Thursday, November 26, 2009

Splinter(ed)cell...

Security companies and networking websites are not the only targets of the bad guys.
UbiSoft announced on Twitter that splintercell.com had been hacked.

Indeed, instead of the usual Splinter Cell homepage, a "nice" Russian message was there to welcome visitors...

And obviously, the traditional message making sure that the hacker's name won't be forgotten...

Surely a lot of work ahead for the UbiSoft guys :)

Tuesday, November 3, 2009

I'm so l33t...when I'm admin

I initially thought it was some sort of joke, then finally realised that it was supposed to be serious.

The French school ESIEA has organised a challenge called PWN2RM (sounds familiar?).
The goal was to disable some anti-virus software. Mmmm, why not, it's trendy after all :)

The PDF is just amazing.

First, one can say that they surely needed at least 10 minutes to make such beautiful slides...
Just joking, the real fun begins at slide 3:
1. Gain SYSTEM privileges (“at” command)
2. Stop the service (net stop)

Oh man!!! That's l33t.
So, tell me, your target is what, Windows XP? And you can stop a service once you've got SYSTEM privileges. Wow, congratulations!
But hold on, you were talking about disabling AV products, right? What's the link with any product here?

Another really funny bit:
• So far, hasn't been disabled
• NtOpenSection() is blocked (used to access PhysicalMemory mapping)
• But XXXXX doesn't block kernel driver loading, so it's only a matter of time

Ok, I'd translate this as "Well, we know it's possible to do cool stuff with a kernel driver but we have no clue whatsoever how to write one".

On slide 5, one can read:
• Disabled through \Device\PhysicalMemory (an XP-only trick, wouldn't work on Vista/7)

Ok, so the target was indeed Windows XP.

Guys, just for your information, one only needs SeDebugPrivilege to read from / write to kernel memory on WinXP (you know, DKOM, etc... ring a bell?).
So, what's interesting here? What's new? That you ran "at" to get a system shell?
Tell me what one _can't_ do once SYSTEM on an XP box?
Seriously...

I don't even understand why this school agreed to put that *** on its website...

I'm so looking forward to your next slides!
What will it be? "Bypassing Javascript authentication"?

At least you made me smile...

Wednesday, October 21, 2009

More on (moron) rogue AV...

Rogue AV is one of the most prevalent kinds of malware in the wild (often referred to as "scareware").
It's very simple but unfortunately works pretty well.

It looks like a security product (most likely an anti-virus or an anti-spyware) and happily detects hundreds of threats / viruses / whatever nasty thing you can think of on your computer.
The trick comes when you finally click on "Clean" to get rid of all those viruses: you get redirected to a webpage asking for your credit card details...
Needless to say, those fake AVs exist for one purpose only: stealing your money.

Don't be fooled. If you want a real AV product, go for the well-known brands. There are even free AVs.
If you are somewhat tech-savvy, check whois databases.
Domain names used for serving malware are never up for long. A brand-new domain name is always suspicious.

Here's an example of a rogue AV, stupidly called Soft-Cop.
The installer is an NSIS package that is surprisingly small for an AV product (61489 bytes).

Once installed, it happily runs a full scan and obviously finds hundreds of imaginary threats as shown below.

Geez! That's a lot for my freshly installed Windows :)

The guy(s) behind this is(are) so stupid that they even show off the "infected" file paths. Cool, let's have a look...

Mmmm, am I day-dreaming or what?
Those files do exist on my hard drive (well, they didn't before the scan).
Ok, nothing to get excited about. That piece of crap just generates random file names, creates those files and fills them up with random bytes.
Not sure what the purpose of that is, to be honest... anyway...

Another "hacker" trick is to make users think that running processes come from Microsoft (one can put whatever one wants in PE resources, so the version info of a file is no proof of its origin).
Oh man... Ok, why not, but in this case, could you at least give some plausible names to your files?!?!

Do you guys think that anyone could believe that SoftComp.exe is the Windows Calculator? O_o
What the hell are you smoking?
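The version-info string table lives in the PE resources, so a "Microsoft" there proves nothing; the Authenticode signature does. As an added example (mine, not code from the post nor from any product it mentions), this PowerShell script lists running processes whose resources claim a Microsoft origin while the image file carries no valid signature from a Microsoft certificate. The match pattern on the signer subject is an assumption you may need to adapt.

```powershell
# Added example: find processes whose PE version info claims Microsoft but whose image is
# not validly signed by a Microsoft certificate. A rogue like Soft-Cop would land in this list.
function Get-SuspiciousMicrosoftClaims {
    $results = @()
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        $path = $proc.Path
        if (-not $path) { continue }   # protected/system processes expose no image path
        $vi = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
        if (-not $vi) { continue }
        # VersionInfo is just a string table in the PE resources; anyone can write "Microsoft" there.
        $claimsMicrosoft = ($vi.CompanyName -match 'Microsoft') -or ($vi.ProductName -match 'Microsoft')
        if (-not $claimsMicrosoft) { continue }
        # The signature, not the resource, is what ties the file to a publisher.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = '<none>'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Assumed subject pattern for Microsoft-issued code-signing certificates.
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        if (-not $signedByMicrosoft) {
            $results += New-Object PSObject -Property @{
                Process     = $proc.ProcessName
                Path        = $path
                CompanyName = $vi.CompanyName
                Description = $vi.FileDescription
                SigStatus   = [string]$sig.Status
                Signer      = $signer
            }
        }
    }
    return $results
}

# Caveat: on older Windows versions, genuine OS binaries signed only through a security catalog
# (no embedded signature) may also show up, so treat the output as a triage list, not a verdict.
Get-SuspiciousMicrosoftClaims | Format-Table Process, CompanyName, Description, SigStatus, Path -AutoSize
```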

Last but not least, let's scare users a little bit!
Like other rogues, our lame brand-new friend displays annoying alerts pushing you to hand over your money...

Rogue AVs are a real threat. Many end users just can't tell the difference between real security software and a rogue. And unfortunately, some of them end up giving away their credit card details.
That's the sad part of the story.

Now, here's another point of view.
I've seen many rogues. They're all the same...
Shitty code, stupid so-called "tricks", two-cent social engineering...

Yeah, from the bottom of my heart, you guys writing scareware, you really suck.
But thank you so much!
Having a look at your shit in a disassembler is even better than reading The Daily WTF. :D

But still, you suck...

Tuesday, October 13, 2009

Missing milw0rm?

Well, milw0rm is gone. Sad isn't it?
Some time ago I wrote a quick blog post about it and quite an interesting comment just got posted (cheers!).

Yeah! You can smile again and add inj3ctor.com to your bookmarks :)

Sunday, October 4, 2009

EICAR 2010 will be held in France

Good news for all the French IT-sec dudes out there, EICAR 2010, named "ICT Security: Quo Vadis?" will take place at ESIEA in Paris.
Not cheap at all but usually a really good conference.

Go get your pass! :)

Wednesday, September 9, 2009

Some apple juice

It's kinda old now but this write-up about Apple from Ted Dziuba is really cool.

I really like what this guy writes on The Register. Very straightforward :)

If you got a minute, have a look at it, it's worth a read.

Monday, September 7, 2009

"Damn viruses!"...

...must be what the IT guys at the London Council have been yelling for days.

As reported by The Register, the London Council has been kinda shaken by Conficker.

Well, there are actually three things that are way too common in the aforementioned article:
- The infection vector is a USB stick plugged in by an employee
- The infection spread over the network, guess why...
- No anti-virus software has blocked the infection, guess why...

Then, once again:
- It is _really_ useful to make anyone using a computer understand that personal and corporate data / media _must_ not be mixed
- Security patches are _truly_ important. Yeah, I heard too many times "You don't understand, it's not that easy to patch on those big heterogeneous networks". People saying that kind of nonsense are just stupid...or lazy...or both...
- AVs exist for a good reason...

Security is often not that hard... but requires a working brain :)

Saturday, August 29, 2009

Snow Leopard is out...

...and comes with plenty of nice stuff for Mac geeks.

Well, the cool thing is that Apple finally got rid of its old PPC code. Snow Leopard is said to be designed for Intel CPUs and will only work on those. It was about time, and it's a good thing.

But the real funkiness in this new release is the so-called malware protection. Hey, hold on, some malware protection in MacOS? Sounds cool!
Er...no. In fact, it sounds more like a weird joke.

With virtually no effort on your part, Mac OS X offers a multilayered system of defenses against viruses and other dangerous malware.

Mmm, isn't that a bit too much?

Bearing in mind that, in order to avoid detection, malware often comes in billions of variants, and that this protection is very unlikely to be updated as it's part of the OS, I doubt their so-called protection will be really effective.

On top of this, how many? Two pieces of malware!?!? Is that the "multilayered system of defenses against viruses and other dangerous malware"? You gotta be joking...

Ok, last point: this feature only works with a set of applications shipped with MacOS, like Safari, Mail or Entourage. How can we call this a protection system?

No, I'm trying my best but still can't get the point...

If you want to filter network connections, you get a firewall. If you want to get rid of spam, you get an anti-spam.
You're a Mac user and are scared of malware? Get an antivirus...

EDIT: more info and links here.

Friday, August 28, 2009

Wanna lose an eye? There's an app for that...

You surely all heard about those iPhones whose battery tends to blow up unexpectedly. Nice...

Looks like a replay of those Sony batteries that would end up as a stack of ashes after burning like hell...

Anyway, Apple said that the reported incidents were due to an "external force".
Hahaha yeah, I'm sure some Jedi's mission is to break as many iPhones as he can :)

Many iPhone customers have complained about those sudden explosions.
Mainly in France, but also in the UK, Holland and Sweden. But no, surely they all smashed their iPhones themselves...
One man even got a piece of his iPhone's screen in the eye... Still, no. That dude must have put the piece of screen in his eye himself...

Wanna waste a lot of money in some gadget that might harm you badly? There's the iPhone for that!

Fed up with autorun worms? You might want to patch...

Microsoft had such a great idea when they introduced the autorun functionality...

What started as a funky feature turned out to be a pain for administrators and is surely the first thing Windows users get rid of.

Well, actually, not everyone disables it.

And that's why worms exploiting this functionality to replicate are so successful.
One may know only Visual Basic and be as good at programming as I am at cooking (a real tragedy, I tell you...); she can still rely on autorun to ensure that her piece of code will have a long life on corporate networks.

But here comes our saviour. A few months ago, Microsoft announced that this functionality would be rethought in Windows 7, allowing autorun only for optical drives.
Good move, guys!
Windows XP, 2k3 and Vista users can download and install a (finally available!) patch on their system.

Go admins, patch up!
But hey, don't get too excited.
Why? Mmm, here's one example: many USB sticks present themselves as optical drives and are thus not affected at all by this patch. And that's just one example...

Anyway, guys, deploy this patch through your network, it's worth it.
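The patch only narrows autorun to optical drives, and a USB stick that reports itself as a CD-ROM walks straight through that. As an added example (mine, not from the post nor from Microsoft's patch), this PowerShell script audits the NoDriveTypeAutoRun policy per drive type and then disables autorun for every type, plus the autorun.inf INI-mapping redirect; the 0x91 fallback used when the value is absent is an assumption about the typical XP/Vista default.

```powershell
# Added example: audit and disable Windows AutoRun for every drive type. Run from an
# elevated PowerShell; a logoff or reboot is needed for Explorer to pick up the change.

# Bit flags of NoDriveTypeAutoRun: one bit per drive type, a set bit disables AutoRun there.
$driveTypes = @{
    0x01 = 'Unknown'; 0x04 = 'Removable'; 0x08 = 'Fixed'; 0x10 = 'Network'
    0x20 = 'CD-ROM';  0x40 = 'RAM disk';  0x80 = 'Unknown (reserved)'
}
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunExposure {
    # Reports, per policy key, the drive types on which AutoRun is still enabled.
    foreach ($key in $policyKeys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        # Assumed default when the value is absent: 0x91 (unknown, network and reserved types only),
        # which leaves removable and CD-ROM drives, i.e. USB sticks, wide open.
        if ($value -eq $null) { $value = 0x91 }
        $stillEnabled = @($driveTypes.Keys | Where-Object { ($value -band $_) -eq 0 } | ForEach-Object { $driveTypes[$_] })
        New-Object PSObject -Property @{
            Key                   = $key
            Value                 = ('0x{0:X2}' -f $value)
            AutoRunStillEnabledOn = ($stillEnabled -join ', ')
        }
    }
}

function Disable-AutoRunEverywhere {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord   # all bits set
    }
    # Belt and braces: map autorun.inf to a non-existent INI section so Explorer ignores the file
    # entirely, whatever the drive type claims to be.
    $iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path $iniMap)) { New-Item -Path $iniMap -Force | Out-Null }
    Set-ItemProperty -Path $iniMap -Name '(Default)' -Value '@SYS:DoesNotExist'
}

Get-AutoRunExposure | Format-Table Key, Value, AutoRunStillEnabledOn -AutoSize   # before
Disable-AutoRunEverywhere
Get-AutoRunExposure | Format-Table Key, Value, AutoRunStillEnabledOn -AutoSize   # after: column should be empty
```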