Koobface stealing Chase Bank credentials

The malware was dropped by some fake AV website.

Injecting harvesting code into the legitimate website, as seen here, is, I'm sure, exponentially more effective at harvesting credentials than redirecting to a fake banking site.

If I get time I'll follow up with some info about the fake AV site.

Cheers,
/dean

Twitter checking for 'bad apples'

Looks like Twitter is making an effort to fight malicious URLs and attacks that take advantage of Twitter to spread. Any effort is good in this day and age. A few things I'd do differently would be to disable the URL in the email that is sent to the user informing them that their tweet is being removed. The drive-by URL was live and clickable in the email I received.

Also, I'm assuming that Twitter is using something like the Google Malware API to check for malicious URLs in the posts. The assumption would be that they are following the links in shortened URLs like bit.ly, etc.

How about sites that redirect to a drive-by url or a compromised legitimate site with iframes embedded?
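The point about following every hop matters in practice: a scanner that only looks at the URL as posted never sees the drive-by page. The following is an added example, my own code and not Twitter's or Google's, of a resolver that walks HTTP redirects, meta-refresh redirects and embedded iframes so that every URL in the chain, not just the first, gets checked against a blocklist. The hostnames, the blocklist and the responses in SAMPLE_WEB are constructed for the demo; http_fetch is a plain urllib fetcher for running the same walk against live hosts.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin


class _RefParser(HTMLParser):
    """Collect <iframe src> targets and a <meta http-equiv="refresh"> target from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.refresh = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            if idx != -1:
                self.refresh = content[idx + 4:].strip().strip("'\"")


def expand_url(url, fetch, max_hops=10):
    """Return every URL reached from `url` via HTTP redirects, meta refresh or iframes.

    `fetch(url)` must return (status, headers dict with lowercase keys, body text).
    With max_hops=1 you get the behaviour of a scanner that checks only the posted URL.
    """
    seen, queue = [], [url]
    while queue and len(seen) < max_hops:
        current = queue.pop(0)
        if current in seen:
            continue
        seen.append(current)
        status, headers, body = fetch(current)
        if status in (301, 302, 303, 307, 308) and headers.get("location"):
            queue.append(urljoin(current, headers["location"]))
            continue  # a redirect response carries no body worth parsing
        parser = _RefParser()
        parser.feed(body)
        if parser.refresh:
            queue.append(urljoin(current, parser.refresh))
        queue.extend(urljoin(current, src) for src in parser.iframes)
    return seen


def find_blocked(url, fetch, blocklist, max_hops=10):
    """URLs anywhere in the chain that fall under a blocklisted prefix."""
    return [u for u in expand_url(url, fetch, max_hops)
            if any(u.startswith(prefix) for prefix in blocklist)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects so expand_url records every hop itself.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Live fetcher for expand_url; returns (status, lowercase headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            return resp.getcode(), headers, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx lands here once redirects are refused
        headers = {k.lower(): v for k, v in err.headers.items()}
        return err.code, headers, ""


# Constructed sample "web": shortener -> landing page with meta refresh
# -> compromised legitimate page with a 1x1 iframe -> second iframe -> drive-by page.
SAMPLE_WEB = {
    "http://bit.ly/abc": (301, {"location": "http://landing.example/"}, ""),
    "http://landing.example/": (200, {}, '<html><head><meta http-equiv="refresh" '
                                         'content="0;url=http://compromised.example/index.html">'
                                         '</head></html>'),
    "http://compromised.example/index.html": (200, {}, '<html><body><h1>Welcome</h1>'
                                                       '<iframe src="/ads/x.html" width="1" height="1">'
                                                       '</iframe></body></html>'),
    "http://compromised.example/ads/x.html": (200, {}, '<html><body><iframe '
                                                       'src="http://evil.example/drive-by.php" '
                                                       'style="display:none"></iframe></body></html>'),
    "http://evil.example/drive-by.php": (200, {}, "<html><script>/* exploit kit */</script></html>"),
}
BLOCKLIST = ["http://evil.example/"]  # constructed


def sample_fetch(url):
    """Offline stand-in for http_fetch over SAMPLE_WEB."""
    return SAMPLE_WEB.get(url, (404, {}, ""))


if __name__ == "__main__":
    print("first hop only:", find_blocked("http://bit.ly/abc", sample_fetch, BLOCKLIST, max_hops=1))
    print("full chain    :", expand_url("http://bit.ly/abc", sample_fetch))
    print("blocked hits  :", find_blocked("http://bit.ly/abc", sample_fetch, BLOCKLIST))
```

The first call returns nothing, which is the failure the post is worried about: the shortener, the landing page and the compromised site are all clean on their own, and only the last iframe in the chain is on the blocklist.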

2009 Blog Stats

Since everyone else is doing it...

Top 10 posts of the year 12/26/2008 - 12/26/2009 - blogspot

Adding your own exploits and modules in Metasploit
http://carnal0wnage.blogspot.com/2008/07/adding-your-own-exploits-in-metasploit.html

Gray Hat Python: Python Programming for Hackers and Reverse Engineers Book Review
http://carnal0wnage.blogspot.com/2009/05/gray-hat-python-python-programming-for.html

Dumping Memory to Extract Password Hashes

Metasploit and AR extravaganza 2010 in DC!

Many things are coming up at the end of January / beginning of February in Washington DC.

First HD Moore and I will be giving our Tactical Exploitation class at Blackhat DC Jan 31st - Feb 1st. If you are interested in learning how to hack without exploits, some old and esoteric techniques, and whatever crazy new thing HD is working on, then sign up and hang out with us!

Next, I have been working hard with the Blackhat folks to set up the second ever Metasploit Track. We have a great lineup of speakers on a wide variety of Metasploit topics.

Metasploit and Money
HD Moore - Metasploit
HD will talk about the joining of Metasploit and Rapid7 as well as all the tons of new features that have been going into MSF.

---

Neurosurgery With Meterpreter

Digging into SSL Cipher Checking

On a recent pentest one of the findings that came up (actually it seems like this finding is on every pentest) is the web server allowing SSLv2.

In the course of doing the report I of course wanted to point to a good reason why this was the case. It was actually difficult to find a CVE/CVSS/etc. to say why it's bad; in fact I never did. It's kind of the same with allowing VRFY on your SMTP server. We all know it's bad, but where is the proof?

Nevertheless, here are some links that were useful in understanding the problem.

http://www.foundstone.com/us/resources/whitepapers/wp_ssldigger.pdf
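Whatever the report cites, the finding itself should come from a check you can reproduce rather than from a scanner's one-liner. The following is an added example, my own code and not Foundstone's SSLDigger or anything from the page, that speaks just enough SSLv2 to find out whether a server still accepts it: it sends an SSLv2 CLIENT-HELLO offering all seven SSLv2 cipher specs and parses the SERVER-HELLO to see which ones the server agrees to. A TLS-only server replies with a TLS alert or drops the connection, and both come back as None. The SAMPLE_SERVER_HELLO and SAMPLE_TLS_ALERT byte strings are constructed so the parser can be exercised offline; check_sslv2 runs the probe against a live host.

```python
import socket
import struct

# The seven cipher specs defined for SSL 2.0 (3-byte identifiers from the SSLv2 draft).
SSL2_CIPHERS = {
    0x010080: "SSL2_RC4_128_WITH_MD5",
    0x020080: "SSL2_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL2_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL2_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL2_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(ciphers=tuple(SSL2_CIPHERS), challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO offering `ciphers`; a fixed challenge is fine for a probe."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    body = (b"\x01"                                             # MSG-CLIENT-HELLO
            + b"\x00\x02"                                       # CLIENT-VERSION 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # spec / session-id / challenge lengths
            + specs + challenge)
    # Two-byte record header with the high bit set: no padding byte follows.
    return struct.pack(">H", 0x8000 | len(body)) + body


def _record_body(record):
    """Strip the 2- or 3-byte SSLv2 record header and return the record body."""
    if len(record) < 3:
        return b""
    if record[0] & 0x80:
        length = ((record[0] & 0x7F) << 8) | record[1]
        return record[2:2 + length]
    length = ((record[0] & 0x3F) << 8) | record[1]
    return record[3:3 + length]


def parse_server_hello(record):
    """Return the cipher specs the server accepted, or None if this is not an SSLv2 SERVER-HELLO.

    A TLS-only server answers with a TLS alert (first byte 0x15) or just closes the
    connection; both fall through to None, which is the "SSLv2 disabled" result.
    """
    body = _record_body(record)
    if len(body) < 11 or body[0] != 0x04:                       # MSG-SERVER-HELLO
        return None
    version, cert_len, spec_len, conn_len = struct.unpack(">HHHH", body[3:11])
    if version != 0x0002 or spec_len % 3:
        return None
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    if len(specs) != spec_len:
        return None
    return [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]


def check_sslv2(host, port=443, timeout=5):
    """Probe a live server: accepted cipher names, [] if it answered with none, None if no SSLv2."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            data = sock.recv(4096)
    except OSError:
        return None
    accepted = parse_server_hello(data)
    if accepted is None:
        return None
    return [SSL2_CIPHERS.get(c, hex(c)) for c in accepted]


def build_server_hello(cert, specs, conn_id):
    """Constructed SERVER-HELLO for offline testing (what an SSLv2-enabled server sends back)."""
    spec_bytes = b"".join(s.to_bytes(3, "big") for s in specs)
    body = (b"\x04\x00\x01"                                     # MSG-SERVER-HELLO, no session hit, X.509
            + struct.pack(">HHHH", 0x0002, len(cert), len(spec_bytes), len(conn_id))
            + cert + spec_bytes + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed responses: a server that still speaks SSLv2, and a TLS alert from one that does not.
SAMPLE_SERVER_HELLO = build_server_hello(b"CERT", [0x010080, 0x0700C0], b"\x11" * 16)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"            # TLS 1.0 alert: fatal handshake_failure

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SERVER_HELLO))             # [65664, 458944]
    print(parse_server_hello(SAMPLE_TLS_ALERT))                # None
```

For the report, the cipher list the server echoes back is the useful part: the export-grade 40-bit specs and the single-DES spec are the concrete weaknesses to cite, and they are only reachable because the SSLv2 handshake is not integrity-protected against cipher-suite rollback.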

Past, Present, and Future of Security and the Security Community

So I just wanted to paste a few links to various views on the security community I have come across lately.

The Extinction of Hackers by FX
http://www.phenoelit.net/extinction.html

The established community and its rules have the effect of distracting young hackers from their own, personal goals. You are not accepted as a hacker if you run Windows (there are very few exceptions). If you are not an established and respected person, you must run at least Linux, but never one of the large distributions like RedHat or Suse, even if your goal is hacking in the Microsoft .NET environment.

Customizing Your Metasploit Banner

Hey I'm as vain as the next security dude in the community so let's see how I can stroke my own ego with metasploit!!

Metasploit has awesome banners. Once you load it up you'll get a random banner, or you can just keep typing banner to randomly get another one. If you don't like hdm's banner hotness, you can always roll your own. And thanks to msf in color, it's never been easier to sexy up your ASCII art.

I wanted to see carnal0wnage when I started it up.

Step one. Find and open banner.rb in your favorite editor. banner.rb is located in %msfdir%/lib/msf/ui (do I need to tell you to make a backup of the orig?)

Step two. Go to ascii art generator of choice and pick a few pimp ass ascii logos for whatever you want (even though metasploit is pretty damn cool as it is)

Decompiling Flash Files with SWFScan

Did a blog post on Decompiling Flash Files with SWFScan, but this blog is jacking up the formatting, so if you want to see it, check it out on the old blog (hopefully I won't have to do this too much).

http://carnal0wnage.blogspot.com/2009/11/decompiling-flash-files-with-sw...

More On Metasploit Meterpreter & Timestomp

Well, probably "more" I honestly didn't look.

So there is a blurb in the Metasploit Unleashed course on using timestomp. Unfortunately it leads you to believe that blanking the MACE values on a file or a whole directory is better than hiding in plain sight. I suppose this can be debated (so feel free).

But... timestomp has a few other options worth discussing, notably setting MACE times from a file or individually setting attributes or setting all four attributes at once to a MACE time of your choosing.

meterpreter > timestomp

Usage: timestomp file_path OPTIONS
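One way to settle the blank-versus-blend-in debate is to look at what an examiner actually checks. The following is an added example, my own code and not part of the Metasploit Unleashed course or the timestomp module, that applies three common heuristics to file timestamp records: all four $STANDARD_INFORMATION times blanked to the 1601 epoch (what -b leaves), times with a zero sub-second component (a time typed on the timestomp command line has one-second granularity while NTFS keeps 100 ns units), and a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, which user-mode timestomping cannot change. The records, including the fn_created field, are constructed for the demo; in practice they would come from an MFT parser.

```python
from datetime import datetime

WIN_EPOCH = datetime(1601, 1, 1)  # what a blanked (-b) timestamp decodes to


def flag_record(rec):
    """Return the reasons a file's timestamps look tampered with (empty list = nothing odd).

    rec holds the four $STANDARD_INFORMATION times under 'modified', 'accessed',
    'mft_changed' and 'created', plus the optional $FILE_NAME 'fn_created' time.
    datetime's microsecond field is coarser than NTFS's 100 ns ticks, but it is
    enough to spot a timestamp that was written with whole-second precision.
    """
    si = (rec["modified"], rec["accessed"], rec["mft_changed"], rec["created"])
    reasons = []
    if all(t == WIN_EPOCH for t in si):
        reasons.append("all four $SI times blanked to 1601-01-01")
    elif len(set(si)) == 1 and si[0].microsecond == 0:
        reasons.append("all four $SI times identical to the whole second")
    elif any(t.microsecond == 0 for t in si):
        reasons.append("$SI time with zero sub-second part")
    fn_created = rec.get("fn_created")
    if fn_created is not None and rec["created"] < fn_created:
        reasons.append("$SI created earlier than $FN created")
    return reasons


def scan(records):
    """Map file name -> reasons for every record that trips at least one heuristic."""
    out = {}
    for rec in records:
        reasons = flag_record(rec)
        if reasons:
            out[rec["name"]] = reasons
    return out


# Constructed records: one untouched file and three files stomped three different ways.
SAMPLE_RECORDS = [
    # untouched: sub-second precision everywhere, $SI created matches $FN created
    {"name": "report.docx",
     "created": datetime(2009, 11, 20, 14, 3, 11, 123456),
     "modified": datetime(2009, 11, 21, 9, 15, 40, 654321),
     "accessed": datetime(2009, 11, 21, 9, 15, 40, 654321),
     "mft_changed": datetime(2009, 11, 21, 9, 15, 40, 654321),
     "fn_created": datetime(2009, 11, 20, 14, 3, 11, 123456)},
    # timestomp -b: $SI blanked, $FN still records when the dropper landed
    {"name": "svchost.exe",
     "created": WIN_EPOCH, "modified": WIN_EPOCH,
     "accessed": WIN_EPOCH, "mft_changed": WIN_EPOCH,
     "fn_created": datetime(2009, 12, 1, 10, 0, 0, 250000)},
    # timestomp -z "07/04/2008 08:00:00": whole seconds, all four identical, $SI before $FN
    {"name": "update.dll",
     "created": datetime(2008, 7, 4, 8, 0, 0), "modified": datetime(2008, 7, 4, 8, 0, 0),
     "accessed": datetime(2008, 7, 4, 8, 0, 0), "mft_changed": datetime(2008, 7, 4, 8, 0, 0),
     "fn_created": datetime(2009, 12, 1, 10, 0, 0, 250000)},
    # timestomp -f <real system file>: copied sub-second times blend in; only $FN gives it away
    {"name": "wuauclt.dll",
     "created": datetime(2008, 4, 14, 12, 0, 0, 398765),
     "modified": datetime(2008, 4, 14, 12, 0, 0, 398765),
     "accessed": datetime(2009, 11, 30, 8, 2, 17, 500123),
     "mft_changed": datetime(2008, 4, 14, 12, 0, 0, 398765),
     "fn_created": datetime(2009, 12, 1, 10, 0, 0, 250000)},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RECORDS).items():
        print(name, "->", "; ".join(reasons))
```

Blanking trips the loudest rule and still leaves the $FN tell; a hand-typed time trips the whole-second rule; times copied from a real file (-f) survive the first two checks and are caught only by the $FN comparison, which is about as far as "hiding in plain sight" gets you against someone parsing the MFT.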

Metasploit JSP Shells

Stephen Fewer has pushed up a JSP reverse shell and a JSP bind shell.

http://dev.metasploit.com/redmine/projects/framework/repository/show/modules/payloads/singles/java

I'm not sure of all the ways to use them, but the easiest is to generate the shell as raw output and upload it to a web server. For an example of using one with an exploit, check out the Adobe RoboHelp exploit.

http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/adobe_robohelper_authbypass.rb