Friday, January 29, 2016

fin1te XSS on Facebook blog

I thought this blog by fin1te explaining XSS on Facebook via PNGs was a great read, and worth the time of anybody interested in the topic.

The attackers will continue to evolve to evade detection and the good guys like us better stay on top of our game if we hope to stop (or even just detect) this madness!

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. php injection ali.txt walk-thru


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Saturday, January 23, 2016

PUM.Optional.HomepageControl

Let's say you run Malwarebytes and get this alert.

PUM.Optional.HomepageControl, HKU\...\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage, 1, Good: (0), Bad: (1),,[...]

PUM stands for Potentially Unwanted Modification. This doesn't necessarily mean it's malicious. In fact, in most cases this particular alert is probably normal and expected, especially if, for example, you work at a company that automatically sets your homepage to its website. Malwarebytes alerts you for awareness, since some pieces of malware purposely alter your home page, for example setting it to their malicious site, or changing your search engine, etc.


Hijack.ControlPanelStyle ForceClassicControlPanel

Let's say you run Malwarebytes and get this alert.

Hijack.ControlPanelStyle, HKU\...\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceClassicControlPanel, 1, , [...]

All by itself this is likely just a false positive, since ForceClassicControlPanel is simply a true/false (1/0) value that determines whether you use the newer-style Control Panel view or the Classic View. If it showed up alongside a bunch of other infections, then perhaps it could be related, as this setting shows up with infections that force the classic Control Panel, making it harder to navigate around and remove the malware.


Scripting Website Screenshot Captures

cutycapt is a nice tool that can allow you to script or automate collecting screenshots of websites.

As an example, after you download or install cutycapt (or use an OS like Kali that already has it installed) then you type

cutycapt --url=http://neonprimetime.blogspot.com --out=neo.png



And boom you have a screenshot in a png file.



Now add this command to a Python script, for example, and you could in theory grab screenshots of an entire website if needed.
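One way to wrap that command in Python, as an added example that is not from the original post: it uses only the `--url` and `--out` options shown above, and the helper names and the sample URL list are assumptions made up for illustration.

```python
import re
import subprocess
from urllib.parse import urlsplit

def output_name(url):
    """Derive a filesystem-safe PNG name from a URL (host plus path, query ignored)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    raw = parts.hostname + parts.path.rstrip("/")
    # Replace anything outside a small allow-list so no path separators survive.
    return re.sub(r"[^A-Za-z0-9.-]+", "_", raw).strip("_") + ".png"

def build_command(url):
    """Argument list for cutycapt; no shell is involved, so URL metacharacters stay inert."""
    return ["cutycapt", "--url=" + url, "--out=" + output_name(url)]

def capture_all(urls, timeout=60):
    """Run cutycapt once per URL and return {url: 'ok' or 'failed: ...'}."""
    results = {}
    for url in urls:
        try:
            subprocess.run(build_command(url), check=True, timeout=timeout)
            results[url] = "ok"
        except (ValueError, OSError, subprocess.SubprocessError) as exc:
            # Bad URL, cutycapt missing, non-zero exit, or timeout.
            results[url] = "failed: %s" % exc
    return results

# Constructed sample list; replace with the pages you need to capture.
SAMPLE_URLS = [
    "http://neonprimetime.blogspot.com",
    "http://neonprimetime.blogspot.com/2016/01/",
]

if __name__ == "__main__":
    for url, status in capture_all(SAMPLE_URLS).items():
        print(url, "->", status)
```

Passing the arguments as a list rather than a shell string matters when the URL list comes from a crawl or a ticket, since characters such as `;` or `&` in a URL are then never interpreted by a shell.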


Wednesday, January 20, 2016

Dridex 120205 Letter-response A3 2-2 Tim@plan4print.co.uk

Dridex email with VBA Macro Microsoft Word attachment seen this morning.


Attachment was 120205 Letter-response A3 2-2.doc
sender Tim Speed
Subject Emailing: 120205 Letter-response A3 2-2
callouts to hxxp://www.lassethoresen.com

dynamoo blogs a bit about it here


Tuesday, January 19, 2016

User-Agent: Python-urllib/2.7

If you've ever seen an HTTP request like this in your logs and wondered what it is:

GET / HTTP/1.1
Accept-Encoding: identity
Host: www.mywebsite.com
Connection: close
User-Agent: Python-urllib/2.7


The most common explanation, based on the user-agent, is that somebody wrote a Python script (or is using somebody else's) that is hitting your website. You can learn more about urllib2 at this link. It states that "By default urllib2 identifies itself as Python-urllib/x.y", which is what you see here: somebody has Python 2.7 installed and ran a command or script that used that library's default user-agent string when connecting.

Whether it's malicious or not is another story. It could be a security researcher just doing his thing and saving the world, or it could be a bad guy doing recon on or poking/prodding your site, or it could be some joe-blow script kiddie just grabbing somebody else's script and experimenting across the Internet.
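To help with that judgement, the following added example (not from the original post) pulls every request carrying the default urllib user-agent out of a web access log and groups it by source IP. It assumes Apache/nginx combined log format; the log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# urllib2's default identifier is Python-urllib/x.y
URLLIB_RE = re.compile(r'^Python-urllib/(?P<ver>\d+\.\d+)$')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jan/2016:08:01:10 -0600] "GET / HTTP/1.1" 200 5120 "-" "Python-urllib/2.7"
198.51.100.7 - - [19/Jan/2016:08:01:11 -0600] "GET /admin/ HTTP/1.1" 404 312 "-" "Python-urllib/2.7"
198.51.100.7 - - [19/Jan/2016:08:01:11 -0600] "GET /backup.zip HTTP/1.1" 404 312 "-" "Python-urllib/2.7"
203.0.113.20 - - [19/Jan/2016:08:02:40 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0"
192.0.2.44 - - [19/Jan/2016:08:05:02 -0600] "GET /feed.xml HTTP/1.1" 200 2048 "-" "Python-urllib/2.7"
"""

def summarize_urllib_clients(log_text):
    """Group requests carrying the default urllib user-agent by source IP."""
    clients = defaultdict(lambda: {"requests": 0, "paths": set(),
                                   "not_found": 0, "versions": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ua = URLLIB_RE.match(m.group("ua"))
        if not ua:
            continue  # some other client
        c = clients[m.group("ip")]
        c["requests"] += 1
        c["paths"].add(m.group("path"))
        c["versions"].add(ua.group("ver"))
        if m.group("status") == "404":
            c["not_found"] += 1  # many 404s suggests guessing at paths
    return dict(clients)

if __name__ == "__main__":
    for ip, c in sorted(summarize_urllib_clients(SAMPLE_LOG).items()):
        print(ip, c["requests"], "requests,", c["not_found"], "x 404,",
              "paths:", sorted(c["paths"]))
```

A source that fetches one feed URL looks very different from one that walks several non-existent paths in a second. The header is client-controlled, so this only finds scripts that left the default in place.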


Split Linux/Putty into 2 screens

Just wanted to share some Linux 101 basics. Ever been in a Linux/PuTTY session and wanted to split it into 2 screens so you can do 2 tasks at a time?

As an example, in 1 screen you want to run some backups which are going to take a while, while in the other screen you want to do some actual work.

Type screen to start the screen program



Hit Ctrl-a then let go of those keys and hit upper case S to split the screen into 2



Hit Ctrl-a then let go of those keys and hit Tab to move your cursor to the 2nd screen



Hit Ctrl-a then let go of those keys and hit lowercase c to start a 2nd screen in that bottom window



Now you're free to Ctrl-a Tab back and forth between the 2 screens while doing 2 different tasks.
