Archive for February, 2012

Since last release in October, Metasploit added 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules, and 18 new payloads.

Metasploit 4.2 now ships with thirteen brand new payloads, all added to support opening command sessions and shells on IPv6 networks. In addition, Metasploit’s existing arsenal of payloads has been updated to support IPv6 as well. With this release comes a pile of new modules targeting VMware vSphere/ESX SOAP interface, as well as a pair of new brute force modules to audit password strength for both vmauthd and Virtual Web Services.

Metasploit 4.2 now ships with fourteen new resource scripts, nearly all of which were provided by open source community contributors. These scripts demonstrate the power of Metasploit’s extensible architecture, allowing programmatic Metasploit module usage through the powerful Ruby scripting language.

Flashback Trojan

Posted: February 24, 2012 in Analysis

This year has been relatively silent with regard to malware in OS X, but today security and antivirus firm Intego reported that the criminals behind the Flashback Trojan have been hard at work releasing new variants to their malware package. The seventh variant of Flashback has been identified, which shows it is using new and unique techniques for infecting Macs.

Flashback is a Trojan horse attack that, according to Intego, now uses numerous methods for infecting Mac systems. First it will try to take advantage of Java security holes to install itself, but if you do not have Java installed (OS X 10.7 and later are shipped without a Java runtime), then it will try to use various social engineering methods to trick users, such as disguising itself as a legitimate Adobe Flash installer and displaying certificates that appear to be from Apple in order to coerce people to run the Trojan installers.

Figure: Flashback certificates. Flashback now tries using false Apple certificates to trick users into installing it. (Credit: Intego)

Once installed, the Trojan will inject code into Web browsers and other specified applications like Skype in attempts to harvest passwords and other information from those who use these programs. Luckily the affected programs generally crash, which is a good indicator that something is wrong with them and they will need to be reinstalled or otherwise addressed; however, there is a chance that, if infected, the Trojan might have been successful at getting the information it was after.

While the level of Mac malware is exceptionally minimal in regard to the malware scene for the entire PC industry, it is out there, so be cautious about what you download and open on your system. If you are uncertain about whether your system is safe, then you can always install a malware scanner and keep it up to date with the latest malware definitions. You do not need to set the scanner to always scan your system, but instead can have it monitor your downloads folder, e-mail, and other locations that might be more apt to have malware should you run into it.

This latest news on Flashback adds to the few reports we’ve seen this year, and it is likely that more will follow. Last year saw the most malware to date being released for OS X, suggesting a potential increase in attack attempts on Mac users that will continue through the upcoming year. However, while malware is higher overall for OS X, there is also speculation that malware releases may come in opportunistic bubbles rather than follow a steady increase in marketshare of Apple’s Mac platform, though it may be too soon to make such conclusions based on the data that is available.

Regardless, it is good to be prepared for threats should they arise. Even though OS X is relatively devoid of malware (and has no viral malware), treat any new files you download with caution, and do not install or run anything on your system unless you know and trust exactly where it came from.

To help Mac users out with this effort, Apple is gearing up for increases in malware by adding new anti-malware features to OS X. Its XProtect technology, released in OS X 10.6 Snow Leopard, has gained automatic updating in the past year, and more recently Apple has announced Gatekeeper in the upcoming OS X Mountain Lion release, which will allow users to block all programs except for those from trusted sources from running on their systems.

The Apache Software Foundation officially released Apache 2.4 today as the first major update to this leading open-source web server in more than half a decade. Apache 2.4 is slated to deliver superior performance to its 2.2 predecessor and better compete with the increasingly popular NGINX web server. It is the first major release of Apache in six years and coincides with the software’s 17th anniversary.

Besides much faster performance, the many enhancements to the Apache 2.4 HTTP Server include better asynchronous support in its core, run-time loadable MPMs, reduced memory usage compared to Apache 2.2.x, several new modules, enhancements to existing modules, and much more.
“This release delivers a host of evolutionary enhancements throughout the server that our users, administrators, and developers will welcome,” Apache server vice president Eric Covener wrote in a statement. “We’ve added many new modules in this release, as well as broadened the capability and flexibility of existing features.”
The Foundation claims that numerous enhancements make Apache HTTP Server v2.4 ideally suited for Cloud environments. These include:
• Improved performance (lower resource utilization and better concurrency)
• Reduced memory usage
• Asynchronous I/O support
• Dynamic reverse proxy configuration
• Performance on par, or better, than pure event-driven Web servers
• More granular timeout and rate/resource limiting capability
• More finely-tuned caching support, tailored for high traffic servers and proxies.

For those web administrators out there, details on some of the new Apache 2.4 features are available from the Apache documentation. The brief official announcement is available here.

Windows 8 Picture Password

Posted: February 22, 2012 in Analysis, Best Practices

Passwords to log in to your computer have come in different forms. Initially we had, and still have, text passwords, where one uses the keyboard to type; then fingerprint scanners (biometric) were introduced; then there is face recognition (I am not sure how successful this was); and now with Windows 8, Microsoft has introduced a new way to enter your password, called Picture Password. This is one of the newest and coolest features I have used so far. It’s not that difficult to configure either (that’s the best part).

The idea behind this feature is that you select a picture and up to 3 different gestures that you use to interact with it. These gestures can be circles, lines, or taps; for example, in a picture you can connect all your family members’ faces with a line and that can be your password, or maybe circle the face of your best friend.

How to set it up?

  • Click on the Control Panel App
  • Tap on Users
  • Create Picture Password
  • Enter your password
  • Once the account is authenticated it will give you an overview on the Picture password feature and will allow you to choose the picture
  • Select the Picture and position it and click use this picture
  • Create your gestures and confirm the gestures (circles, lines and taps)

Once you receive the success message, you are done.

The video below gives more detailed information.

What is DNS (Domain Name System)? It is an Internet service that converts user-friendly domain names into the numerical Internet Protocol (IP) addresses that computers use to talk to each other. When you enter a domain name, such as , in your web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration. DNS and DNS servers are a critical component of your computer’s operating environment; without them, you would not be able to access websites, send e-mail, or use any other Internet services.

What is DNSChanger? A small file of about 1.5 kilobytes, DNSChanger is a trojan that changes the infected system’s Domain Name Server (DNS) settings in order to divert traffic to unsolicited, and potentially illegal, sites. This Trojan is designed to change the ‘NameServer’ Registry key value to a custom IP address. This IP address is usually encrypted in the body of the trojan.
When? The DNSChanger malware was first discovered around 2007, and since then has infected millions of computers, around 500,000 of them in the U.S.; through these computers the criminals have reportedly pulled in around $14 million in stolen funds. The FBI has uncovered a network of rogue DNS servers and has taken steps to disable it. The FBI is also undertaking an effort to identify and notify victims who have been impacted by the DNSChanger malware.
Who is infected, and technical info? Both Windows and Mac OS users are at risk for this infection because it exploits your browser, not your operating system. Here are some known hostile IP address pairs used by the DNSChanger malware: – – – – – –
Why is it not easy to remove this Trojan? One consequence of disabling the rogue DNS network is that victims who rely on it for DNS service could lose access to DNS services, so this process will be started on March 8 by the FBI.
Why 8th March 2012? After the takedown of the DNSChanger botnet in November 2011, the FBI obtained a court order allowing the FBI to set up a temporary DNSChanger command and control network. The court order expires on March 8th, 2012. Unless the FBI obtains a new court order allowing them to continue operating the temporary network, the network will be turned off, resulting in millions of computers world-wide no longer being able to access the Internet.
How to check manually whether your system is infected or not? The best way to determine if your computer has been affected by DNSChanger is to have it evaluated by a computer professional.
Avira also cooperated with the German Federal Office for Information Security (BSI) and published the tool on the special website created to check whether DNS requests are being sent to the right servers. Besides the website, users can also download OK DNS, the DNS-repair tool, from the Avira website here.
After 8th March, will all computers be secured? According to the FBI, it is quite possible that computers infected with this malware may also be infected with other malware. The establishment of these clean DNS servers does not guarantee that the computers are safe from other malware. The main intent is to ensure users do not lose DNS service.
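The manual check described above comes down to one question: do the resolver addresses configured on the host (the Windows ‘NameServer’ registry value the post mentions, or the nameserver lines of a resolv.conf on other systems) fall inside the address ranges the rogue DNS servers used? The following is an added example, not code from the post or from Avira, that performs that comparison. The rogue ranges were stripped from this page, so the ranges below are constructed placeholders (RFC 5737 documentation networks) and must be replaced with the published DNSChanger ranges before real use; the sample resolver configurations are likewise constructed.

```python
import ipaddress
import re

# Constructed placeholders: the page lists the rogue DNS address pairs but they did
# not survive extraction, so documentation-only networks stand in for them here.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder, not a real rogue range
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder, not a real rogue range
]

# Constructed sample inputs: a resolv.conf fragment and a regedit-style export of the
# Windows 'NameServer' value (comma-separated list of resolver addresses).
SAMPLE_RESOLV_CONF = "nameserver 192.0.2.10\nnameserver 8.8.8.8\n"
SAMPLE_REGISTRY_VALUE = '"NameServer"="198.51.100.5,8.8.4.4"'


def parse_nameservers(text):
    """Pull every IP address out of resolver configuration text.

    Works for both formats in the post: 'nameserver a.b.c.d' lines and the
    comma-separated 'NameServer' registry value. Tokens that are not IP
    addresses (keywords, quotes, comments) are simply skipped.
    """
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for token in re.split(r'[,\s"=]+', line):
            if not token:
                continue
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # not an address, e.g. the word "nameserver"
    return servers


def rogue_nameservers(servers, ranges=ROGUE_DNS_RANGES):
    """Return the configured resolvers (as strings) that sit inside a rogue range."""
    return [str(s) for s in servers if any(s in net for net in ranges)]


def check_config(text):
    """Convenience wrapper: parse a config blob and report suspicious resolvers."""
    return rogue_nameservers(parse_nameservers(text))


if __name__ == "__main__":
    for label, blob in (("resolv.conf", SAMPLE_RESOLV_CONF),
                        ("NameServer", SAMPLE_REGISTRY_VALUE)):
        hits = check_config(blob)
        status = "SUSPICIOUS" if hits else "clean"
        print(f"{label}: {status} {hits}")
```

On a live host you would feed the function the actual contents of the registry value or resolv.conf rather than the constructed samples; a hit only tells you the resolver setting points into a rogue range, which, as the post notes, does not rule out other malware on the machine.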

Track your Mobile phone

Posted: February 18, 2012 in Analysis


Cellular phones have become a ubiquitous means of communication, with over 5 billion users worldwide in 2010, of which 80% are GSM subscribers. Due to their use of the wireless medium and their mobile nature, those phones listen to broadcast communications that could reveal their physical location to a passive adversary.
University of Minnesota researchers found a flaw in AT&T and T-Mobile cell towers that reveals the location of phone users. The attack, described in a research paper (click to download the PDF), is most useful for determining whether a target is within a given geographic area as large as about 100 square kilometers or as small as one square kilometer. It can also be used to pinpoint a target’s location, but only when the attacker already knows the city, or part of a city, the person is in.

Ph.D. student Denis Foo Kune says, “Cell phone towers have to track cell phone subscribers to provide service efficiently. For example, an incoming voice call requires the network to locate that device so it can allocate the appropriate resources to handle the call. Your cell phone network has to at least loosely track your phone within large regions in order to make it easy to find it“.
The messages contain I.D. codes. In order to match the codes to the cell phone number, the researchers called the phone three times. The code that appeared three times in the same time periods in which the researchers were listening in is most likely the code of the cell phone. “From there we can use that I.D. to determine if you’re around a certain area or if you’re on a particular cell tower,” he said.
The process requires a feature cellphone and a laptop, running the open-source Osmocom GSM firmware and software respectively, along with a cable connecting the two devices. It also uses a separate cellphone and landline.
The attackers use the landline to call the target’s cellphone when it is located in the same LAC as the equipment, and use the laptop output to monitor the broadcasts that immediately follow over the airwaves to page the target phone.
The implications of this research highlight possible personal safety issues. The group explains their work in a paper recently presented at the 19th Annual Network & Distributed System Security Symposium, titled “Location Leaks on the GSM Air Interface”. The group has also contacted AT&T and Nokia with some low-cost options that could be implemented without changing the hardware.


Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage aims to make Metasploit usable for security practitioners who understand hacking but don’t use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.