dollars javascript code – yet another Javascript obfuscation method for cc...
January 25, 2011 – Update: a detailed analysis that also cites my post: Internet Explorer exSploit Milk codes http://utf-8.jp/public/20101106/avtokyo.pptx October 5, 2010: From MDL forum, I...
dollars javascript code – yet another Javascript obfuscation method for cc...
Trying to find some common factors in the pages included in the compromised sites (as indicated in the previous post (http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another.html)...
Some domains for the LICAT / Murofet / Trojan/ZBOT.B threat
Update (2 November): A deep and very interesting analysis from Trend Micro:...
CVE-2010-3765 - proof of concept - update
October, 29 1010 - UPDATE: the working exploit (according to the BugX blog): http://bugix-security.blogspot.com/2010/10/firefox-exploitcve-2010-3765.html October, 28 2010 For those who still do...
CVE-2010-3962 - yet another Internet Explorer RCE
Update - November, 12 2010: Amnesty International Hong Kong Website Injected With Latest Internet Explorer 0-day...
full disclosure xpl.pdf Adobe Reader 9.4 poc - printSeps() - cve-2010-4091
November 26, 2010 – Update: Thank you, Mario, but our printSeps() is in another castle!...
cve-2010-4091 – printSeps - exploitation attempts
November 26, 2010 – update: This is a very useful presentation (from Immunity Sec) that describes some methods for approaching the reversing of the JavaScript engine in the Adobe Reader context:...
cve-2010-4091 exploited?
November 24, 2010 – Update: Looking for other exploitation attempts, I found a Malwaretracker sample where the PDF seems to be spread via a URL that contains: filepdf.php@v=zday The following analysis report...
cve-2010-4091 exploited? – 0.1
Trying to reverse the shellcode contained within the PDF that seems to exploit CVE-2010-4091, according to the sample reported by MalwareTracker, the following URL was found:...
cve-2010-4091 exploited? – 0.2 – Adobe Reader 9.3.0
Starting from the malwaretracker sample (see my previous posts), it seems that edx and ecx are set to some interesting values:
LOIC 1.1.1.15 - Crafted C&C Channel Topic Could Lead To A Crash
Following the trend of these days, I played (locally) with one of the latest releases of LOIC (Low Orbit Ion Cannon DDoS tool). Inserting a (not so) long string in the topic of a C&C IRC channel,...
some considerations on Ettercap source code repository breach
Recently a new issue of a zine called “owned and exposed” (http://www.exploit-db.com/papers/15823/) was released. I have to admit I laughed a lot when I saw this picture. I think that the picture...
the sourceforge entry point seems still active
February 3, 2011 - Update: A discussion on the e107 official web site: http://e107.org/comment.php?comment.news.878 February 2, 2011 - Update: Just more evidence of the sourceforge breach being used by a web...
Egypt Telecom AS isolation - does BGPlay show it?
January 31, 2011 – Update: An interesting snapshot of Egyptian malware activity. ASN 20928 appears to be still active. Egypt's malware activity post internet...
Egypt Telecom back online – ASN8452 TE DATA – prefix 81.10.0.0/17
The prefix 81.10.0.0/17 “ALL-Routes” seems to be announced again to the rest of the world via the Telecom Italia Sparkle Autonomous System (ASN 6762). Here is the animation made with BGPlay: The time range is...
mmspicture.ru - mobile malware depot
Following a well known mailing list (clean-mx aka viruswatch), the following URL was retrieved: http://mmspicture.ru/mms112/mms112.jar (md5: 33EA90E2029478D47D33409B5F48E4EB) The JAR file is...
cve-2011-0609 - bugix blog analysis
April 4, 2011 - Update: RSA has released a blog post describing that this issue was used in the recent data breach: http://blogs.rsa.com/rivner/anatomy-of-an-attack/ March 15, 2011: A...
FlashUtil10m_Plugin.exe command line crash
It is interesting to observe how nowadays some old-style bugs are still around. I think that this one is not a security bug, but a deeper investigation is left to all who are interested. Anyway it is...
DroidKungFu - just some piece of code
Following the trend of the moment, I played a bit with the sample of DroidKungFu retrieved from the contagiodump malware sample repository. To obtain the JAR archive I used dex2jar...
TDSS - SRVs list
I just found via pastebin (http://pastebin.com/jWDhEfGB) a domain list related to TDSS. The SRVs, according to this analysis http://resources.infosecinstitute.com/tdss4-part-2/, are the C&C...
an old bug for a new job? CVE-2004-0194
A couple of months ago I received an interesting challenge to get to the final (I think) step in the job selection process at a big company (not a well known exploit research company, but probably if you...
Operation Shady RAT - HTran
HTran and the Advanced Persistent Threat http://www.secureworks.com/research/threats/htran/ The code http://www.pudn.com/downloads119/sourcecode/windows/network/detail508294.html. (appears also in the...
DigiNotar facts - just some links
DigiNotar Certificate Authority breach “Operation Black Tulip” http://t.co/VC91bjo DigiNotar CA compromise...
the last/final touch!
It's very sad to recognize and discover that the screenshots on my blog, which for some reason have been saved in the "Gallery" of my Android mobile phone, once cleared from there, will be deleted from...
extraexploit memories
Months and years ago, I spent a lot of nights trying to expose what cyber security was (is) in the field and not just from an academic point of view, although my first blog post was quite close to...