
Posts

Showing posts from 2015

Trojan distributed as 8 Ball Pool game hack

The Dell SonicWALL Threats Research team has received a sample of a backdoor Trojan posing as a game hack. It is no surprise that cheats for games often carry malware, but as a game grows in popularity cybercriminals take advantage of eager players with promises to unlock abilities or to accumulate enough credits to buy something that speeds up progress, and these shortcuts make the lure more appealing. The sample we received poses as a cheat for a top-ranking free sports game; in fact, searching online for the 8 Ball Pool game yields keyword suggestions such as "hack" and "cheats."

Infection Cycle

The Trojan arrives as a file named "hack 8 ball pool.exe." Upon execution, it copies itself to the following location: %TEMP%\chrome.exe

In order to start after a reboot, the Trojan adds the following keys to the registry: HKLM\software\microsoft\windows\currentversion\run[8ce73491bf190a3fd7028c92bd3331b1]...
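The persistence pattern above (a copy in %TEMP% with a browser's file name, started from a Run key) is easy to audit. The following script is an added example, not part of the original post or of SonicWALL's analysis: it parses the text output of `reg query HKLM\...\Run` style listings (the sample rows and the hex value name below are constructed, not captured from a real host) and flags entries whose executable lives in a temp directory or borrows a browser's file name from outside Program Files. On a live system you would feed it the output of `reg query` for both the HKLM and HKCU Run keys.

```python
import re

# Constructed sample of `reg query ...\Run` output (not captured from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    b7e3c1d9a4f2e8c6b5a1d3f7e9c2a4b6    REG_SZ    C:\Users\alice\AppData\Local\Temp\chrome.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Chrome    REG_SZ    %TEMP%\chrome.exe
"""

# reg query separates name / type / data with runs of spaces; value names may contain single spaces.
ROW_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")
# Executable path: optionally quoted, up to the first ".exe".
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)

TEMP_MARKERS = ("%temp%", "%tmp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
BROWSER_NAMES = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def parse_run_entries(text):
    """Return [{'key', 'name', 'path'}] for every value under each HKEY_ header."""
    entries = []
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = ROW_RE.match(line)
        if not m or key is None:
            continue
        data = m.group("data")
        exe = EXE_RE.match(data)
        path = exe.group("exe") if exe else data.strip('"').split()[0]
        entries.append({"key": key, "name": m.group("name"), "path": path})
    return entries


def suspicious_reasons(path):
    """Heuristics for a Run-key target; empty list means nothing suspicious."""
    low = path.lower().replace("/", "\\")
    reasons = []
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("executable lives in a temp directory")
    name = low.rsplit("\\", 1)[-1]
    if name in BROWSER_NAMES and "\\program files" not in low:
        reasons.append(f"{name} outside Program Files (likely impersonating a browser)")
    return reasons


def audit_run_keys(text):
    """Entries from the listing that trip at least one heuristic, with reasons."""
    findings = []
    for entry in parse_run_entries(text):
        reasons = suspicious_reasons(entry["path"])
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG_QUERY):
        print(f"{f['key']}\\{f['name']} -> {f['path']}: {'; '.join(f['reasons'])}")
```

The heuristics are deliberately narrow (temp-directory paths and browser names outside Program Files); a legitimate per-user install under AppData is not flagged, so review the full listing rather than relying on the flags alone.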

Allowing WeChat to Sign Up and to get QR Code for login in SonicWall

SonicWall's Application Control blocks some applications that WeChat requires. As a result, mobile users on your network cannot sign up for WeChat and get "Connection error. Check your network settings.", and users who already have an account cannot sign in with the QR code. Laptop/desktop WeChat users encounter the same error. To solve this, unblock/allow the following entries from the Application Signature List in your SonicWall:

Application Category: Proxy-Access (27)
Application: Proxy-Access HTTP (966)
Application Signature: Proxy-Access HTTP Proxy -- HTTP Proxy POST (9685)

You also need to allow/exclude the IP addresses below from Application Control on your SonicWall. (WeChat uses many IP addresses; if the issue is not resolved after adding this list, check the logs and add the others you find.) 203.205.129.101 203.205.147.168 203.205.151.160 140.206.1...

Increased Online Shopping and Increased Malicious Email Threats

As usual, online shopping websites offer year-end discounts after Thanksgiving Day, Black Friday and Cyber Monday, and spammers launch campaigns that hunt for victims among online shoppers. Below is a guide on how to stay safe online and best practices for avoiding email scams.

How to Stay Safe

An important skill for staying safe online is identifying the fraudulent domain names used in malicious links in email. Scammers usually disguise the true second-level domain by prepending legitimate, familiar names to the beginning of the hostname, so the link appears to belong to a brand the reader knows. Appearing to come from a legitimate source, the malicious email links to sites hosting exploit code, in the hope that the user has an unpatched system and a vulnerable web browser, with the goal of compromising the user's machine. Other attack vectors come directly as email attachments: Word documents, executables and other infected files.

Best practices for avoid...
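The "familiar name prepended to an unrelated hostname" trick is caught by looking at the registrable domain (the label just left of the public suffix) rather than at the start of the hostname. The following is an added example, not code from the original post: it reduces a link to its registrable domain and compares that against a small set of trusted domains. The public-suffix table is a deliberately tiny stand-in (a real implementation loads the full Public Suffix List), the trusted set and the sample URLs are constructed for illustration, and the `203.0.113.10` address is a documentation-range placeholder.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "biz", "info", "uk", "co.uk", "sg", "com.sg"}

# Constructed allow-list of domains the reader actually shops at.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "paypal.co.uk"}


def registrable_domain(hostname):
    """'www.paypal.com.secure-login.info' -> 'secure-login.info'; None if no known suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix down, so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def is_ip_literal(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a URL as trusted / lookalike / unrelated / ip-literal / no host."""
    parts = urlsplit(url)
    # .hostname drops 'user:pass@' and ':port', so 'http://amazon.com@evil/' is not mistaken for Amazon.
    host = parts.hostname
    if not host:
        return {"url": url, "host": None, "domain": None, "verdict": "no host"}
    if is_ip_literal(host):
        return {"url": url, "host": host, "domain": None, "verdict": "ip-literal"}
    domain = registrable_domain(host)
    if domain in trusted:
        verdict = "trusted"
    else:
        # A trusted brand name anywhere in an untrusted host is the classic lure.
        brands = {d.split(".")[0] for d in trusted}
        verdict = "lookalike" if any(b in host for b in brands) else "unrelated"
    return {"url": url, "host": host, "domain": domain, "verdict": verdict}


# Constructed sample links of the kind seen in holiday-season spam.
SAMPLE_LINKS = [
    "https://www.amazon.com/gp/css/order-history",
    "http://www.amazon.com.order-status.biz/login",
    "http://amazon.com@203.0.113.10/track",
    "https://www.paypal.co.uk/signin",
    "https://deals.example.org/",
]


def scan(urls=SAMPLE_LINKS):
    return {u: classify_link(u)["verdict"] for u in urls}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{verdict:10s} {url}")
```

The check is only as good as the suffix table: with the full Public Suffix List, hosts under shared platforms (for example `*.blogspot.com` entries) are also split correctly, which the toy table above does not attempt.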

Microsoft Word Remote Code Execution Vulnerability (CVE-2015-0097)

A remote code execution vulnerability exists in Microsoft Office, caused when Office improperly handles objects in memory while parsing specially crafted Office files. This can corrupt system memory in a way that allows an attacker to execute arbitrary code (CVE-2015-0097). To exploit this vulnerability the user has to be tricked into visiting the attacker's website by clicking a link; another scenario is downloading and opening a specially crafted Office file sent as an email attachment. Microsoft Word, Excel and PowerPoint contain a remote code execution vulnerability because it is possible to reference documents such as Works documents (.wps) as HTML; the HTML and script code is then processed in the context of Internet Explorer's Local Machine zone, which leads to arbitrary code execution. Once the user opens the Office document, the attacker can perform actions in the security context of the logged-in user. When the user ope...

NTP Daemon Vulnerabilities

NTP is a protocol designed to synchronize the clocks of computers over a network. NTP uses a hierarchical, semi-layered system of time sources; each level of this hierarchy is termed a "stratum" and is assigned a number starting with zero at the top. The NTP Project conducts research and development in NTP and produces the official reference implementation of the protocol, along with its implementation documentation, through a largely volunteer effort. A few weeks ago, ntp-4.2.8p4 was released, fixing multiple vulnerabilities, among them "NTP Daemon Arbitrary File Overwrite", which addresses CVE-2015-7703. Description: if ntpd is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it is possible for an att...
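The first two preconditions in that description are controlled by ntp.conf: runtime configuration needs a `controlkey` (ntpq) or `requestkey` (ntpdc), and the `restrict` flag `nomodify` denies ntpq/ntpdc requests that change state while `noquery` denies all such queries. The linter below is an added example, not from the original post or the NTP Project: it reads ntp.conf text and reports where non-local sources could still push configuration. Both configurations are constructed; the checker models only the `restrict` flags and key directives, not overlapping masks or `enable`/`disable` directives.

```python
# Constructed ntp.conf that meets the vulnerability's first two preconditions.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
keys /etc/ntp/keys
trustedkey 1
controlkey 1      # ntpq :config enabled
requestkey 1      # ntpdc runtime configuration enabled
restrict default kod limited
restrict 192.0.2.0 mask 255.255.255.0 kod limited
restrict 10.0.0.5 nomodify notrap
restrict 127.0.0.1
"""

# Constructed hardened equivalent: no runtime-config keys, default rules deny modification.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# Any one of these flags on a restrict line stops configuration changes from that source.
MODIFY_BLOCKERS = {"ignore", "noquery", "nomodify"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ntp_conf(text):
    """Return (set of directive names, [(address, set(flags))] for restrict lines)."""
    directives = set()
    restricts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        directives.add(tokens[0])
        if tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        address, rest = args[0], args[1:]
        if rest[:1] == ["mask"]:          # 'restrict A mask M flags...'
            rest = rest[2:]
        restricts.append((address, set(rest)))
    return directives, restricts


def lint_ntp_conf(text):
    """List of findings; an empty list means no remote-configuration exposure was found."""
    directives, restricts = parse_ntp_conf(text)
    findings = []
    if directives & {"controlkey", "requestkey"}:
        findings.append("controlkey/requestkey present: runtime (remote) configuration is enabled")
    defaults = [flags for addr, flags in restricts if addr == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: any source may send mode 6/7 requests")
    for flags in defaults:
        if not flags & MODIFY_BLOCKERS:
            findings.append("'restrict default' lacks nomodify/noquery: non-local hosts may push configuration")
    for addr, flags in restricts:
        if addr != "default" and addr not in LOOPBACK and not flags & MODIFY_BLOCKERS:
            findings.append(f"restrict {addr} allows configuration changes from that address")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in lint_ntp_conf(conf) or ["no findings"]:
            print("  -", finding)
```

If runtime configuration is genuinely needed, keep the key directives but restrict them to loopback (or a specific management host with `nomodify` removed only on that line) and put `noquery` on the default rules, so a spoofed packet from elsewhere never reaches the password check at all.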

How to stop "Wireless SSID" from broadcasting in Ruckus ZoneDirector and remove from APs

If you want to stop a wireless SSID from broadcasting and remove it from all access points, follow these steps in your Ruckus ZoneDirector.
- Log in to ZoneDirector.
- Click "Configure" and go to "WLANs".
- Find "WLAN Groups" under the "WLANs" section.
- If you are using the "System Default Group", select it and click Edit. Then uncheck the SSID you want to stop broadcasting and remove from all APs, and click "OK".
- If you are using a "Custom Group", do the same as in the step above.
Now your SSID has been disabled and removed from all access points. You can verify this by going to the Dashboard and checking "Most Recent System Activities". That's all. Have a good time. (Be knowledgeable, pass it on then)

Troubleshooting unable to PING issue on Cisco RV215W

I had to configure and install a Meg@POP router at a site office. The configuration is very simple: just WAN, LAN and static routing. After all configuration was done, I could ping from the router and from clients to the SingTel-side IP and the HQ-side IP, but not from them back to the router. I reviewed the simple configuration repeatedly and could not find anything wrong. Then I checked the firewall settings, since this router includes security features, and realized that the "Block WAN Request" checkbox was checked and needed to be unchecked. After I unchecked it and saved, SingTel and HQ could ping this router successfully. Thank God. So if you have the same issue while configuring a Cisco RV215W Wireless VPN Router, do not forget to uncheck "Block WAN Request" and save so the router can be pinged from outside. Keep in mind that the router will then answer pings from anyone on the WAN side, so leave it unchecked only if that exposure is acceptable for the link. Have a good time. (Be knowledgeable, pass it on then)