Archive for October, 2008

ICANN unplugged Estdomain

[Read 28oct28.pdf –]

Unfortunately it was not convicted because of its cyber criminal involvement including massive malware distribution instead the termination is due to conviction of Vladimir Tsastsin, President of EstDomain in Estonia is due to credit card fraud, document forgery, and money laundering.

Now, the problem is that Estdomain appealed saying that they already changed their President prior to the conviction, which holds back their right to force ICANN to revoke the decision.

[Further Read Appeal.pdf ICANN]

Hopefully ICANN finds a way to legally prosecute it and so Estdomain will remain RIP.

Let’s see how it goes…

MS08-067 in Attackers Platform?

Amongst many other vulnerabilities discovered everyday, MS08-067 has created to much attention because it could provide remote attacker system privileges, it’s wormable and … perhaps, easy to implement? 

Sharing information is the best norm we already have and so PoC is just around the neighborhood: 

@ Metasploit
phreedom Security Researcher    

For sure, these websites encountered massive traffic and it’s not surprising if some exploit kits will release an update that will include this vulnerability.

Is this too attractive for Vxers or Gimmiv is just an isolated attack? No, idea but definitely it is still a threat. 

Further Reading:

ArborNetworks: Ms08-067-server-service-vulnerabilities-redux-and-wormability
SecuriTeam: Vulnerability in Server Service Allows Code Execution (MS08-067)
CA : MS08-067 Wormable Vulnerability…Patched

A potential new Mac Rogue AntiSpyware was caught/discovered by Sunbelt before it was able to scare other people. The rogue website currently do not serve an installer and perhaps it will cease to do so because of the early detection and awareness.

This is an indication that there is an active fraudsters interested in Mac and most likely we’ll be seeing this rogue in another name.

Report any dubious or dodgy website!

The Rise of Clickjacking

Before the name “clickjacking” was invented, most researchers already knew and had already seen this attack. As Schneier described, Clickjacking” is a stunningly sexy name. But on the other side, this is a great job for making such name that is not as technical as CSRF (Cross-site Request Forgery) – there’s something in that name that everyone can easily relate and understand (hijacking, carjacking..). With this massive buy-in, comes a spreading news and awareness to everyone.

Further reading:

Explanation of Clickjacing from Jeremiah Grossman

ClickJacking with PoC Demo

Adobe Advisory on “Clickjacking”

Interesting Example from BreakingPoint Labs

Security In Public Places

It looks funny but it is catchy and make sense! This is one of the top materials uploaded from ISC2 Cyber Exchange website  in relation with National Cyber Security Awareness Month.

October is National Cyber Security Awareness Month as is actively participated by different organization such as, US-CERT, Microsoft and many others.

Help make cyber world safe!

iPhone Users Vulnerable to URL Spoofing Attack

As I was reading my RSS feeds, I just noticed that Aviv Raff disclosed two vulnerabilities found in iPhone on Jewish new year (Oct 2). But, to my surprise the phishing vulnerability isn’t new to me, this is bit old, in fact I created a crafted email with spoofed URL on it, as inspired by its original author Juan Pablo Lopez Yacubian.

This topic has been blogged last April 24 – Zero Day Exploit: Safari Address Bar URL Spoofing

Since this vulnerability affects Safari 3.1, obviously iPhone users are affected as well. I just created this email to show that this vulnerability exist.

Notice the URL, you’ll find it creepy ‘coz in Desktop email browser you will usually see the complete URL in the lower right side bar. But in this case, the attacker can simply create a hyperlink to hide it and it’s not that obvious!

Upon clicking it, here’s what you’ll find …

Google in URL bar and Yahoo on the content ? Yes, this is the security flaw found in Safari. This happens when you input a URL containing special characters followed by “@” which indicates the actual hostname. The special characters was crafted long enough to hide the URL of the page.

However,  once you minimize the page, the URL displayed should ring a bell, that this is something fishy!

The lesson here is to be aware and stay safe!

MPEG, MP3, AVI, Video/Audio Media Files

These are urls commonly found inside malicious/infected MPEGs, MP3s, AVI, WMA and .WMV files.

h t t p:// — > redirecting to
h t t p://
h t t p://
h t t p://
h t t p://

Upon opening it will connect to any of these URL and download malicious program such as Windows_Media_Player_Flash_Codec_Plugin.exe. 

Be careful and stay safe!