Showing posts from June, 2011

[Avast blog] Flash malware that could fit a Twitter message

When analysing malware you are most likely to encounter samples which use all kinds of obfuscation in order to hide from the antivirus software that protects your computer. This is also true for malware written in Flash (more specifically, ActionScript). Flash is very popular among malware writers these days because many people use it on a daily basis. Sometimes they don't even know it's Flash that runs all the fancy stuff taking place on their screen! Recently I came across a sample that uses a very nice trick to hide its purpose from everyone who tries to look under its hood. What is more interesting, this sample is actually smaller than 140 bytes, which means it could fit in a Twitter message! That is rather unusual for Flash files, which tend to be considerably larger. But don't worry, this is not a case of malware spreading through Twitter in its binary form. Maybe via malicious links, but that is another story. So apart from the small file size, what is so interesti…

[Programming] Microsoft Visual Studio 2005

Go to the Control Panel and launch Add/Remove Programs, then remove the following components in this order:

1. "Microsoft SQL Server 2005 Express Edition"
2. "Microsoft SQL Server 2005 Tools Express Edition"
3. "Microsoft SQL Native Client"
4. "Microsoft Visual Studio 64bit Prerequisites Beta" (this step is needed only if Visual Studio is installed on a 64-bit machine)
5. "Microsoft Visual Studio Tools for Office System 2005 Runtime Language Pack" (this step is not needed if you have only the English edition)
6. "Microsoft Visual Studio Tools for Office System 2005 Runtime Beta"
7. "Microsoft Device Emulator 1.0 Beta"
8. "Microsoft .NET Compact Framework 2.0 Beta"
9. "Microsoft .NET Compact Framework 1.0"
10. "Microsoft Visual Studio 2005 Professional" or other related IDE installs such as (Visual Studio Professiona…

[RAT] No pain, no gain

Easy to overlook the most important person
HASTY. No benefactor. Feelings :))

[Forensic Tool] Dropbox Reader™

Dropbox Reader consists of six Python scripts:

- read_config: outputs the contents of the Dropbox config.db file in human-readable form. This includes the user's registered e-mail address and Dropbox identifier, software version information, and a list of the most recently changed files.
- read_filecache_config: outputs configuration information from the Dropbox filecache.db file. This includes information about shared directories that are attached to the user's Dropbox account.
- read_filejournal: outputs information about Dropbox-synchronized files stored in the filecache.db file. This includes local and server-side metadata and a list of block hashes for each Dropbox-synchronized file.
- read_sigstore: outputs information from the Dropbox sigstore.db file, which is an additional source of block hashes.
- hash_blocks: produces a block hash list for any file. This block hash list can be compared to the block hashes from read_filejournal or read_sigst…
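The comparison that hash_blocks enables, as an added Python example (not one of the Dropbox Reader scripts): split a file into fixed-size blocks, hash each block, and line the result up against a blocklist pulled from filecache.db or sigstore.db. The block size (4 MiB) and the hash (SHA-256 as hex, comma-separated per file) are assumptions about the Dropbox client's format, so check them against the database you are examining; the sample data and the journal strings are constructed here.

```python
"""Recompute Dropbox-style block hashes for a file and compare them with a
blocklist taken from filecache.db (read_filejournal) or sigstore.db.

Added example, not one of the Dropbox Reader scripts. ASSUMPTIONS: the
client splits files into 4 MiB blocks and records the SHA-256 of each block
as a hex string; a file's blocklist is those hashes, comma-separated, in
file order. Adjust BLOCK_SIZE / the digest if your database says otherwise."""
import hashlib
import io

BLOCK_SIZE = 4 * 1024 * 1024  # assumed Dropbox block size


def block_hashes(data, block_size=BLOCK_SIZE):
    """Per-block SHA-256 hex digests of a bytes object or a binary stream."""
    stream = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    hashes = []
    while True:
        block = stream.read(block_size)
        if not block:
            break
        hashes.append(hashlib.sha256(block).hexdigest())
    return hashes


def file_block_hashes(path, block_size=BLOCK_SIZE):
    """Same as block_hashes, for a file on disk (hashes are streamed, not buffered)."""
    with open(path, "rb") as fh:
        return block_hashes(fh, block_size)


def compare_blocklist(journal_blocklist, computed):
    """Line up a comma-separated blocklist from the journal with local hashes.

    Position i of the journal list is compared with position i of the local
    list; a different block count or any differing block means the local file
    is not byte-for-byte the file the journal describes."""
    journal = [h for h in journal_blocklist.split(",") if h]
    pairs = list(zip(journal, computed))
    mismatched = [i for i, (j, c) in enumerate(pairs) if j != c]
    return {
        "journal_blocks": len(journal),
        "local_blocks": len(computed),
        "matching": len(pairs) - len(mismatched),
        "mismatched_positions": mismatched,
        "same_file": len(journal) == len(computed) and not mismatched,
    }


def blocks_present_locally(sigstore_hashes, computed):
    """Which hashes from sigstore.db (which may refer to files no longer on
    disk) occur in a local file's block list, ignoring order."""
    return set(sigstore_hashes) & set(computed)


if __name__ == "__main__":
    # Constructed sample: a 4 MiB block of 'a' followed by one trailing byte,
    # which yields exactly two blocks.
    sample = b"a" * BLOCK_SIZE + b"b"
    local = block_hashes(sample)
    print(compare_blocklist(",".join(local), local))          # same file
    print(compare_blocklist(local[0] + ",deadbeef", local))   # second block differs
```

The second comparison in the usage shows the forensic value: a journal entry whose first block matches but whose second does not tells you the file was modified after the last sync, which is exactly what a timeline question needs.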

[ESET] The Social Networking/Cybersafety Disconnect

A recent survey commissioned by ESET and conducted online by Harris Interactive from May 31 to June 2, 2011 among 2,027 U.S. adults aged 18+ found a startling disconnect between users' concerns about privacy and security and their actions on social networking sites.
To start, the study found that 69% of online social networking account owners are concerned about security on social networking sites, yet one third of them have never changed the passwords for their social networking accounts and another 15% last changed their password more than one year ago.

Moreover, the survey revealed that one in ten online Americans with social networking accounts reported that an unknown party gained unauthorized access to their social networking account to spread malicious links and comments. This is particularly alarming since unauthorized access can threaten the account owner's cybersecurity as well as that of their contacts; we've seen countless examples, including recent scams around the death of…

[RAT] Lulz + Anonymous = AntiSec

This is an exhortation: think beneath the surface of what you are told. The subject is Lulz Security and the Anonymous group. They have aligned themselves in the AntiSec operation against the Establishment; but before simply condemning them I would like us all to consider the issues.
Let's look at some of the few facts we know. Firstly, there is no evidence of what most people consider to be criminal behaviour: theft for personal gain or simple wanton destruction (it is criminal behaviour simply because what they do is against the law). Rather, they consider themselves engaged in political activism on the internet, although Lulz also claims that it is just plain 'fun'.
AntiSec is aimed at both the government establishment and what Lulz calls the whitehat security industry:
"Operation Anti-Security is in effect. Join the fleet and tear the government and whitehat peons limb from limb – #antisec winds are strong."
Government I understand. But why wage war against the security i…

[Programming] C#

[Free] You are now running Firefox 5.0


[] Forensics Level 4

The following is a Wireshark trace file of an HTTP authentication forensics4.rar.
Find the username and password of the HTTP authentication and enter it below to receive credit.

The server IP is and client IP is
Wireshark is a network protocol analyzer for Unix and Windows and can be downloaded here.
Let's get started

The takeaway is
In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.

Before transmission, the user name is appended with a colon and concatenated with the password. The resulting string is encoded with the Base64 algorithm. For example, given the user name Aladdin and password open sesame, the string Aladdin:open sesame is Base64 encoded, resulting in QWxhZGRpbjpvcGVuIHNlc2FtZQ==. The Base64-encoded string is transmitted and…

[] Forensics Level 3

The following is a Wireshark trace file of an SMTP authentication forensics3.rar.
Find the username and password of the SMTP authentication and enter it below to receive credit.

The server IP is and client IP is
Wireshark is a network protocol analyzer for Unix and Windows and can be downloaded here
To be able to solve level 3... you need to learn a little about SMTP Authentication

OK, after doing some research... let's begin

No.  Time      Protocol  Info
9    0.430619  SMTP      S: 334 VXNlcm5hbWU6
10   0.430619  SMTP      C: QXVkaQ==
11   0.430619  SMTP      S: 334 UGFzc3dvcmQ6
12   0.430619  SMTP      C: MTIzNGFk
Let's try it :)) The takeaway is
Extended SMTP (ESMTP), sometimes referred to as Enhanced SMTP, is a definition of protocol extensions to the Simple Mail Transfer Protocol standard. The …

[] Forensics Level 2

The following is a Wireshark trace file of an SMTP transfer forensics2.rar.
Find the sender's email address and the recipient's email address of the SMTP transfer and enter it below to receive credit.

The server IP is and client IP is
Wireshark is a network protocol analyzer for Unix and Windows and can be downloaded here.

The issue:

SMTP is a core Internet protocol used to transfer e-mail messages between servers (first defined in RFC 821 in 1982). This contrasts with protocols such as POP3 and IMAP, which are used by messaging clients to retrieve e-mail.

SMTP servers look at the destination address of a message and contact the target mail server directly. Of course, this means the Domain Name Service (DNS) has to be configured correctly otherwise mail could be handed to the wrong server - potentially a big problem because, unless you have encrypted your messages, your e-mail will be in plain text!

SMTP was designed to be a…

[] Forensics Level 1

Let's sit down and practise a bit of forensics :)) 1. Register an account at 2. Check your mail and let's experiment
Level 1:

The following is a wireshark trace file of an FTP authentication forensics1.rar.
Find the username and password of the FTP authentication and enter it below to receive credit.

The server IP is and client IP is
Wireshark is a network protocol analyzer for Unix and Windows and can be downloaded here.
===================================================================
OK... let's download Forensic1.rar and take a look..........

The key point is:

The original FTP specification is an inherently unsecure method of transferring files because there is no method specified for transferring data in an encrypted fashion. This means that under most network configurations, user names, passwords, FTP commands and transferred files can be captured by anyone on the same network using a packet sniffer. This is a problem common to many Internet protocol spec…
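The four forensics levels above all turn on the same point: FTP (USER/PASS), SMTP (MAIL FROM / RCPT TO and the AUTH LOGIN 334 exchange) and HTTP Basic all put credentials on the wire either in clear text or merely Base64-encoded, so once Wireshark has reassembled the conversation (Follow TCP Stream) the values fall out with a few lines of parsing. The Python below is an added example, not code from the challenge site or this blog. The session transcripts are constructed, except that the SMTP AUTH LOGIN lines reuse the 334/response strings from the Level 3 frame list and the HTTP Authorization value is the Aladdin / "open sesame" example quoted in Level 4. It also handles SMTP AUTH PLAIN (RFC 4616), which the levels do not mention but which shows up in the same captures.

```python
"""Pull plaintext credentials and mail envelopes out of reassembled TCP
conversations (the text Wireshark shows in "Follow TCP Stream").

Added example for the forensics levels above; not code from the challenge
site. Each session is a list of (direction, line) tuples, direction being
"C" (client -> server) or "S" (server -> client)."""
import base64
import re


def b64_text(token):
    """Decode one Base64 token to text; missing '=' padding is tolerated."""
    token = token.strip()
    token += "=" * (-len(token) % 4)
    return base64.b64decode(token).decode("utf-8", "replace")


def _address(line):
    """Address inside <...> of a MAIL FROM: / RCPT TO: line."""
    m = re.search(r"<([^>]*)>", line)
    return m.group(1) if m else line.split(":", 1)[1].strip()


def extract_ftp(session):
    """FTP (Level 1): USER and PASS travel as plain commands."""
    creds = {}
    for direction, line in session:
        if direction != "C":
            continue
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            creds["username"] = arg.strip()
        elif cmd.upper() == "PASS":
            creds["password"] = arg.strip()
    return creds


def extract_smtp(session):
    """SMTP (Levels 2 and 3): envelope addresses plus AUTH LOGIN / AUTH PLAIN."""
    out = {"mail_from": None, "rcpt_to": [], "username": None, "password": None}
    expecting = None  # which value the next client line answers, after a 334
    for direction, line in session:
        if direction == "S":
            if line.startswith("334 "):
                # the 334 challenge carries a Base64 prompt: "Username:" / "Password:"
                prompt = b64_text(line[4:]).lower()
                expecting = "username" if prompt.startswith("username") else "password"
            continue
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            out["mail_from"] = _address(line)
        elif upper.startswith("RCPT TO:"):
            out["rcpt_to"].append(_address(line))
        elif upper.startswith("AUTH PLAIN "):
            # AUTH PLAIN (RFC 4616) packs authzid\0authcid\0password into one blob
            parts = b64_text(line.split(" ", 2)[2]).split("\0")
            out["username"], out["password"] = parts[-2], parts[-1]
        elif expecting:
            out[expecting] = b64_text(line)
            expecting = None
    return out


def extract_http_basic(session):
    """HTTP (Level 4): Authorization: Basic base64(user:password)."""
    found = []
    for direction, line in session:
        if direction != "C":
            continue
        m = re.match(r"Authorization:\s*Basic\s+(\S+)", line, re.IGNORECASE)
        if m:
            # split on the FIRST colon only: a user name cannot contain ':',
            # a password can (RFC 7617)
            user, _, password = b64_text(m.group(1)).partition(":")
            found.append((user, password))
    return found


# Constructed sessions (not taken from the challenge pcaps).
FTP_SESSION = [("S", "220 ftp ready"), ("C", "USER alice"),
               ("S", "331 Password required"), ("C", "PASS s3cret"),
               ("S", "230 Login successful")]

# The 334 / response lines are the ones shown in the Level 3 frame list.
SMTP_SESSION = [("C", "EHLO client.example"), ("S", "250-AUTH LOGIN PLAIN"),
                ("C", "AUTH LOGIN"), ("S", "334 VXNlcm5hbWU6"),
                ("C", "QXVkaQ=="), ("S", "334 UGFzc3dvcmQ6"),
                ("C", "MTIzNGFk"), ("S", "235 Authentication successful"),
                ("C", "MAIL FROM:<sender@example.com>"), ("S", "250 OK"),
                ("C", "RCPT TO:<recipient@example.org>"), ("S", "250 OK")]

# The Base64 value is the Aladdin / "open sesame" example quoted in Level 4.
HTTP_SESSION = [("C", "GET /protected/ HTTP/1.1"), ("C", "Host: example.com"),
                ("C", "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="),
                ("C", "")]

if __name__ == "__main__":
    print(extract_ftp(FTP_SESSION))
    print(extract_smtp(SMTP_SESSION))
    print(extract_http_basic(HTTP_SESSION))
```

Note that none of this is decryption: Base64 is an encoding, and the only reason these captures give up credentials is that the sessions ran without TLS (no STARTTLS on SMTP, no FTPS, no HTTPS). The same parsing applied to a TLS-wrapped session yields nothing, which is the fix the Level 1 text is pointing at.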

[Securityoverride] WAF Bypass: SQL injection(Forbidden or not?)

This is such a wide topic, but today we're going to examine WAF bypass and SQL injection.

What is a WAF? A WAF is a Web Application Firewall, used to filter certain malicious requests and/or keywords.

Is a WAF a safe way to protect my website? Well, that's a tough question. A WAF alone will not protect your website if your code is vulnerable, but a WAF and secure coding will. A WAF should be used as a tool in your tool shed, but you should never count on a WAF to keep attackers out, because most, if not all, WAFs can be bypassed with time and brains. Today we will take a look into how exactly to do this.

SQL comments are a blessing to us SQL injectors. They allow us to bypass a lot of the restrictions of web application firewalls and to kill certain SQL statements so that the attacker's commands execute while the actual legitimate query is commented out. Some comments in

  //, -- , /**/, #, --+, -- -, ;

2) Case Changing: Some WAFs will filter only lowercase …
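To make the two bypasses concrete, here is an added Python example (not the post's own code): a case-sensitive keyword blocklist, standing in for the "lowercase only" filter the post describes, sits in front of an in-memory SQLite database with a constructed users table and a constructed secrets table. The canonical payload is blocked; the mixed-case and `/**/`-split variants pass the filter and SQLite executes them; and the parameterised query placed next to the vulnerable one returns nothing for all three, which is the "secure coding" half of the post's advice.

```python
"""A keyword blocklist is not a fix: the injection the toy WAF catches in
its canonical form goes straight through once comments or mixed case are
used, and the database still executes it.

Added example illustrating the WAF-bypass post above, not the author's code.
The in-memory SQLite database, its tables and rows are constructed here."""
import sqlite3

# Toy WAF: a case-SENSITIVE substring blocklist, like the "filters only
# lowercase" WAFs the post mentions.
BLOCKED = ["union select", "or 1=1", "--"]


def naive_waf(value):
    """True if the request is allowed through the toy WAF."""
    return not any(token in value for token in BLOCKED)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT);
        CREATE TABLE secrets(secret TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO secrets VALUES ('s3cret-value');
    """)
    return conn


def vulnerable_query(conn, user_input):
    """String concatenation: whatever passes the WAF is parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + user_input
    return sorted(row[0] for row in conn.execute(sql))


def safe_query(conn, user_input):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,))
    return sorted(row[0] for row in rows)


PAYLOADS = {
    "canonical": "1 union select secret FROM secrets",    # blocked by the WAF
    "case":      "1 UNION SELECT secret FROM secrets",    # passes: case differs
    "comment":   "1 UNION/**/SELECT secret FROM secrets",  # passes: comment splits the keywords
}


def run_payload(conn, payload):
    """(allowed_by_waf, rows_from_vulnerable_query, rows_from_safe_query)."""
    if not naive_waf(payload):
        return (False, [], safe_query(conn, payload))
    return (True, vulnerable_query(conn, payload), safe_query(conn, payload))


if __name__ == "__main__":
    db = make_db()
    for name, payload in PAYLOADS.items():
        print(name, run_payload(db, payload))
```

SQLite accepts `/* */` and `--` comments; `#` and `--+` from the list above are MySQL idioms, so test a bypass against the engine actually behind the application rather than assuming the list is universal.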

[Documents] Anonymous attacks Malaysian government sites

The 10 sites are:

[Documents] Securelist - Spam in May 2011

May in figures
The amount of spam in email traffic increased by 2.1 percentage points compared to April and averaged 82.9%. Phishing emails accounted for 0.02% of all mail traffic, a decrease of 0.01 percentage points compared to the previous month. Malicious files were found in 4.1% of all emails, an increase of 0.45 percentage points compared to April's figure (read more...)
Source:

[Documents] AVG community powered threat report - Q2/2011

Mobile Malware
As anticipated in our last report, this year mobile malware is going to make the headlines. A lot of this may be explained by the massive and practically defenseless target posed by the exploding number of smart phones, tablets and other advanced mobile devices. Gartner foresees that total sales of mobile communication devices to end users will reach ~413 million devices; this is an 'attractive' target for hackers. Responding to this development, we noticed that cyber criminals are shifting more resources from PC to mobile. The current low security awareness among mobile users opens the door for cyber criminals to monetize quickly. Additionally, there is no need to go through the evolution of malware development which was necessary for PC-targeted attacks: the knowledge and the tricks are already there. Cyber criminals just have to execute. AVG Threat Labs have spotted various monetization methods criminals are using on mobile platforms. The most …

[Picked up] Free download from Scribd

<?php
// Build a Scribd "download" redirect for the document URL submitted through the form.
function downloadScribd($link)
{
    // Strip the scheme and split on "/"; element 2 is the document ID
    // (http://www.scribd.com/doc/<id>/<title> gives $getID[2] == "<id>").
    $getID = explode("/", str_replace("http://", "", $link));
    // Note: $getID[2] is user input written unescaped into a script block
    // (reflected XSS), and the target is a path relative to this page.
    exit("<script>window.location='" . $getID[2] . "/download?commit=Download+Now&secret_password=K4pT3N';</script>");
}

echo "<form name='f' method='post' action=''>
          <input type='text' name='link'>
          <input type='submit' name='submit' value='Download'>
      </form>";

if (isset($_POST['submit'])) {
    downloadScribd($_POST['link']);
}
?>

Source: http://explorecrew.org
All content of this web is for educational purposes only. Any consequences in view of the use of scripts, techniques, codes, tutorials, and everything imaginable on this website are purely the responsibility of the user, NOT ExploreCrew. If you agree about this, continue reading. If you do…

[RAT] Muhammad Nuh Al-Azhar

Muhammad Nuh Al-Azhar
I am a forensic cop who often deals with forensic investigation of computer crime and/or computer-related crime. I have been working at the Forensic Laboratory Centre (Puslabfor) of the Indonesian National Police Headquarters (Mabes Polri) for more than 14 years. With this blog, I would like to share the forensic knowledge I obtained from the CHFI (Computer Hacking Forensic Investigator) at EC-Council, USA, and the MSc in Forensic Informatics at the University of Strathclyde, UK, and my experience in dealing with computer-based electronic evidence. Besides CHFI, I was also awarded the professional certification of CEI (Certified EC-Council Instructor) from EC-Council, a professional commendation as Senior Instructor on crime scene management from a retired forensic investigator of the New York State Police, and MBCS (Professional Member of the British Computer Society). I also received the 2010 Super Six UK Alumni award from British Council Indonesia. In order to upda…