Blog
The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
Hunting for Web Exploits: ActiveX controls, LinkedIn, and you
07.26.2007 - 3:01 PM
New ActiveX control vulnerabilities surface and are exploited for nefarious purposes every day. Just two days ago, an ActiveX control vulnerability in LinkedIn's IE toolbar was published along with proof-of-concept exploit code. What exactly are these vulnerabilities, and how do attackers use them? This post focuses on vulnerabilities that exist in ActiveX controls. We will see how and why attackers hunt for vulnerabilities like these, and how to exploit them.
NTOS.EXE : Analysis of the "Ransom Encryption"
07.20.2007 - 11:12 AM
A few weeks ago, we blogged about NTOS.EXE and its custom packer:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=134
Websense detected a new variant of NTOS.EXE this past weekend. This time, we don't discuss the packer, which is unpacked by our generic unpacker anyway, but instead discuss the blackmail feature of this trojan.
Here is the list of file extensions targeted by the trojan:
12m 3ds 3dx 4ge 4gl 7z a a86 abc acd ace act ada adi aex af3 afd ag4 ai aif aifc aiff ain aio ais akf alv amp ans ap apa apo app arc arh arj arx asc asm ask au bak bas bb bcb bcp bdb bh bib bpr bsa btr bup bwb bz bz2 c c86 cac cbl cc cdb cdr cgi cmd cnt cob col cpp cpt crp cru csc css csv ctx cvs cwb cwk cxe cxx cyp db db0 db1 db2 db3 db4 dba dbb dbc dbd dbe dbf dbk dbm dbo dbq dbt dbx dfm djvu dic dif dm dmd doc dok dot dox dsc dwg dxf dxr eps exp f fas fax fdb fla flb frm fm fox frm frt frx fsl gtd gif gz gzip ha hh hjt hog hpp htm html htx ice icf inc ish iso jar jad java jpg jpeg js jsp key kwm lst lwp lzh lzs lzw ma mak man maq mar mbx mdb mdf mid mo myd obj old p12 pak pas...
An Open Book
07.09.2007 - 7:39 AM
Nine months ago, Facebook announced that the site was no longer the exclusive domain of those elite with a verified ".edu" address. It did not take long for a number of grim predictions to form regarding the future of Facebook. A significant number of existing users met the announcement with an outcry over the impending demise of their Facebookian utopia. One of the common points for many of the predictions was that Facebook would be crushed under the weight of an onslaught of spammers.
Open registration would indeed provide access to spammers, but Facebook was also neglecting its key demographic: a certain Websense employee who was still in high school when he decided he was too cool for school and instead opted to begin exchanging code for paychecks. He appreciates the invite; thanks, Mark!
But Facebook engineers showed a little ingenuity and, with improved privacy options and some very aggressive spam filtering, the site has largely retained its reputation as "Spam Proof". The initial furor over open registration quickly subsided as it became clear that the accuracy of the doomsday predictions was on par with one of Miss Cleo's prophecies. Most people are now in agreement that open registration was a Good Thing.
Developers! Developers! Developers! Developers! Developers! ... Developers?
Last month, Facebook continued the trend of opening up their site with the release of their Developer API – dubbed "Platform". Once again, a vocal minority was convinced that Facebook was on the verge of perishing. However, I threw on some rose-colored shades and promptly ignored the nays...
Previous Posts
July 2007
| 07.26.2007 | Hunting for Web Exploits: ActiveX controls, LinkedIn, and you » |
| 07.20.2007 | NTOS.EXE : Analysis of the "Ransom Encryption" » |
| 07.09.2007 | An Open Book » |

