Latest Stories

Unfortunate hack at tax time

Hi folks,

We noticed a couple of Alabama county websites have been hacked, with a Neosploit call out to a website in Germany.

The two websites are...

hxxp://www.co.blount.al.us/ and
hxxp://www.blountrevenue.com/

(The actual exploit server in Germany seems to be 404 at the moment, but you should still be careful)

The second one is more interesting, particularly given the time of year. The front page looks like this ...

Wow... this was quick

Hi folks,

I'm sure most people know about the horrific attack on the poor NYC psych. In the news tonight, we noticed that the police had arrested someone named David Tarloff for allegedly being the perp. With the web being what it is, we often find that if you look quickly, you can find personal pages about these people, often before the police get them taken down. Ok, it's a little morbid, but it's interesting at the same time.

So, when we googled for David Tarloff, here was the result...

GPack

Correction: Sorry folks... there's so much happening at the moment, I've merged a couple of kits in my mind. It's not a mix of vbscript and javascript. It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that. The rest of the write-up is reasonably accurate, and we'll continue to correct things as we find more.

Hi folks,

Return of Innocent Searches

Hi folks,

I keep getting requests offline for more innocent searches, so here are some from the last couple of days. Enjoy...

coal furnace with gas insert - fake codec
road trip - neosploit
pearl shop - neosploit
high capacity battery pack - fake codec/ rootkit
eyelashes + adhesive - fake codec
camping turon gate - fake codec
greenville gremlins - fake codec
blueberry jam - mpack/ icepack
school closings in illinois parents - search engine hijack
las vegas wedding photographers - mdac

MalwareAlarm

Hi folks,

MalwareAlarm is so common now, we decided to give it its own vid. Remember, it's not really scanning your PC, it's just pretending to, but it does a very good job of pretending. Enjoy...

Cheers

Roger

Hex Ray Decompiler

Today I came to know about the Hex-Rays decompiler.
I think it only works with IDA Pro and can generate pseudo-code from the assembly. I think this is what makes RE easier. Consider the case of diffing two DLLs: I know there is Halvar Flake's BinDiff, but that requires you to understand and dig through the assembly code, while Hex-Rays makes it easy to generate the pseudo-code, and then you can easily determine the changes.

Something interesting

Hi folks,

Hat-tip to Ståle Fagerland of Norman for noticing this article...

http://joongangdaily.joins.com/article/view.asp?aid=2886846

This is kind of funny

Hi folks,

We've been following up on the new Neosploit that we reported last night. This was actually a pretty high-profile site, so we wanted to notify them. We couldn't find a contact point on the hacked domain, but we found another subdomain that had an online support chat option, and we gave it a try. The conversation was sufficiently funny that we grabbed a screen capture (anonymized to protect the innocent). You might have to double-click it to read it, but it's worthwhile...

[Site Update] Added support for voting down a story

Dear Users,
Update: I have removed that due to a functionality problem.
I have added support for voting down the stories which you don't like. I hope it will help identify what you like and what you don't, so that I can take appropriate action.

Regards,
SecGeek

This might be the ultimate irony

Hi folks,

Today we found what might be the ultimate irony... a spyware product where the home page has been hacked, and is installing someone else's rootkit!

The product is one of those spy-on-your-spouse/kids/employees things that says it's stealthy (in other words, _it's_ supposed to be a rootkit itself), and the home page has a chunk of escaped javascript

PCAP file editing tool

From Marco Crotta:
"Hello

I recently wrote a small C program to modify PCAP files,
to forge them and use them for tests and so on.
It allows you to change:
- IP address of packet
- MAC address of packet
- time of the capture
- Mbit/second
- Packets/second"
Download here....

Internet Explorer 8 XDR Persistent DOS.

*UPDATE* I placed the wrong PoC; I had several test cases, and the one below should work.

Abstract.

Innocent searches for Nov 26 2007

Hi folks,

Our friends at Sunbelt have blogged about a massive push of malware here ... http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

We agree. This is the same stuff we talk about when we talk about innocent searches, mostly anyway, and it must be working because there's a huge push at the moment. Please bear in mind that we see this nearly every day, but here are today's innocent searches...

Storm is b-a-a-a-a-ack

Hi folks,

As you've probably noticed, Storm is back for Christmas. There are only two noteworthy points about it.

The first is that they've added another fairly new exploit to it, and that is for something called GomPlayer, or the Gretech Online Movie Player, which is apparently very popular in South Korea.

The exploit is from October 2007, and is explained here, http://www.milw0rm.com/exploits/4579, but the key point is that if you're using GomPlayer, you're potentially vulnerable.

Innocent searches for Nov 21 2007

Hi folks,

Here are some of the Innocent Searches that might get you into trouble from just today. There are rather a lot of them...

AREA MEASUREMENT - wrong choice gets a link to a known exploit site
recipe for bine turkey - what's a bine turkey? anyway, wrong choice gets a rootkit
currency converter - rootkit
americanexpress/activate - rootkit
sixth avenue electronics - rootkit
deltashuttle - rootkit
blue licenses holding - rootkit
office depot links paper templates - rootkit
knitted or crocheted dachshund patterns - rootkit

New Exploit Targets Corporate Users of CA Apps

Update: We should note that CA has offered a patch for this vulnerability. What is not clear is how widely adopted that patch is.

Hi folks,

On about March 17, 2008, some folks, such as FrSIRT, started talking about a vulnerability in a DLL/OCX used in various CA products. See here, http://www.frsirt.com/english/advisories/2008/0902, for example.

Today we found it in the wild, in none other than a new NeoSploit framework.

This means several things...

Firstly, the Neo developers are _very_ active.
