Author Archives: Jorden

TextPayMe – The paypal for 2006?

Filed under Misc, Uncategorized

SignUp at TextPayMe

Well, what can I say about this handy little service. When I first read about it, I thought this is pointless. Then I sat and thought about it for a few days. Yeah! This is useful. How many times have I been busy working or on the road and my girlfriend says, “Jordan, can you please transfer me 100.00 for my hair and nails?” True, normally I would laugh it off and advise her to get a part-time job; however, on a special day I might feel so inclined.

Good news? Of course; the good news is they’re going to give you a free 5.00 for signing up. Not that 5.00 makes me start to river dance, but I can sign up for free and transfer money for free, all from my cell phone. So if nothing more, give it a try; if you think it’s pointless, give it a try for FREE and prove yourself right!

I enjoy it. If this is something you would enjoy, click on the banner below and let the txt begin!

SignUp at TextPayMe

0-Day : IE 6.0 SP2 (mshtml.dll) DoS exploit (PoC)

Filed under Security News, Security Programs, Windows

Another exciting day for Internet Explorer surfers!

This morning we’re going to list a DoS exploit released in the wild early this morning. This exploit isn’t as serious as the one we went over yesterday regarding WMF. I consider this DoS exploit more of an annoyance than a threat. Not to mention it only affects IE users; however, that affects all of you at this point. First we’re going to list the code for this exploit, discovered by rgod, and then we’ll go over recommended solutions and follow up with the PoC.


< .head.>
< .style.>< .!-- #page div p:first-child:first-letter { border-bottom: 2px ridge #F5DEB3; } //-->
< ./style.>
< ./head.>
< .body.>< .div id="page">

< .strong.>suntzu< ./strong.>< ./p.>< ./div.>< ./p.>< ./div.>

As you can see this is a very simple attack and very easy to create. The good news is, I don’t see many people using this exploit for any benefit beyond annoyance, but who knows, this could escalate into something bigger. However, since the WMF exploit is public now, I think the malicious users will be focusing on that bad boy.

Recommended Solution:
Mozilla Firefox 1.5 Final [ download ] w/ NoScript [ info] [download]

I know this isn’t a solution for die-hard Internet Explorer users. However, regardless of the reason, we recommend using multiple browsers for different browsing habits. If you’re extra paranoid you can even go as far as running VMWARE Workstation 5.5.

Proof Of Concept:
Crash Internet Explorer 6.0

Note: clicking this link using Internet Explorer is pointless unless you actually want to crash your browser. We are unaware of any way around this using Internet Explorer as of now. If you know otherwise, please advise…

0-Day Exploit : MS/IE – WMF Remote Code – Fix!

Filed under Downloads, Security News, Security Programs, Windows

A little spice to the end of 2005… Christmas was nice, spending it with family, securing their computers, the usual for holidays with the family. If only it were that easy this year: as of this morning a new exciting exploit was released. The good news is my current configuration wasn’t affected by this annoyance. So, we’re going to list the advisory released by FrSIRT and let you review that, then we’ll move forward to the steps to take to protect yourself. Also, look at the end for references.

Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-28

Technical Description

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to an error in the rendering of Windows Metafile (WMF) image formats, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to open a malicious WMF file using a vulnerable application (e.g. Windows Picture and Fax Viewer), or visit a specially crafted Web page that is designed to automatically exploit this vulnerability through Internet Explorer.

Note : This unpatched vulnerability is currently being exploited in the wild.


Affected Products

Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition


The FrSIRT is not aware of any official supplied patch for this issue.



Vulnerability reported in the wild by noemailpls


2005-12-28 : Original Advisory

Tech-Security Explains:
As shown by FrSIRT, there is no real solution for this until we receive a patch to fully resolve the issue. However, there are steps you can take to protect yourself. I’m running Firefox 1.5 Final w/ NoScript extension and configured browser settings (mentioned in an earlier thread), and when I went to one of the infected sites, I wasn’t hit by the exploit.

Want to start thinking about secure browsing? Good, it’s about time…

Update your anti-virus software 1-3 times a day; this way, if you do get infected by this exploit, you’ll have protection shortly afterwards. Not good enough? I agree…

Tech-Security Recommended Fix:
For safe browsing, I would recommend installing VMWARE and installing a fresh copy of Windows. This enables you to browse within the VMWARE instance of Windows, allowing nothing to enter your production OS. This is a great idea for browsing and testing exploits/infected programs. Just be sure you keep your VMWARE Workstation updated too.

Protect yourself:
VMWARE Workstation 5.5
[ more info ] . [ download ]

Easiest Fix:
Windows Media File Viewer | [disable] . [enable]

This is more of a temporary solution, which is why we recommend VMWARE. It might seem like a hassle at first, but no more than if you get infected with a serious virus. At least VMWARE is a one-time deal.
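The advisory above only says the flaw is in WMF rendering. For readers who want something to check incoming images with rather than waiting for a patch, here is an added example (my own code, not from this post, FrSIRT or Microsoft) that parses the WMF record stream and flags META_ESCAPE records carrying the SETABORTPROC sub-function, which is the record type the public analysis of this bug identified as the trigger. Record layouts and the 0x0626 / 0x0009 constants are from the WMF file format; the two sample files are constructed inline for the demo and carry no payload.

```python
import struct
import sys

# Constants from the WMF file format (not from the post).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional placeable (Aldus) header
META_ESCAPE = 0x0626         # record function: GDI Escape
SETABORTPROC = 0x0009        # escape sub-function abused by the 2005 exploit
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201     # harmless record used in the benign sample


def parse_wmf_records(data: bytes):
    """Yield (function, params) for every record of a standard or placeable WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                         # skip the 22-byte placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_size, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_size != 9:
        raise ValueError("not a WMF header")
    off += 18                            # standard header is 9 words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2            # RecordSize is counted in 16-bit words
        if size < 6 or off + size > len(data):
            raise ValueError("malformed record at offset %d" % off)
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def scan_wmf(data: bytes) -> dict:
    """Summarise the escape sub-functions present; flag SETABORTPROC."""
    escapes, count = [], 0
    for func, params in parse_wmf_records(data):
        count += 1
        if func == META_ESCAPE and len(params) >= 2:
            escapes.append(struct.unpack_from("<H", params, 0)[0])
    return {"records": count, "escapes": escapes,
            "setabortproc": SETABORTPROC in escapes}


# --- constructed sample files (demo only) ---------------------------------
def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records) -> bytes:
    body = b"".join(records) + _record(META_EOF, b"")
    max_rec = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


def _placeable(inner: bytes) -> bytes:
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", head):   # XOR of the first 10 words
        checksum ^= w
    return head + struct.pack("<H", checksum) + inner


BENIGN_WMF = _wmf([_record(META_SETBKCOLOR, b"\xff\xff\xff\x00")])
SUSPECT_WMF = _placeable(_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))]))

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, scan_wmf(f.read()))
```

The scanner keys on file structure, not on the extension, which matters because the viewer component dispatches on content; run it over an inbound mail or proxy spool and treat any `setabortproc` hit as something to quarantine for a closer look.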

IceSword…The Best Rootkit Defender?

Filed under Downloads, Security News, Security Programs, Windows

IceSword 1.2

Look out people! Over the past few months people have heard more and more about rootkits. I’ve been dealing with rootkits for some time now and after having numerous friends infected by Sony’s rootkit, I decided it’s time to help educate the prey. Now, hopefully you’re not sitting there saying, “Prey?? I use Norton Internet Security and if you’re suggesting that a rootkit can bypass that, I have news for you!” My response would be a standard “laugh out loud” followed by blocking your IP from my website. No, seriously, regardless of your current protection, it’s not enough. Rootkits change on a regular basis to bypass AntiVirus software along with the popular anti-rootkit software.

I recommend using 3 useful rootkit utilities in your hunt for the invisible rootkit. I do not recommend only using one of the three, or even two of the three. I say three because, in case the nifty rootkit infecting your system was updated to bypass one or two of my recommendations, you would have a 3rd opinion. Now that I’ve explained myself and hopefully convinced you to install, update, and run these utilities on a weekly basis, we’ll move forward with testing.

Note: Click links below to download software.

Our Test Environment:
- Windows XP SP2 (fully updated)
- Sygate Personal Firewall Professional (.dll injection detection)
- Kaspersky AntiVirus Professional (script detection)
- All-Seeing Eye (best system monitoring tool around)
- Spyware and other tools not listed.

Programs under the spotlight:
- Rootkit Revealer [info] | [download]
- BlackLight [info] | [download]
- IceSword English [info] | [download]

Rootkit under oath:
Lil Rob’s album “Twelve Eighteen” released by Upstairs Records.

All 3 software programs detect the rootkit; however, none of them removed it. BlackLight allows you to rename the files, but the junk is still there. Rootkit Revealer lets you know where all the files are so you can manually remove the files in DOS and the registry entries using PSEXEC. Finally my personal favorite, IceSword: this program displays a lot more information than the other two, however it’s for more advanced users. This is exactly why I recommend using ALL three for detection and IceSword for advanced removal.

I’m interested to hear what others think about IceSword and your techniques for battling rootkits!

Ophcrack 2.1 – LiveCD (Linux) & 2.1 Install (Win)

Filed under Downloads, Security Programs

Ophcrack LIVE CD & Ophcrack 2.1

Rainbow Table

A Windows password cracker based on the faster time-memory trade-off using rainbow tables. This is an evolution of the original Ophcrack 1.0 developed at EPFL. Ophcrack 2.0 comes with a GTK+ Graphical User Interface and runs on Windows as well as on Linux.

Brute force a Windows password… forget it; that’s based on a list of possible passwords and can take forever. Use NT Offline Reset to reset the password… sure, that’s great and all, except what if you just want to know the current password without erasing the original?
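To make the “time-memory trade-off” behind Ophcrack concrete, here is an added toy rainbow table (my own example, not Ophcrack’s code or its tables). It uses SHA-256 over a 17,576-word space of three lowercase letters instead of the LM/NT hashes Ophcrack targets; the chain length, chain count and reduction function are all parameters I chose for the demo. The lesson for anyone storing passwords is the one the post’s 5-minute crack time illustrates: an unsalted hash can be precomputed once and looked up forever.

```python
import hashlib
import random
import string

# Toy parameters chosen for the demo (not Ophcrack's real table parameters).
ALPHABET = string.ascii_lowercase
PW_LEN = 3                      # 26**3 = 17,576 possible passwords
CHAIN_LEN = 50                  # t: hash/reduce steps per chain
NUM_CHAINS = 1200               # m: chains kept; m * t = 60,000 > 17,576


def H(pw: str) -> bytes:
    """Stand-in for the unsalted password hash (SHA-256 here, not LM/NT)."""
    return hashlib.sha256(pw.encode()).digest()


def R(h: bytes, i: int) -> str:
    """Reduction function number i: maps a hash back to *some* password.
    A different reduction per chain position is what makes the table a
    'rainbow' table and keeps chains from merging as often as Hellman's do."""
    n = int.from_bytes(h[:8], "big") + i
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def make_starts(m: int, seed: int = 1):
    rng = random.Random(seed)
    return ["".join(rng.choice(ALPHABET) for _ in range(PW_LEN)) for _ in range(m)]


def build_table(starts):
    """Precomputation (the 'memory' side): walk every chain and keep only
    endpoint -> [start points]; the intermediate hashes are thrown away."""
    table = {}
    for start in starts:
        pw = start
        for i in range(CHAIN_LEN):
            pw = R(H(pw), i)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Online phase (the 'time' side): recover a password hashing to target."""
    for j in range(CHAIN_LEN):
        # Assume target is the j-th hash of some chain; walk on to its endpoint.
        x = R(target, j)
        for i in range(j + 1, CHAIN_LEN):
            x = R(H(x), i)
        for start in table.get(x, ()):
            # Endpoint matched: regenerate that chain and look for the hash.
            pw = start
            for i in range(CHAIN_LEN):
                if H(pw) == target:
                    return pw
                pw = R(H(pw), i)
            # Falling through here is a false alarm caused by a chain merge.
    return None


def coverage(table, trials: int = 200, seed: int = 2) -> float:
    """Fraction of random passwords the table recovers (no table is complete)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pw = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        if lookup(table, H(pw)) == pw:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    table = build_table(make_starts(NUM_CHAINS))
    print("endpoints stored:", len(table), "for", NUM_CHAINS, "chains")
    print("coverage of random passwords: %.0f%%" % (100 * coverage(table)))
```

Two things the numbers show when you run it: the table stores 1,200 endpoints instead of 17,576 hashes, yet recovers most passwords, and each lookup costs on the order of t²/2 hash operations rather than a full brute force. Per-user salts defeat this entirely, because every salt value would need its own table.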

I tested both the LIVECD version and the Windows installer. Both of them have benefits; the LiveCD is a must if the computer is offline or shut down when you want to test your password security. However, the LiveCD is version 0.9a so it’s a little outdated. The Windows installer was just updated to 2.1 and released on 12/06/05, so it’s really nice to have the latest. If you’re truly testing your password security the Windows installer is the way to go; however, if you can’t get into your computer and need to crack that password, the LIVE CD is the way to go. Either way, it cracked a random password within 5 minutes.

Live CD: This is a great option; it’s a Linux bootable CD on the Ubuntu distro. All you have to do is burn this ISO image to a CD, reboot your computer, go into the BIOS and make sure your computer checks the CD-ROM before the HD. Now, it will load the distro and if a SAM file is found, start cracking right away. When I tested this way it took less than 5 minutes to crack my brother’s administrator password.

Download: Ophcrack 0.9a – Live CD ISO

Windows Installer Version: This is nice if you have a fast Windows box around the house or office. The installer is 3MB; however, you have to select which tables you want to download. The larger table is around a 700 MB download, so it takes a few minutes. Once it’s done you have options:

* encrypted SAM: dumps the hashes from the SAM and SYSTEM files retrieved from a Windows machine while booting on another disk. Note that in this case you do not need to know a Windows administrator password to get the hashes.
* local SAM (only for the Windows version of Ophcrack 2.0): dumps the hashes from the Windows machine the program is running on. You need to be administrator of your local machine for this to work.
* remote SAM (only for the Windows version of Ophcrack 2.0): dumps the hashes of a remote Windows machine, provided you know the username and password of an administrator and the name of a share.

Download: Ophcrack 2.1 – Windows Installer

Firefox 1.5 Final – Exploit & PoC : Easy Fix!

Filed under Security News, Security Programs, Windows

Today, a minor DoS (Denial of Service) exploit was released, showing how even Firefox 1.5 Final, which was just released 11/29/05, is vulnerable to attacks. I say “minor” because you have a choice whether or not you’re affected by this type of DoS attack.

PacketStorm and their research has paid off again!

Basically Firefox logs all kinds of URL data in its history.dat file. This little script will set a really large topic and Firefox will then save that topic into its history.dat. The next time that Firefox is opened, it will instantly crash due to a buffer overflow — this will happen every time until you manually delete the history.dat file — which most users won’t figure out.

This proof of concept will only prevent someone from reopening their browser after being exploited. DoS if you will. However, code execution is possible with some modifications.

Okay, so you would have to click a link or try to access a vulnerable website for this to take effect. Now, with the default installation of Firefox 1.5 Final, your browser would crash on you and when attempting to open your browser again you would experience another browser crash. Are you being hacked? No, this is an annoyance… Enough with the small talk, let’s go over what needs to be done to prevent this attack and future attacks like this from affecting you! Put an end to the abuse!

Technically you have 2 options to resolve this issue:

1) You can simply open Firefox click ‘Tools’ > ‘Options’ > Select the ‘Privacy’ button and check everything (The only two that have to be checked are, ‘Browser History’ & ‘Clear private data when closing Firefox’).

Firefox Privacy

- This will clear the browser history every time Firefox closes. So, if you did run across this DoS attack while browsing, your browser will crash, but the data was cleared upon crashing. This isn’t the best option because you’re still losing your current searches and have been annoyed by the exploit. This is why step 2 is the only way to go…

2) A great Firefox extension called NoScript offers protection against JavaScript from untrusted sites running on your system. What this program does is, when you access a website that wants to run JavaScript on your system, it blocks it and prompts you, giving you the option to “always allow from the site” or to “temporarily allow from the site.” So when this exploit tried to run against me, I knew I didn’t want to allow this JavaScript to run and continued browsing without being affected at all. Now, before you go out and get all browser happy, read up on this program and get this extension installed on your computer!

No Script Logo

Download: Install this bad boy now!
More Information: What is it?

Manual removal: (example:) C:\Documents and Settings\techsec\Application Data\Mozilla\Firefox\Profiles\4rbeef38.default\history.dat

The history.dat file is 10,153 KB once the code has run successfully; deleting it clears the problem as well.

This seems to affect previous version of Firefox also, so please be sure to protect yourself before testing the PoC on your computer!

Test Yourself: Think you’re secure? (modified script of the original from ZipLock)

Rootkit Detection – Why be a victim of Sony abuse?

Filed under Uncategorized

Over the last month we’ve all watched websites blow up with Anti-Sony this and rootkit that. Well, the thing is, Sony isn’t the first to use a rootkit. Virus creators have been using rootkits to hide viruses from detection for some time now. Victims of the Sony rootkit are people who were caught with their cyber pants down in a cyber prison… not recommended.

So, before you feel sorry for yourself or anyone else who had to play that Celine Dion CD on a computer, do yourself a favor and take the necessary procedures to protect yourself.

1) Windows Updates. If you don’t stay current with Windows updates, there is no hope.

2) Antivirus protection – You need to set your antivirus software to check for updates on a daily basis. I set mine to check on the hour, every hour. Another tip: check and make sure your antivirus software doesn’t have the word “Norton” in it. You’d have better luck asking your magic 8 ball if you’re infected.

3) Download Rootkit Revealer & Blacklight. Run these bad boys once a week to check for rootkits. Be sure to check with the vendor for updates, these 2 products are updated frequently.

4) Before installing ANY software, take the 5-10 minutes to read the EULA and make sure you know what you’re accepting.

5) Stop trying to download the Paris Hilton video off Limewire; consider this approach like playing the lotto. You have 10,000+ videos all claiming to be the same, however they are all different sizes. So, if you pick the right one, you might be okay; however, the other 99.9% are infected.

These are 5 basic steps to take in preventing virus infections and rootkits from ruling your computer. If you’re wanting to donate your computer resources, I recommend one of the SETI projects.

Phishing & the <>< test!

Filed under Uncategorized

Things have changed in the game of online phishing. A few years back it was as simple as spoofing an e-mail with a link to a site that looked just like the site you thought you were going to; add a little JavaScript to remove the address toolbar and nobody knew the difference. Today it’s a different story: studies show only 4% of internet users can spot phished emails 100% of the time.

I know what you’re thinking… You’re sitting there saying only morons took that survey, which is why I provided a link for you to test yourself.

Phishing IQ Test: MailFrontier’s Test

Mozilla Firefox 1.5 Final

Filed under Uncategorized

Firefox hit its second major milestone Tuesday with the release of version 1.5, arriving just over a year after the alternative browser debuted at 1.0. The update sports Mozilla’s new Gecko 1.8 rendering engine to speed up Web surfing, along with a myriad of other fixes and improvements.

Notable changes in Firefox 1.5 include the ability to reorder tabs, faster back and forward buttons, a feature to clear personal data, improved accessibility and popup blocking, along with support for more Web standards such as SVG, CSS 2 and CSS 3, and JavaScript 1.6. Firefox 1.5 is available now for Windows, Mac OS X and Linux.

Awesome news! I’m not an IE hater nor a Mozilla lover. Simply put, I enjoy using both browsers for different tasks. I have to admit being able to organize my tabs is a huge plus for a freak like myself. I have to recommend an extension for Firefox called NoScript.

Plugin: NoScript [download] [info]

Download: Firefox 1.5 Final


Filed under Misc, Personal


FightAIDS@Home (Launched November 21, 2005)
FightAIDS@Home is a project focused on using computation methods to identify candidate drugs that have the right shape and chemical characteristics to block HIV protease. This approach is called “Structure-Based Drug Design”, and according to the National Institute of General Medical Sciences, it has already had a dramatic effect on the lives of people living with AIDS.

I was never one for the SETI@HOME space projects back in the day. However, now that Berkeley is controlling the SETI project, and given that this is for AIDS rather than Extraterrestrial Intelligence, I decided to go ahead and donate my computer’s idle time to this research project. With my uncle having been infected with HIV for over 15 years, I know the importance of this research, and for something that doesn’t cost me a penny, I cannot turn my head. If this is something you feel you’re interested in, I highly recommend helping out for this cause.

More Information: FIGHTAIDS@Home or World Community Grid

Download: Join the Fight