Archive for January, 2013

Pool Party!

Posted in Application, Mobile on January 29, 2013 by keizer

Pool Party

Pool Party, a new social pool game by Nitako, was recently released for mobile (iPhone and Android). It lets you play turn-based pool against Facebook users.

It is actually a pretty cool game. I played it (normally) for about 2 weeks, getting better and better. I must say, once you understand how it works, it's pretty easy to pocket the balls. As you earn more and more coins, you want to play for larger pots. And that's what I did… Now, you probably know the saying "Don't put all your eggs in one basket", so I did :\ – playing with all my coins against one dude, who turned out to be better than I expected, which led me to lose all my coins!

This is when I lost my temper… after all the time and effort I put into this game, I was left with nothing! It's time to use my professional skills for something truly important! Let's try to get more coins… and fast!

So I started digging into the application's traffic, changing the amount of coins, pots, cash… every variable that held an amount of coins, I changed it… but nothing!

Until I found a way… which, to my disappointment, involves taking other players' coins 😦 Oh well… it's not real money 🙂

And this is how it works:

Play a game until you win (it doesn't matter what amount you're playing for). When the game ends, capture the requests. One of them will look like this (notice the tableData= parameter):

org_req

Copy the part from tableData= to the end of the request, which should say result=EightSank, and paste it into Notepad or any other text editor. Next time you're playing against someone, right after hitting the ball, intercept the requests (using any proxy application), and when you see the request that holds tableData, replace it with the text you saved. That saved value represents sinking the 8 ball, which tells the server that you have won.

Now, let’s see it in action:

1. I have 12,250 coins:

before

2. Oh, it's my turn, so I'll just turn request interception ON:

ur_turn

3. After hitting the ball (it doesn't matter what actually happens in the game), I find the request we discussed earlier and replace the tableData part, which in this case says result=TurnOver (guess I missed… :)).

tamper2

4. With the EightSank tableData I saved from one of my (many) victories:

tamper3

5. It's magic! Most of the balls are still on the table, but it clearly says "You Cleared the table!" and the game ends with a pot of $200:

cleared

6. Voilà! I now have 12,350 coins (of course, I put in 100 myself, so the actual profit in this case is $100)…

after
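The root cause of the trick above is that the server believes whatever tableData the client sends. Below is an added example (not Nitako's or the post's code) that models that trust problem beside a server-authoritative check that closes it; the Match structure, the turn and pocketed fields and the 8-ball rule are assumptions for this illustration, only tableData, result and EightSank come from the post.

```python
# Added example, not Nitako's or the post's code: a toy model of the trust problem
# behind the tableData tamper, beside a server-authoritative check that closes it.
# tableData/result/EightSank come from the post; the Match structure, the 'turn'
# and 'pocketed' fields and the 8-ball rule are assumptions for this illustration.

class Match:
    def __init__(self, match_id, groups):
        self.match_id = match_id
        self.turn = 0                  # server-side turn counter
        self.groups = groups           # player -> set of that player's balls still on the table
        self.winner = None

def settle_vulnerable(match, player, table_data):
    """Trusts the client: any blob carrying result=EightSank wins outright."""
    if table_data.get("result") == "EightSank":
        match.winner = player
    return match.winner

def settle_hardened(match, player, table_data):
    """The server owns the table; the client may only claim which balls it pocketed."""
    if table_data.get("turn") != match.turn:
        return "rejected: stale or foreign tableData"   # a blob saved from an old game
    pocketed = set(table_data.get("pocketed", []))
    mine = match.groups[player]
    if not pocketed <= (mine | {8}):
        return "rejected: pocketed balls are not on the table"
    mine -= pocketed
    match.turn += 1
    if 8 in pocketed:
        # standard 8-ball rule (assumed for this game): sinking the 8 while your own
        # balls remain is a loss, so "EightSank" with a full table cannot win
        opponent = next(p for p in match.groups if p != player)
        match.winner = player if not mine else opponent
    return match.winner

def demo():
    saved_win = {"result": "EightSank", "turn": 7, "pocketed": [8]}  # replayed from an earlier win
    fresh = lambda: {"me": set(range(1, 8)), "them": set(range(9, 16))}
    vuln = settle_vulnerable(Match("m1", fresh()), "me", saved_win)
    hard = settle_hardened(Match("m2", fresh()), "me", saved_win)
    return vuln, hard        # ('me', 'rejected: stale or foreign tableData')
```

Even a blob spliced to carry the right turn number fails the hardened path, because the server's own record still shows the player's balls on the table.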

If you liked this post and want me to find you fast and easy ways to earn coins, comment with the name of the iPhone game you want, and I'll do my best.

Cheers!


New Zero-Day Java Exploit

Posted in JAVA, Malware on January 13, 2013 by keizer

Julia Wolf, Darien Kindlund, and James Bennett from FireEye, in their post "Happy New Year from New Java Zero-Day", observed that a Java security bypass zero-day vulnerability (CVE-2013-0422) has been actively exploited in the wild starting Jan. 2. They were able to reproduce the attack in-house with the latest Java 7 update (Java 7 Update 10) on Windows.

Some initial landing pages are actually hosted on a popular file-sharing website. Eventually the landing pages redirect to several different domains hosting exploits and malware.

ScreenShot079

The malware will download an executable file from a remote server and execute it by exploiting the vulnerability. Though the malware is designed for Windows only, the vulnerability itself can be exploited across different browsers and OS platforms.

ScreenShot080

The malware payload is ransomware, commonly known as Tobfy. It retrieves a template from the Web, in this case hxxp://<random>.cristmastea.info/get.php, and creates a full-screen window demanding payment, using some kind of social engineering scheme to scare the victim. Additionally, it disables Windows Safe Mode by deleting values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, and it terminates processes like "taskmgr.exe", "msconfig.exe", "regedit.exe", and "cmd.exe" in order to deter the victim from trying to find or disable the malware. Strings such as \\xneo\\lock\\Release\\lock.pdb and "Conteneur ActiveX" were found in memory and helped make identification easier.

One more noteworthy finding is that the URLs used to download the template and make callbacks are stored XOR encoded and must be decoded before use. However, it appears the author forgot to call the decode function in the callback thread. This means that the malware is unable to communicate with the attacker. The malware is supposed to make an HTTP request for hxxp://<random>.my-files-download.ru/status.php, but instead requests the invalid URL hxxp://<random>.my-files-download.ru/.ru`utr/qiq. What makes this error even worse for victims is that this callback thread determines whether the victim has paid the fee and is responsible for removing the ransomware from the system. It seems even paying up will do no good in this case!
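Two of the behaviours described above, deleting the SafeBoot keys and killing the usual admin tools, are easy to watch for on an endpoint. The following is an added example, not from the FireEye write-up or this post: a small detector run over constructed sample events whose key=value format is an assumption loosely modelled on Sysmon (EventID 12 registry object deleted, EventID 5 process terminated); the 10-second burst window and the sample image paths are also assumptions.

```python
# Added example, not from the FireEye write-up or this post: a small detector for the
# two behaviours described above, run over constructed events. The key=value line
# format is an assumption loosely modelled on Sysmon (EventID 12: registry object
# deleted, EventID 5: process terminated); the 10-second window is an assumed threshold.
import re
from datetime import datetime

SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"        # key named in the post
ADMIN_TOOLS = {"taskmgr.exe", "msconfig.exe", "regedit.exe", "cmd.exe"}  # processes it kills
WINDOW_SECONDS = 10

# Constructed sample telemetry, not real logs; ransom_sample.exe is a made-up name.
SAMPLE_EVENTS = """\
UtcTime=2013-01-13T10:00:01 EventID=12 EventType=DeleteKey Image=C:\\Users\\demo\\AppData\\Roaming\\ransom_sample.exe TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal
UtcTime=2013-01-13T10:00:01 EventID=12 EventType=DeleteKey Image=C:\\Users\\demo\\AppData\\Roaming\\ransom_sample.exe TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network
UtcTime=2013-01-13T10:00:02 EventID=12 EventType=DeleteKey Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKLM\\SOFTWARE\\Demo\\Cache
UtcTime=2013-01-13T10:00:03 EventID=5 Image=C:\\Windows\\System32\\taskmgr.exe
UtcTime=2013-01-13T10:00:04 EventID=5 Image=C:\\Windows\\regedit.exe
UtcTime=2013-01-13T10:00:05 EventID=5 Image=C:\\Windows\\System32\\cmd.exe
UtcTime=2013-01-13T10:30:00 EventID=5 Image=C:\\Windows\\System32\\cmd.exe
"""

def parse(text):
    """Split each non-empty line into a dict of key=value fields (values carry no spaces)."""
    return [dict(re.findall(r"(\w+)=(\S+)", ln)) for ln in text.splitlines() if ln.strip()]

def detect(text):
    events = parse(text)
    alerts = []
    # Rule 1: deleting anything under SafeBoot removes the Safe Mode recovery path.
    for e in events:
        if (e.get("EventID") == "12" and e.get("EventType", "").startswith("Delete")
                and e.get("TargetObject", "").lower().startswith(SAFEBOOT.lower())):
            alerts.append(f"SafeBoot tamper by {e['Image']}: {e['TargetObject']}")
    # Rule 2: several admin tools dying within seconds of each other suggests a process killer.
    kills = sorted((datetime.fromisoformat(e["UtcTime"]), e["Image"].rsplit("\\", 1)[-1].lower())
                   for e in events if e.get("EventID") == "5")
    kills = [(t, name) for t, name in kills if name in ADMIN_TOOLS]
    for i, (t0, _) in enumerate(kills):
        burst = {name for t, name in kills[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
        if len(burst) >= 2:
            alerts.append(f"admin tool kill burst at {t0.isoformat()}: {sorted(burst)}")
            break
    return alerts
```

On the constructed sample, detect() raises two SafeBoot alerts and one kill-burst alert; the lone cmd.exe exit half an hour later does not trigger anything.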
