Core Security found a pretty spectacular vulnerability in VMware. If you have shared folders with the guest OS, a program running inside the VM can modify any file on the host. Given how dependent we are on VMs for malware analysis, it would be a good idea to upgrade. Hats off to Core for finding this bug.
"A vulnerability was found in VMware's shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host's file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it."
While checking my email yesterday at Hotmail I got an email from a "Nicole Smith". The email was an attachment of what appeared to be a valid JPG file: "nicole256.jpg". When I put my mouse on the image I noticed the link on the status bar was not to the "nicole256.jpg" file but instead to another site: "hxxp://220.127.116.11/pics/nicole256.php". Needless to say, it was a spoofed link to an "exe" file. I downloaded the file and scanned it with AVP KAV 7.0 with the very latest definitions and it found nothing. Nope, not even as suspicious. I have included 3 screenshots: what appeared as a suspicious string in the source code of the Hotmail page, and 2 screen captures of the scan from VirusTotal. Several scanners did register it as malware and a couple as suspicious. Is this a new technique/method of infecting? For a long time now, Hotmail had always restricted almost all attachments, but this one seemed to get by with no problem.
I'm looking to write Snort and ClamAV signatures for it, but have yet to find a sample.
Just found this blog, and I have a strong intuition that it belongs to a terrorist group (mujahideen / taliban / al-qaeda)??
Few more sites found ...
and a terrorist magazine: http://18.104.22.168/uploads/teaqny_magazine1.zip
Update: Will try to add random terrorist encryption tools download if I get my hands on them in a while ...
Many people have heard of it, seen it, and may have tried it... But do they really know what it does? Because there are still a lot of people who do not know what RFI (Remote File Inclusion) actually is, or does, I have decided to write a little(?) tutorial about it. It will basically just explain and 'show' how RFI actually works, and help you understand the basics.
After reading this, you should be able to recognize RFIs, and you will be able to find and use them. At least, that's what I think.
Since this is my first 'tutorial', I would like to have your opinion on it, so leave me a comment.
The MPack toolkit has been uploaded to Rapidshare. I searched the database and found only the DreamHack tool (the compiled form), and I thought it would make sense to upload the source for our members ;)
Click here to download the source code from Rapidshare
OC Download c0ff6e3db8afa6bf598e54afe351d795 (rename extension to .rar)
Just tried it on a machine, the contents of the archive are,
Anyone have a copy of this yet?
Anyone have a sample of the new PDF Windows 0day?