Sunday, November 29, 2009

Conficker Eye Chart

Quite lame, but still practical maybe..huhu..

"Joe Stewart from SecureWorks has put together an effective "eye chart" that sources its graphics from sites that Conficker would block. If you can't see one or more of the images, you're either infected, or image loading in your browser has been disabled.

Firefox users can check if image loading has been disabled under Tools/Options and the Content tab. Load Images Automatically should be checked. Internet Explorer users will find it under Tools/Internet Options, then the Advanced tab. Scroll down to Multimedia, and Show Pictures should be checked.

It's a test based on the fact that Conficker blocks legitimate security Web sites. The logos are sourced remotely, so if they can't load, the sites are also likely to be blocked. If you're seeing blocked images, you should check out the CNET guide to removing Conficker--just because the botnet hasn't done much that's demonstrably malicious yet doesn't mean it can't or won't in the future."


original post: http://www.nsaneforums.com/?showtopic=18612

Eye Chart: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Thursday, November 5, 2009

How To Cyberstalk Potential Employers

The job-hunting season for graduates has begun... I think now is the time to put this tutorial from irongeek.com into practice..

How To Cyberstalk Potential Employers

Add new Partitions to Virtualbox OSE Ubuntu

1. Create new Virtual Hard Disk

Open VirtualBox OSE and go to File > Virtual Media Manager (VMM), or just press Ctrl + D. Click the New button on the Hard Disks tab and follow the wizard to the end. This time, pay attention to the size of the disk (choose the right disk type, name and size). Now we have created a new Virtual Hard Disk (VHD).

2. Add the new VHD to the VCO

Exit the VMM by clicking the OK button. In the VirtualBox OSE main window, right-click the target VCO (make sure the VCO is powered off) and go to Settings > Hard Disks. Click the Add Attachment button (the button with a +); your newly created VHD is inserted automatically. Finish with the OK button.

3. Start targeted VCO

The VCO will detect and install the new VHD at startup; wait until it finishes. Then right-click My Computer and choose Manage. Computer Management opens; go to Storage > Disk Management. Your new VHD will be in the list, but labeled as Unknown. When you open Disk Management, a Disk Initialization popup appears; go through it until it finishes. The new VHD is then shown as Unallocated.

4. Format the new VHD

Right-click the Unallocated space and choose New Volume. Go through the wizard, choosing options according to your requirements. You now have a new disk partition on your VCO.
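The same four steps as a script, added here as an example that is not part of the post: a POSIX shell helper for the host side using VBoxManage (createhd, still accepted as an alias of createmedium in current releases, and storageattach, which needs VirtualBox 3.1 or later), plus a diskpart script for the Windows guest that replaces the Disk Management clicks in steps 3 and 4. The VM name, the disk path, and the controller name "IDE Controller" on port 1 are assumptions; check the real controller name with VBoxManage showvminfo before attaching.

```shell
#!/bin/sh
# Added example (not the post's own): VBoxManage equivalent of steps 1-4 above.
# Assumes VirtualBox >= 3.1 and a disk controller named "IDE Controller"
# (assumption; verify with: VBoxManage showvminfo <vm-name>).
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# Steps 1 and 2 on the host: create a VDI of <size-MB> and attach it to <vm>.
# Usage: add_vhd <vm-name> <path/to/new.vdi> <size-MB> [controller] [port]
add_vhd() {
    vm="$1"; disk="$2"; size_mb="$3"
    ctl="${4:-IDE Controller}"; port="${5:-1}"
    # createhd is the older name of createmedium; both are accepted today
    "$VBOXMANAGE" createhd --filename "$disk" --size "$size_mb" || return 1
    # the VM must be powered off, exactly as in the GUI procedure
    "$VBOXMANAGE" storageattach "$vm" --storagectl "$ctl" --port "$port" \
        --device 0 --type hdd --medium "$disk"
}

# Steps 3 and 4 inside the Windows guest, scripted for diskpart instead of the
# Disk Management GUI: initialise the new disk as MBR, create one primary
# partition and give it a drive letter.  Run in the guest: diskpart /s <file>
# Usage: write_diskpart_script <output-file> <disk-number> [drive-letter]
write_diskpart_script() {
    out="$1"; disknum="$2"; letter="${3:-E}"
    cat > "$out" <<EOF
select disk $disknum
convert mbr
create partition primary
assign letter=$letter
exit
EOF
}

# Example invocation (commented out so the file can be sourced safely):
# add_vhd "WinXP-sandbox" "$HOME/vbox/data.vdi" 2048
# write_diskpart_script ./newdisk.txt 1 E
```

Run diskpart /s with the generated file inside the guest; on Windows XP, whose diskpart has no format command, follow it with format E: /FS:NTFS /Q to get the NTFS volume the New Volume wizard would have created.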

Monday, November 2, 2009

Virtualbox + maltrap == pure wonders..

DLLPath: C:\Documents and Settings\Administrator\Desktop\maltrap_v0.2a\maltrap.dll
Process injected! PID: 3660
PID: 3660, All hooks are now in place!
PID: 3660, 0x00406D6E: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> FAIL
PID: 3660, 0x00406ECB: CopyFileA(existing: C:\Documents and Settings\Administrator\Desktop\G001.exe, new: C:\WINDOWS\system32\qokqe.exe, overwrite: 00000000)
PID: 3660, 0x00406F2F: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025EB58
PID: 3660, 0x00406F64: CreateServiceA(ServiceName: ferst, DisplayName: ces, Type: 00000010, StartType: 00000002, StartName: (null), Path: C:\WINDOWS\system32\qokqe.exe, Password: (null)) -> h:0025E8A0
PID: 3660, --- Service runs in its own process
PID: 3660, --- Is started automatically by the SCM during system startup
PID: 3660, 0x00406FB0: StartServiceA(hService: 0025E8A0, serviceArgs: (null)) -> SUCCESS
PID: 3660, 0x00407027: RegOpenKeyA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> SUCCESS
PID: 3660, --- handle: 00000754
PID: 3660, 0x00407049: RegSetValueExA(keyHandle: 00000754, valueName: Description, data: fsr) -> SUCCESS
PID: 3660, 0x7C81F2AE: GetFileAttributesW(C:\Documents and Settings\Administrator\Desktop\G001.exe)
PID: 3660, 0x7C910A16: CreateProcessA(appName: (null), cmdLine: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\Desktop\G001.exe > nul)
PID: 3660, --- Creating the process in suspended state...
PID: 3660, --- Resulting PID: 3692
PID: 3660, --- Escalating privileges so the process can be opened...
PID: 3660, --- Opening the process...
PID: 3660, --- Allocating memory in the process...
PID: 3660, --- Writing the DLL into memory...
PID: 3660, --- Resuming the suspended process...
PID: 3660, 0x00407548: ExitProcess(exitcode: 0)
[Termination] PID 3660 has terminated!


MalTrap is a research utility that monitors malware behavior by intercepting API calls on Windows and logging the results. Though still in its alpha release and sparse on features, it's a very interesting and useful tool.
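As an added example (not part of the post and not MalTrap's own code), here is a small Python parser that reads log lines in the format shown above and flags the pattern visible in this trace from a defender's point of view: a copy of the sample dropped into system32, an auto-start service (StartType 2, SERVICE_AUTO_START) whose image path is that copy, and deletion of the original through cmd.exe. The sample log is retyped from the post; the regexes are my assumptions about the line format, not a specification from the tool.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the MalTrap log lines in the post above
# (same API sequence, retyped by hand so the example runs offline).
SAMPLE_LOG = r"""Process injected! PID: 3660
PID: 3660, All hooks are now in place!
PID: 3660, 0x00406D6E: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> FAIL
PID: 3660, 0x00406ECB: CopyFileA(existing: C:\Documents and Settings\Administrator\Desktop\G001.exe, new: C:\WINDOWS\system32\qokqe.exe, overwrite: 00000000)
PID: 3660, 0x00406F2F: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025EB58
PID: 3660, 0x00406F64: CreateServiceA(ServiceName: ferst, DisplayName: ces, Type: 00000010, StartType: 00000002, StartName: (null), Path: C:\WINDOWS\system32\qokqe.exe, Password: (null)) -> h:0025E8A0
PID: 3660, --- Service runs in its own process
PID: 3660, 0x00406FB0: StartServiceA(hService: 0025E8A0, serviceArgs: (null)) -> SUCCESS
PID: 3660, 0x7C910A16: CreateProcessA(appName: (null), cmdLine: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\Desktop\G001.exe > nul)
PID: 3660, --- Resulting PID: 3692
PID: 3660, 0x00407548: ExitProcess(exitcode: 0)
[Termination] PID 3660 has terminated!
"""

# One hooked call: "PID: <n>, 0x<addr>: <Api>(<args>) [-> <result>]"  (assumed format)
CALL_RE = re.compile(
    r"^PID: (?P<pid>\d+), 0x(?P<addr>[0-9A-Fa-f]+): (?P<api>\w+)\((?P<args>.*)\)"
    r"(?: -> (?P<ret>.+))?$"
)
# "name: value" pairs; values may contain spaces and backslashes but not ", name: "
ARG_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")

SERVICE_AUTO_START = 0x2  # StartType value from winsvc.h
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")


@dataclass
class ApiCall:
    pid: int
    addr: str
    api: str
    args: Dict[str, str]
    ret: Optional[str]


def parse_log(text: str) -> List[ApiCall]:
    """Return the hooked API calls; banner, '---' detail and termination lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m is None:
            continue
        args = dict(ARG_RE.findall(m.group("args")))
        calls.append(ApiCall(int(m.group("pid")), m.group("addr"), m.group("api"),
                             args, m.group("ret")))
    return calls


def analyse(calls: List[ApiCall]) -> Dict[str, object]:
    """Flag the drop / auto-start service / self-delete chain seen in the sample."""
    dropped: List[str] = []
    services: List[Dict[str, str]] = []
    self_delete: Optional[str] = None
    for c in calls:
        if c.api.startswith("CopyFile"):
            dest = c.args.get("new", "")
            if any(d in dest.lower() for d in SYSTEM_DIRS):
                dropped.append(dest)
        elif c.api.startswith("CreateService"):
            # values are logged as 8-digit hex; 0x2 is SERVICE_AUTO_START
            if int(c.args.get("StartType", "0"), 16) == SERVICE_AUTO_START:
                services.append({"name": c.args.get("ServiceName", "?"),
                                 "path": c.args.get("Path", "")})
        elif c.api.startswith("CreateProcess"):
            cmd = c.args.get("cmdLine", "")
            low = cmd.lower()
            if "cmd.exe" in low and " del " in low:
                self_delete = cmd
    dropped_lower = {d.lower() for d in dropped}
    # a service whose image path is the dropped copy ties the two events together
    persisted = [s["name"] for s in services if s["path"].lower() in dropped_lower]
    findings = [f"copied itself into a system directory: {d}" for d in dropped]
    findings += [f"installed auto-start service '{s['name']}' -> {s['path']}" for s in services]
    findings += [f"service '{n}' is backed by the dropped copy (persistence chain)" for n in persisted]
    if self_delete:
        findings.append(f"deleted the original via cmd.exe: {self_delete}")
    return {"dropped": dropped, "auto_start_services": services,
            "persisted": persisted, "self_delete": self_delete, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG))["findings"]:
        print("*", finding)
```

The "---" detail lines and the "Resulting PID" of the spawned cmd.exe are skipped here; the PID separation MalTrap advertises means a fuller parser would key the findings by PID and follow the child process, which is where any further activity of the dropped service would show up.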

Features

* Over 200 APIs are intercepted, for better results and little noise.
* Only relevant API parameters are displayed (highly descriptive).
* Only relevant API return values are displayed (highly descriptive).
* Created processes are monitored
* PID separation – API calls are logged based on the process
* PC shutdown attempts are prevented
* Anti-Debugging attempts are logged (SoftICE, RegMon, FileMon, Generic)
* Key-logging attempts are logged
* Internet traffic is logged and highly detailed (Winsock, FTP, HTTP, IRC, …)

A very cool tool..

download here: http://www.maltrap.com/main/download/

Video Tutorial:
