Friday, Jan 21, 2011

McAf.ee Link Shortener

@DaveMarcus did NOT pay me to write this.

If you are a Twitter addict like me, you use a link shortener.  The list of link shorteners is long.  Bit.ly, TinyURL, even Google has its very own goo.gl!

However...

The problem is we don't know what we are clicking on.  You don't know that bit.ly/blah isn't serving you the latest helping of malware.  I have kicked around the idea that this is a great attack vector.  Looks like I was not the only one.
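One thing a user (or a client plug-in) can do about "we don't know what we are clicking on" is expand the short link without fetching the destination: follow the redirect chain with HEAD requests and look at where it lands. The script below is an added example, not code from this blog or from any shortener service; http_head is the only part that touches the network, the hostnames in FAKE_CHAIN are made up, and the warning heuristics in assess are my own choices.

```python
"""Expand a shortened link by following HTTP redirects with HEAD requests.

Added example, not code from n00bz.net or from any shortener service.
http_head() is the only network call; FAKE_CHAIN (constructed hosts) lets
the module run offline.
"""
import http.client
import ipaddress
import urllib.parse
from typing import Callable, Dict, List, Tuple

REDIRECT_CODES = {301, 302, 303, 307, 308}
RISKY_SUFFIXES = (".exe", ".scr", ".bat", ".com", ".pif", ".msi", ".jar")

# A fetcher maps a URL to (status, lower-cased headers).
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


def http_head(url: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str]]:
    """Real fetcher: HEAD only, so the final page body is never downloaded."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def expand(url: str, fetch: Fetcher = http_head, max_hops: int = 10) -> List[str]:
    """Return the redirect chain starting at url and ending at the final target."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES or "location" not in headers:
            return chain
        nxt = urllib.parse.urljoin(chain[-1], headers["location"])  # Location may be relative
        chain.append(nxt)
        if nxt in chain[:-1]:  # redirect loop: stop and report it
            return chain
    raise RuntimeError("gave up after %d hops" % max_hops)


def assess(chain: List[str]) -> List[str]:
    """Heuristics (my own, not McAfee's GTI) a user would want to see before clicking."""
    warnings = []
    final = urllib.parse.urlsplit(chain[-1])
    host = final.hostname or ""
    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a bare IP address")
    except ValueError:
        pass
    if final.scheme != "https":
        warnings.append("destination is not https")
    if final.path.lower().endswith(RISKY_SUFFIXES):
        warnings.append("destination is an executable download")
    if len(chain) > 3:
        warnings.append("long redirect chain (%d hops)" % (len(chain) - 1))
    if chain[-1] in chain[:-1]:
        warnings.append("redirect loop")
    return warnings


# Constructed offline chain (made-up hosts) standing in for a real shortener.
FAKE_CHAIN = {
    "http://short.example/abc": (301, {"location": "http://redir.example/r?id=7"}),
    "http://redir.example/r?id=7": (302, {"location": "/files/setup.exe"}),
    "http://redir.example/files/setup.exe": (200, {"content-type": "application/octet-stream"}),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    return FAKE_CHAIN[url]


def demo():
    """Expand the constructed short link and return (chain, warnings)."""
    chain = expand("http://short.example/abc", fake_fetch)
    return chain, assess(chain)


if __name__ == "__main__":
    chain, warnings = demo()
    print(" -> ".join(chain))
    for w in warnings:
        print("WARNING:", w)
```

To use it on a real link, call expand("http://goo.gl/...") with the default fetcher; HEAD means the executable at the end of the chain is never pulled down, and the loop guard keeps a malicious redirector from spinning you forever.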

http://www.zdnet.com/blog/security/twitter-worm-hits-googl-redirects-to-fake-anti-virus/7938

Cyber thugs are using Google's link shortener to trick users into viewing malicious content with FakeAV.

I just cleaned a co-worker's home netbook after they clicked the evil goo.gl link.

Note: http://www.malwarebytes.org/ is a great resource for removing.  I also used Metasploit to kill the tasks because the malware prevented Malwarebytes/AV from running.

I like to beat up on the AV vendors but the truth is there is a lot of malware out there and the best way to protect yourself is to not allow it to get on your machine in the first place.

Enter mcaf.ee! http://mcaf.ee/

McAfee has a link shortener that uses their Global Threat Intelligence database to check the links to identify if they are safe or malicious. 

They have plug-ins for Firefox and Chrome.

If you use a twitter client, add this to other services to use mcaf.ee as your link shortener. 

 http://mcaf.ee/api/shorten?input_url=%@&format=text

I added it to Tweetdeck today as my default link shortener.

 

I use Twitterrific on my iPad and iPhone.  McAf.ee isn't available for that app so if you see the bit.ly from me, you know why.

Thursday, Jan 20, 2011

How to crack a Mac App

Have you ever wondered how someone can bypass the registration on an application?  Kenneth Ballenegger wrote up a great post on how one can crack an app.

He notes, however, that he is fervently against software piracy, but he does not believe that obscurity and ignoring the problem is an acceptable solution.  I agree!

I Can Crack Your App With Just A Shell (And How To Stop Me)

Tuesday, Jan 18, 2011

Who's who of bad passwords!

People pick poor passwords.  Try saying that 3x fast.  As seen from the Gawker hack to RockYou, people love to pick passwords that are no better than the combination an idiot would have on his luggage.

Troy Hunt has a great write-up about certain sites (TomTom, American Express, Singapore Air) whose policies promote the idea that passwords MUST be poor.

http://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html

 

Tuesday, Jan 11, 2011

PS3 JailBreak Step-by-Step (ver3.55)

I was chatting with @d1sc0rd1an today about the PlayStation 3 and the latest EPIC Sony FAIL that @fail0verflow showcased at the 27th Chaos Communication Congress (27C3).

 

I got step-by-step instructions to run your legally owned backups.

UPDATE as of 01/11/2010 7:20PM EST: Geohot was served with papers from Sony.  The fail0verflow team has been served as well.  Good luck geohot and fail0verflow.  The info sec community is behind you.  Also a good time to remind people to donate to the EFF.

 

 

Via- @d1sc0rd1an:

 

GeoHot Firmware:

Download jailbreak.zip

Copy PSUPDAT.PUP to USB drive at /PS3/UPDATE

**MAKE SURE ON STOCK 3.55 FW**

Disconnect the PS3 from the network, insert the USB drive, go to System Update via Storage

Update and wait for 9 beeps... then the console shuts off.

Reboot and you can now install packages via XMB

**Same process can be used to go back to Stock 3.55 FW** - You will notice homebrew packages left installed will still work when reverting back to stock firmware, be careful going online though...

 

GeoHot Tools:

cd ~

git clone https://github.com/geohot/ps3publictools

~/ps3publictools/make_package_npdrm/make linux && ~/ps3publictools/package_finalize/make linux

PATH=$PATH:~/ps3publictools/make_package_npdrm/:~/ps3publictools/package_finalize/

 

Fail0verflow PS3tools:

cd ~

git clone git://git.fail0verflow.com/ps3tools.git

~/ps3tools/make

PATH=$PATH:~/ps3tools/

 

Modifying EBOOTs and Repackaging:

1. Copy EBOOT.BIN from USRDIR to a new dir (named the same as in the SFO file, usually BLUSXXXXX) and run 'unself EBOOT.BIN EBOOT.ELF' {unself is from fail0verflow ps3tools}

2. With a hex editor, search EBOOT.ELF for 'dev_bdvd' and switch every entry you can find to dev_hdd0 {should be about 5 or so; make sure to overwrite and not insert}

NOTE: I found some games spaced dev_bdvd as d.e.v._.b.d.v.d; if you find references to a PS3_GAME path (:/PS3_GAME/USRDIR) you must overwrite PS3_GAME with your own named dir and then transfer files into that directory (:/GAME1234/USRDIR & transfer data to /dev/hdd0/game/GAME1234/USRDIR)

3. Open PARAM.SFO with SFO EDITOR and change the category to HG (hard disk game). Also write down the BLUSXXXXX info - could also be BLES or BLJP etc.

4. Copy everything from PS3_GAME/ except USRDIR to BLUSXXXXX/ {everything but the USRDIR dir gets copied; copy TROPDIR, LICDIR, etc., just not USRDIR}

5. 'make_self_npdrm EBOOT.ELF EBOOT.BIN BLUSXXXXX' {make_self_npdrm is from GeoHot Tools}

6. Make a dir USRDIR in your BLUSXXXXX dir; copy the modded npdrm'd EBOOT.BIN into USRDIR {should be the only file in USRDIR}

7. Run 'pkg.py --contentid UP0001-BLUSXXXXX_00-0000000000000000 /BLUSXXXXX' to pkg {pkg.py is from the PSL1GHT SDK; pkg.py should automatically name the pkg from the Content-ID}

8. Run 'package_finalize UP0001-BLUSXXXXX_00-0000000000000000.pkg' {package_finalize is from GeoHot's tools}

9. Then install the package via XMB using GeoHot FW. Don't run it yet though; copy the original USRDIR contents except for the old EBOOT.BIN (of course) to /hdd0/game/BLUSXXXXX/USRDIR.  After installing the package the directory will have been created.  You can copy over using blackb0x ftp, which can also be installed via GeoHot's FW.

Links:

http://psl1ght.com/ - PSL1GHT SDK

http://rebug.me/?cat=6 - PSL1GHT VM by evilsperm

http://geohot.com/jailbreak.zip - GeoHot FW 

https://github.com/geohot/ps3publictools - GeoHot Tools git

git://git.fail0verflow.com/ps3tools.git - Fail0verflow ps3tools

Wednesday, Jan 5, 2011

virusscan_bypass.rb: Now with a lame security bulletin

@mubix shared a link with me earlier this morning: Security Bulletin - VSE 8.7 and earlier Metasploit payload attack

After my research and loss of faith in Anti-Virus technology, I decided to look at this further.

 

Let's look at the Bulletin. 

McAfee is aware of a publicly disclosed attack that could disable VSE running on a customer’s machine.

There was an update to the Metasploit Framework on Christmas Eve that added a script from Mert SARICA that silently kills McAfee VirusScan as well as some other fun options.  This was in revision 11411.

This isn't an attack but something an attacker could do once you click on that email link that promised you a gazillion dollars from some guy who needs your help transferring his dead cat's fortune out of a war torn condominium complex. 

This attack is not a standalone attack, but acts as a payload to be chained via another attack.

Once again, at this point you are owned and Game Over already!

  The attack was disclosed in a public tool.

While this is a Metasploit script, the only tool I see is the one who QA'ed the DAT file (6209).

Mitigating Factors

  • McAfee has released a DAT file (6209) which detects the Metasploit plug-in used to run this attack.

 

Updated to the latest version!

I am protected....  NOT! WTF?

 

The target machine is Windows XP Pro SP3... Fresh install, OS patched, installed McAfee AV and updated.

I generated a meterpreter executable and copied it to the desktop.  Great On-Access Protection!

I ran the executable and now I have a session.  Let's list the processes running.

In the list, McShield.exe is running with a pid of 916.

Running as an Administrator, I run the script.  This uploads an executable to the target and adds it to the exclusion list.  I am going to choose to kill McAfee altogether.

It should be noted that McTray.exe was also killed, so we don't get the tray icon.  On the target machine, the user would only see the tray icon silently disappear.  We can confirm that McAfee is McGone by looking at the process list.

We now have full control of the target machine, though we probably don't want it since it has been owned and now has the Zeus Trojan.

After a reboot, McAfee is back, but a reboot is what it takes.  Trying to load McAfee again before rebooting results in a notification of ownage!
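The one thing the user actually sees in the scenario above is the tray icon silently disappearing, and the one thing that proves it is the process list. A simple defender-side check is to snapshot the process list periodically and alert when a watched security process vanishes without a reboot. The script below is an added example, not code from this blog, McAfee or Metasploit; the two listings are constructed, the WATCHED set is my own choice, and on a real Windows box you would feed it `tasklist /fo csv /nh` output (that format differs, so parse_listing needs adapting) or a WMI query.

```python
"""Spot a silently killed AV process by diffing two process snapshots.

Added example, not from n00bz.net, McAfee or Metasploit. BEFORE/AFTER are
constructed listings in a "PID Name" shape; parse_listing would need
adapting for `tasklist /fo csv` output on a real Windows host.
"""
import re
from typing import Dict, List, Tuple

# Process names whose disappearance (without a reboot) should raise an alert.
# McShield.exe is the VSE on-access scanner, McTray.exe its tray icon.
WATCHED = {"mcshield.exe", "mctray.exe"}

# Constructed baseline snapshot (not the page's own screenshot).
BEFORE = """\
 PID   Name
 4     System
 560   svchost.exe
 916   McShield.exe
 1032  McTray.exe
 1200  explorer.exe
"""

# Constructed snapshot taken a minute later: both McAfee processes gone, one newcomer.
AFTER = """\
 PID   Name
 4     System
 560   svchost.exe
 1200  explorer.exe
 1544  update.exe
"""


def parse_listing(text: str) -> Dict[int, str]:
    """Map pid -> lower-cased image name; header and blank lines are skipped."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m:
            procs[int(m.group(1))] = m.group(2).lower()
    return procs


def diff_snapshots(before: Dict[int, str], after: Dict[int, str],
                   watched=WATCHED) -> Tuple[List[str], List[str]]:
    """Return (watched names that vanished, names that newly appeared)."""
    names_before = set(before.values())
    names_after = set(after.values())
    vanished = sorted(n for n in watched if n in names_before and n not in names_after)
    appeared = sorted(names_after - names_before)
    return vanished, appeared


def alerts(before_text: str, after_text: str, watched=WATCHED) -> List[str]:
    """Human-readable alerts for an operator or a log shipper."""
    vanished, appeared = diff_snapshots(parse_listing(before_text),
                                        parse_listing(after_text), watched)
    out = ["security process %s is gone without a reboot" % n for n in vanished]
    if vanished and appeared:
        # A new binary showing up in the same window is worth naming in the alert.
        out.append("new processes appeared in the same window: %s" % ", ".join(appeared))
    return out


if __name__ == "__main__":
    for line in alerts(BEFORE, AFTER):
        print("ALERT:", line)
```

The check is deliberately dumb: it does not care how the process died, only that it is absent while the machine stayed up, which is exactly the condition the bulletin's DAT signature failed to catch here. Pair it with an uptime check so a legitimate reboot does not trip it.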

Let's recap the timeline.

Script was added 12/24: Merry Christmas

Security Bulletin was issued 12/30: Happy New Year

On 1/5 the script still kills McAfee AV

 

How can you protect yourself?  Do you load Symantec?

Watch Mubix uninstall Symantec's SEP. 

http://www.room362.com/blog/2010/11/16/silently-uninstall-sep.html

All of this was released in 2010 and prior.  I can't wait to see what 2011 brings.

Welcome to 2011, the year of the #FAIL... again.

 

UPDATE 01/06/2010

It looks like the virusscan_bypass.rb script had a bug that caused the termination of the McShield icon and the error box.  The script has been updated.

Download the latest revision here: 11478

I grabbed it this morning and tested it out.

We have our process list before running the script.

We run the script as the local administrator.

Now we check the process list again.

Now for the sweep.  Show me the Shield!  Survey says:

 
