CVE-2010-2568 will need to have a LNK file with a malicious dll to cause harm. Feeling the urgency of parsing the LNK file to trace any present dll, we modified a small portion of the code from metasploit’s project to make it run independently from the metasploit framework. The original code is here. The main […]
FIRST AGM and Annual Conference 2010
The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the wider global security community. The conference also creates opportunities for networking, collaboration, and sharing technical information and management practices. Just as importantly, the conference enables attendees […]
Honeynet Project Annual workshop 2010
The Annual Honeynet Project workshop this year was held at Mexico City, Mexico. The workshop enables chapters from all over the globe to meet, discuss ideas, share experiences and develop our toolsets for data collection and analysis. It is an extremely valuable and unique event, where chapters from around 20 countries find the time to […]
DIONAEA:submission module
Mark Schloesser spoke about Dionea during his presentation at the FIRST-TC KL 2009, last December and that got us really excited. A few MyCERT folks had a chance to do a ‘class’ with him as well and got some exposure with the its internal. We are replacing some of the nepenthes instances with Dionaea . […]
Dionaea: Auto Start Script on Ubuntu
Getting Dionaea to run should be very straightforward for most people. One of the thing we need for our project is As for us, to get our Dionaea appliance running properly, one the feature we need is to get Dionaea service running when the OS is booting. Below is the script for it (shameless ripped […]
Mass SQL Injection And Asprox Bot
Asprox is one of the botnet that implements mass sql injection to inject malicious *.js script into MSSQL database server. Normally Asprox bot will search for any vulnerable (sql injection, of course) *.asp script to inject the malicious *.js script and iframe into database. Typical sql injection is similar to log below: GET /page.asp?id=425;d EcLaRe […]
Microsoft DirectShow msvidctl.dll 0day
Another 0-day was released in-the-wild targeting Microsoft Internet Explorer. The bug is inside msvidctl.dll when working with media file (*.gif have been used in the wild exploitation). Below is the in-the-wild exploit analyzed by us (we modified the shellcode to %uxcccc). Figure 1.0 showed the exception handler is executed and will pointing to our jump […]
Conficker.C and DNS
We have been working to track conficker’s dns queries in order to identify infected machines/network with conficker.c. Tracking a 50K DNS names and 500++ queries from each conficker is a bit troublesome when u have to record all the DNS queries (200M records/day) and compare it with 50K/day conficker.c domain names.:). The main idea of […]
Conficker: The other not so famous Variant A
There are lot more discussions are going on for Conficker variant C (ConfickerC) due to 1st April. Why 1st april?. The 1st april is the day ConfickerC should call home for updates. The domain name generator algorithm used by ConfickerC is making blocking or detecting live ConfickerC update servers is becoming harder when it will […]