-= [EdadFutura] =- v.6.0 - [beta]




The PDF format, again in the spotlight

September 29, 2008 (06:21) | Security | By: viperEF

Apparently, a package has been found that is capable of exploiting vulnerabilities in the most widely used reader for this format, Adobe Reader.

The "PDF Xploit Pack" makes it possible to exploit vulnerabilities and to centrally manage the victims on which it has managed to execute arbitrary code. It is very similar to Mpack or any other product created by the malware industry, but specific to this product.

"PDF Xploit Pack" seems to be the first exploit pack dedicated solely to exploiting and managing vulnerabilities in Adobe's PDF reader. It is important to bear in mind that the flaws can be exploited not only by opening a PDF file that arrives by mail, but also through the browser, which can display embedded PDF files by means of a plugin. The attackers are managing (as usual) to compromise legitimate pages and hide IFRAMEs inside them. When such a page is visited, a specially crafted link that exploits the vulnerabilities is loaded.

What is not clear from the original source is whether the package takes advantage of known vulnerabilities (against which users can protect themselves with the latest versions of the reader) or of vulnerabilities unknown at this time.

The PDF file, when opened with the vulnerable reader, downloads other malware that actually contains the payload. It should be remembered that the PDF format was already used as a "downloader" in February this year, and the attack proved quite popular. It installed the Zonebac trojan.

Just over one year ago, a vulnerability shared between Adobe Reader and Windows with Internet Explorer 7 was also exploited on a massive scale. On that occasion the flaw was used, through a command line embedded in the PDF, to download code via FTP and execute it automatically when the file was opened. Also that year, in June, junk mail in PDF format enjoyed a dazzling but short-lived popularity, flooding mailboxes around the world and bypassing some antispam filters that were not prepared for it.


Security Update for Wireshark

September 5, 2008 (03:27) | Security | By: viperEF

A new version of Wireshark has been released because multiple vulnerabilities were found in previous versions that could be exploited by a remote attacker, through a series of specially crafted packets, to cause a denial of service.

Wireshark (still widely known by its former name, Ethereal) is an auditing application oriented to the analysis of network traffic. It is very popular, since it supports a large number of protocols and is easy to use. In addition, Wireshark is free software (under the GPL) and runs on most Unix and Unix-compatible operating systems, as well as on Microsoft Windows.

The vulnerabilities corrected in the latest version are:

* Multiple errors in epan/dissectors/packet-ncp2222.inc that could be exploited by a remote attacker to cause a denial of service through specially crafted NCP packets. Affects versions from 0.9.7 to 1.0.2.

* A failure when decompressing zlib-compressed packets that could cause Wireshark to stop responding. All versions between 0.10.14 and 1.0.2, both inclusive, would be affected.

* An error when reading Tektronix .rf5 files that could cause Wireshark to stop responding. Affects versions from 0.9.6 to 1.0.2.

We recommend you upgrade to version 1.0.3 of Wireshark, available for download from:

http://www.wireshark.org/download.html

Comment on this news item:

http://www.hispasec.com/unaaldia/3602/comentar

More information:

Multiple problems in Wireshark versions 0.9.7 to 1.0.2 http://www.wireshark.org/security/wnpa-sec-2008-05.html

Pablo Molina

Hack Story: History of a movement

September 2, 2008 (15:52) | Hack, Security | By: viperEF

The hacking movement now has a place where one can learn the history of the groups and individuals who have made history in systems security, notably !Hispahack, The Old Guard, Restless Minds, etc.

Everything is published using MediaWiki, and the content is licensed under the free GNU FDL license.

What if your computer is a ZOMBIE

August 29, 2008 (13:04) | Security | By: viperEF

The well-known Kaspersky Lab has published (in English) an article for checking whether our computers belong to a network of more than 1,000,000 zombie computers that are infected without their owners knowing it. By following the manual we can disinfect our system:

Spanish rule

English Rule

Instructions for locating and removing the malicious software of the Shadow bot.

Instructions prepared by: Vitaly Kamluk, Kaspersky Lab
Date: 06.08.2008
MD5 of the sample: 9e2ef49e84bc16c95b8fe21f4c0fe41e

malicious software (with security software)

Kaspersky Anti-Virus has been able to detect the malware that supports the Shadow botnet since January 30, 2008. Detection names may vary from version to version. The malware is detected under the following names:

  • Backdoor.Win32.IRCBot.bit
  • Backdoor.Win32.IRCBot.biy
  • Backdoor.Win32.IRCBot.bjd
  • Backdoor.Win32.IRCBot.bjh
  • Backdoor.Win32.IRCBot.cja
  • Backdoor.Win32.IRCBot.cjj
  • Backdoor.Win32.IRCBot.ckq
  • Backdoor.Win32.IRCBot.cow
  • Backdoor.Win32.IRCBot.czt
  • Backdoor.Win32.IRCBot.ekz
  • Rootkit.Win32.Agent.aet
  • Trojan-Downloader.Win32.Injecter.pj
  • Trojan.Win32.DNSChanger.azo
  • Trojan.Win32.DNSChanger.bao
  • Trojan.Win32.DNSChanger.bck
  • Trojan.Win32.DNSChanger.bfo
  • Trojan.Win32.DNSChanger.bjh
  • Trojan.Win32.DNSChanger.bji
  • Trojan.Win32.DNSChanger.bjj
  • Trojan.Win32.DNSChanger.bmj
  • Trojan.Win32.DNSChanger.bnw
  • Trojan.Win32.DNSChanger.bqk
  • Trojan.Win32.DNSChanger.bsm
  • Trojan.Win32.DNSChanger.buu
  • Trojan.Win32.DNSChanger.bwi
  • Trojan.Win32.DNSChanger.bxd
  • Trojan.Win32.DNSChanger.bxe
  • Trojan.Win32.DNSChanger.bxv
  • Trojan.Win32.DNSChanger.cap
  • Trojan.Win32.DNSChanger.ccg
  • Trojan.Win32.DNSChanger.cei
  • Trojan.Win32.DNSChanger.cem
  • Trojan.Win32.DNSChanger.eag
  • Trojan.Win32.DNSChanger.gvb
  • Trojan.Win32.Restarter.e
  • Trojan.Win32.Restarter.f
  • Trojan.Win32.Restarter.g
  • Trojan.Win32.Restarter.h

The current sample was detected on August 6 2008 as Trojan.Win32.DNSChanger.gvb

malicious software (manually)

As the bot does not copy its body into the system, the malicious file name may vary. The name of the malicious file depends on the installer used to infect the system with the bot. However, it is possible to detect the presence of the bot by checking the system registry.

Users can check the system registry by running regedit.exe and checking the following registry value:

HKEY_CLASSES_ROOT\.htc\Content Type

System administrators of large networks can do this remotely using the command Reg.exe as follows:

The system default value (found in Windows XP Pro SP2) for HKEY_CLASSES_ROOT\.htc\Content Type is "text/x-component". If there is a different value, such as "Space ()", in the registry, this may mean that the machine is infected with the Shadow bot malware.
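One way to run the registry check described above across several machines, as an added example that is not part of the Kaspersky instructions or of the original post. The host names are hypothetical placeholders, and the script assumes administrative rights and a reachable Remote Registry service on each target.

```powershell
# Added example: audit the .htc "Content Type" value on several machines.
# The expected default is the one stated on the page; host names are hypothetical.
$Expected  = 'text/x-component'
$Computers = @('WKS-001', 'WKS-002')   # placeholder host names

function Get-HtcContentType {
    param([Parameter(Mandatory)][string]$ComputerName)

    # reg.exe accepts only HKLM and HKU on a remote machine, so read the
    # machine-wide part of HKEY_CLASSES_ROOT (HKLM\SOFTWARE\Classes).
    $key = "\\$ComputerName\HKLM\SOFTWARE\Classes\.htc"
    $out = & reg.exe query $key /v 'Content Type' 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }   # host unreachable or value absent

    # Data line looks like: "    Content Type    REG_SZ    text/x-component"
    foreach ($line in $out) {
        $m = [regex]::Match([string]$line, '^\s+Content Type\s+REG_\w+\s{0,4}(.*)$')
        # Return the data untrimmed so a whitespace-only value stays visible.
        if ($m.Success) { return $m.Groups[1].Value }
    }
    return $null
}

$report = foreach ($c in $Computers) {
    $value = Get-HtcContentType -ComputerName $c
    if ($null -eq $value) {
        $status = 'NoData'          # could not read the value: check by hand
    } elseif ($value -eq $Expected) {
        $status = 'Default'         # matches the documented default
    } else {
        $status = 'Investigate'     # differs from the default: possible infection
    }
    # Brackets make empty or whitespace-only data easy to spot in the table.
    [pscustomobject]@{ Computer = $c; ContentType = "[$value]"; Status = $status }
}

$report | Format-Table -AutoSize
```

A machine reported as `Investigate` only differs from the documented default; confirm with an anti-virus scan before treating it as infected.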


Denial of service in Adobe Flash Player

August 24, 2008 (09:17) | Security | By: viperEF

A vulnerability has been found in Adobe Flash Player that could be exploited by a remote attacker to cause a denial of service.

A remote user can create a specially crafted SWF file that, once viewed by the user, would use the 'setClipboard' function to repeatedly place arbitrary text on the clipboard, thus causing it to malfunction. In addition, this could cause a user to mistakenly visit a potentially dangerous web site when trying to copy and paste a URL into the address bar.

For the clipboard to work properly again, it is necessary to close the browser. It has been confirmed that this vulnerability is currently being actively exploited.

More information:

Adobe Flash Player setClipboard () Function Lets Remote Users Deny Service http://securitytracker.com/alerts/2008/Aug/1020724.html

Laboratory Hispasec