Personal blog of Alex Muratov

Beware of browser “miners”

Cryptocurrency “mining” is very popular today. More and more people “mine” it for profit. It is not a rare case for malware to install a “miner” on an infected workstation and turn it into a mining machine that creates profit for the threat actor.

But now anybody may become a victim of such a tactic without being infected by malware: browser mining.
How does it happen? A malicious web site injects a JS script that does the mining. It is very ineffective for a single miner, but if the number of such “accidental” miners is high, the expected profit may be measurable.

An example:
The web site “www.tyxihxxtpumgm[.]bid” is referred to by a streaming web site, and it injects the following script into a victim’s browser:

You can see that the script contains a wallet address, but it is not a valid coin address. Apparently it is just a token that is linked to an actual wallet. The actual “miner” site is coin-hive[.]com. Of course, the actual registrant is hidden by a “whois protector”, and the domain was registered recently, on Aug 24, 2017. The site says “A crypto Miner for your web site. Monetize your business with your users’ CPU power”. To me it does not sound very friendly to users!

So if you see that your browser is sluggish and “eats” a lot of CPU, take a look: maybe your computer has been recruited to mine “coins” for somebody.
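As an added example (not code from the post), here is a small defender-side check that scans a page's script tags for a miner domain such as coin-hive[.]com or an inline miner marker. The blocklist entries other than coin-hive.com, the inline markers, and the sample page are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed blocklist: the post names only coin-hive[.]com; the second entry is a
# placeholder a defender would replace with entries from their own intel feed.
MINER_DOMAINS = {"coin-hive.com", "example-miner.invalid"}
# Inline-script markers assumed for illustration (not taken from the post).
INLINE_MARKERS = re.compile(r"coin-?hive", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_miner_indicators(html: str) -> list[str]:
    """Return findings for miner-like scripts in an HTML page (empty = clean)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        # Relative paths have no host; protocol-relative and absolute URLs do.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if any(host == d or host.endswith("." + d) for d in MINER_DOMAINS):
            findings.append(f"external script from miner domain: {src}")
    for body in parser.inline:
        if INLINE_MARKERS.search(body):
            findings.append("inline script containing a miner marker")
    return findings


# Constructed sample page modelled on the referral chain described in the post.
SAMPLE_PAGE = """<html><body>
<script src="https://coin-hive.com/lib/miner.js"></script>
<script>var m = new CoinHive.Anonymous('TOKEN-PLACEHOLDER'); m.start();</script>
<script src="/static/player.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_miner_indicators(SAMPLE_PAGE):
        print(finding)
```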

Posted in Bitcoin, Cryptocurrency, Malware

Splunk certified Architect

Got my Splunk Architect (I) certification. The lab took 12 hours from beginning to end. Now aiming for level II!

Posted in Splunk

Splunk certified

Some news: I just got my Splunk certifications: “Splunk Certified Power User” (Cert-135865) and “Splunk Certified Admin” (Cert-136075).

Now aiming for “Splunk Certified Architect”!

Posted in Splunk

Splunk “Loading…” issue – quick fix

Sometimes you may start experiencing the following issue: after a successful login to Splunk, instead of the dashboard(s) it shows only a short “Loading…” message that never ends. No menu is available; you can click on the app selector, but nothing happens. Restarting Splunk does not fix the issue, and the logs contain no errors. The resolution is pretty simple, because the problem is not Splunk but your browser.

Clear the browser cache, restart the browser and log in again: the issue is gone.


Google Chrome: https://support.google.com/chrome/answer/95582?hl=en
Firefox: https://support.mozilla.org/en-US/kb/how-clear-firefox-cache
Edge: http://windows.microsoft.com/en-ca/windows-10/edge-privacy-faq

Posted in Splunk

Adobe Flash Player – true zero-day vulnerability CVE-2015-7645

Adobe still keeps up its tradition of publishing information about new zero-day vulnerabilities affecting Flash Player (now 19.0.0.207).

What is really interesting: there is no patch yet, and this vulnerability has been exploited in the wild! So it is yet another good reason to disable Flash Player in your browser (if you have not disabled it already).

Security Advisory: APSA15-05

Details about known exploitation (spear phishing targeting Ministries of Foreign Affairs) as part of Operation Pawn Storm:
New zero-day exploit hits fully patched Adobe Flash

Update:

Trend Micro analyzed the vulnerability and made PoC code. Again, it comes down to how poorly the Flash compiler handles language semantics, which allows internal security controls to be bypassed:
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques

In my opinion the described technique exploits some fundamental weaknesses of ActionScript, and it will not be easy to fix the root cause.

Posted in Hacking, Malware

All aboard! Time to check-in on “Insight”

If you missed your chance to get a boarding pass for the “Orion” mission, you have another chance: NASA is preparing “Insight”, and this flight is heading to Mars next year.

Your name will be put on a chip on “Insight”. Hurry! Registration closes on Sep 8th.

insight-boarding-pass

Posted in Space

Deface pages at Pastebin

Pastebin.com is a favorite place for software programmers. They share code snippets, and by default a submitted “pastie” is publicly available. For some reason hackers also like to share the HTML code of defacement pages they use for compromised sites. I wrote a script that scans Pastebin on a regular basis, detects HTML code and renders it.

Below you can see some found samples of defacement pages. Not sure whether they were actually used or not 🙂

Posted in Hacking

Phishing, funny stuff

Recently I got yet another phishing email that invited me to do something urgently with my RBC account.

phishing-rbc1

Oh, nice! I have to install a security certificate in order to continue using RBC online banking. Too complex to be true, right? I checked the attachment, and it was not the security certificate that was promised. Actually it was an HTML file that simply redirects the victim to a phishing site.

Nothing special: the phishing page was hosted at some Norwegian porn site. Apparently it was hacked and the phishing pages/scripts were injected. What was actually interesting: the hacker forgot to disable directory listing, and all files were visible. Surprisingly, there was a “.htaccess” file. I opened it and enjoyed a long list of IP addresses with funny comments:

phishing-rbc2


It indicates that the hacker has a pretty long list of “offenders”: security companies, ad bots, crawlers, etc. Unfortunately the owner of the legitimate site quickly found out about (or another party informed them of) the injected phishing pages and deleted all of them, so I did not have a chance to dig further.

Posted in Uncategorized

Snorby & Snort is up and running

Finally I set up my home IDS: Snort with Snorby on top.
The goal: to see what is going on in my Internet traffic and whether there is anything interesting.
Snort output will also be collected by my home Splunk instance.
The screenshot below shows only test events, nothing serious 🙂

I used this guide: Home IDS with Snort And Snorby
It is pretty detailed, though it has some typos and omissions. Following it step by step does not give you a working environment, since one important thing is not mentioned:
Barnyard and Snorby have to use the same database! I am thinking of producing a better guide; we will see.
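As an added example (not code from the post or the guide), here is a quick consistency check for the pitfall above: it reads the `output database:` line from barnyard2.conf and the connection keys from Snorby's database.yml and reports any field on which they disagree. Both config fragments below are constructed samples; the Snorby YAML is flattened to the keys assumed to matter (adapter, host, database), and the parser is deliberately minimal rather than a full YAML reader.

```python
import re

# Constructed barnyard2.conf fragment; only the "output database" line matters.
# Barnyard2's syntax: output database: log, <adapter>, user=.. password=.. dbname=.. host=..
BARNYARD_CONF = """
config hostname: sensor1
output database: log, mysql, user=snort password=PASSWORD-PLACEHOLDER dbname=snort host=localhost
"""

# Constructed Snorby config/database.yml fragment (flattened; assumed keys).
SNORBY_DB_YML = """
snorby:
  adapter: mysql
  username: snorby
  password: "PASSWORD-PLACEHOLDER"
  host: localhost
  database: snorby
"""

FIELDS = ("adapter", "host", "database")


def parse_barnyard_db(conf: str) -> dict:
    """Extract adapter, host and database name from the 'output database:' line."""
    m = re.search(r"^output database:\s*log,\s*(\w+),\s*(.*)$", conf, re.M)
    if not m:
        raise ValueError("no 'output database' line found in barnyard2.conf")
    opts = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {"adapter": m.group(1), "host": opts.get("host"), "database": opts.get("dbname")}


def parse_snorby_db(yml: str) -> dict:
    """Minimal line parser for the indented 'key: value' block under 'snorby:'."""
    opts = {}
    for line in yml.splitlines():
        m = re.match(r"^\s+(\w+):\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return {k: opts.get(k) for k in FIELDS}


def database_mismatches(barnyard: dict, snorby: dict) -> list:
    """Return the fields on which the two configs disagree (empty = same database)."""
    return [k for k in FIELDS if barnyard.get(k) != snorby.get(k)]


if __name__ == "__main__":
    diff = database_mismatches(parse_barnyard_db(BARNYARD_CONF), parse_snorby_db(SNORBY_DB_YML))
    print("Barnyard/Snorby mismatch on:", diff if diff else "none")
```

With the constructed samples above the check flags `database` (Barnyard writes to `snort`, Snorby reads `snorby`), which is exactly the silent misconfiguration the guide leaves you with.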

snorby

Posted in IDS, SIEM

Did you get your boarding pass to the “Orion” mission?

orion boarding pass

Send your name to Mars

Posted in Space
