key in improper locations like the hard drive of the sign-on machine, or the developers themselves are storing keys on their development system hard drives in non-obvious places, emailing/"dropboxing" them around to each other and then simply transferring the same API keys to the production environment, instead of re-issuing production API keys. It is practically imperative that these keys are taken out of the hands of developers. These loose handling practices are bad news: file infectors like Sality and other viruses and worms previously high in our prevention stats have maintained functionality to steal FTP and web admin account passwords in order to silently host malicious code, encrypted or otherwise, on legitimate web sites without the owner's knowledge. In other words, developers have been effective and weak targets in the past for credential theft, enabling silent site compromise and malicious use.
Most schools don't want that - I remember one unfortunate notification at a small Arts college, where the web admin really didn't want to believe that the encrypted blob of data hosted on his school's web server was a viral payload updating other students' infected systems, located there because his credentials were Sality-stolen after trying to run cracked software distributed over a P2P network. Anyway, it happens and it can be planned for and prevented.

A gift from ZeuS for passengers of US Airways

Spam

On 20 March, we detected a spam campaign targeting passengers of US Airways. Almost the entire week cybercriminals were sending users the following email allegedly from US Airways:

There is a brief description of the check-in procedure and a confirmation code is provided for online reservation.

The criminals are obviously banking on any recipients flying on the flight mentioned in the email clicking on the link "Online reservation details".

Different emails contained different links - for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.

After clicking the link a series of redirects eventually leads to a domain hosting BlackHole Exploit Kit.

Exploit:W32/D-Encrypted.Gen

A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.

Patch Tuesday March 2012 - Remote Desktop Pre-Auth Ring0 Use-After-Free RCE!

Patch Tuesday March 2012 fixes a set of vulnerabilities in Microsoft technologies. The most interesting fixes patch a particularly problematic pre-authentication ring0 use-after-free and a DoS flaw in Remote Desktop, a DoS flaw in Microsoft DNS Server, and several less critical local EoP vulnerabilities.

It seems to me that every time a small or medium sized organization runs a network, the employees or members expect remote access. In turn, the Remote Desktop service is frequently exposed to public networks at organizations of this size, with no VPN and no restriction on who can reach it. RDP best practices should be followed, requiring strong authentication credentials and compartmentalized, restricted network access.

Some enterprises and other large organizations continue to maintain a "walled castle" and leave RDP accessible for support. The problem is that RDP-enabled mobile laptops and devices will make their way to coffee shops or other public wifi networks, where a user may configure a weak connection policy, exposing the laptop to attack. Once infected, the laptop is brought back inside the walled castle and infects large volumes of other connected systems from within. To help enterprises that may have patch rollout delays, Microsoft is providing a fix-it that enables Network Level Authentication (NLA) on the connection, so that a client must authenticate before it reaches the vulnerable code.
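The following PowerShell check is an added example, not code from the original post or from Microsoft. It reads the Remote Desktop listener settings from their standard Terminal Services registry locations so an administrator can confirm that Network Level Authentication, the mitigation the fix-it enables, is actually required on a host, and reports the other listener settings worth checking at the same time. The function names and the pass/fail rules are my own choices.

```powershell
# Added example: audit the Remote Desktop listener's authentication settings.
# Paths and value names are the standard Terminal Services registry locations.
$TsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsRoot 'WinStations\RDP-Tcp'

function Get-RdpHardeningStatus {
    # Read both keys; a missing key means the listener is not present at all.
    $ts  = Get-ItemProperty -Path $TsRoot -ErrorAction Stop
    $tcp = Get-ItemProperty -Path $RdpTcp -ErrorAction Stop

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        # fDenyTSConnections = 1 disables inbound Remote Desktop entirely.
        RdpEnabled         = ($ts.fDenyTSConnections -eq 0)
        # UserAuthentication = 1 requires Network Level Authentication (NLA):
        # the client authenticates via CredSSP before a session is created,
        # which keeps unauthenticated peers away from the pre-auth code path.
        NlaRequired        = ($tcp.UserAuthentication -eq 1)
        # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
        SecurityLayer      = [int]$tcp.SecurityLayer
        # MinEncryptionLevel: 1 = low, 2 = client compatible, 3 = high, 4 = FIPS.
        MinEncryptionLevel = [int]$tcp.MinEncryptionLevel
    }
}

function Test-RdpHardening {
    param([Parameter(Mandatory)] $Status)
    # Returns the findings an administrator should act on; nothing means compliant.
    $findings = @()
    if ($Status.RdpEnabled -and -not $Status.NlaRequired) {
        $findings += 'Network Level Authentication is not required; unauthenticated peers reach the listener.'
    }
    if ($Status.RdpEnabled -and $Status.SecurityLayer -lt 2) {
        $findings += 'TLS is not required for the RDP security layer.'
    }
    if ($Status.RdpEnabled -and $Status.MinEncryptionLevel -lt 3) {
        $findings += 'Minimum encryption level is below High.'
    }
    return $findings
}

$status = Get-RdpHardeningStatus
$status | Format-List
Test-RdpHardening -Status $status | ForEach-Object { Write-Warning $_ }

# Remediation (run elevated): require NLA on the listener. Not applied automatically here.
# Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
```

Run it from an elevated prompt on each host that exposes RDP; the warnings are the items to fix before relying on the fix-it as a stopgap for a delayed patch rollout.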

This past fall, we observed the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute force password guessing. It was spreading mainly because of extremely weak and poor password selection for administrative accounts! The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately. The fact that it's a ring0 use-after-free may complicate the matter, but Microsoft's team is rating its severity a "1" - most likely these characteristics will not delay the development of malicious code for this one. Do not delay patch rollout for CVE-2012-0002.
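As an added example, again not the original post's code, the PowerShell below looks for the footprint a password-guessing worm such as Morto leaves in the Windows Security log: repeated failed logons (event ID 4625) with logon type 10, the RemoteInteractive type used by Remote Desktop, from the same source address. The detection function works on plain objects, so it is run first against a small constructed sample; the threshold of 20 failures and the function names are assumptions of mine, not documented values.

```powershell
# Added example: flag sources generating many failed Remote Desktop logons.
# Event 4625 = "An account failed to log on"; LogonType 10 = RemoteInteractive (RDP).
function Get-RdpFailedLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = [int]$data['LogonType']
            Source    = $data['IpAddress']
            Account   = $data['TargetUserName']
        }
    }
}

function Find-RdpBruteForce {
    param(
        [Parameter(ValueFromPipeline)] $Record,
        [int]$Threshold = 20   # assumed tuning value, not a documented constant
    )
    begin   { $events = @() }
    process { if ($Record.LogonType -eq 10) { $events += $Record } }
    end {
        $events | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
            [pscustomobject]@{
                Source        = $_.Name
                Failures      = $_.Count
                AccountsTried = ($_.Group.Account | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Failures -Descending
    }
}

# Constructed sample: 25 guesses against admin-style accounts from one address,
# one legitimate typo from another, and a non-RDP failure that must be ignored,
# so that only 203.0.113.9 crosses the threshold.
$sample = @()
1..25 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = (Get-Date); LogonType = 10; Source = '203.0.113.9'
                                  Account = @('administrator', 'admin', 'root')[$_ % 3] }
}
$sample += [pscustomobject]@{ Time = (Get-Date); LogonType = 10; Source = '198.51.100.7'; Account = 'jsmith' }
$sample += [pscustomobject]@{ Time = (Get-Date); LogonType = 3;  Source = '203.0.113.9';  Account = 'svc' }

$sample | Find-RdpBruteForce -Threshold 20 | Format-Table -AutoSize

# Against the live Security log (run elevated):
# Get-RdpFailedLogons -Hours 24 | Find-RdpBruteForce -Threshold 20 | Format-Table -AutoSize
```

Reading the Security log requires an elevated session, and the IpAddress field is only populated for network-originated logons, so the same query run on a host that is not exposed should return nothing; a source that also tries several administrative account names in sequence is the pattern described above.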

Finally, for less technical readers, allow me to explain a little about what a "Remote Desktop pre-auth ring0 use-after-free RCE" really is. Remote Desktop is a remotely accessible service that enables folks to connect remotely to a Windows system and open a window to the desktop in an application as though you were sitting in front of the computer. Usually, you need to log in to the system to do that, so the system is fairly protected. Unfortunately, this bug is such that a remote attacker that can connect to the system's Remote Desktop service over the network can successfully attack the system without logging in. The "ring0" piece simply means that the vulnerable code exists deeply in the Windows system internals, or the kernel, of the operating system (most applications running on a system run in "ring3", or "user-mode"). "Use-after-free" is the type of vulnerability enabling the exploit, and this type of flaw is something that continues to be extremely difficult to weed out as predicted years ago, even as many of the more traditional low hanging stack and heap overflows have been stomped out by automated code reviews and better coding practices. And finally, RCE applies to the type of exploit enabled by the vulnerability, or "remote code execution", meaning an attacker can deliver malicious code of their choosing to the system and steal everything. There you go, "pre-auth ring0 use-after-free RCE".

Palm-sized Star Trek tech may be closer than you think

In the Star Trek universe, the tricorder is a handheld device used by Kirk, Spock, and various red-shirted crew members to make detailed scans of unfamiliar planets and even less familiar life-forms. It can be used in sick bay to diagnose intergalactic patients, and in engineering to find which part of the warp core is [...]

Practical Malware Analysis Book Promotion

Jury begins deliberations in Oracle-Google trial

A jury has started deliberations in a closely watched copyright infringement trial pitting Oracle against Google.

Backdoor:W32/Binanen.A

A dropper Trojan that contains malicious or potentially unwanted software, which it 'drops' and installs on the affected system.

Patch Tuesday April 2012 - Patching Multiple Web Based Client Side and Spearphishing Exposures

This month's Patch Tuesday fixes a small set of critical vulnerabilities in a variety of client side software and one "important" server side Forefront UAG data leakage/information disclosure issue. Six bulletins have been created to address eleven exploitable flaws. Three of the six bulletins are top priority and should be addressed ASAP. Among these are the MS12-023 bulletin, patching a set of five Internet Explorer vulnerabilities leading to remote code execution, and the MS12-027 bulletin, patching the MSCOMCTL ActiveX Control currently receiving some attention as part of very limited targeted attacks. If they must prioritize deployment, administrators should start their work here. Most folks should have automatic updates enabled and will silently receive the patches, or they can simply navigate their start menu and manually begin the Windows Update process.

RCE attacks abusing these six IE and ActiveX vulnerabilities would look like web browser redirections to malicious sites hosting web pages attacking Internet Explorer and emails carrying malicious attachments constructed to appear familiar to the targeted victim. These are currently significant vectors of attack for both consumer/home and corporate Microsoft product users.

Microsoft is also recommending that administrators prioritize the Authenticode flaw, which it rated critical and which could be used as part of targeted attacks. ActiveX controls can be delivered leveraging this vulnerability, so some distribution vectors may become more effective, because the flaw allows additions and modifications to existing signed code that do not invalidate the existing signature.

A vulnerability exists in the .NET Framework that allows XBAP applications to be run from the Internet Zone after a prompt. But any time a decision like that is left to a user, it seems that we have a 50/50 chance of successful exploitation. The remaining vulnerability in the Office converter is significant and may result in RCE, but is much less likely to be attacked.

Dangerous, but manageable.

Facebook inks deal with McAfee, Symantec, others for free antivirus

The social network says its blacklist has also been augmented by the security firms, which have offered up their own URL blacklist databases.

Pirate party raid on German politics

http://static.stuff.co.nz/1335734415/583/6828583.jpg

Pirates are capturing Germany's political system.

The party with the outlaw name started as a marginal club of computer nerds and hackers demanding online freedom, but its appeal as an anti-establishment movement has lured many young voters to the ballot boxes, catapulting it into two state parliaments in less than a year.

Will the Nook Become the Windows 8 iPad Killer?

With Microsoft putting $300,000 into Barnes and Noble's Nook business, the Windows 8 maker just bought itself something that could come in handy with that whole iPad killer strategy it's got going on. The investment actually secured a few useful things for the company: books and publishers and a tablet (all things Microsoft does not yet have) which will help all sorts of Windows 8 devices draw those who would otherwise go to Amazon's Kindle Fire for its giant library of reads or others who would head to Apple for its pretty OS. ...

Phishing at the Top Level

Opinion: ICANN and overbearing governments are gearing up for a major expansion of the attack surface of the DNS.

Backdoor:OSX/Olyx.C

Backdoor:OSX/Olyx.C connects to a remote server to receive further instructions, without the knowledge or permission from the user.

Trojan-Downloader:OSX/Flashback.C

Trojan-Downloader:OSX/Flashback.C poses as a Flash Player installer and connects to a remote host to obtain further installation files and configuration.

RSA Lays Off Security, Sales Staff

Layoffs are part of an ongoing restructuring across EMC caused by acquisitions that officials estimated in 2006 might ultimately claim 1,250 jobs.

House hearing: U.S. now under cyberattack

Congress hears testimony warning of increasing alliances between state and non-state actors targeting U.S. national interests.

Kaspersky: Mac security is '10 years behind Microsoft'

In an interview, the security firm's CEO says Apple has a lot more malware coming its way, and that it's not putting enough resources into protecting users.

Sunday, 29 April 2012

Think twice before installing Chrome extensions

Since November 2011, according to recent statistics, Google Chrome has become the most popular browser in Brazil (more than 45% of the market share).

The same is true for Facebook, which is now the most popular social network in Brazil, with a total of 42 million users, displacing Orkut.

These two facts are enough to motivate Brazil’s bad guys to turn their attentions to both platforms. This month we saw a huge wave of attacks targeting Brazilian users of Facebook, based on the distribution of malicious extensions. There are several themes used in these attacks, including “Change the color of your profile” and “Discover who visited your profile” and some bordering on social engineering such as “Learn how to remove the virus from your Facebook profile”:

1) Click on Install app, 2) Click on Allow or Continue, 3) Click on Install now, After doing these steps, close the browser and open again

This last one caught our attention not because it asks the user to install a malicious extension, but because the malicious extension is hosted at Google's official Chrome Web Store. If the user clicks on "Install aplicativo" he will be redirected to the official store. The malicious extension presents itself as "Adobe Flash Player":

A unique "fileless" bot attacks news site visitors

In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive.

The infection mechanism used by this malware proved to be very difficult to identify. The websites used to spread the infection are hosted on different platforms and have different architectures. None of our attempts to reproduce the infections were successful. A quick analysis of KSN statistics that might help to identify the connection between compromised resources and the malicious code being distributed did not yield any results, either. However, we did manage to find something that the news sites had in common.

One in five Macs 'infected' with malware is inaccurate

One in five Mac systems having malware is testament to the prevalence of Windows-based threats, and does not mean that one in five is "infected."

Trojan-Dropper:OSX/Revir.B

Trojan-Dropper:OSX/Revir.B drops and executes a backdoor program onto the system, while camouflaging its activity by opening a JPG file to distract the user.

Critical TCP/IP Worm Hole Dings Windows Vista

Microsoft has issued a high-priority security update to fix a pair of "critical" flaws that expose Windows users to remote code execution attacks.

Exploit:Java/Blackhole

Exploit:Java/Blackhole identifies a Java class module used as part of an exploit kit known as Blackhole.

Trojan:SymbOS/ZeusMitmo.A

When installed on a mobile phone, this trojan monitors all incoming SMS messages and acts as a backdoor for receiving commands sent by an attacker via SMS messages.

Apple in talks to stream EPIX films to Apple TV

Apple is reportedly in talks to stream films owned by EPIX, a joint venture among Paramount Pictures, Metro-Goldwyn-Mayer and Lionsgate, across a variety of devices, including the long-anticipated iTV, according to a report from Reuters. Two people with knowledge of the negotiations told the publication that the talks are in the preliminary stages and no agreement is considered near. The Cupertino-based company is reportedly looking to beef up the content offered through its Apple TV set-top box and upcoming devices. An agreement could prove troublesome, however, due to EPIX's $200 million agreement with Netflix, which gave the company exclusive streaming rights through September.

5 Reasons Microsoft SkyDrive is Better Than Google Drive

Amid the excitement over Google Drive, the search giant's new Dropbox competitor, Microsoft recently improved a similar online sync and storage service, SkyDrive. Microsoft added the ability to store files online and sync across multiple devices right from your Windows or OS X desktop. That puts SkyDrive squarely in competition with Dropbox and Drive, five years after Microsoft first introduced its online storage solution in 2007.

Trojan:BASH/QHost.WB

Trojan:BASH/QHost.WB hijacks web traffic by modifying the hosts.

Trojan:W32/AntiAV

Also known as a trojan horse program, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.

Rootkit:W32/Zxshell.B

Rootkit:W32/Zxshell.B is dropped by Backdoor:W32/Zxshell.A and basically functions as a protection mechanism for its main payload file.

Microsoft Security Essentials 4.0 ready for download

http://en.wikipedia.org/wiki/Microsoft_Security_Essentials

Microsoft made available for download a new release of its free anti-virus/anti-malware program for Windows PCs, Microsoft Security Essentials (MSE), on April 24.

The MSE 4.0 release is available via the Microsoft Download Center and the MSE Web site. (I learned of its availability from a post on Neowin today.) The latest version runs on Windows XP, Windows Vista and Windows 7.

Impressions: Fuzzing

Reforming the DisGrace Period

Opinion: Another step has been taken on the long, plodding path to maybe addressing the problem of Domain Tasting.

Trojan-Dropper:OSX/Revir.A

Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

Trojan:W32/Ransomcrypt

Trojan:W32/Ransomcrypt is ransomware that encrypts files on the affected computer and demands payment in order to provide a password decrypting the affected files.

Impressions: Web Application Security: A Beginner's Guide

Saturday, 28 April 2012

Worm:W32/Downadup.AL

Worm:W32/Conficker.AL is a variant of Worm:W32/Downadup that can spread using three different methods and is capable of hiding its actions on the infected machine, as well as downloading files from remote sites.

Time to party! Windows 7 is here!

It's only a few days away. The official launch of Windows 7 is here!

And of course, that means it's time to party!!! You may have heard about the Windows 7 House Parties that are being thrown all around the world. Basically thousands of small groups of people are getting together to see what Windows 7 can do.

Personally, I thought we needed to do more. So fellow MVP and friend Charlie Russel and I decided we would throw our own party. But focused on IT pros and not the consumer angle. We plan to have a lot of fun, showing the cool features of Windows 7 for IT pros like BitLocker, AppLocker and DirectAccess. We plan to bring a bunch of laptops and show new shell extensions, Powershell, new multitouch features and basically sit around and enjoy hours of Q&A for those that haven't tried it yet. We are even planning on installing Windows 7 on a guest's Macbook to show how well it does using Bootcamp on Apple hardware and even on small netbooks.

I also wanted to send a message out to the Vancouver IT community to clear up some misconceptions. This is a party hosted by Charlie and myself. This is NOT a Microsoft event. Microsoft was gracious enough to let us use their facility and even sprung for some of the cost for pizza. However, they never planned this out. Nor did the local VanTUG and VanSBS groups.

Our party is an INVITATION ONLY event. Because we are limited in our own budget and constrained in where we could have the party... we only have enough room for 75 people. So we could only allow a certain number of our friends to come. Charlie and I decided the best way to handle this would be to simply invite who we wanted, and then open it to our friends at the local user groups on a first come, first served basis. This is why there is a cap on the registration on the event, and why it booked up so quickly.

I am hearing through the grapevine that there is a LOT of dissent in the Vancouver IT community who feel that Microsoft, VanTUG and VanSBS did a poor job organizing this. LET ME BE CLEAR. This is a personal party that Charlie and I organized. If you were lucky enough to get an invitation and registered, great. But if you didn't, don't take it out on Microsoft, the local user groups or their leaders. It's not their fault!!!

We are using our own money and time to throw this party. Please be considerate and respect that we couldn't invite all of you. I am happy to see there is so much excitement about Windows 7 and that you wanted to party with us. And I am sorry if you feel it isn't fair that you didn't get invited. Please feel free to share your own Windows 7 experience, and host your own party. We may be the only IT pro party during the Windows 7 launch, but nothing says you can't have your own!

So party on. Welcome to a new world. Welcome to Windows 7!

Rogue:W32/SystemTool

This detection identifies a malicious program, typically used to deceive users into purchasing a fake application.

Clowns Base Key Financial Rate on Feelings, Not Data

The Hobbit's 48 FPS Format Ruins Film's Artistry, Previewers Complain

Cinematography has advanced considerably in the decade since Peter Jackson ceased filming The Lord of the Rings, a three-part epic based on the novels of J.R.R. Tolkien, at the standard film rate of 24 frames per second.

Top 10 Twitter Pics of the Week

1. 9GAG Tweets

Virus:W32/Ramnit.N

A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Other:W32/False Positive

This detection was unintentionally triggered on a JavaScript file associated with Google Analytics. A Hydra exclusion for this detection (2010-12-10_01) was released at 0052 UTC on 10th December, followed by an Aquarius database update (2010-12-10_03) released at 0215 UTC which removes the detection entirely. Please ensure your database is updated to resolve this issue.

RunAs Radio podcasts you might want to listen to

Hey guys. I noticed Twitter is abuzz with a few podcast interviews I did on RunAs Radio lately. I thought I would post the links for those of you who don't follow such tweets.

There were two interviews I did last month:

The first interview was a discussion of free tools available for network monitoring and diagnostics. The second was some in-depth discussion on using DirectAccess with Windows 7 and Windows Server 2008 R2. I do hope you find both interviews fun and useful.

Enjoy!

The Toughest Question in Digital Security

Trojan-Downloader:W32/KDV-176347

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Wireless providers side with cops over users on location privacy

The trade association representing AT&T, Verizon, and Sprint opposes a California proposal for search warrants to track mobile devices, claiming it will cause "confusion."

What financial reports reveal about entertainment

Here is a summary of recent financial reports for selected entertainment companies:

CanSecWest: Let's talk about non-targeted attacks

Today is the last day of CanSecWest - a security conference taking place in Vancouver, Canada. On Wednesday I filled in for Costin Raiu and talked about our forensics work into Duqu's C&C servers.

As I'm writing this, Google Chrome just got popped. Again. The general feeling is that $60k, even with a sandbox escape, isn't a whole lot of money for a Chrome zero-day. So, to see multiple zero-days against Chrome is quite the surprise, especially when considering the browser's Pwn2Own track record.

Separately, I found the Q&A session following Facebook's Alex Rice’s presentation immensely intriguing.

0Day Remote Password Reset Vulnerability in MSN Hotmail patched

Microsoft's MSN Hotmail (Live) email service currently hosts over 350 million unique users. A Vulnerability Laboratory senior researcher, Benjamin Kunz Mejri, identified a critical security vulnerability in Microsoft's official MSN Hotmail (Live) service. A critical vulnerability was found in the password reset functionality of Microsoft's official MSN Hotmail service.

Telling a Security Story with Charts

Passenger Hacks NYC Taxi Computer System

The problem is more significant than GPS objections, according to the software engineer who hacked the system.

Friday, 27 April 2012

Patch Tuesday March 2012 - Remote Desktop Pre-Auth Ring0 Use-After-Free RCE!

Patch Tuesday March 2012 fixes a set of vulnerabilities in Microsoft technologies. Interesting fixes rolled out will patch a particularly problematic pre-authentication ring0 use-after-free in Remote Desktop and a DoS flaw, a DoS flaw in Microsoft DNS Server, and several less critical local EoP vulnerabilities.

It seems to me that every time a small and medium sized organization runs a network, the employees or members expect remote access. In turn, this Remote Desktop service is frequently exposed to public networks with lazy, no-VPN or restricted communications at these sized organizations. RDP best practices should be followed requiring strong authentication credentials and compartmentalized, restricted network access.

Some enterprises and other large organizations continue to maintain a "walled castle" and leave RDP accessible for support. The problem is that RDP-enabled mobile laptops and devices make their way to coffee shops and other public wifi networks, where a user may configure a weak connection policy, exposing the laptop to attack. Once infected, the laptop is brought back inside the walled castle and infects large numbers of other connected systems from within. To help enterprises that may have patch rollout delays, Microsoft is providing a Fix it that enables Network Level Authentication (NLA) on the connection, so that a client must authenticate before the vulnerable code can be reached, protecting against exploitation of the vulnerability.

This past fall, we observed the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute-force password guessing. It was spreading mainly because of extremely weak and poor password selection for administrative accounts! The Morto incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately. The fact that it's a ring0 use-after-free may complicate exploit development, but Microsoft's team rates its Exploitability Index a "1" (consistent exploit code likely), so these characteristics most likely will not delay the development of malicious code for this one. Do not delay patch rollout for CVE-2012-0002.

Finally, for less technical readers, allow me to explain a little about what a "Remote Desktop pre-auth ring0 use-after-free RCE" really is. Remote Desktop is a remotely accessible service that enables folks to connect remotely to a Windows system and open a window to the desktop in an application as though you were sitting in front of the computer. Usually, you need to log in to the system to do that, so the system is fairly protected. Unfortunately, this bug is such that a remote attacker that can connect to the system's Remote Desktop service over the network can successfully attack the system without logging in. The "ring0" piece simply means that the vulnerable code exists deeply in the Windows system internals, or the kernel, of the operating system (most applications running on a system run in "ring3", or "user-mode"). "Use-after-free" is the type of vulnerability enabling the exploit, and this type of flaw is something that continues to be extremely difficult to weed out as predicted years ago, even as many of the more traditional low hanging stack and heap overflows have been stomped out by automated code reviews and better coding practices. And finally, RCE applies to the type of exploit enabled by the vulnerability, or "remote code execution", meaning an attacker can deliver malicious code of their choosing to the system and steal everything. There you go, "pre-auth ring0 use-after-free RCE".

Flashfake Mac OS X botnet confirmed

Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet, Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500,000 infected Mac machines.

We followed up with an analysis of the latest variant of this bot, Trojan-Downloader.OSX.Flashfake.ab.

It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute.

The bot locates its C&C servers by domain names, and these names are generated using two algorithms. The first algorithm depends on the current date, and the second algorithm uses several variables that are stored in the Trojan’s body and encrypted with the computer’s hardware UUID using RC4 cipher.

We reverse engineered the first domain generation algorithm and used the current date, 6 April 2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.

Geographical distribution of active Flashfake bots

We cannot confirm nor deny that all of the bots that connected to our server were running Mac OS X. The bots can only be identified by a unique variable in their User-Agent HTTP header named "id"; the rest of the User-Agent is a fixed string controlled by the Trojan. See the example below:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"

We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs.

Approximate distribution of OSes used to connect to our server
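Sinkhole triage of the kind described above, as an added example that is not code from the original post or from Kaspersky: it pulls the hardware UUID out of the bot's fixed User-Agent string, counts unique bots versus the IP addresses they came from, and attaches a crude passive OS guess from the TCP TTL and window size. The log lines are constructed for this example, the log format (client IP, TTL, window, User-Agent) is assumed, and the TTL/window heuristic is a deliberately simplified stand-in for a real fingerprinting tool such as p0f.

```python
import re
from collections import Counter

# Constructed sinkhole access-log sample (made up for this example, not real
# Flashfake traffic). Assumed columns: client_ip ttl tcp_window "User-Agent".
SAMPLE_LOG = """\
198.51.100.7 64 65535 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"
198.51.100.7 64 65535 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"
203.0.113.42 64 65535 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:1A2B3C4D-0000-5BCF-0000-0000DEADBEEF) Gecko/20100101 Firefox/9.0.1"
203.0.113.43 64 65535 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:1A2B3C4D-0000-5BCF-0000-0000DEADBEEF) Gecko/20100101 Firefox/9.0.1"
192.0.2.9 128 8192 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:55555555-0000-5BCF-0000-000000000001) Gecko/20100101 Firefox/9.0.1"
192.0.2.10 128 8192 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+)\s+(?P<ttl>\d+)\s+(?P<win>\d+)\s+"(?P<ua>[^"]*)"\s*$')
# The only per-host marker the bot exposes: the "id:" field carrying the
# hardware UUID; everything else in the User-Agent is a fixed string.
BOT_ID_RE = re.compile(r'\bid:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})', re.I)


def bot_id(user_agent):
    """Return the bot's hardware UUID from its User-Agent, or None for a non-bot hit."""
    m = BOT_ID_RE.search(user_agent)
    return m.group(1).upper() if m else None


def guess_os(ttl, window):
    """Crude passive fingerprint (an assumption of this example, not p0f's real
    signature database): initial TTL 64 with a 65535 window is typical of
    Mac OS X / BSD stacks, a TTL up to 128 of Windows."""
    if ttl <= 64 and window == 65535:
        return "macosx-like"
    if 64 < ttl <= 128:
        return "windows-like"
    return "unknown"


def summarize(log_text):
    """Count unique bots (by UUID), the IPs they used, and per-bot OS guesses."""
    ips_per_bot = {}
    os_per_bot = {}
    non_bot = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than miscount
        bid = bot_id(m["ua"])
        if bid is None:
            non_bot += 1
            continue
        ips_per_bot.setdefault(bid, set()).add(m["ip"])
        # OS guess is taken from the first packet seen for each bot
        os_per_bot.setdefault(bid, guess_os(int(m["ttl"]), int(m["win"])))
    return {
        "unique_bots": len(ips_per_bot),
        "unique_ips": len(set().union(*ips_per_bot.values())),
        "non_bot_requests": non_bot,
        "os_guess": Counter(os_per_bot.values()),
        "bots_on_multiple_ips": sorted(b for b, ips in ips_per_bot.items() if len(ips) > 1),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The UUID, not the IP, is the unit of counting: the bot with id 1A2B3C4D-... shows up from two addresses, which is the same effect that lets the post's 620 000+ IPs exceed its 600 000+ bots. And a host whose User-Agent claims Firefox on Windows NT 6.1 but whose packets arrive with a TTL of 64 and a 65535-byte window is exactly the mismatch the passive fingerprinting relied on.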

Rogue:W32/SystemTool

This detection identifies a malicious program, typically used to deceive users into purchasing a fake application.

Republic Wireless Sending Out Invitations for Unlimited Data

Republic Wireless is a small startup that drew a lot of attention last year when it offered a $19 per month "unlimited" prepaid data plan. At the time, the plan was not truly unlimited because it came with the caveat that if you used too many minutes or megabytes you would be asked to cut down or leave altogether. That restriction has since been lifted; Republic Wireless' plans are now truly unlimited, and offer all-you-can-eat data, texting and voice minutes for $19 a month.

Trojan:W32/Yakes

Trojan:W32/Yakes variants attempt to connect to and download files from remote servers.

Patch Tuesday April 2012 - Patching Multiple Web Based Client Side and Spearphishing Exposures

This month's Patch Tuesday fixes a small set of critical vulnerabilities in a variety of client-side software and one "important" server-side Forefront UAG data leakage/information disclosure issue. Six bulletins have been created to address eleven exploitable flaws. Three of the six bulletins are top priority and should be addressed ASAP; chief among them are MS12-023, patching a set of five Internet Explorer vulnerabilities leading to remote code execution, and MS12-027, patching the MSCOMCTL ActiveX control that is currently receiving some attention as part of very limited targeted attacks. If they must prioritize deployment, administrators should start here. Most folks will have automatic updates enabled and will silently receive the patches, or they can simply navigate their Start menu and manually begin the Windows Update process.

RCE attacks abusing these six IE and ActiveX vulnerabilities would look like web browser redirections to malicious sites hosting web pages attacking Internet Explorer and emails carrying malicious attachments constructed to appear familiar to the targeted victim. These are currently significant vectors of attack for both consumer/home and corporate Microsoft product users.

Microsoft also recommends that administrators prioritize the Authenticode flaw, which it rated critical and which could be used as part of targeted attacks. The flaw allows additions and modifications to an already-signed executable that do not invalidate the existing signature, and since ActiveX controls can be delivered this way, some distribution vectors may become more effective.

A vulnerability exists in the .NET Framework, allowing XBAP applications to be run from the Internet Zone after a prompt. But any time a decision like that is left to a user, it seems we have a 50/50 chance of successful exploitation. The remaining vulnerability, in the Office converter, is significant and may result in RCE, but is much less likely to be attacked.

Dangerous, but manageable.

Rootkit:W32/ZAccess

Rootkit:W32/ZAccess constantly displays advertisements on the infected machine and may silently contact remote servers to retrieve additional advertising information.

This Projector Lets You Watch TV, Play Games on Any Wall

The Summer Gadget Series is presented by the Galaxy Nexus from Sprint. Android 4.0, Google Wallet and Google Play make it pure Google. Truly Unlimited data from Sprint makes it unstoppable. Check it out.

Application:W32/InstallCore

InstallCore is an advertising module that displays targeted advertising material.

Monitoring-Tool:Android/SpyBubble.A

Monitoring-Tool:Android/SpyBubble.A is a commercially available tracking tool.

Exploit:Java/Blackhole

Exploit:Java/Blackhole identifies a Java class module used as part of an exploit kit known as Blackhole.

Backdoor:W32/Zxshell.A

Backdoor:W32/Zxshell.A is a DLL file with an exported function ("Install"), which is called to install the backdoor.

Microsoft Security Essentials 4.0 ready for download

Microsoft made available for download a new release of its free anti-virus/anti-malware program for Windows PCs, Microsoft Security Essentials (MSE), on April 24.

The MSE 4.0 release is available via the Microsoft Download Center and the MSE Web site. (I learned of its availability from a post on Neowin today.) The latest version runs on Windows XP, Windows Vista and Windows 7.

FTC hires outside lawyer to steer Google probe

The Federal Trade Commission has hired a prominent trial lawyer to oversee its broad investigation into Google's business practices, signaling the agency is troubled by what it has discovered so far in its year-old probe.

Announcing Elevation of Privilege: The Threat Modeling Game

I have had the pleasure over the past few months to spend some time playing with an early rendition of " Elevation of Privilege: The Threat Modeling Game". According to Adam, "Elevation of Privilege is the easiest way to get started threat modeling".  I couldn't agree more. If you have a team that is new to the whole process of threat modeling, you will want to check it out. If you are at RSA this week, drop by the Microsoft booth and pick the game up for free. If you aren't, you can download it here.

EoP is a card game for 3-6 players. The deck contains 74 playing cards in 6 suits: one suit for each of the STRIDE threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of Privilege). Each card has a more specific threat on it. You can see a short video on how to play and some more information about the game by checking out Adam's post here. In the end, it is a game that makes it possible to have more fun when thinking about threats. And that's a good thing.

Even more impressive is that they have released the game under a Creative Commons Attribution license, which gives you the freedom to share, adapt and remix the game. So if you feel you can improve on this, step up and let everyone know!

Congratulations to the SDL team at Microsoft for creating an innovative way to approach the concept of threat modeling.

5 Reasons Microsoft SkyDrive is Better Than Google Drive

Amid the excitement over Google Drive, the search giant's new Dropbox competitor, Microsoft recently improved a similar online sync and storage service, SkyDrive. Microsoft added the ability to store files online and sync across multiple devices right from your Windows or OS X desktop. That puts SkyDrive squarely in competition with Dropbox and Drive, five years after Microsoft first introduced its online storage solution in 2007.

26 Nisan 2012 Perşembe

Backdoor:OSX/Tsunami.A

Backdoor:OSX/Tsunami.A is a distributed denial-of-service (DDoS) flooder that is also capable of downloading files and executing shell commands in an infected system.

CISPA veto recommended by White House

Not a fan of CISPA? Fear not. President Barack Obama isn't either. A Wednesday e-mail released by the Office of Management and Budget made very clear that should the bill reach the president's desk in its current form, "his senior advisors would recommend that he veto the bill."

Zynga reports 1Q net loss, higher revenue

Online games company Zynga reported a net loss in the first quarter because of stock-compensation expenses, but adjusted earnings were better than Wall Street expected.

Trojan:W32/Reveton

Trojan:W32/Reveton is a Ransomware application. It fraudulently claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a 'fine' must be paid to restore normal access.

The mystery of Duqu: Part Ten

At the end of last year the authors of Duqu and Stuxnet tried to eliminate all traces of their activity. They wiped all the servers they had used since 2009 or even earlier. The cleanup happened on October 20.

There were virtually no traces of Duqu since then. But several days ago our colleagues at Symantec announced that they had found a new in-the-wild driver that is very similar to the known Duqu drivers. Previous versions of the Duqu driver were compiled on Nov 3 2010 and Oct 17 2011; the new driver was compiled on Feb 23 2012.

So, the authors of Duqu are back after a four-month break.

Duqu is back

The newly discovered driver does not contain any new functionality compared to its previous versions. The code contains only minor modifications, and they were most likely made to evade detection by antivirus programs and detection tools such as the CrySyS Duqu Toolkit. Here's a list of changes compared to older versions:

  • The code was compiled with different optimization settings and/or inline attributes of functions.
  • The size of the EXE stub that is injected with the PNF DLL was increased by 32 bytes.
  • The LoadImageNotifyRoutine routine now compares the module name with "KERNEL32.DLL" using hash checksums instead of a simple string comparison.
  • The size of the encrypted configuration block was increased from 428 to 574 bytes. There are no new fields in the block, but the size of the registry value name ("FILTER") field was increased. This makes the registry value name easily modifiable, probably for future use.
  • The algorithm of the two subroutines that decrypt the encrypted config block, registry value and PNF DLL has been changed. This is the third known algorithm used in the Duqu encryption subroutines.
  • The algorithm of the hash function for the APIs has changed. All the hash values were changed correspondingly.

Old hash function, used in previous versions of the Duqu driver:

New hash function:

The fact that the new driver was found in Iran confirms that most of Duqu incidents are related to this country.

Virus:W32/Ramnit.N

A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Rootkit:W32/Zxshell.B

Rootkit:W32/Zxshell.B is dropped by Backdoor:W32/Zxshell.A and basically functions as a protection mechanism for its main payload file.

Salvaging Poorly Worded Statistics

Facebook announce Antivirus Marketplace

http://newsroom.fb.com/Announcements/Announcing-the-Antivirus-Marketplace-14e.as

Facebook officials are launching a site on their social network aimed at making their 900 million-plus users and their systems more secure.

Facebook, in partnership with Microsoft, McAfee, Symantec, Trend Micro and Sophos, on April 25 announced the Antivirus Marketplace, where users can download free six-month licenses or full versions of the companies' anti-malware software for six months to a year, depending on which products they choose.

Using TS RemoteApp as an attack vector

So in today's session at SMBNation, I showed how to use TS RemoteApp with TS Gateway on SBS 2008 to deliver remote applications through Remote Web Workplace. It is one of the coolest features in the Windows Server 2008 operating system. But we have to remember what it's doing.

Part of the conversation we had was on the difference between local desktop display in TS RemoteApp vs. just having a full desktop on the Terminal Server. One issue that came up was that as a RemoteApp, you can't run other applications.

Well, that is not actually true. If you think that, then a TS RemoteApp has the ability to be an attack vector for you. What do I mean? Well, below is a screen shot of what happens if you hit CTRL-ALT-END with the cursor focused on the RemoteApp window (in this case MS Paint running remotely):

At this point, you can run Task Manager, then hit File->Run and run something else. In my case, I showed a few people afterwards how to start cmd and start exploring the network. Now, you will only have the privileges of the user account you are logged in as, but it is still something you have to be careful about. If you think a RemoteApp bundle prevents access to other applications or the network, you are wrong.

So is this bad? No. Is it really an attack vector? No. You just need to understand that when allowing ANY type of Terminal Services based access, you have to restrict the policies and access accordingly, no matter if it's local or remote. Running a TS RemoteApp bundle of Office will display on the local desktop, but it is STILL running on the Terminal Server. So it will browse the network the Terminal Server is connected to as its local network. It will also browse your own drives mapped via tsclient. So you have to remember that.

Hope that's useful. A TS RemoteApp bundle does NOT mean you won't have access to the TS desktop when displaying remotely on your personal desktop. And that's not a bad thing. TS RemoteApp is a convenient way to extend the workspace to your local machine, anywhere in the world. No pun intended. That's its power... and the benefit. Great remote productivity enhancement in Windows Server 2008. Use it. (Safely, of course.)

Adware:W32/ClickPotato.A

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Trojan:Android/YZHCSMS.A

Trojan:Android/YZHCSMS.A sends SMS/MMS messages to premium rate numbers, potentially incurring unexpected/unwanted usage charges.

Slim's America Movil to get big push from Brazil

MEXICO CITY (Reuters) - Cell phone company America Movil, the jewel in the crown of Mexican tycoon Carlos Slim's empire, is set to post a double-digit jump in first-quarter net profit and revenues, driven by the addition of Brazil's cable television company Net Servicos. America Movil, which analysts estimate may have added another 4.7 million mobile subscribers in the January-March period, absorbed Net Servicos earlier this year. ...


Twenty Reasons To Jailbreak iOS 5

Jailbreaking has been a controversial issue for many for some time. Some people today are still under the impression jailbreaking is illegal. I am glad to inform everyone jailbreaking is 100% legal. The only issue that could arise from jailbreaking is a voided warranty. If you take the iOS device into an Apple store in the jailbroken state, they will not cover the warranty. However, if you restore the device before returning it to Apple, the device will be covered under the warranty. So I guess it's a little deceiving, but if you are having issues with your device, it wil

China's Huawei may start selling its own mobile chips

Chinese handset maker Huawei Technologies expects its smartphone chip business will help further drive revenue, signaling that the company could try to compete in the world's mobile chip market.

"In the future, whether it be mobile broadband devices, tablets, or smartphones, Huawei will be able to provide its own core chip solution," said Huawei executive vice president Eric Xu.

25 Nisan 2012 Çarşamba

Samsung Galaxy Note headed to T-Mobile according to leaked photos

Samsung's smartphone-tablet hybrid, the Galaxy Note, is currently available exclusively on AT&T in the United States. According to leaked images published by TmoNews, however, the supersized handset will soon be making its way onto T-Mobile. Subscribers on the nation's fourth-largest carrier were previously limited to software hacks in order to grant the popular 'phablet' access to T-Mobile's HSPA+ network. The leaked images suggest that the device is running Android 4.0.3 Ice Cream Sandwich and contains the usual preloaded T-Mobile apps: Name ID, Mall, TV and My T-Mobile. No details regarding a launch time frame were made available.


Trojan:W32/AntiAV

Also known as a trojan horse program, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.

Leap 1Q loss expands on higher interest costs

Leap Wireless International Inc., the nation's sixth largest cellphone carrier and operator of the Cricket brand, said Wednesday that its net loss in the first quarter expanded as higher interest expenses overwhelmed a smaller operating loss. The results were worse than analysts expected and Leap's shares fell.

Practical Malware Analysis Book Promotion

The mystery of Duqu Framework solved

The Quest for Identification

In my previous blogpost about the Duqu Framework, I described one of the biggest remaining mysteries about Duqu - the oddities of the C&C communications module which appears to have been written in a different language than the rest of the Duqu code. As technical experts, we found this question very interesting and puzzling and we wanted to share it with the community.

The feedback we received exceeded our wildest expectations. We got more than 200 comments and 60+ e-mail messages with suggestions about possible languages and frameworks that could have been used for generating the Duqu Framework code. We would like to say a big ‘Thank you!’ to everyone who participated in this quest to help us identify the mysterious code.

Let us review the most popular suggestions we got from you:

  • Variants of LISP
  • Forth
  • Erlang
  • Google Go
  • Delphi
  • OO C
  • Old compilers for C++ and other languages

Apple growth hinges on China, new devices

SAN FRANCISCO (Reuters) - Sometimes even eye-popping results are not enough. Apple Inc's shares may have risen 9 percent on Wednesday on the back of another spectacular quarter that included soaring iPhone sales in China, but the naysayers are still asking if the most valuable American company might need yet another revolutionary product in the next year to sustain its sizzling growth. The skeptics certainly lost some credibility when the company's shares surged 9 percent on Wednesday, adding about $50 billion to Apple's market value, but some have not been silenced. ...


OS X Mass Exploitation - Why Now?

Market share! It’s an easy answer, but not the only one.

In 2011, Apple was estimated to account for over 5% of worldwide desktop/laptop market share. This barrier was a significant one to break: Linux maintains under 2% market share and Google ChromeOS even less. This 15-year peak coincided with the first exploration of Apple computers by the aggressive FakeAV/rogueware market, which we discovered and posted about in April 2011 and again in May 2011, and which no longer seems such an odd coincidence. Also, the delay in Apple malware until now most likely was not because Apple exploits were unavailable, or because Mac OS X is especially hardened. The 2007 "Month of Apple Bugs" demonstrated that Mac OS X and its supporting code are full of exploitable flaws. Safari, QuickTime, and other software on Apple devices are regularly exploited during pwnage contests, but widespread cybercrime attention hadn't caught on until this past year.

At this point, we still don't know who is behind Flashfake, so we don't know for sure that they were the same Mac OS X FakeAV/rogueware group. A fairly confident guess right now is that Eastern European cybercrime is behind the botnet: there are known groups from the region that have succeeded at wringing ad revenue from traffic hijacking. We don't believe that other sensitive data has been targeted, and the exploit distribution URLs we are aware of have only targeted Mac users. These factors limit the operational and technical needs of a financially motivated cybercrime gang.

In a sense, their activity appears somewhat similar to that of the Koobface or TDSS gangs. They haven't committed large, unique financial crimes that would attract the attention of law enforcement; although their malware contains hooks and other code capable of more sophisticated banking crime than search traffic hijacking, they most likely were looking to make a multitude of small financial gains. On the other hand, thankfully, Apple hasn't given these guys ample notice to make their run. There can be plenty of money in that business: it is estimated that the Koobface guys ran off with millions after Facebook "outed" their operation under investigation. But based on the domain registrations we have examined, these individuals are not so public and are hiding their identities while they hijack search engine traffic. The malware itself injects a number of hooks into running applications, much like Zeus, SpyEye and other spyware. If these were used for financial crimes, the group operating this botnet would need to organize money mules and accomplices to launder the stolen money, which would grow the group and attract the attention of other authorities.

On the technology side, Java is a big part of the puzzle. Although the Trojan is called Flashfake because users were being convinced to install the malware as an Adobe Flash update, more recent versions of the malware were being installed via client-side Java exploitation.

Three vulnerabilities were targeted with client-side exploits; none of them were 0day, which seem to have become much more difficult to come by. Besides, this set worked just as well for these operators. It is interesting to note the duration of time from the original Oracle Java security update to the Apple Java security update, and when within that timeframe the related offensive security research publicly appeared. And when were Metasploit open source exploit modules released targeting the related Java vulnerabilities? The windows of time may be alarming: these are not 0day exploits, but Apple simply hadn't released patches, leaving their customers exposed to the equivalent of known 0day exploits.

CVE-2012-0507 (AtomicReferenceArray)

2012-02-15 Oracle patches the AtomicReferenceArray vulnerability

2012-03-10 First ITW (in-the-wild) exploits targeting the vulnerability

2012-03-30 Metasploit developers add the Java AtomicReferenceArray exploit module

2012-04-03 Apple patches their code

CVE-2011-3544 (Rhino script engine)

2011-05-12 Reported to vendor

2011-11-18 Oracle patches Java SE

2011-11-30 Metasploit developers add the "Rhino exploit" module

2011-11-30 Krebs reports an operational Blackhole site using the new Java exploit

2012-03-29 Patched by Apple

CVE-2008-5353 ("Deserializing Calendar objects")

2008-08-01 Reported to Sun with the first instance of the vulnerability

2008-12-03 Sun patches their code (Sun link down)

2009-05-15 Apple patches the Mac OS X code

2009-06-16 Metasploit developers add the Java deserialization exploit module
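To put numbers on the "windows of time" the post describes, here is an added Python example (not from the original post or from Kaspersky) that transcribes the three timelines above and computes, for each CVE, how many days Apple's Java users went without a fix after Oracle or Sun had already shipped one, and whether public exploit code or in-the-wild use fell inside that window. The dates are exactly those listed above; the dictionary layout and function names are my own.

```python
from datetime import date

# Timeline events transcribed from the post's list. Where the post gives no
# in-the-wild date (CVE-2008-5353) the entry is None.
TIMELINES = {
    "CVE-2012-0507": {
        "upstream_fix": date(2012, 2, 15),    # Oracle patch
        "apple_fix": date(2012, 4, 3),
        "public_exploit": date(2012, 3, 30),  # Metasploit module added
        "first_itw": date(2012, 3, 10),
    },
    "CVE-2011-3544": {
        "upstream_fix": date(2011, 11, 18),   # Oracle patch
        "apple_fix": date(2012, 3, 29),
        "public_exploit": date(2011, 11, 30), # Metasploit "Rhino" module
        "first_itw": date(2011, 11, 30),      # Blackhole site reported by Krebs
    },
    "CVE-2008-5353": {
        "upstream_fix": date(2008, 12, 3),    # Sun patch
        "apple_fix": date(2009, 5, 15),
        "public_exploit": date(2009, 6, 16),  # Metasploit module added
        "first_itw": None,                    # not given in the post
    },
}


def exposure_window(events):
    """Days between the upstream (Oracle/Sun) fix and Apple's fix."""
    return (events["apple_fix"] - events["upstream_fix"]).days


def exploit_inside_window(events, key="public_exploit"):
    """True if the dated event fell on/after the upstream fix but before Apple's
    fix, i.e. Apple's users were exposed to a publicly documented exploit with
    no patch available to them. None when the post gives no date."""
    when = events.get(key)
    if when is None:
        return None
    return events["upstream_fix"] <= when < events["apple_fix"]


def summarize(timelines=TIMELINES):
    """One row per CVE: window length and whether exploit code / ITW use
    landed inside the unpatched window."""
    rows = {}
    for cve, events in timelines.items():
        rows[cve] = {
            "window_days": exposure_window(events),
            "public_exploit_in_window": exploit_inside_window(events),
            "itw_in_window": exploit_inside_window(events, "first_itw"),
        }
    return rows


if __name__ == "__main__":
    for cve, row in summarize().items():
        print(cve, row)
```

Run as a script it prints one row per CVE; the same functions can be fed any vendor-lag timeline you track internally, since the argument is the timing pattern the post is drawing attention to, not these three bugs specifically.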

Also on this list is a lame exploit described as a signed applet social engineering trick.

I'd prefer to call it the "terribly confused user presented with the Java 'do you want to trust this applet?' dialog who will run anything you present them" gamble. It first became a part of the Metasploit exploit module list on 2010-01-27. Basically, these guys present the user with a file that the user thinks is a JavaUpdate provided by Apple Inc. itself, and the user grants it trust to perform any action on their machine. The downloader will then communicate with a couple of sites to register and download new Flashfake components. These components, in turn, collect the system UUID and a timestamp, then use a cryptographic algorithm to auto-generate a set of C2 domains, while also maintaining a list of hard-coded domains. A couple of the newer components inject into running processes on the system, hooking software functionality and hijacking traffic, much like past TDS malware.
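The mix of algorithmically generated C2 domains plus a hard-coded fallback list described above is what lets defenders get ahead of a botnet: if the generator is deterministic from a known seed, the candidate domains for today and the next few days can be precomputed and sinkholed, registered, or matched against DNS logs. The following is an added Python example, not code from the post or from the malware; the SHA-256-over-date generator is a hypothetical stand-in (Flashfake's real algorithm is not reproduced here), and the fallback domain, client addresses and DNS log lines are constructed samples.

```python
import hashlib
from datetime import date, timedelta

# Constructed placeholder for the malware's hard-coded fallback domains.
# Not a real indicator; swap in the list from your own analysis.
HARDCODED_C2 = {"static-fallback.example"}


def generate_candidates(seed_date, count=5, tld="example"):
    """Hypothetical date-seeded generator: SHA-256 over the ISO date and an
    index, first 12 hex digits used as the label. Illustrative only."""
    labels = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_date.isoformat()}:{i}".encode()).hexdigest()
        labels.append(f"{digest[:12]}.{tld}")
    return labels


def build_watchlist(today, lookahead_days=3):
    """Precompute candidates for today and the next few days so they can be
    sinkholed or blocked before infected hosts roll over to them, and fold in
    the hard-coded fallbacks."""
    watch = set(HARDCODED_C2)
    for offset in range(lookahead_days + 1):
        watch.update(generate_candidates(today + timedelta(days=offset)))
    return watch


def flag_queries(log_lines, watchlist):
    """Parse constructed 'timestamp client qname' DNS log lines and return
    (client, qname, reason) for every lookup that hits the watchlist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in HARDCODED_C2:
            hits.append((client, qname, "hard-coded C2"))
        elif qname in watchlist:
            hits.append((client, qname, "DGA candidate"))
    return hits


def demo(today=date(2012, 4, 3)):
    """Run the detector over a constructed log containing one DGA lookup,
    one fallback-domain lookup and two benign lookups."""
    dga_name = generate_candidates(today)[0]
    sample_log = [
        f"{today}T09:00:01 10.0.0.5 updates.example",
        f"{today}T09:00:02 10.0.0.5 {dga_name}",
        f"{today}T09:00:03 10.0.0.7 static-fallback.example.",
        f"{today}T09:00:04 10.0.0.9 mail.example",
    ]
    return flag_queries(sample_log, build_watchlist(today))


if __name__ == "__main__":
    for client, qname, reason in demo():
        print(f"{client} -> {qname} [{reason}]")
```

The lookahead in `build_watchlist` is the defender's advantage: once the seed and algorithm are recovered from a sample, tomorrow's domains are known today, which is exactly why hard-coded fallback lists still have to be tracked separately.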
