New IE Zero-day vulnerability exploited in the wild, infects with malware


New Internet Explorer zero-day vulnerabilities are currently being exploited in the wild in a watering hole attack that infects visitors of malicious websites with malware, security researchers at FireEye Labs warn.
 
One of the vulnerabilities is an information leak that affects IE8 on Windows XP and IE9 on Windows 7. The exploit reads the timestamp from the PE header of msvcrt.dll and sends it out; that value is then used to choose which exploit to deliver.
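Why a single timestamp is enough to pick an exploit: the COFF TimeDateStamp in a PE header is fixed at build time, so it identifies the exact build (and therefore patch level) of msvcrt.dll on the victim. The following Python is an added example, not FireEye's code or the exploit's; it parses that field from a PE image and, for offline use, builds a constructed minimal PE blob instead of reading a real msvcrt.dll.

```python
import struct
from datetime import datetime, timezone


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a DLL: DOS header, PE signature, COFF header.

    This is not a real msvcrt.dll; only the fields the parser reads are meaningful.
    """
    e_lfanew = 0x40                                   # PE signature right after the DOS header
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # 64 bytes, e_lfanew at 0x3C
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x2102)
    return dos_header + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # The COFF header follows the 4-byte signature; TimeDateStamp sits at offset 4 inside it.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def pe_timestamp_of_file(path: str) -> int:
    """Same parse applied to a file on disk (e.g. a copy of msvcrt.dll for inventory)."""
    with open(path, "rb") as f:
        return pe_timestamp(f.read(0x1000))


def build_time(stamp: int) -> datetime:
    """Turn the raw stamp into a UTC build time, the value that fingerprints a build."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


if __name__ == "__main__":
    sample = build_minimal_pe(1247468138)            # constructed value, 2009-07-13 UTC
    stamp = pe_timestamp(sample)
    print(hex(stamp), build_time(stamp).isoformat())
```

A defender can run `pe_timestamp_of_file` over the system DLLs of a fleet to see exactly which build stamps are exposed to this kind of leak, and why two machines with the "same" Windows version can still be told apart by it.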

The second is a memory access vulnerability; the exploit is designed to work against IE 7 and 8 on Windows XP and Windows 7. The researchers also found that the vulnerability itself affects IE 7, 8, 9 and 10.

After successful exploitation, the shellcode used in the exploit launches rundll32.exe and injects malicious code into it. The injected code then downloads and runs a malware file from the attacker's server.

Almost Half of Tor sites compromised by FBI [Exclusive details]

As many of you might know, the US has been pushing for the extradition of Eric Eoin Marques, whom an FBI agent has called "the largest facilitator of child porn on the planet."

But most of you might not know that he is also the owner of "Freedom Hosting", the largest hosting provider for .onion sites within the Tor network. This means that all the sites hosted by "Freedom Hosting" are in the hands of the FBI. As you can see from the above linked article, Freedom Hosting has been accused of hosting child pornography for a very long time.

I also have a fair idea of how the FBI did the "impossible": tracing a person who is using Tor. They further might have found details on all the people visiting sites hosted by Freedom Hosting. First have a look at what a person posted on pastebin on Aug 3rd, http://pastebin.com/pmGEj9bV . He says he found this code in the main page of "Freedom Hosting"; it further links to this exploit: http://pastebin.mozilla.org/2776374 .

This is my analysis of the exploit (I have not looked into it deeply as I am busy with my exams):
1. It is a 0-day for the Firefox version that ships by default with the "Tor Browser Bundle".
2. The check "version >=17 && version <18" in the code verifies that the browser is a version the exploit works on.

It also has another check (quoted from the exploit code and wrapped in a function here for readability):
// Returns true when the User-Agent reports a Windows host; the exploit only proceeds there.
function isWindowsHost() {
        var i = navigator.userAgent.indexOf("Windows NT");
        if (i != -1)
                return true;
        return false;
}

3. It also gathers the real IP of the user and possibly executes a malicious payload that could give the attacker full access to the system.
4. This exploit works because the Tor Project had made the bundled browser load JavaScript by default (this was not the case before, and people who had their "NoScript" plugin set to disallow scripts are safe).
5. Please note that this is NOT a zero-day for the Tor network but rather an exploit for the Firefox version that most Tor users are running.
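The two checks in points 2 and the quoted snippet define the profile the exploit targets: Firefox 17.x on a Windows host. The Python below is an added example (not code from the pastebin or from the Tor Project) that mirrors those checks from the defender's side, so a site operator reviewing web server logs can list which visitors matched the profile during the exposure window. The User-Agent strings and log lines are constructed samples.

```python
import re
from typing import Optional


def parse_firefox_ua(ua: str) -> dict:
    """Extract the Firefox major version and whether the UA names a Windows NT host."""
    m = re.search(r"Firefox/(\d+)", ua)
    version: Optional[int] = int(m.group(1)) if m else None
    return {"version": version, "windows": "Windows NT" in ua}


def matches_exploit_profile(ua: str) -> bool:
    """Same predicate as the exploit's gate: 17 <= version < 18 and 'Windows NT' present."""
    info = parse_firefox_ua(ua)
    return info["version"] is not None and 17 <= info["version"] < 18 and info["windows"]


def triage_log(lines):
    """Return (client_ip, user_agent) for each access-log line whose UA matches the profile.

    Assumes a combined-log-style layout where the UA is the last double-quoted field.
    """
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        quoted = re.findall(r'"([^"]*)"', line)
        if not quoted:
            continue
        ua = quoted[-1]
        if matches_exploit_profile(ua):
            hits.append((ip, ua))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Aug/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '10.0.0.6 - - [03/Aug/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '10.0.0.7 - - [03/Aug/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0"',
    '10.0.0.8 - - [03/Aug/2013:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.30.0"',
]

if __name__ == "__main__":
    for ip, ua in triage_log(SAMPLE_LOG):
        print(ip, "matched:", ua)
```

Only the first line matches: the Linux client fails the Windows check and the Firefox 22 client falls outside the version window, which is exactly the population the page's points 1 and 2 describe as exposed.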

Tor's official reply: https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting


Though the actions taken by the FBI to take down child pornography on the Tor network are appreciated by all of us, many legitimate sites hosted by Freedom Hosting are also down. They should make sure that what they do does not kill the freedom and anonymity that the Tor network stands for.


Edit 1: Here are a few other, deeper analyses I found: http://pastebin.mozilla.org/2777139 , http://tsyrklevich.net/tbb_payload.txt

PS: If you have anything more that you would like to be added to this article or any corrections you can contact me on Twitter https://twitter.com/SuriyaMe 

Ichitaro zero-day Vulnerability exploited in the wild, targets Japan users


JustSystems Corporation, the developer of one of the top Japanese word processors, Ichitaro, announced that an arbitrary code execution vulnerability in Ichitaro is being exploited in the wild.

When a user opens a malicious document that exploits this vulnerability, malware is dropped on the victim's machine. The malware can delete your data, warns JustSystems.

In a report, Symantec said they have seen the exploitation in the wild since mid-January. The attack targets Japanese users.

Malicious attachment (image credit: Symantec)
According to their report, the attack starts with an archive file containing the following files:
1. A clean Ichitaro document (.jtd file)
2. A modified JSMISC32.DLL file with a hidden attribute
3. A malicious DLL file with a hidden attribute and a .jtd file extension

When the .jtd document is opened on a vulnerable computer, it executes the modified JSMISC32.DLL, which in turn launches the malicious DLL file carrying the .jtd extension.
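The bundle Symantec describes has three properties a defender can check for mechanically: an executable (MZ) image hiding behind a .jtd extension, a JSMISC32.DLL shipped next to a document (a side-loading candidate), and hidden executables. The Python below is an added example, not Symantec's or JustSystems' code; it scans an extracted archive directory for those indicators and builds a constructed sample directory with dummy bytes so it runs offline. The hidden-attribute check uses the Windows `st_file_attributes` field when present and falls back to dot-prefixed names elsewhere (an assumption for portability, not part of the report).

```python
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2          # Windows attribute bit; st_file_attributes is absent elsewhere

# Reason codes returned by the scanner.
PE_WITH_JTD_EXT = "PE image disguised with a .jtd extension"
SIDELOAD_DLL_NAME = "JSMISC32.DLL shipped alongside a .jtd document (side-loading candidate)"
HIDDEN_EXECUTABLE = "hidden executable in document bundle"


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; dot-prefixed name as a portable fallback (assumption)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def is_pe_image(path: Path) -> bool:
    """A file whose first two bytes are the DOS 'MZ' magic is an executable image."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def scan_bundle(root: Path) -> list:
    """Return (file name, reason) pairs for every indicator found in the directory."""
    findings = []
    files = [p for p in root.iterdir() if p.is_file()]
    has_jtd = any(p.suffix.lower() == ".jtd" for p in files)
    for p in files:
        name = p.name.lower()
        executable = is_pe_image(p)
        if name.endswith(".jtd") and executable:
            findings.append((p.name, PE_WITH_JTD_EXT))
        if name == "jsmisc32.dll" and has_jtd:
            findings.append((p.name, SIDELOAD_DLL_NAME))
        if is_hidden(p) and (executable or name.endswith(".dll")):
            findings.append((p.name, HIDDEN_EXECUTABLE))
    return findings


def build_sample_bundle() -> Path:
    """Constructed directory mirroring the reported archive; contents are dummy bytes."""
    d = Path(tempfile.mkdtemp())
    (d / "report.jtd").write_bytes(b"dummy clean document body")      # clean .jtd stand-in
    (d / "JSMISC32.DLL").write_bytes(b"MZ" + b"\x00" * 62)           # modified DLL stand-in
    (d / "payload.jtd").write_bytes(b"MZ" + b"\x00" * 62)            # DLL with .jtd extension
    return d


if __name__ == "__main__":
    for name, reason in scan_bundle(build_sample_bundle()):
        print(f"{name}: {reason}")
```

Running the scan over each extracted e-mail attachment before it reaches a user turns the three properties in the report into a cheap mail-gateway or endpoint check; the magic-byte test in particular does not depend on the file name the attacker chose.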

Ichitaro users are advised to download and apply the patch from JustSystems to protect against this exploit.