EOF != VIRUS

Looking at the referrers collected by Webalizer on core-security.net I found an interesting one: [www.tecchannel.de/sicherheit/news/1750870/]. Tecchannel is a German news site that focuses on computers and technology and also runs a special news section for security-relevant topics. Now the interesting part: they reported the bug that Izee found back in 2006 to disable the Taskmanager in Windows XP SP2 (maybe earlier versions too, but fixed in Windows Vista SP0/SP1). A sample PoC exploit for it was released on Core Security on the 14th of March ([archive]), coded by me (SkyOut).
Now for the funny part. They wrote the following:
Im Jahre 2006 entdeckten die Schreiber des EOF-Virus eine Möglichkeit, den Taskmanager abstürzen zu lassen.
Translated into English it means this:
In the year 2006 the writers of the EOF-Virus found a possibility to crash the Taskmanager.
Just for your information: EOF IS NOT A VIRUS! It is a virus writing group, founded by RadiatioN and me in 2006. Somehow it made me smile to read this, but I am happy that they reported the problem and especially that they made clear how ignorantly Microsoft reacted to it.
Cold boot attacks
Everyone has talked about it in the last weeks: cold boot attacks! I thought I would inform you about it as well, in case you haven't read about it on another site before. The idea is simple and interesting at the same time: imagine you use encryption software such as FileVault on Mac OS X to protect your private files. The file system is encrypted, but the key is stored in DRAM. Now you switch off your notebook and think the key in DRAM is erased, don't you? That's where it gets interesting. The key remains readable in DRAM for seconds or even minutes after power-off, and if you cool the memory down you can make it last even longer. So imagine the following attack scenario: a thief breaks into a computer company and steals a notebook that is not turned off. He just opens the notebook's hardware, freezes the DRAM and then dumps all of the information stored on it. He now has all the time he needs to find the key and can then access all data saved on the drive.
For a demonstration of all this, watch the video provided by Princeton University:
EnDeRE released
Our member Veda has released the first beta version of his tool "EnDeRE", which stands for "ExplaiN/DEscribe Regular Expressions". The tool is very helpful for understanding complex regular expressions in different dialects/languages, such as POSIX, Perl, Python, Ruby and many more. Some are not implemented yet, but are planned for soon. To give you an example of what the tool does, let's look at a sample that ships with EnDeRE. This is the way the RegEx looks normally:
/^group^(grp2(foo|bar)+e[s\nS]caped\n%sed\(escaped\bgrouping\)null\0(_$QL(3\s4)){1,3})class[\s]?EnDe$/mg
Now, explained by EnDeRE, it looks like this:
/ # start/end of expression
^ # start of line/string/page
group^
( # start grouping (#1)
grp2
( # start grouping (#2)
foo
| # or
bar
) # end grouping
+ # at least one, more are optional
e
[ # start character class
s
\n # \n character (newline)
S
] # end character class
caped
\n # \n character (newline)
%sed\(escaped
\b # start of word
grouping\)null\0
( # start grouping (#3)
_$QL
( # start grouping (#4)
3
\s # white spaces [space, tab]
4
) # end grouping
) # end grouping
{ # start quantifier range
1,3
} # end quantifier range
) # end grouping
class
[ # start character class
\s # white spaces [space, tab]
] # end character class
? # one allowed, but it is optional
EnDe
$ # end of line/string/page
/ # start/end of expression
m # multiline mode
g # global matches
This can be very helpful in some circumstances, so stay tuned for newer versions. The first version you can find [here]!
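To show the kind of walk EnDeRE performs, here is a simplified explainer in Python. It is an added illustration, not EnDeRE's own code or output: it tokenizes a Perl-style pattern (anchors, groups, alternation, quantifiers, character classes, backslash escapes) and emits one commented line per element, and is run over the sample expression quoted above. The comment wording, the group-depth indentation and the handling of unknown escapes as literals are choices made here, not EnDeRE's.

```python
"""Simplified regex explainer in the spirit of EnDeRE (added illustration, not EnDeRE).

Handled: anchors, capturing and (?: (?= (?! groups, alternation, * + ? {m,n},
lazy '?', character classes with ranges, backslash escapes.  Kept as literal text:
named groups, backreferences, POSIX classes, a leading ']' inside a class.
"""
import re

ESCAPES = {
    "n": "\\n character (newline)", "t": "tab character", "r": "carriage return",
    "s": "white spaces [space, tab, newline]", "S": "anything but white space",
    "d": "digit [0-9]", "D": "anything but a digit",
    "w": "word character [a-zA-Z0-9_]", "W": "anything but a word character",
    "b": "start/end of word (word boundary)", "B": "not a word boundary",
    "0": "NUL character (\\0)",
}
QUANTIFIERS = {"*": "zero or more", "+": "at least one, more are optional",
               "?": "one allowed, but it is optional"}
GROUPS = {"?:": "non-capturing", "?=": "lookahead", "?!": "negative lookahead"}
FLAGS = {"m": "multiline mode", "g": "global matches", "i": "ignore case"}


def split_delimited(pattern):
    """'/body/flags' -> (body, flags, True); anything else -> (pattern, '', False)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.S)
    return (m.group(1), m.group(2), True) if m else (pattern, "", False)


def explain_escape(body, i):
    """(token, comment) for the escape at body[i] == '\\'; unknown escapes are literals."""
    e = body[i + 1]
    return "\\" + e, ESCAPES.get(e, f"literal '{e}' (escaped)")


def explain(pattern):
    """Return a list of (token, comment) pairs describing *pattern*."""
    body, flags, delimited = split_delimited(pattern)
    out, lit, n = [], [], len(body)
    group_no, at_start, i = 0, True, 0   # at_start: a '^' here is an anchor, not a literal

    def flush():                          # emit any pending literal run as one line
        if lit:
            out.append(("".join(lit), "")); lit.clear()

    if delimited:
        out.append(("/", "start/end of expression"))
    while i < n:
        c, nxt = body[i], (body[i + 1] if i + 1 < n else "")
        was_start, at_start = at_start, False
        if c == "\\" and nxt:                       # backslash escape
            flush(); out.append(explain_escape(body, i)); i += 2
        elif c == "^" and was_start:
            flush(); out.append(("^", "start of line/string")); i += 1
        elif c == "$" and nxt in ("", ")", "|"):    # '$' elsewhere is literal (as in _$QL)
            flush(); out.append(("$", "end of line/string")); i += 1
        elif c == "(":
            flush(); kind = GROUPS.get(body[i + 1:i + 3]); at_start = True
            if kind:
                out.append((body[i:i + 3], f"start {kind} group")); i += 3
            else:
                group_no += 1; out.append(("(", f"start grouping (#{group_no})")); i += 1
        elif c == ")":
            flush(); out.append((")", "end grouping")); i += 1
        elif c == "|":
            flush(); out.append(("|", "or")); i += 1; at_start = True
        elif c in QUANTIFIERS:
            flush(); prev = out[-1][0] if out else ""
            lazy = c == "?" and prev in ("*", "+", "?", "}")   # '?' right after a quantifier
            out.append(("?", "lazy: match as little as possible") if lazy else (c, QUANTIFIERS[c]))
            i += 1
        elif c == "{" and (m := re.match(r"\{(\d+(?:,\d*)?)\}", body[i:])):
            flush(); out += [("{", "start quantifier range"), (m.group(1), ""), ("}", "end quantifier range")]
            i += m.end()
        elif c == "[":
            flush(); out.append(("[", "start character class")); i += 1
            if nxt == "^":
                out.append(("^", "negated: anything but the following")); i += 1
            while i < n and body[i] != "]":
                if body[i] == "\\" and i + 1 < n:
                    out.append(explain_escape(body, i)); i += 2
                elif i + 2 < n and body[i + 1] == "-" and body[i + 2] != "]":   # a range like a-z
                    out.append((body[i:i + 3], f"range '{body[i]}' to '{body[i + 2]}'")); i += 3
                else:
                    out.append((body[i], "")); i += 1
            out.append(("]", "end character class") if i < n else ("", "ERROR: class never closed")); i += 1
        else:
            lit.append(c); i += 1
    flush()
    if delimited:
        out.append(("/", "start/end of expression"))
        out += [(f, FLAGS.get(f, "unknown flag")) for f in flags]
    return out


def render(lines):
    """One token per line, EnDeRE-style, indented by group depth."""
    rows, depth = [], 0
    for text, comment in lines:
        if text == ")":
            depth = max(depth - 1, 0)
        rows.append("  " * depth + (f"{text:<14}# {comment}" if comment else text))
        if text.startswith("("):
            depth += 1
    return "\n".join(rows)


# The sample expression shipped with EnDeRE, as quoted in the post (wrapped there).
SAMPLE = (r"/^group^(grp2(foo|bar)+e[s\nS]caped\n%sed\(escaped"
          r"\bgrouping\)null\0(_$QL(3\s4)){1,3})class[\s]?EnDe$/mg")

if __name__ == "__main__":
    print(render(explain(SAMPLE)))
```

Run as a script it prints a walk of the sample much like the one above, with four numbered groups, the `\(` and `\)` escapes called out as literal brackets, and the `m`/`g` flags explained at the end.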
SecuMania.org

Yesterday I got an e-mail from x1ng of SecuMania.org asking for an affiliation with his site. I looked over the site a bit, and at least from what I could see in the first minutes I liked it. It is a nice site to keep up to date in the IT (security) world, as it features the latest Linux, Microsoft, technology etc. news and provides information on the latest vulnerabilities and exploits. You can therefore now find their link on the right side under "Affiliated pages". Take a look!
Geekend

Last weekend the Chaos Computer Club Mainz organised the so-called Geekend for Easter. It was a meeting that everyone was invited to join and hang around at. Different people brought their computers and notebooks with them and connected to the LAN and the world wide web. There were Mac OS X, different Linux and Windows machines around. It was quite a nice atmosphere. About 20 people joined the event, day and night. I joined on Saturday evening and used my Mac to chat a bit and relax. We watched the movie "Crank", which was quite fine for me, even though I had seen it before.
The only thing I didn't like was that some of the guests, who were not part of the CCCMZ, consumed a lot of drugs, mostly weed. The moment you entered the room you smelled it, and little pieces of weed were spread all over the table. Well... if people really need this, why not, but sometimes I wonder why every hacker event has to do with drugs; shouldn't the computers connect us, and not the drugs?
Maybe it is only because I saw people destroying their lives with drugs that I am now so critical about it. Could be... Anyway, I enjoyed seeing some people from the old times! Greets to Xnor, Nec, Abaki, Coffman and Qwert667!
Updates, updates, updates

The last days were full of new updates coming out for the software I am using. First of all, Wave0 has hit the net, which is what Microsoft calls the first Windows Vista Service Pack. Many news sites reported that it would be installed automatically on users' computers next month. But this wasn't the case, and I had to install it this weekend when my update manager informed me about it.

Furthermore, Apple released major security fixes for Mac OS X. All in all about 46 bugs have been fixed with Security Update 2008-002 v1.0, which you can download manually [here]. As if this wasn't enough, the new Safari is out in version 3.1, and I installed it too.
All this wasn't really problematic, but when you have to do it several times because different people ask you to help them, as they are too scared to do those updates themselves, it can get quite disturbing. But that's the price you pay for being known as a geek: everyone is looking for help and asks YOU! But as a friend you should do it, shouldn't you? So I did it again and again, update after update. But now it's enough. Job done!
From cyberspace to government
On the weblog of F-Secure I found an interesting article about a Russian called Dmitry Ivanovich Golubov, who was very active at carderplanet.com, which is not reachable anymore. Under the handle "script" he sold stolen credit cards there. The interesting thing is that he has now come out of prison and is working with the newly formed "Internet Party of Ukraine". From cyber criminal to politician? An interesting change indeed! The only thing that worries F-Secure is that he would be immune from prosecution for criminal activities if he got a seat in the government.
D. I. Golubov today: 
Anyway, I don't want to make a statement here on whether I am for or against this movement. What I was more interested in are the advertisements that F-Secure showed on their website, which were part of carderplanet.com. It is quite amazing to see how professionally they were working, with advertisements made in Flash and looking very good. If you want to see it yourself, have a look here:
Advertisement #1: [Open]
Advertisement #2: [Open]
Advertisement #3: [Open]
Enough from my side, more in the next days, and be sure: things will come, be prepared!
The way VX looks like
If you ever wanted to know what computer viruses look like, now is the time to watch them. Message Labs has put several pictures of viruses online to show the public how they imagine a virus. The images are really beautiful in some way and worth looking at. I give you two examples here that I personally liked.
MyDoom:
StormWorm: 
To see more, go to the gallery of Message Labs, or look at the project's website, called Malwarez.
Windows XP SP2 Taskmgr bug
Back in 2006 Izee of the EOF virus writing team discovered a way to crash the Windows Taskmanager. It is easily done by setting a REG_BINARY value in the Windows Registry to 0x00. The key and value are the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager:Preferences
If you set it to 0x00, 0x00, 0x00... the Taskmanager will crash on its next startup. I (skyout) therefore coded an exploit and used it back in 2006 in one of my first viruses as a very basic technique to hide my process from the user. Then we waited for a long time without using this bug anymore. With the release of Windows Vista we tested it again, and it was fixed there. In 2008, in February to be exact, I got in contact with Microsoft Germany and informed them about the bug. They told me that they would work on it, but for weeks not even an e-mail came back. Now it is time to make this public! The bug is now open for everyone, and everyone can use it and put pressure on Microsoft to fix it.
Here you can find the exploit: [taskmgr_dos.c]
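For the defending side, the following Python snippet is an added example (not part of the post and not taken from taskmgr_dos.c) that reads the Preferences value named above from HKCU and reports whether it has been zeroed, the state that makes Taskmanager crash on startup. The registry read uses the standard winreg module and therefore only works on Windows; the classification is kept separate so it can be exercised anywhere. Treating an absent value as harmless rests on Taskmanager starting with defaults when the value is missing, which is an assumption of this example and not something the post states.

```python
"""Check whether the Taskmanager 'Preferences' value has been zeroed (added example).

Pure classification is kept apart from the Windows-only registry access so the
logic can be exercised on any platform; the read itself uses the standard
winreg module and therefore only works on Windows.
"""
import sys

# HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager:Preferences
TASKMGR_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\TaskManager"
VALUE_NAME = "Preferences"


def preferences_status(blob):
    """Classify the REG_BINARY contents.

    'zeroed'  - every byte is 0x00: the state that crashes Taskmanager on startup
    'missing' - value absent; assumed harmless because Taskmanager then starts
                with defaults (assumption of this example, not stated in the post)
    'empty'   - value present but zero-length; not the case the post describes
    'ok'      - anything else
    """
    if blob is None:
        return "missing"
    if len(blob) == 0:
        return "empty"
    return "zeroed" if not any(blob) else "ok"


def read_preferences():
    """Read the value from HKCU; returns bytes, or None if key/value is absent (Windows only)."""
    import winreg  # stdlib, importable on Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, TASKMGR_KEY) as key:
            data, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    if kind != winreg.REG_BINARY:
        raise TypeError(f"{VALUE_NAME} has type {kind}, expected REG_BINARY")
    return data


def report(blob):
    """One-line verdict suitable for a log or console."""
    status = preferences_status(blob)
    size = 0 if blob is None else len(blob)
    return f"{TASKMGR_KEY}\\{VALUE_NAME}: {status} ({size} bytes)"


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("this check reads the Windows registry and must run on Windows")
    print(report(read_preferences()))
```

A "zeroed" verdict on a machine where Taskmanager no longer opens points straight at this bug; the same function can be pointed at the value exported from another user's hive if the check is run centrally.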
Hello World!
In the name of the CORE SECURITY team (tatsumori, veda and me (skyout)) I am proud to officially announce this new project. The website shall be a place for everyone interested in the art of hacking and vxing and everything else that has to do with computer technology. After closing www.smash-the-stack.net after one interesting year, I am happy about this new and even bigger (group-based) project, which everyone is invited to watch out for.
The site features an archive section that you can permanently link to, and a blog (you are right here). Furthermore, an RSS 2.0 feed has been implemented. The website itself has been developed using valid XHTML 1.0 Transitional and valid CSS 2.0.
The site has been tested with the following browsers and works fine:
* Firefox 2/3
* Opera 9
* Internet Explorer 6/7
* Konqueror
* Iceape
* Swiftweasel
[maybe many more...]
