CyberSecurity Malaysia launches its own DNSChanger detection page

CSM has just released another free service for checking whether the DNSChanger trojan is present. By simply visiting the following website you will be told whether your current PC/notebook is infected with the DNSChanger malware or not.

http://dnschanger.detect.my/

If your PC is clean you will see ‘Congratulation!’ on a green background; otherwise the page is shown with a red background. They also provide free removal tools for Mac and Windows users.
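The detection page answers one question for a visitor: does your traffic arrive through a rogue resolver? As an added example (not CyberSecurity Malaysia's code), the same check done locally against the host's own resolver configuration; the netblocks are placeholders, and the published DNSChanger rogue-resolver ranges would be substituted in practice.

```python
"""Local version of the question the detection page answers for a visitor:
is any configured DNS resolver inside a known rogue-resolver range?
Added example, not CyberSecurity Malaysia's code; ranges are placeholders."""
import ipaddress
import re

# Constructed placeholder netblocks (RFC 5737 test ranges): substitute the
# published DNSChanger rogue-resolver ranges before using this for real.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

def parse_resolv_conf(text):
    """Return the resolver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # skip malformed entries instead of aborting the check
    return servers

def rogue_resolvers(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Subset of resolvers that fall inside a rogue range."""
    return [s for s in servers if any(s in net for net in ranges)]

def check_host(resolv_conf_text):
    """True when the host is clean: no configured resolver is rogue."""
    return not rogue_resolvers(parse_resolv_conf(resolv_conf_text))

# Constructed sample: one normal resolver and one inside a placeholder range.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
nameserver 192.0.2.53
nameserver 203.0.113.45   # would be flagged
"""

if __name__ == "__main__":
    bad = rogue_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    print("Congratulation!" if not bad else "Infected: %s" % bad)
```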

Windows 8 Forensics Guide

Just reading and sharing something before I go to sleep. It is a basic introduction to the next generation of Windows, called Windows 8. Pretty good for advanced users who want to know a little more ‘in-depth’ how the Windows folders, registry, user and system variables, and so on work and where they are located. For a malware analyst it is probably good to know for future malware infection cases.

http://propellerheadforensics.files.wordpress.com/2012/04/thomson_windows-8-forensic-guide.pdf

Antap v1.0a – Get Your Youtube Link

Sample Image

SAMPLE IMAGE!

What is this software?

This software is named Antap v1.0 (Alpha). Basically this small program will try to obtain the Youtube link from certain websites that require you to click a ‘Share’ or ‘Like’ link first before you can watch the video.


Why is this software needed?

Some users may not be interested in using certain web services that require you to press the ‘Share’ or ‘Like’ button first before you can watch your favourite video. The technique some of these websites use is only to gain random visitor counts.

Basically, all of these videos are already hosted on Youtube.com. Most of these 3rd party websites are designed to collect user numbers from random ‘Like’ or ‘Share’ clicks by users.

Some users will find this very annoying. The following are among the websites involved:

1. www.melayu.tv
2. www.melayutv.info
3. www.melayutv.com
4. www.melayutv.org
5. www.dailymotion.com (bypasses the Digg Facebook App)
6. www.digg.com (bypasses the Digg Facebook App)
7. www.zapkolik.com (bypasses the Zapkolik Facebook App)
8. or a link copied from Facebook.


How do I use it?

Follow these simple steps:

1. Download this software. (This software requires .Net Framework 2.0 to run – click here if you do not have it yet)

2. Run the software directly. See the image below.

3. Get the URL of the video you want to watch. Copy and paste it into the Antap program. See the sample image below:

OR

4. Then click the GO! button and the Youtube link will be displayed.

5. So you only need to click on that Youtube link to watch. Happy trying!


Download

Click here to download.

NOTE: This software does not contain any virus or suspicious code. You can also scan it with your antivirus software to see for yourself.

The web version can be accessed here

http://www.data0.net/antap.php

Root: Samsung Galaxy Tab 8.9 GT-P7300

Just bought a new Samsung Galaxy Tab 8.9 P7300. Well, there are a lot of cool things we can do besides playing games, social networks, notes, or whatever entertainment. Some of you, probably software developers, might want more ‘fun’ with it. But with factory settings there is not much we can do; you can’t even run software as simple as a phone call app or access a few special commands on the terminal console. So, before we start, read the following:

Warning: Please make sure you have a backup copy of your firmware.
Warning: Please make sure you back up all your important data.
Warning: Your warranty may be voided once you do this process.
Warning: It is recommended to install the SuperUser app so that you get a permission prompt when launching an app at root level.
Warning: I did this on a Samsung Galaxy Tab 8.9 P7300 + Android 3.1 (Honeycomb) ONLY. Not yet tried on other devices.
Disclaimer: The author of this write-up does not take any responsibility for any damage caused by this action.

Follow the steps below:

1. First of all, download this file package. Download here >> root_2.zip.

2. Put root_2.zip into the root directory of your storage (no need to extract it).

3. Turn OFF your device.

4. Then turn ON your device by holding the Power and Volume Down buttons. Repeat this process if you are not successful.

5. If successful, you’ll get two icons on the screen, Recovery and Download Mode. See the picture above.

6. Choose Recovery Mode on your left by pressing the Volume Down button, then press the Volume Up button to confirm.

7. Choose ‘apply update from /sdcard’ using your volume up/down buttons. Make sure you choose ‘root_2.zip’ on your root storage. Then press the Power button to confirm.

8. You will get an ‘Install from sdcard complete’ message if successful.

9. Now choose ‘reboot system now’ to restart your device. Your device should be rooted now.

10. You can verify whether your device has been rooted successfully by opening a terminal console, typing ‘su’ and pressing ENTER, then typing ‘id’ and pressing ENTER. You’ll see that your user id is now ‘root’, as shown in the image below.

At this point any software that needs a higher access level will be able to install and run with root privileges. For example VPNC Widget, Samba Filesharing, Superuser and so on. Have a nice day.

UPDATE (09/01/2012):

Another two devices from a friend of mine, a Samsung Galaxy Tab 7.0+ and a Samsung Galaxy Tab 10.1, seem to work with those steps.

Another Chinese Internet Fraud (yhoo-it.com)

While I was watching the ‘The Pacific’ movie, I suddenly got a Yahoo Messenger popup message from an old friend (who has been resting in peace since Aug 2009). This was interesting and kind of a surprise for me, seeing my very close friend suddenly ‘wake up’ from his long rest. I had been monitoring this scammer for a few months after being surprised by his online status. Check this out from the chat using the web browser YM:

The shortened URL given redirects the user to the following URL:

http://yhoo-it.com/?id=4ccda25f27843014&s=1&user=matkamil2000

The URL seems to have already expired, but it will soon appear again. The actual website shows some kind of money offer that asks the user to input their user name and email.

Let’s take a closer look at the URL. The URL seems to be trying to fool the user into thinking it comes from Yahoo. Based on whois information the domain was registered from China. Obviously.

Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com

Domain name: yhoo-it.com

Registrant Contact:
zhang yu
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

Administrative Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

Technical Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

Billing Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

DNS:
ns7.cnmsn.net
ns8.cnmsn.net

Created: 2011-12-04
Expires: 2012-12-04

The domain name seems to be newly registered, at exactly the time I started monitoring it. The domain is pointed at two DNS servers, ns7.cnmsn.net and ns8.cnmsn.net. The DNS servers were also registered from China.
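The two things the post checks by hand, the Yahoo lookalike in the domain name and the fresh whois creation date, are easy to turn into a repeatable triage step. Added example, not the post author's tooling: the brand watch-list and the sighting date are assumptions, while the URL and the whois lines are quoted from the post.

```python
"""Triage of a suspicious link as the post does by hand: brand lookalike check
on the domain plus domain age from whois. Added example, not the author's code."""
import re
from datetime import date
from urllib.parse import urlparse

BRANDS = ["yahoo"]              # assumed watch-list of impersonated brands
OBSERVED = date(2012, 1, 9)     # assumed date the link was sighted

def edit_distance(a, b):
    """Levenshtein distance; catches dropped or swapped letters (yhoo vs yahoo)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(url, brands=BRANDS, max_distance=2):
    """Brand the domain imitates, or None for an unrelated or genuine domain."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    dom = labels[-2] if len(labels) >= 2 else labels[0]  # naive: no public-suffix list
    for brand in brands:
        if dom == brand:
            return None                      # the genuine brand domain itself
        for token in dom.split("-"):         # 'yhoo-it' is compared token by token
            if edit_distance(token, brand) <= max_distance:
                return brand
    return None

def whois_created(whois_text):
    """Creation date from a 'Created: YYYY-MM-DD' whois line, or None."""
    m = re.search(r"^Created:\s*(\d{4})-(\d{2})-(\d{2})", whois_text, re.M)
    return date(*map(int, m.groups())) if m else None

def triage(url, whois_text, observed=OBSERVED, young_days=90):
    """Findings that would make an analyst distrust the link."""
    findings = []
    brand = lookalike_brand(url)
    if brand:
        findings.append("domain imitates %s" % brand)
    created = whois_created(whois_text)
    if created and (observed - created).days < young_days:
        findings.append("registered %d days before sighting" % (observed - created).days)
    return findings

# Whois fragment and URL quoted from the post.
SAMPLE_WHOIS = "Domain name: yhoo-it.com\nCreated: 2011-12-04\nExpires: 2012-12-04\n"
SAMPLE_URL = "http://yhoo-it.com/?id=4ccda25f27843014&s=1&user=matkamil2000"
```

Calling `triage(SAMPLE_URL, SAMPLE_WHOIS)` reports both the lookalike and the 36-day-old registration; a genuine `yahoo.com` link with an old creation date produces no findings.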

Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com

Domain name: cnmsn.net

Registrant Contact:
XiaMen Longtop Online Technology Co.,Ltd
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

Administrative Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

Technical Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

Billing Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

DNS:
dns.bizcn.com
dns.cnmsn.net
ns5.cnmsn.net
ns6.cnmsn.net
ns1.4everdns.com
ns2.4everdns.com

Created: 2003-08-08
Expires: 2015-02-27

Well, let’s dig some more.

Nmap scan report for yhoo-it.com (109.230.222.53)
Host is up (0.29s latency).
rDNS record for 109.230.222.53: hosted.by.xsserver.eu
Not shown: 986 closed ports
PORT STATE SERVICE VERSION
25/tcp filtered smtp
80/tcp open http nginx 1.0.4
|_http-title: Site doesn’t have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 6e:96:96:b1:aa:4b:e2:1a:e5:9f:35:9c:6a:79:af:df (DSA)
|_2048 48:bb:c1:d4:bf:08:4d:c6:41:30:ea:57:3e:eb:fe:19 (RSA)
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1026/tcp filtered LSA-or-nterm
1027/tcp filtered IIS
4444/tcp filtered krb524
5432/tcp open postgresql PostgreSQL DB 8.4.1 - 8.4.4
6129/tcp filtered unknown
6580/tcp open parsec-master?
Device type: general purpose|WAP|router
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys Linux 2.4.X (92%), Netgear embedded (92%), D-Link embedded (92%), Linksys embedded (92%), Peplink embedded (92%), Asus Linux 2.6.X (91%)
Aggressive OS guesses: Linux 2.6.23 - 2.6.33 (95%), Linux 2.6.35 (94%), Linux 2.6.31 (94%), Linux 2.6.32 (94%), Linux 2.6.22 (94%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.18 - 2.6.27 (92%), Linux 2.6.31 - 2.6.34 (92%), Linux 2.6.34 (92%), Netgear DG834G WAP (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops
Service Info: OS: Linux

TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 12.00 ms 60.53.173.202
2 16.00 ms 60.53.173.213
3 16.00 ms 60.53.173.213
4 228.00 ms 10.55.192.38
5 229.00 ms 10gigabitethernet1-3.core1.lax1.he.net (206.223.123.37)
6 290.00 ms 10gigabitethernet4-3.core1.nyc4.he.net (72.52.92.225)
7 333.00 ms 10gigabitethernet1-2.core1.lon1.he.net (72.52.92.242)
8 399.00 ms 10gigabitethernet4-2.core1.fra1.he.net (184.105.213.146)
9 290.00 ms hosted.by.xsserver.eu (109.230.222.53)

Since I don’t trust any source from China, even their web hosting provider, I did some Nmap scanning to see what it has got. The web server seems to be running on a Unix machine with several service ports open.

The Yahoo Messenger online status is coming from the expired phone number, which has probably been taken over by a Chinese scammer living in Malaysia. Malaysia is a multicultural country and it’s not impossible for a Chinese from China to disguise themselves as a Malaysian Chinese. Another possibility is that the YM account was stolen from his machine via a malware infection.

More updates coming up soon.
