Pinpoint – Tool to find malicious objects

Many websites host malware or link to malicious files without their owners' knowledge, and finding the compromised files normally takes some time. Pinpoint is a tool you can use to scan a site and identify the infected files: it lists all external JavaScripts, JavaScript redirects and iFrames on the targeted website.

Pinpoint has the following options:

  • Disable Compression – sends the HTTP request without the encoding option
  • Enable Entropy – performs the entropy check
  • Ignore Safe Sites – ignores common sites that host frameworks, ads, and other legitimate content so it doesn’t get downloaded
  • Ignore CSS – ignores external CSS files so that it doesn’t get downloaded


This tool is especially useful if your site uses external plugins that may put visitors at risk. You can download Pinpoint from this link: http://www.kahusecurity.com/tools/
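As an added illustration (not Pinpoint's own code, which this page does not show), the Python scanner below does what the post describes: it lists external scripts, JavaScript redirects and iFrames in a page, with a host allow-list standing in for the Ignore Safe Sites option and a Shannon-entropy check on inline scripts standing in for Enable Entropy; Disable Compression and Ignore CSS are left out. The allow-list entries, the size and entropy thresholds, the host names and the sample HTML are all constructed for the example.

```python
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAFE_HOSTS = {"ajax.googleapis.com", "code.jquery.com"}  # stands in for "Ignore Safe Sites" (assumption)
REDIRECT_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)", re.I)  # JS redirect
def shannon_entropy(text):  # bits per character; packed or base64-encoded bodies score higher than plain code
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text))) if n else 0.0

class PinpointLikeParser(HTMLParser):
    def __init__(self, page_host, ignore_safe=True):
        super().__init__()
        self.page_host, self.ignore_safe = page_host, ignore_safe
        self.findings, self._in_script, self._buf = [], False, []
    def _external(self, url):  # off-site and not on the allow-list
        host = urlparse(url).netloc.lower()
        return bool(host) and host != self.page_host and not (self.ignore_safe and host in SAFE_HOSTS)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src") and self._external(a["src"]):
                self.findings.append(("external_script", a["src"]))
        elif tag == "iframe":  # Pinpoint lists every iframe, whatever its origin
            self.findings.append(("iframe", a.get("src", "")))
    def handle_data(self, data):
        if self._in_script: self._buf.append(data)
    def handle_endtag(self, tag):  # inline script bodies are inspected once the tag closes
        if tag != "script":
            return
        self._in_script, body, self._buf = False, "".join(self._buf).strip(), []
        if REDIRECT_RE.search(body):
            self.findings.append(("js_redirect", body[:60]))
        if len(body) > 200 and shannon_entropy(body) > 5.0:  # size and entropy thresholds are assumptions
            self.findings.append(("high_entropy_script", "entropy=%.2f" % shannon_entropy(body)))

def scan_html(html, page_host, ignore_safe=True):
    parser = PinpointLikeParser(page_host.lower(), ignore_safe)
    parser.feed(html)
    return parser.findings

# Constructed sample for a page served from www.example.com: an allow-listed library, a local script,
# an unknown third-party script, a JS redirect, an encoded-looking blob and a 1x1 iframe.
BLOB = "".join(chr(65 + i % 58) for i in range(232))  # 58 distinct characters, each used 4 times
SAMPLE_HTML = f"""<html><head><script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="/js/app.js"></script><script src="http://stats.example.net/t.js"></script>
<script>window.location.href = "http://redirect.example.net/landing";</script>
<script>var p="{BLOB}";</script></head>
<body><iframe src="http://ads.example.net/frame.html" width="1" height="1"></iframe></body></html>"""
```

Running `scan_html(SAMPLE_HTML, "www.example.com")` reports the third-party script, the redirect, the high-entropy blob and the iframe while skipping the allow-listed library and the local script; pass `ignore_safe=False` to see the library listed too.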


Netflix phishing page hosted to steal credit card details

Netflix is a cloud service widely used for watching movies online. This week a new phishing campaign was spotted by Malwarebytes targeting Netflix customers to grab subscribers' sensitive information. The phishing page asks the user to enter credit card details as a way to "verify" their account information; obviously all of that sensitive information is sent to the cyber-criminal who controls the spoofed webpage.

The fake page URL is long, so if the browser displays only the first part of the link the user will find it quite authentic: http://netflix.co.uk.account.validation…

Netflix fake page (source: Malwarebytes)

While many web browsers include anti-phishing technology that will block similar pages, it is always important to verify links before submitting any sensitive information and to make sure HTTPS is enabled to encrypt your connection with the website. The phishing domain is registered with the “Crazy Domains FZ-LLC” registrar, and at the moment the hosting provider has removed this fake page.


New Release – OCLHashcat 1.30

This week a new release of OCLHashcat was announced. This tool is widely used for penetration testing and password recovery. The new version, OCLHashcat 1.30, improves performance and adds additional algorithms. The new algorithms are:

  • md5($salt.md5($pass))
  • Mediawiki B type
  • Kerberos 5 AS-REQ Pre-Auth etype 23
  • Android FDE
  • scrypt
  • Password Safe v2
  • Lotus Notes/Domino 8

There is also support for Skype and PeopleSoft password recovery, where testing should be done with access to the system. You can download the tool directly from the official website: http://hashcat.net/oclhashcat/


Fake Evernote extension found in Google Chrome store

Security researchers at Malwarebytes are warning of a new fake Evernote application that infects users and installs a trojan on the operating system. The plugin adds a web extension to the Google Chrome, Torch and Comodo Dragon browsers. Usually any user can search for extensions in the Chrome store and find the application they need to add functionality to the web browser.

The plugin claims to be the legitimate Evernote.com extension but is called “Evernote Web,” to make it look similar to the real one. Clicking on the plugin does not take the user to the Evernote login page; instead it runs malicious JavaScript that shows the user several annoying advertisements and leads the victim to install malicious programs.

Fake Evernote extension in the Chrome store (source: Malwarebytes)

37 out of 54 security programs identify the extension as adware, but the problem is not only the advertisements: many malicious plugins are used to spy on users' navigation, collecting the victim's browser history, which can then be sold on the black market. The best way to protect your system is to install all security patches that fix vulnerabilities on your system, use security software with up-to-date signature definitions, and make sure the security software scans your web navigation to stop any threat at an early stage.


New release – YARA 3.0

This week a new version of YARA was released. YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.

The new features include the following:

  • Support for modules
  • PE module
  • Cuckoo module
  • Some improvements in the C API
  • More comprehensive documentation
  • BUGFIX: Start anchor (^) not working properly with the “matches” operator
  • BUGFIX: False negative with certain regular expressions
  • BUGFIX: Improper handling of nested includes with relative paths
  • BUGFIX: \s character class not recognizing \n, \r, \v and \f as spaces
  • BUGFIX: YARA for Win64 scanning only the first 4GB of files.
  • BUGFIX: Segmentation fault when using nested loops
  • BUGFIX: Segmentation fault caused by invalid characters in regular expressions
  • BUGFIX: Segmentation fault while scanning some processes in Windows
  • BUGFIX: Segmentation fault caused by regexp code spanning over non-contiguous memory pages

YARA is used by VirusTotal Malware Intelligence Services, and you can install YARA by following this link: https://github.com/plusvic/yara/releases/tag/v3.0.0


“Suspicious sign in prevented” Spam That Links to Malware

A new spoofed email was spotted this week by TrendMicro; it claims to come from Gmail and alerts users that suspicious activity has been detected on their email accounts. The email claims a login to the Gmail account from an unrecognized device, gives the time of login and Chicago as the source, and invites the user to follow a malicious link.

The spam includes links pointing to Google Drive, a cloud service that is hosting an HTML file used to gather information on the victim's machine, including the type of browser and operating system. This classifies the victim's machine so the cybercriminal can deliver the malicious payload matching the system in use.

The malicious payload installs a backdoor that steals email credentials, user names and passwords. It also allows the attacker to install a key-logger on the victim's machine to capture all activity on the infected system. According to the blog post, the attackers are changing the files hosted on Google Drive every few days; this keeps them updated to the attackers' needs and avoids detection by security programs.

Spoofed email screenshot (source: TrendMicro)

Cloud hosting has been a good way to distribute malware because these services are not going to be blacklisted by spam filters, so the link reaches the targeted users, and the files can be changed at any time without the attackers' source being tracked. If you receive a similar message, make sure to ignore and delete the spam; it is also possible to report the case to Google so they remove the malicious files.


Viproy – VoIP Penetration Testing Kit

VoIP security testing is important to verify the quality of your system before it is moved into production. One of the tools you can consider for pentesting VoIP is Viproy. This tool has been presented at DEF CON and includes the following:

  1. Finding and Identifying SIP Services
  2. Identifying SIP Software and Vulnerabilities
  3. Identifying Valid Target Numbers, Users, Realm
  4. Unauthenticated Registration (Trunk, VAS, Gateway)
  5. Brute Forcing Valid Accounts and Passwords
  6. Invite Without Registration
  7. Invite Spoofing (After or Before Registration, Via Trunk)
  8. Testing DDoS attacks to verify that the system is resilient

You can use the tool with Kali using the installation script that ships with the package, or by copying the contents of the “lib” and “modules” folders into the Metasploit root directory. To find more information about this tool follow this link: http://www.viproy.com/
