Tuesday, July 23, 2013

"Master key" Exploit Scanner

Google has released a patch for the master key vulnerability to third-party Android device makers, but Google's own Nexus devices still remain vulnerable to master key exploits. Android users are advised not to download apps from third-party app markets. You can use the Python version of the scanner (download link) to check apps for exploits of this vulnerability.

A simple web search will give details about this vulnerability.

Download the Python version of the scanner:
MasterKey Exploit Scanner

I recommend developing an Android version of this simple tool to use on your Android phone.
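The check such a scanner performs, as an added example that is not the scanner linked above: the reported master key exploits depend on an APK (a ZIP archive) carrying two entries with the same name, so that the signature verifier and the installer read different copies. The sample APK below is constructed in memory; `find_duplicate_entries` and `is_suspicious` are names chosen here.

```python
"""Scan an APK (a ZIP archive) for duplicate entry names.

Added example, not the scanner the post links to.  The "master key" exploits
reported in 2013 rely on an APK carrying two entries with the same name, so
that the signature verifier and the installer read different copies.  Normal
build tools never emit duplicate names, so their presence alone is a reliable
indicator."""
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(apk_bytes):
    """Return {name: [(uncompressed_size, crc32), ...]} for every entry name
    that appears more than once in the central directory."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():          # infolist() keeps every entry, even repeats
            seen[info.filename].append((info.file_size, info.CRC))
    return {name: copies for name, copies in seen.items() if len(copies) > 1}


def is_suspicious(apk_bytes):
    """True when any entry name is duplicated.  Copies that differ in size or
    CRC are the exploit pattern; identical copies are flagged too, since the
    verifier and installer may still disagree on which one wins."""
    return bool(find_duplicate_entries(apk_bytes))


def build_sample_apk(with_duplicate):
    """Constructed sample: a tiny APK-like ZIP.  When with_duplicate is set, a
    second classes.dex with different contents is appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)      # the copy that was signed
        if with_duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")                     # zipfile warns on a repeated name
                zf.writestr("classes.dex", b"dex\n035\0" + b"A" * 104)  # the copy an installer might run
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        apk = build_sample_apk(flag)
        print(find_duplicate_entries(apk), "->", "SUSPICIOUS" if is_suspicious(apk) else "clean")
```

Run it against real APKs by passing the file contents to `is_suspicious`; a clean archive returns an empty dictionary from `find_duplicate_entries`.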

Wednesday, May 15, 2013

How to remove qvo6?

This blog post will help you remove the Qvo6.com adware from the Chrome, Firefox and Internet Explorer web browsers.

Qvo6 adware gets installed on your machine bundled with many freeware programs. This adware is a browser hijacker that changes your browser home page to www.Qvo6.com.

The same website also opens in every new tab you open in your browser.

1. Uninstall the freeware that installs the Qvo6 adware:

a. Open Control Panel > Programs and Features

b. Then search for the programs eSave Security Control, Qvo6 toolbar, New Tabs Uninstall, Desk 365 or BrowserProtect and uninstall them.

2. Remove from program shortcuts:

a. Right-click the shortcut for Firefox, Chrome or Internet Explorer and select Properties from the context menu. In the Target field, remove "http://www.qvo6.com/?utm_source=b&utm_medium=tti&.." from the end of the target.

b. Click Apply to save the changes.

3. Remove from Windows Registry:

a. Click Start > Run and type REGEDIT

For Firefox:

b. Go to the Registry key

"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command"

c. In the right pane, find the (Default) value and edit its data to remove "http://www.qvo6.com/?utm_source=b&utm_medium=tti&.." from it.

For Chrome:

b. Go to the Registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command

c. In the right pane, find the (Default) value and edit its data to remove "http://www.qvo6.com/?utm_source=b&utm_medium=tti&.." from it.

For Internet Explorer:

b. Go to the Registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

c. In the right pane, find the (Default) value and edit its data to remove "http://www.qvo6.com/?utm_source=b&utm_medium=tti&.." from it.

d. Go to the Registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN

e. In the right pane, edit every value whose data contains "http://www.qvo6.com/?utm_..." and remove that URL.
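The steps above edit each launch command and shortcut target by hand. As an added example that is not part of the original post, the script below performs the same check and clean-up over the values as strings: it splits each command line, flags any argument whose host is qvo6.com (or a subdomain), and returns the value with that argument removed. The registry data is a constructed sample in the shape the post describes; on a real machine you would read each value from the keys listed above, run `audit()` on them, and write back the cleaned data.

```python
"""Audit browser launch commands and shortcut targets for a Qvo6 hijack.

Added example, not part of the original post.  SAMPLE_VALUES is constructed
to mirror the registry values the post tells you to edit."""
import shlex
from urllib.parse import urlparse

HIJACK_DOMAIN = "qvo6.com"

# Constructed sample: value location -> its data, modelled on the post's steps.
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(Default)":
        r'"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.qvo6.com/?utm_source=b&utm_medium=tti',
    r"HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command\(Default)":
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page":
        "http://www.qvo6.com/?utm_source=b&utm_medium=tti",
}


def is_hijack_url(token):
    """True for any URL whose host is qvo6.com or a subdomain of it."""
    host = (urlparse(token).hostname or "").lower()
    return host == HIJACK_DOMAIN or host.endswith("." + HIJACK_DOMAIN)


def split_args(data):
    """Split a Windows command line into tokens, keeping quoted paths intact."""
    return shlex.split(data, posix=False)   # non-POSIX mode: backslashes are not escapes


def contains_hijack(data):
    """True when any argument of the command line is a hijack URL."""
    return any(is_hijack_url(t) for t in split_args(data))


def clean_command(data):
    """Drop every hijack-URL argument; a value that is only the URL becomes empty."""
    return " ".join(t for t in split_args(data) if not is_hijack_url(t))


def audit(values):
    """Return {location: cleaned_data} for just the values that carry the hijack."""
    return {loc: clean_command(data) for loc, data in values.items() if contains_hijack(data)}


if __name__ == "__main__":
    for loc, fixed in audit(SAMPLE_VALUES).items():
        print("hijacked:", loc, "\n   set to:", repr(fixed))
```

Matching on the URL's host rather than on the substring "qvo6" avoids false positives on a legitimate argument that merely mentions the name, and catches variants hosted on a subdomain. For a home-page value that comes back empty, set it to the page you actually want.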

Friday, June 15, 2012

PE Skeleton Spread Sheet

PE structure quick-reference sheet for virus analysts.
-f00l!sh

Wednesday, August 10, 2011

Combating Packers and cryptors through Memory Scanning

These days almost all malware is protected by packers or cryptors to hide it from security scanners. Malware analysts waste a lot of time analyzing the same malware variant protected by different packers. Memory scanning can be employed against such samples, because the protected code has to be unpacked in memory before it can run.

Vejovis is a project that was started to develop a user-mode memory scanning tool, "MeMMoN - A Process Memory Scanning Tool". It scans the memory of all the processes in the system. It can be downloaded from the link below.

Download Link
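The core of a memory scanner is a signature match over each process region, and the reason it beats a file scanner is that the packed layer is gone in memory. As an added example that is not MeMMoN's code, the script below implements a wildcard byte-signature scanner and runs it over two constructed regions: the same payload XOR-"packed" as it would sit on disk, and unpacked as it must be in memory. The payload, signatures and addresses are made up for the demonstration.

```python
"""Signature scan over process memory regions, with wildcard bytes.

Added example, not MeMMoN's code.  Regions, payload and signatures are
constructed in-process so the script runs offline."""


def parse_signature(text):
    """'E8 ?? ?? ?? ?? 5D' -> [0xE8, None, None, None, None, 0x5D]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def scan_region(data, sig):
    """Return every offset in data at which sig matches."""
    hits, n, first, start = [], len(sig), sig[0], 0
    while start + n <= len(data):
        # Jump straight to the next candidate when the first byte is fixed.
        i = data.find(bytes([first]), start) if first is not None else start
        if i < 0 or i + n > len(data):
            break
        if all(s is None or data[i + k] == s for k, s in enumerate(sig)):
            hits.append(i)
        start = i + 1
    return hits


def scan_process(regions, signatures):
    """regions: [(base_address, bytes)]; returns [(signature_name, virtual_address)]."""
    findings = []
    for base, data in regions:
        for name, sig in signatures.items():
            findings.extend((name, base + off) for off in scan_region(data, sig))
    return findings


def xor_pack(blob, key):
    """Stand-in for a packer's encryption layer (XOR is symmetric, so it also unpacks)."""
    return bytes(b ^ key for b in blob)


# Constructed payload: a call/pop get-PC stub followed by a marker string.
PAYLOAD = bytes.fromhex("e800000000 5d 81ed10000000") + b"botnet-marker"

SIGNATURES = {
    "getpc-stub": parse_signature("E8 ?? ?? ?? ?? 5D 81 ED"),
    "marker-string": parse_signature(" ".join("%02X" % b for b in b"botnet-marker")),
}

# What a file scanner sees (the packed image) versus what a memory scanner sees
# (the unpacked copy the process actually executes).
ON_DISK_REGION = (0x00400000, xor_pack(PAYLOAD, 0x5A))
IN_MEMORY_REGION = (0x00E00000, PAYLOAD)


if __name__ == "__main__":
    print("file scan:  ", scan_process([ON_DISK_REGION], SIGNATURES))
    print("memory scan:", scan_process([ON_DISK_REGION, IN_MEMORY_REGION], SIGNATURES))
```

A real scanner would obtain `regions` by enumerating a process's committed, readable pages; the matching logic stays the same.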


Friday, March 18, 2011

Reversing Android Applications

In recent weeks we have been witnessing a massive increase in the amount of malware for Android phones. Most of this malware sends SMS messages to premium-rate numbers. Before getting into reversing Android applications, let us see how they are built. The Android OS is based on a modified Linux kernel, and Android uses the Dalvik Virtual Machine (DVM) to execute all Android applications.

Android applications are developed in Java with the Android SDK. The dx tool included in the SDK transforms Java .class files into an Android .dex (Dalvik Executable) file. The .dex file is then archived with zip, together with the resource files, to form the .apk (Android package) file. To get the .dex file and the rest of the application's resource files, unzip the .apk file.

Unlike Windows PE files, with Android you can recover the source code of an application from the available .apk file. Here we are going to employ a trick through which we can get the source code of Android apps.
The first step is converting the .apk file to a .jar (Java archive). Then a Java decompiler is used to get the source of the class files that were transformed into the .dex file and later packed into the .apk file.

To convert .apk to .jar we can use Dex2Jar (a Google Code project):

> Dex2Jar <file name>

Finally we can use a Java decompiler to get the Java source code.
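The first step of the pipeline, unzipping the .apk and pulling out classes.dex, can be done in a few lines, and it is worth parsing the .dex header before handing the file to Dex2Jar: it tells you how many strings, methods and classes to expect, and its checksum and signature fields reveal a file that was hand-edited after the build. The script below is an added example, not Dex2Jar or decompiler code; the APK and its header-only classes.dex are constructed in memory, and a real file carries the same 0x70-byte header in front of its tables.

```python
"""Pull classes.dex out of an APK and parse its header.

Added example, not dex2jar or decompiler code.  The sample APK is constructed
in memory with a minimal, header-only classes.dex."""
import hashlib
import io
import struct
import zipfile
import zlib

HEADER = struct.Struct("<8sI20s" + "I" * 20)       # 0x70 bytes
FIELDS = ["magic", "checksum", "signature", "file_size", "header_size", "endian_tag",
          "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off"]


def extract_dex(apk_bytes, name="classes.dex"):
    """An .apk is a zip: read the Dalvik executable straight out of it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def parse_dex_header(dex):
    """Return the header fields plus integrity results.  The adler32 checksum
    covers everything after itself (offset 12) and the SHA-1 signature covers
    everything after itself (offset 32)."""
    if len(dex) < HEADER.size:
        raise ValueError("file shorter than a dex header")
    hdr = dict(zip(FIELDS, HEADER.unpack_from(dex)))
    magic = hdr["magic"]
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\0")):
        raise ValueError("not a dex file: %r" % magic)
    hdr["version"] = magic[4:7].decode("ascii")
    hdr["checksum_ok"] = zlib.adler32(dex[12:]) == hdr["checksum"]
    hdr["signature_ok"] = hashlib.sha1(dex[32:]).digest() == hdr["signature"]
    hdr["endian_ok"] = hdr["endian_tag"] == 0x12345678
    return hdr


def build_sample_dex():
    """Constructed header-only dex (no classes): all table sizes zero, data at 0x70."""
    values = {f: 0 for f in FIELDS}
    values.update(magic=b"dex\n035\0", signature=b"\0" * 20, file_size=HEADER.size,
                  header_size=HEADER.size, endian_tag=0x12345678, data_off=HEADER.size)
    raw = bytearray(HEADER.pack(*(values[f] for f in FIELDS)))
    raw[12:32] = hashlib.sha1(raw[32:]).digest()             # signature first ...
    struct.pack_into("<I", raw, 8, zlib.adler32(raw[12:]))   # ... then checksum over it
    return bytes(raw)


def build_sample_apk():
    """Constructed APK-like zip holding the sample dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", build_sample_dex())
    return buf.getvalue()


if __name__ == "__main__":
    hdr = parse_dex_header(extract_dex(build_sample_apk()))
    for key in ("version", "file_size", "class_defs_size", "checksum_ok", "signature_ok"):
        print("%-16s %r" % (key, hdr[key]))
```

On a real sample, replace `build_sample_apk()` with the bytes of the downloaded .apk; a failed checksum or signature check means the .dex was modified after it was built, which is worth noting before decompiling.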


References:
http://www.android.com/
http://developer.android.com/guide/basics/what-is-android.html
http://en.wikipedia.org/wiki/Android_%28operating_system%29
http://www.dalvikvm.com/
http://java.decompiler.free.fr/
http://code.google.com/p/dex2jar/

Wednesday, November 10, 2010

Windows "DbgHelp.dll" Export name stack overflow vulnerability

A vulnerability in the Microsoft Windows XP Dbghelp.dll (version 5.x) has been exploited by malware to thwart debugging by researchers. Dbghelp.dll is the Windows Image Helper dynamic-link library, and it is used by almost all debuggers and disassemblers. The code that reads an export function name fails to check the name's length before copying the data onto the stack.

Malware authors have exploited this remote code execution vulnerability with a specially crafted executable whose export table is malicious. The exploit causes OllyDbg to exit while it is loading the executable. Certain IRC bots come with this anti-debugging (anti-loading) protection. The latest version of OllyDbg still ships with the vulnerable DLL.

To exploit this vulnerability the export function name must be longer than 2104 bytes. The interesting thing is that malware is now appearing with export function names longer than this. The malware which I have seen had a TLS callback function. The malware author tried to hide this exploitation trick by setting a TLS callback function so as to make us think the anti-debugging trick lies in the TLS function. The IDA Pro debugger version 5.1.x itself uses Dbghelp.dll version 6.x. I don't know what version of this DLL other debuggers are using.

I kindly request malware reversers, particularly those who use OllyDbg to reverse malware, to use the new version of Dbghelp.dll (6.x and above).
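Since the trigger is simply an export name longer than 2104 bytes, a sample can be checked for it before it is ever loaded into a debugger. The script below is an added example, not the post's tool: `long_export_names` walks a PE file's export name table and reports any name over the limit, and `build_sample_pe` constructs a minimal PE32 image with one section holding only an export table so the scanner can be exercised offline. The header offsets used are those of the standard PE32 layout; the section name, DLL name and export names are made up.

```python
"""Flag PE files whose export names are long enough to trigger the DbgHelp
export-name stack overflow (the post puts the trigger at names longer than
2104 bytes), so a sample can be vetted before loading it into a debugger that
still ships DbgHelp 5.x.

Added example, not the post's tool.  build_sample_pe() constructs a minimal
PE32 image; the scanner itself works on any PE32 or PE32+ file."""
import struct

NAME_LIMIT = 2104                               # threshold stated in the post
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")      # IMAGE_EXPORT_DIRECTORY, 40 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")     # IMAGE_SECTION_HEADER, 40 bytes


def _rva_to_offset(rva, sections):
    for _name, vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is outside every section" % rva)


def long_export_names(pe, limit=NAME_LIMIT):
    """Return [(name_index, length, first_16_chars)] for exports whose name is
    longer than limit.  An empty list means the export table cannot trip the bug."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)        # data directories: PE32 vs PE32+
    export_rva = struct.unpack_from("<I", pe, dir_off)[0]  # entry 0 = export table
    sec_off = opt + opt_size
    sections = [SECTION_HDR.unpack_from(pe, sec_off + 40 * i)[:5] for i in range(nsections)]
    if export_rva == 0:
        return []                                          # no exports at all
    ed = EXPORT_DIR.unpack_from(pe, _rva_to_offset(export_rva, sections))
    n_names, names_rva = ed[7], ed[9]                      # NumberOfNames, AddressOfNames
    names_off = _rva_to_offset(names_rva, sections)
    findings = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", pe, names_off + 4 * i)[0]
        off = _rva_to_offset(name_rva, sections)
        length = pe.index(b"\0", off) - off                # strlen of the C string
        if length > limit:
            findings.append((i, length, pe[off:off + 16].decode("latin-1")))
    return findings


def build_sample_pe(export_names):
    """Constructed PE32 with one section: export dir | func RVAs | name RVAs | ordinals | strings."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(export_names)
    funcs_off = EXPORT_DIR.size
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    str_off = ords_off + 2 * n
    strings, name_rvas = b"sample.dll\0", []
    for nm in export_names:
        name_rvas.append(sec_rva + str_off + len(strings))
        strings += nm.encode("ascii") + b"\0"
    body = EXPORT_DIR.pack(0, 0, 0, 0, sec_rva + str_off, 1, n, n,
                           sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off)
    body += struct.pack("<%dI" % n, *([sec_rva] * n))      # function RVAs (never followed here)
    body += struct.pack("<%dI" % n, *name_rvas)
    body += struct.pack("<%dH" % n, *range(n))
    body += strings
    body += b"\0" * (-len(body) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_rva, len(body))   # export data directory
    sec = SECTION_HDR.pack(b".edata\0\0", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + sec
    return headers + b"\0" * (sec_raw - len(headers)) + body


if __name__ == "__main__":
    print("benign:", long_export_names(build_sample_pe(["DllMain", "Init"])))
    print("trap:  ", long_export_names(build_sample_pe(["Init", "A" * 3000])))
```

Feed `long_export_names` the bytes of a suspect file before opening it in OllyDbg; anything it reports is a sample to load only under a debugger whose Dbghelp.dll is 6.x or newer.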