Month: June 2015

PunkSPIDER, the crawler that scanned the Dark Web


Security experts have developed PunkSPIDER, a Tor crawler that has already scanned more than 7,000 domains and discovered numerous vulnerabilities.
We have discussed several times the Tor anonymizer network and the way it is exploited by criminal crews to sell all kinds of illegal products and services.

Last week, an automated scanner dubbed PunkSPIDER was launched in the Tor network to uncover security issues in hidden services.

PunkSPIDER, the crawler that scanned the Dark Web

PunkSPIDER was developed by the hackers Alejandro Caceres and Amanda Towler in an effort to improve the overall security of the services hosted on the popular anonymizing network.

We’re just beginning, but the potential of PunkSPIDER is remarkable. A few years ago I developed something similar, the Artemis Project, and I strongly believe that such a project can provide amazing results.

PunkSPIDER scanned about 7,000 .onion domains in only three hours.

“You might notice that’s not a lot of sites. If there’s one thing we’ve learned from Memex it’s that the number of Hidden Services [sites that hide their server location using the Tor network] up at any time has been greatly overestimated,” Caceres told Forbes.

The experts made the results of the crawling activity available in a Google-like search tool; such results could aid security experts and law enforcement in the fight against illegal activities in the Dark Web. A security hole discovered in a hidden service could be exploited by hackers to compromise the website and investigate its operators.

The experts provided as example the case of one vulnerable site crawled by the PunkSPIDER that contained “a weird subset of child porn”.

PunkSPIDER, the crawler that scanned the Dark Web

“After looking through them there is at least one that we’d like to share with law enforcement before releasing it publicly.” Caceres told FORBES.

Let’s take a look at the findings of the scan made by the researchers: of the 7,000 scanned domains, nearly 2,100 were affected by more than 50 security vulnerabilities.
“Of those 2,100 sites roughly 50 had vulnerabilities, with 100 flaws uncovered in total. This is lower than our normal dataset, I suspect because many .onion sites are just single-page websites with static HTML on them and hardly any kind of attack surface on the application side. Some sites were also just totally blank,” said Caceres.



Zeus Banking Trojan Variant Goes Completely Undetected


A variant of Zeus banking Trojan found recently by malware analysts emerged totally invisible to antivirus engines at the time of the assessment.

Zeus, also known as Zbot, is well known in the security industry since 2007 and made millions of victims since. Its versatility allowed the creation of Gameover Zeus (GoZ), which captured banking information and was also used to distribute CryptoLocker ransomware.

The activity of both GoZ and Cryptolocker was disrupted in early June 2014, during Operation Tovar, an effort involving multiple law enforcement agencies and private security firms.

Detection is bound to increase quickly

Stephen Ramage from PricewaterhouseCoopers discovered that the latest version of Zeus was delivered via the Neutrino exploit kit, a web-based attack tool that mostly takes advantage of unpatched versions of the Flash Player browser plugin to deliver a malicious payload.

The researcher learned that the sample was a variant of Zeus by running it through the analysis platform at, which showed that it created mutexes matching the banking Trojan.

Zeus Banking Trojan Variant Goes Completely Undetected

Uploading the sample to VirusTotal showed that none of the antivirus products in the collection could identify the piece of malware.

Things have changed since then, as reports indicate that at least one security solution at VirusTotal now flags the file.

Recently registered domain indicates a fresh campaign

Ramage’s research also revealed that the check-in response from Neutrino includes base64-encoded data pointing to a domain (sells-store[.]com) registered on June 1, indicating that the malicious campaign is new.

He also found that the registrant’s name, Wuxi Yilian LLC, has been used for taking other domains, many of them used for malicious purposes.

Ramage released signatures for the Suricata and Snort IDS (Intrusion Detection System) covering both the second-stage infection, when the executable is downloaded, and the contact Zeus makes with its command-and-control (C&C) server.


‘MEDJACK’ tactic allows cyber criminals to enter healthcare networks undetected


This year has already been marked by data breaches at multiple major healthcare organizations, including CareFirst BlueCross BlueShield and Anthem. While these providers have pointed to various causes and attacks as the source of their compromises, it has not yet become prominent news that medical organizations’ devices might be the true culprit behind many already-discovered and soon-to-be-discovered breaches.

A report from TrapX found that a majority of organizations are vulnerable, if not already victims of, MEDJACK, or “medical device hijack.” Essentially, the company wrote, attackers maneuver through healthcare systems’ main networks by initially exploiting outdated and unpatched medical devices, such as an X-ray scanner or blood gas analyzer. They build backdoors into the systems through these internet-connected devices.

TrapX published a report on "medical device hijack," or MEDJACK, which allows attackers to build backdoors into healthcare providers' networks

“Our scientists have observed that you could manufacture an attack, designed specifically for several models of a specific medical device, and then launch that attack,” wrote Carl Wright, general manager at TrapX, in an email to “That, combined with the difficulty in diagnosis and remediation, and the very high value of healthcare data, create a near-perfect target for organized crime.”

Through various case studies, TrapX found that while many hospitals, for example, maintain solid IT departments with firewalls and other security solutions, these vulnerable medical devices are often left without patching. Generally, the security team is unable to fully view the device console or operating system, and because these machines often run for days, there’s never a time to disconnect them entirely.

Plus, most defense suites don’t protect the devices, and even if they did, TrapX wrote, things can get messy when unanticipated security software is added to a device. It could impact FDA approval or create additional liability for the hospital.

“Every malware infection that connects a network to an outside attack, in the United States, is a serious event and most likely would be categorized by that healthcare institution as a security event under their HIPAA operating procedures,” Wright said. “Given that patient data is at risk, the medical device manufacturer needs to indicate exactly how they will respond to mitigate the situation so that a data breach can be contained or stopped, and normal hospital operations can resume.”

Wright noted that healthcare organizations, once aware of the MEDJACK threat, need to devise a security strategy. Additionally, professionals should ask the device vendors how they support and can help mitigate these attacks. Ask if they are using digitally signed software, he said, and evaluate the devices’ lifecycles to determine whether it might be time to purchase new products.

This is not a problem going away any time soon, Wright said. Nearly every time his team went into a healthcare institution, it found instances of MEDJACK, which, more often than not, were unknown to the administrative and IT teams.


Locker ransomware author quickly apologizes, decrypts victims’ files


Almost as quickly as reports of new ransomware, dubbed “Locker,” prompted security experts to warn users of the threat, the author of the malware posted a message on Pastebin apologizing for the resulting scams.

Along with their apology posted on Saturday, the malware author “Poka BrightMinds” also dumped the complete database of the malware’s decryption keys, so that victims could restore their “locked” files. The author added that automatic decryption of some files would start on Tuesday at midnight, and that, as of the posting, “most of the keys weren’t even used,” but that “all distribution of new keys has been stopped.”

Details about the Locker ransomware surfaced last week, after a lengthy thread on, which discussed the malware and included screenshots of the warning messages to victims.

Symantec, which analyzed ransom payments made via Bitcoin, said that the author only made $169 from victims before closing up shop.

In Tuesday email correspondence with, security researcher Lawrence Abrams, the creator and owner of, confirmed that “the Locker developer kept their promise and decrypted everyone who was still infected for free,” that day.

Locker was previously known to run silently on victims’ computers until it was activated. At that point, the malware would employ RSA encryption to lock users’ files.

Symantec, which analyzed the ransom payments victims made via Bitcoin, said in a Tuesday blog post that the author only made $169 from victims before closing up shop, speculating that “the sudden change of heart” by the author may have been brought on for a number of reasons, such as fear that law enforcement were on their tracks, that the risk of getting caught was not worth their earnings, or that the command-and-control infrastructure for the malware itself was compromised.

Another option?

“The malware author actually regretted their actions,” Symantec added.

“Crypto ransomware malware authors have been known in the past to have a conscience, as we highlighted in an earlier blog: ‘OMG a Ransomcrypt Trojan with a Conscience!’” the blog post said.


How to prevent infection by malware such as CryptoLocker and other ransomware without the help of antivirus


You can easily protect against malware such as CryptoWall, TeslaCrypt, Alpha Crypt, CryptoDefense, Locker and other ransomware with the help of Software Restriction Policies, according to information security services professionals.
Software Restriction Policies (SRP) let us prevent the execution of software or malware through the network’s group policies. We are going to implement Software Restriction Policies (SRP) to block executable files such as ransomware or the Locker malware in specific locations, following the ethical hacking training given in Mexico. Any network administrator can implement group policies together with SRP. This gives more control over the software a network user can install.



A digital forensics expert explains that to open the Local Security Policy editor, click the Start button, type local security policy and select the search result that appears.

Expand Security Settings and then click the Software Restriction Policies section. If you do not see the items in the right pane, as shown above, you will need to add a new policy. To do so, click the Action button and select New Software Restriction Policies. This enables the policy and the right pane will look like the image above. Next, click the Additional Rules category, right-click in the right pane and select New Path Rule. You then need to add a path rule for each of the items listed below.


Path Rule

Below are some suggested path rules that are used not only to block infections from running, but also to block email attachments from being executed when they are opened in a mail client.

We are going to create the rules that will match the software on which you want to apply a restriction.


Under New Path Rule, enter %AppData%\*.exe.

Under Security level, select ‘Disallowed’.

Enter the description: Don’t allow executables to run from %AppData%.


Under New Path Rule, enter %ProgramData%\*.exe.

Under Security level, select ‘Disallowed’.

Enter the description: Don’t allow executables to run from %ProgramData%.



Under New Path Rule, enter %LocalAppData%\*.exe for Windows 7/8/Vista.

%UserProfile%\Configuración\*.exe for Windows XP.

Under Security level, select ‘Disallowed’.

Enter the description: Don’t allow executables to run from %LocalAppData%.



Under New Path Rule, enter %LocalAppData%\Temp\Rar*\*.exe for Windows 7/8/Vista.

%UserProfile%\Configuración\Temp\Rar*\*.exe for Windows XP.

Under Security level, select ‘Disallowed’.

Enter the description: Don’t allow executables to run from WinRAR.


Under New Path Rule, enter %LocalAppData%\Temp\7z*\*.exe for Windows 7/8/Vista.

%UserProfile%\Configuración\Temp\7z*\*.exe for Windows XP.

Under Security level, select ‘Disallowed’.

Enter the description: Don’t allow executables to run from 7-Zip.



Under New Path Rule, enter %LocalAppData%\Temp\wz*\*.exe for Windows 7/8/Vista.

%UserProfile%\Configuración\Temp\wz*\*.exe for Windows XP.

Under Security level, select ‘Disallowed’.

Enter the description: Don’t allow executables to run from WinZip.



Under New Path Rule, enter %LocalAppData%\Temp\*.zip\*.exe for Windows 7/8/Vista.

%UserProfile%\Configuración\Temp\*.zip\*.exe for Windows XP.

Under Security level, select ‘Disallowed’.

Enter the description: Don’t allow executables to run from the Windows built-in Zip.

Some legitimate applications may stop working. This is because some companies mistakenly install their applications under a user’s profile instead of in the Program Files folder where they belong, according to information security services professionals. Because of this, the software restriction policies will prevent those applications from running.

If a software restriction policy is blocking a legitimate program, you will need to create a path rule for that specific program’s executable and set its security level to Unrestricted.
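The steps above can also be scripted. The following is an added example, not code from the original article or its author: it writes the same path rules the article has you enter by hand, using the registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers that the Local Security Policy editor itself writes (level subkey, Paths subkey, one GUID-named key per rule with ItemData, SaferFlags, Description and LastModified values). That layout, the minimal set of policy-level values written by Initialize-SrpPolicy, and the per-user program path used for the Unrestricted exception are assumptions of this example. Run it from an elevated PowerShell session on a machine where you are allowed to change local policy.

```powershell
# Added example (not from the article): create Software Restriction Policy
# path rules from PowerShell. Assumption: the SRP registry layout
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<GUID>
# with values ItemData, SaferFlags, Description, LastModified. Run elevated.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SAFER_LEVELID_DISALLOWED   ("Disallowed" in the editor)
$Unrestricted = 0x40000  # SAFER_LEVELID_FULLYTRUSTED ("Unrestricted" in the editor)

function Initialize-SrpPolicy {
    # Counterpart of "Action > New Software Restriction Policies". Only needed
    # when no policy exists yet, which shows as a missing DefaultLevel value.
    # Assumption: these three values are enough for a working default policy
    # (the GUI additionally writes an ExecutableTypes list).
    $existing = $null
    if (Test-Path $SaferRoot) {
        $existing = Get-ItemProperty -Path $SaferRoot -Name DefaultLevel -ErrorAction SilentlyContinue
    }
    if ($null -eq $existing) {
        New-Item -Path $SaferRoot -Force | Out-Null
        New-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $Unrestricted -PropertyType DWord -Force | Out-Null  # everything allowed unless a rule says otherwise
        New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1             -PropertyType DWord -Force | Out-Null  # enforce for all software files except libraries
        New-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0             -PropertyType DWord -Force | Out-Null  # apply to all users, including administrators
    }
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Description,
        [int]$Level = $Disallowed
    )
    # Level subkeys are named with the decimal level id, e.g. "0" or "262144".
    $key = Join-Path $SaferRoot ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %AppData% and friends expand per user at check time.
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $key
}

function Get-SrpPathRule {
    # Read every path rule back, unexpanded, so the policy can be reviewed or audited.
    foreach ($levelKey in Get-ChildItem -Path $SaferRoot -ErrorAction SilentlyContinue) {
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            [pscustomobject]@{
                Level       = [int]$levelKey.PSChildName
                Path        = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Description = $rule.GetValue('Description', '')
            }
        }
    }
}

# The article's rules, using the Vista/7/8 variable names.
$BlockRules = @(
    @{ Path = '%AppData%\*.exe';                 Description = 'Block executables running from %AppData%' },
    @{ Path = '%ProgramData%\*.exe';             Description = 'Block executables running from %ProgramData%' },
    @{ Path = '%LocalAppData%\*.exe';            Description = 'Block executables running from %LocalAppData%' },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe';  Description = 'Block executables opened straight from WinRAR' },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';   Description = 'Block executables opened straight from 7-Zip' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';   Description = 'Block executables opened straight from WinZip' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Description = 'Block executables opened straight from Windows Zip' }
)

Initialize-SrpPolicy
foreach ($r in $BlockRules) {
    Add-SrpPathRule -Path $r.Path -Description $r.Description -Level $Disallowed | Out-Null
}

# The article's last step: an Unrestricted rule for one legitimate program that
# installs under the user profile. Hypothetical path, constructed for this example.
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\example.exe' `
                -Description 'Allow a legitimate per-user install' -Level $Unrestricted | Out-Null

Get-SrpPathRule | Sort-Object Level, Path | Format-Table -AutoSize
```

The Unrestricted exception works because SRP gives a more specific path rule precedence over a more general one, so the single-file rule wins over the `%LocalAppData%\*.exe` block without weakening it for anything else. Keep the exception list narrow and review the output of `Get-SrpPathRule` periodically: every Unrestricted path is a place from which a dropped executable will run.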

Mike Stevens, an ethical hacking training instructor, mentions that there is a new kit for dealing with the ransomware problem and that it is available to everyone. You can read more about the ransomware removal kit here.



Facebook, Twitter, Instagram, YouTube hit by Linux/Moose Malware


ESET researchers caught Linux/Moose, a malware family primarily targeting Linux-based consumer routers, but also known to infect other Linux-based embedded systems. Once infected, the compromised devices are used to steal unencrypted network traffic and offer proxying services for the botnet operator. You can read more on this phenomenon in an in-depth security research paper titled ‘Dissecting Linux/Moose’ now available on ESET Ireland’s blog.

“In practice, these malicious capabilities are used to steal HTTP cookies to perform fraudulent actions on Facebook, Twitter, Instagram, YouTube and other sites, which include generating non-legitimate follows, views and likes.”

“Linux/Moose is a novelty when you consider that most embedded threats these days are used to perform DDoS attacks,” explains Olivier Bilodeau, Malware Researcher at ESET.

Facebook, Twitter, Instagram, YouTube hit by Linux/Moose Malware

What’s more, according to ESET researchers, this type of malware has the capabilities to reroute DNS traffic, which enables man-in-the-middle attacks from across the Internet. Moreover, the threat displays out-of-the-ordinary network penetration capabilities compared to other router-based malware. Moose also has DNS hijacking capabilities and will kill the processes of other malware families competing for the limited resources offered by the infected embedded system.

“Considering the rudimentary techniques Moose employs to gain access to other devices, it seems unfortunate that the security of embedded devices doesn’t seem to be taken more seriously by vendors. We hope that our efforts will help to better understand how the malicious actors are targeting their devices,” concludes Bilodeau.

ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin “VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organizations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. More information is available from the ESET Press Center.


Mac bug makes rootkit injection as easy as falling asleep


Respected Apple hacker Pedro Vilaça has uncovered a low-level zero day vulnerability in Mac computers that allows privileged users to more easily install EFI rootkits.

Vilaça says the attack, first thought to be an extension of previous research rather than a separate zero day, takes advantage of flash protections being left unlocked when machines go into sleep mode.

“Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle,” Vilaça says in a post.

“It means that you can overwrite the contents of your BIOS from userland a rootkit EFI without any other tricks other than a suspend-resume cycle, a kernel extension, flashrom, and root access.

Apple hacker reveals cracker 0day rootkit whacker

“The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access [provided] a suspend happens in the current session … you could probably force the suspend and trigger this, all remotely. That’s pretty epic ownage.”

Apple has been contacted for comment.

Flash locks are removed when machines enter a sleep state for about 30 seconds or more, allowing attackers to update the flash ROM contents, including EFI binaries, from userland.

Affected models include the MacBook Pro Retina, the MacBook Pro and the MacBook Air, each running the latest EFI firmware updates.

Some of the latest machines are not affected, leading Vilaça to think Apple is aware of the vulnerability.

“If they (Apple) indeed knew about the bug – because I don’t believe it’s a coincidence not working in latest machines – then they keep their pattern of not patching older versions,” he says.

The hacker has some tools that can be used to compare firmware against stock images in a bid to detect compromises, but it is not a complete defense against the attacks.

He says Apple should follow the lead of Google with its Chromebook and attempt to validate the integrity of underlying hardware, not just the software running on top.