Friday, 11 November 2011

Exploring the Duqu Bot


The Duqu trojan is composed of several malicious files that work together toward a common purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLLs implement Duqu's main payload, a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.

Duqu vs Stuxnet

Attribute | Duqu | Stuxnet
--- | --- | ---
Infection Methods | Unknown | USB (Universal Serial Bus); PDF (Portable Document Format)
Dropper Characteristics | Installs signed kernel drivers to decrypt and load DLL files | Installs signed kernel drivers to decrypt and load DLL files
Zero-days Used | None yet identified | Four
Command and Control | HTTP, HTTPS, Custom | HTTP
Self Propagation | None yet identified | P2P (Peer to Peer) using RPCs (Remote Procedure Call); Network Shares; WinCC Databases (Siemens)
Data Exfiltration | Add-on keystroke logger for stealing user and system info | Built-in, used for versioning and updates of the malware
Date triggers to infect or exit | Uninstalls itself after 36 days | Hard coded; must be in the following range: 19790509 => 20120624
Interaction with Control Systems | None | Highly sophisticated interaction with Siemens SCADA control systems


Like Stuxnet, Duqu attacks Windows systems using a zero-day vulnerability. The installer file is a Microsoft Word document (.doc) that exploits the Win32k TrueType font parsing engine and allows code execution. Duqu targets a flaw in T2EMBED.DLL, which is the TrueType font parsing engine.

How Does Duqu Spread?

Duqu doesn't spread on its own. In one known case, Duqu was installed by a document attachment which was delivered via an e-mail message.

What are indicators of a Duqu infection?

Duqu contains a backdoor that steals information. Infostealers need to send the stolen information back somehow, and careful ones try to make the transfer look innocent in case somebody is watching the network traffic. Duqu hides its traffic by making it look like normal web traffic. Administrators should monitor their network for systems attempting to resolve the domain below or connect to the C2 IP address, as a sign of possible infection.
Duqu connects to a server (206.183.111.97, a.k.a. canoyragomez.rapidns.com, which used to be in India) and sends an HTTP request. The server responds with a blank JPG image, after which Duqu sends back a 56 kB JPG file called dsc00001.jpg with the stolen information (encrypted with AES) appended to the end of the image file.
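The exfiltration path described above appends encrypted data after a JPEG image, which is something a defender can check for in uploaded images. An added example, not from the original post, in Python: it walks the JPEG marker structure to the end-of-image (EOI) marker and reports any bytes that follow. The sample JPEG, the appended bytes and the 16-byte threshold are constructed assumptions for illustration.

```python
import struct
from typing import Optional

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image


def jpeg_eoi_offset(data: bytes) -> Optional[int]:
    """Walk the JPEG marker segments and return the offset just past the EOI
    marker, or None if the data is not a well-formed JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:  # EOI: everything after this is not image data
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn have no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:  # SOS: entropy-coded data follows until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break  # 0xFF00 is byte stuffing, 0xFFD0-D7 are restart markers
                pos += 1
    return None


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the image proper (empty for a clean or malformed JPEG)."""
    end = jpeg_eoi_offset(data)
    return b"" if end is None else data[end:]


def is_suspicious_upload(data: bytes, min_trailing: int = 16) -> bool:
    """Flag a JPEG that carries more than min_trailing bytes after EOI.
    Small trailers are common (padding, tool metadata); large ones merit a look."""
    return len(trailing_payload(data)) > min_trailing


# Constructed sample: a minimal JPEG (SOI, APP0/JFIF header, a tiny SOS segment with
# one byte-stuffed 0xFF00 in the entropy data, EOI). Not a real photo.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34"
    + EOI
)
# Constructed stand-in for the encrypted stolen data the malware appends.
APPENDED = b"\x00" * 4 + b"constructed-ciphertext-placeholder-" * 2
EXFIL_JPEG = CLEAN_JPEG + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("exfil", EXFIL_JPEG)):
        print(name, "trailing bytes:", len(trailing_payload(blob)),
              "suspicious:", is_suspicious_upload(blob))
```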


Name | File Size | MD5
--- | --- | ---
jminet7.sys | 24,960 bytes | 0eecd17c6c215b358b7b872b74bfd80
netp191.pnf | 232,448 bytes | b4ac366e24204d821376653279cbad8
netp192.pnf | 6,750 bytes | 94c4ef91dfcd0c53a96fdc387f9f9c3
cmi4432.sys | 29,568 bytes | 4541e850a228eb69fd0f0e924624b24
cmi4432.pnf | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c
cmi4464.pnf | 6,750 bytes | e8d6b4dadb96ddb58775e6c85b10b6c
<unknown> (sometimes referred to as keylogger.exe) | 85,504 bytes | 9749d38ae9b9ddd81b50aad679ee87e
nfred965.sy | 24,960 bytes | c9a31ea148232b201fe7cb7db5c75f5
nred961.sys | unknown | f60968908f03372d586e71d87fe795c
adpu321.sy | 24,960 bytes | 3d83b077d32c422d6c7016b5083b9fc
iaStor451.sys | 24,960 bytes | bdb562994724a35a1ec5b9e85b8e054f

(The byproducts in the table have been collected from multiple Duqu variants and would not all be present on a single infected computer.)

Why DUQU

The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.


Monday, 5 September 2011

Sony claims to have a stronger PSN than before



Sony is one of the biggest organizations to have been badly hit by cyber attacks. The hackers exposed the personal credentials of its customers and revealed the truth about the security used by this entertainment and electronics giant. Now Sony CEO Howard Stringer claims the PlayStation Network is more secure than ever.



"I'm pleased to tell you that the PSN is more secure and better than ever," Stringer said at a news conference at the IFA electronics show. "We are aggressively expanding its content. We have more than 3 million new customers since the network came back online, and sales are exceeding what we had before the cyberattacks."





Let's see whether Sony is really secure this time, or whether the hackers empty its pockets again.



Monday, 22 August 2011

Skype Zeroday HTML/Javascript code injection

Noptri Public Security has released a working Skype zero-day vulnerability, with a proof of concept (POC). Skype users need to be aware of this vulnerability.






Vendor:
=======
Skype - http://www.skype.com/

Affected Product:
=================
Skype in version <= 5.5.0.113

Affected Platforms:
===================
Windows (XP, Vista, 7)

Problem Description:
====================
Skype suffers from a persistent code injection vulnerability due to a lack
of input validation and output sanitization of the following profile entries:

[+] home
[+] office
[+] mobile

POC of Skype 0day vulnerability

The following HTML codes can be used to trigger the described vulnerability:

--- SNIP ---

[+] Home Phone Number:
<b>INJECTION HERE</b>

[+] Office Phone Number:
<center><i>INJECTION HERE</i></center>

[+] Mobile Phone Number:
<a href="#">INJECTION HERE</a>

--- SNIP ---
By using this code an attacker could, for example, inject HTML/JavaScript code. It has not been verified, though, whether it is possible to hijack cookies or to attack the underlying operating system. An attacker could give it a try using external .js files.
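The fix the advisory implies is validation on input plus encoding on output. As an added example that is not from the original post or from Skype, here in Python is the vulnerable rendering (profile values concatenated straight into HTML) beside a hardened version that checks the three phone fields against a whitelist pattern and HTML-escapes every value before display. The field names, table layout and phone-number pattern are my assumptions; the payloads are the advisory's own PoC strings.

```python
import html
import re

# The three profile entries the advisory names as injectable.
PHONE_FIELDS = ("home", "office", "mobile")

# Assumed whitelist for a phone-number field: optional '+', then a digit or '(',
# then 2-24 more digits, spaces, dots, hyphens or parentheses. Markup cannot pass.
PHONE_RE = re.compile(r"^\+?[0-9(][0-9 .()\-]{2,24}$")

# The advisory's own PoC strings, placed in the fields they target.
ADVISORY_POC = {
    "home": "<b>INJECTION HERE</b>",
    "office": "<center><i>INJECTION HERE</i></center>",
    "mobile": '<a href="#">INJECTION HERE</a>',
}
# Constructed benign profile for comparison.
CLEAN_PROFILE = {"home": "+44 20 7946 0958", "office": "(020) 7946-0958", "mobile": "07700 900123"}


def render_profile_unsafe(profile: dict) -> str:
    """Vulnerable rendering: values go straight into the HTML the viewer displays,
    so markup stored in a phone field is interpreted, which is the bug described."""
    rows = "".join(f"<tr><td>{f}</td><td>{profile.get(f, '')}</td></tr>" for f in PHONE_FIELDS)
    return f"<table>{rows}</table>"


def validate_profile(profile: dict) -> list:
    """Input validation: names of the fields whose value is not a plausible phone number.
    An empty list means the profile may be stored."""
    return [f for f in PHONE_FIELDS if not PHONE_RE.match(profile.get(f, ""))]


def render_profile_safe(profile: dict) -> str:
    """Output encoding: every value is HTML-escaped, so even a value that was stored
    before validation existed is shown as literal text rather than parsed as markup."""
    rows = "".join(
        f"<tr><td>{f}</td><td>{html.escape(profile.get(f, ''), quote=True)}</td></tr>"
        for f in PHONE_FIELDS
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    print("rejected fields:", validate_profile(ADVISORY_POC))
    print("unsafe:", render_profile_unsafe(ADVISORY_POC))
    print("safe:  ", render_profile_safe(ADVISORY_POC))
```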

Monday, 6 June 2011

Sony Developer Network Source Code Leaked by LulzSec



After the recent attack on Sony, LulzSec hit it again: they breached Sony web properties. The self-proclaimed "world's leaders in high-quality entertainment at your expense", LulzSec, just released a full 54MB archive consisting of Sony Computer Entertainment's Developer Network source code. LulzSec tweeted their latest accomplishment just under an hour ago.

While LulzSec claims that the archive comprises the Developer Network source code, a commentator on Hacker News mentions that the archive consists of website source code rather than the actual PSN code.

Download the Sourcecode of sony developer network here -http://www.mediafire.com/?ev1zo010c020764



Tuesday, 3 May 2011

Social Networking and Security Risks



The popularity of social networking websites has increased drastically. Everyone from children to the elderly is on a social networking website; Facebook and Twitter are among the most popular today. They can be used for professional networking, job searches, Internet marketing and more. These sites can be a very good source of entertainment and learning, but they also carry their own security risks, of which many users are still unaware. These risks can be very dangerous for ordinary people and for children.

Previously I went deep into the Facebook scams spreading across the web, on which I posted an article on my blog. Now I will make you aware of the social networking security risks through this article, exclusive to hackersbay.in.

WHAT ARE SOCIAL NETWORKING WEBSITES ?

Social networking websites function like an online community of internet users. Depending on the website in question, many of these online community members share common interests in hobbies, religion, or politics. Once you are granted access to a social networking website you can begin to socialize. This socialization may include reading the profile pages of other members and possibly even contacting them. 

There are many people on these websites whom we do not know. Meeting someone online is not enough to understand and judge whether they are the right person to befriend. There is always a risk of blackmail, malware spreading, identity theft and so on.


Generally, people who are aware of the risks and dangers of social networking can find their way out of the crimes committed via these sites, while people who are not aware will surely become prey.


Hackers rely heavily on social engineering in these crimes.


=============================================================================
DANGERS/RISKS OF SOCIAL NETWORKING.


Facebook

Events and Questions

You must know about the famous scam that was on Facebook some days ago, "View Who Viewed Your Profile". I remember I got more than 20 invites for that event. Such events can be used by hackers as a channel through which to use their social engineering skills on you, and you cannot even tell that they are hackers working on you. The new Facebook feature "Questions" will help them even more.

Now let's take an example.

You are invited to an event called "About me", or a friend asks you through the Questions feature.

They will include some questions, because the topic itself says "About Me":

1. What was my most embarrassing moment?
2. Which city were you born in?
3. What was the name of my first elementary school?
4. What was my favorite pet's name?
5. What is your father's name?


These questions are not harmful to answer in a general conversation with your friends or relatives. But if you look at them carefully, they are the security questions asked by the social networking sites. Using this sensitive information to answer the secret questions, they can access your account and you will be ruined.


Facebook Applications

Facebook offers thousands of applications that its users can install and run. These applications include calendars that remind Friends when it's your birthday, tools to send Friends online greeting cards, quizzes on myriad topics and much more.





These applications look totally harmless, but in some cases they are not: they are used by hackers to deliver malicious content to your computer. This holds true not only for Facebook but also for other social networking sites and for the Internet in general, when downloading from the web or opening attachments in email messages. Therefore, make certain that your computer has a proper, functional firewall as well as up-to-date antivirus/anti-malware software, and only install or run these applications if they come from a trusted source or are approved by your corporate IT department. We call them Java applets or Java drive-bys.


TWITTER
Twitter is an online application that allows you to post brief comments (tweets) on any topic. Other users on the Twitter network can become followers of your tweets, so that they receive your updates whenever you send them. Twitter is used for professional purposes, so the risks here differ from Facebook. Generally Twitter is used by celebrities and companies, who tweet their updates all the time. Somebody told me that someone tweeted from his Twitter account when the Osama kill mission started.

Employees may even tweet something that is harmful to their company. Companies should keep an eye on their employees' tweets, or those tweets may harm their future.


FRAUDS and HOAXES
Whether it is Facebook or Twitter, online banking or day-to-day purchases, be aware of emails that claim to be from these sites but are actually hoaxes and may contain malicious content. Many people have received numerous emails that seem to be from their bank, yet are actually sent by a spammer in the hope of obtaining the online username and password.

The messages may even contain an attached ZIP file that recipients are asked to open to see who invited them. The attachment will contain Trojans and malware that can damage your computer and hand your sensitive information to the hacker.

URL SHORTENING

Another form of hoax involves the shortening of URLs in email messages or on websites such as our favourites, Facebook and Twitter. Often the links we want to post get very long, making them unwieldy or impossible to type in the small space allotted by the network sites. To get around this, third-party services such as http://tinyurl.com/ or http://bit.ly/ "encode" the URL into a much shorter version. For example, http://www.facebook.com/sauravhacker turns into http://adf.ly/1PnMZ.

Although the benefit of URL shortening is obvious, there is also a security risk associated with it, in that the shortened URL does not tell you the true destination of the link. You only find out once you get there, which may be too late if that site happens to contain drive-by malware or content that should not be viewed by "sensitive" eyes. Therefore, click on shortened URLs only if you trust the sender. Never click on them if they are contained in spam messages or on sites that you have any reason to consider suspicious.

You can also use a URL-expanding service such as LongURL to reveal the destination of a shortened URL before visiting it.

PROTECTION

Use Different Passwords, Change Them Often: Each of your social networking sites, as well as every other important website, should have a different, complex password assigned to it, and these should be changed regularly. Since people often use the same password on multiple sites, one compromised account could easily lead to compromising other accounts.

Don't Blindly Give Out Your Credentials: There are a lot of third-party web-based services out there that make use of your social networking services. In the past, the only way for this to work was to give your credentials to these services. That works only so long as these third-party services aren't compromised or, worse, aren't what they seem to be.


Keep Your Operating System and Browser Patched: Ensure you have applied all the latest patches from Microsoft, Apple, or whoever supplies your computer's underlying operating system. Ensure you are using the latest version of your web browser. If you are using Internet Explorer, especially Internet Explorer version 6 as is standard on Windows XP, try using a third-party browser such as Firefox or Google Chrome.

Browser Plugins Can Help: If you are using Firefox, there are plugins such as LongURL that can expand those "short" URLs so you can see where they will take you.

Antivirus: Always use an updated antivirus / anti-malware / anti-rootkit product. An updated version has its virus database up to date, which helps it recognise and delete those threats.

Click Only on Links You Trust: Always click on links only if you got them from a trusted person, because other links may contain trojans or lead to phishing sites.


If you are aware of the social networking risks, you are safer from the hacker. That I only mentioned Facebook and Twitter does not mean the risks exist only on them; these risks exist on all social networking sites, but hackers target the most popular ones, which nowadays are Facebook and Twitter.

Did I miss something? Please tell me through your precious comments.


References and Credits
-Phone Boy 
-Brad Dinerman
-Saurav

Saturday, 30 April 2011

Mozilla Firefox 4.0.1: First Security Update



Mozilla has released Firefox 4.0.1, the first security update to its open source browser.

Fourteen flaws are fixed in Firefox 4.0.1, of which 13 are categorized as critical vulnerabilities and one as a low-impact vulnerability.

The biggest category of fixed vulnerabilities in Firefox 4.0.1 is memory safety issues, with 10 identified flaws.

"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla warned in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." 


The high impact category of flaws is in WebGL and its related WebGLES graphics library. Mozilla is providing three fixes for WebGLES flaws in the Firefox 4.0.1 update.

As opposed to the critical memory flaws that Mozilla is patching with the Firefox 4.0.1 release, the XSLT flaw will not lead to arbitrary code execution. According to Mozilla, the XSLT flaw could have been used by an attacker to help launch some form of memory corruption that could make another attack more reliable.

The Firefox 4.0.1 release is the first update to Mozilla's browser since the Firefox 4 release in March. Firefox developers are currently working on Firefox 5, which may be released at the end of June.



Sunday, 24 April 2011

How to Disable Geolocation in Specific Programs

Geolocation is a rather secret feature of some browsers and toolbars. It allows the creator of that program to get a fix on the location of your computer to within a few meters of where you actually live.

If you want to see how to disable geolocation on Twitter, Thunderbird, Internet Explorer, Apple Safari, Gmail, etc., please go to the source. The steps for three common programs:
- Facebook (initially just for the iPhone client):
• Go to Privacy Settings
• Click ‘Custom’
• Click ‘Custom Settings’
• Disable ‘Places I check in’
• Disable ‘People here now’
• Disable ‘Friends can check me in to places’

- Google Chrome:
• Go to the ‘Customize and control Google Chrome’ icon (the little blue wrench on the top right)
• Go to ‘Options’
• Go to ‘Under the Bonnet’
• Choose ‘Content Settings’
• Choose ‘Location’
• Check ‘Do not allow any site to track my physical location’

- Mozilla Firefox:
• Type ‘about:config’ in the address bar (without the quotes)
• Dismiss the warning by hitting ‘yes’
• Scroll down until you reach ‘geo.enabled’, or simply search for ‘geo.enabled’
• Double-click the item and it will change from its default value ‘True’ to ‘False’
• Scroll down until you reach ‘geo.wifi.uri’, or simply search for ‘geo.wifi.uri’
• Right-click the value of ‘geo.wifi.uri’ and click ‘Modify’
• Type in ‘localhost’ and hit ‘OK’

Friday, 22 April 2011

Detecting Google hacking against your Website

Google and other search engines are used for many purposes, such as finding useful information, important websites and the latest news on different topics; Google indexes a huge number of web pages, and that number grows daily. From a security perspective, these indexed pages may contain sensitive information.
Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable web applications.
GHH is a "Google Hack" honeypot. GHH is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources; it applies honeypot theory to provide additional security to your web presence.
To install the Google Hack Honeypot on your website, follow its install instructions. This allows you to monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allow you, the administrator, to do what you like with the information: you can use the attack database to gather statistics on would-be attackers, report activities to the appropriate authorities, and temporarily or permanently deny access to resources.

Monday, 18 April 2011

European Space Agency (ESA.INT) Hacked – Full Disclosure


(European Space Agency)
The European Space Agency (ESA), established in 1975, is an intergovernmental organisation dedicated to the exploration of space, currently with 18 member states. Headquartered in Paris, ESA has a staff of more than 2,000 with an annual budget of about €3.99 billion / $5.65 billion US dollars (2011).
ESA’s space flight program includes human spaceflight, mainly through the participation in the International Space Station program, the launch and operations of unmanned exploration missions to other planets and the Moon, Earth observation, science, telecommunication as well as maintaining a major spaceport, the Guiana Space Centre at Kourou, French Guiana, and designing launch vehicles. The main European launch vehicle Ariane 5 is operated through Arianespace with ESA sharing in the costs of launching and further developing this launch vehicle.
******************************************************************
(+) Authors : TinKode
(+) WebSite : TinKode27.BayWords.Com
(+) Date : 17.04.2011
(+) Hour : 17:17 PM
(+) Targets : www.esa.int (European Space Agency)
(+) Document: ESA.int Full Disclosure (Hacked)
(+) Method : UnKn0Wn
******************************************************************
Text files released:
  • Main information about the server.
  • Main accounts from ESA.INT (root accounts, emails, FTPs, admins, editors, etc.).

Preview of Root accounts,  Emails,  FTPs,  etc:
The ESA logs: [screenshots not reproduced]

Source: TinKode

Monday, 4 April 2011

Microsoft Security Essentials

Brief Description


Microsoft Security Essentials provides real-time protection for your home or small business PC that guards against viruses, spyware, and other malicious software.




Overview

Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up-to-date so you can be assured your PC is protected by the latest technology.

Microsoft Security Essentials runs quietly and efficiently in the background so you’re free to use your Windows-based PC the way you want—without interruptions or long computer wait times.

Before installing Microsoft Security Essentials, we recommend that you uninstall other antivirus software already running on your PC. Running more than one antivirus program at the same time can potentially cause conflicts that affect PC performance.

*Your PC must run genuine Windows to install Microsoft Security Essentials.



Saturday, 2 April 2011

Cracking Password-Protected ZIP Files

This tutorial is for Ubuntu or BackTrack users who want to crack password-protected zip files with wordlists.

1. Install the fcrackzip package:
   - apt-get install fcrackzip
2. Crack it with a dictionary or brute-force attack.
   - Brute-force attack:
     • fcrackzip -v zipfile
   - Dictionary attack:
     • fcrackzip -v -D -p /pentest/passwords/wordlists/wordlists zipfile
     *** A wordlist is a file that contains a list of words (one word per line).
     *** My wordlist is /pentest/passwords/wordlists/wordlists
3. That's it, you have cracked the file.

Friday, 1 April 2011

Mobile Security: Hakin9 E-Book

Hakin9 is a free, online, monthly publication on IT security. The magazine is published in English and is available on the Internet as a FREE download. It is a source of advanced, practical guidelines regarding the latest hacking methods as well as the ways of securing systems, networks and applications.




  • Passware Forensic Kit 10.3 Review by MICHAEL MUNT
  • SpyShelter Application review by DAVID KNIFE
  • How to use Netcat by MOHSEN MOSTAFA JOKAR
    Netcat is a network utility for reading and writing network connections that supports the TCP and UDP protocols. Netcat is a Trojan that opens TCP or UDP ports on a target system and hackers use it with telnet to gain shell access to the target system.
  • Security – Objectives, Process and Tips by RAHUL KUMAR GUPTA
    In a world where business is moving towards e-commerce and happening over the Internet, B2B, B2C, and C2C applications have always been an area of major security concern due to the pitfalls of HTTP security and the number of integration points.
  • The Backroom Message That’s Stolen Your Deal by YURY CHEMERKIN
    Do you want to learn more about bigwig? Is someone keeping secrets from you? Need to silently record text messages, GPS locations and call info of your child or employee? Catch everybody at whatever you like with our unique service.
  • Smartphones Security and Privacy by REBECCA WYNN
    All the threats that attack your enterprise computer centers and personal computer systems are quickly encompassing mobile devices.
  • Defending Cell Phones and PDA’s by GARY S. MILIEFSKY
    We’re at the very early stages of Cell Phone and PDA exploitation through ‘trusted’ application downloads, Bluetooth attacks and social engineering. With so many corporations allowing these devices on their networks or not knowing how to block their gaining access to corporate and government network resources, it’s a very high risk situation.
  • Special report: My RSA Conference 2011 Trip Report by GARY S. MILIEFSKY
    Annual Trek to the Greatest INFOSEC Show on Earth. What’s New and Exciting Under the Big Top of Network Security.
  • Mobile Malware Trends and Analysis by JULIAN EVANS
    Over the past few years there has been much speculation about when mobile malware will start to proliferate, but as yet it doesn’t appear to have happened. Over the past 12 months though there has been some interesting developments concerning mobile malware. This feature will look at some of these and also highlight some of the mobile trends. Firstly let us look at the mobile malware life cycle.
  • Why are Zero-Days Such a Big Deal? by MATTHEW JONKMAN
    Sounds like a stupid question at first. They’re a big deal because they’re vulnerabilities, and vulnerabilities are bad. Right? So why do we freak out about zero-days?
  • Death Knell Sounds For Traditional Tokens by Andrew Kemshall
    There is an often used phrase that the stars have aligned but, in 2011, it is the technology that has come together to hammer the final nail into the physical tokens’ coffin. The cynical among you would argue that this statement has been made before and yes, I concede that tokens have survived and are still prevalent, so, why is this year different? Let’s examine the evidence.


Don't know why netcat is referred to as a Trojan in there, though! In order to download the free magazine, you need to be registered with the site. So, what are you waiting for? Go ahead, register yourselves and download the free e-book.