To UPnP or not to UPnP
As the internet has changed, so have our lives. We no longer just dial up to find that “you’ve got mail”; instead we stay constantly connected through our phones, tablets, and computers. We are now in the age of never leaving home without a device, and of being connected to the internet at all times. Some can’t even imagine going out of range.
These devices that are with us at all times are our own personal Internet of Things (IoT). IoT devices can be baby monitors, home entertainment systems, home security systems, or even a refrigerator fully equipped with a video camera so we can check whether we have milk or not.
Vance Baker presented us with Introduction to Internet of Things (IoT) Security earlier this year that provides some really good advice for creating a safe IoT environment. I know what you may be saying: “If I follow the advice given,... read more >
Not All Is Lost When You Lose Your Memory
Some time ago I wrote a blog, Memory: It’s What’s for Dinner, about the importance of capturing volatile data and memory analysis. I also provided an intro for memory analysis in Hunting Malware with Memory Analysis and More Memory Fun. What happens if you are not able to grab memory? Obviously, a full memory capture of the suspect system will give you the best chance at recovering volatile information from the system but if you can’t, not all is lost.
Hibernation and page files contain data that can help put the pieces of the puzzle back together. The hibernation... read more >
CVE-2016-0728: Evaluating the Threat Level
On January 14, 2016 researchers at Perception Point identified a 0-day local privilege escalation vulnerability (CVE-2016-0728) in Linux Kernel versions 3.8 to 4.4 (2012 – 2016). This flaw exists due to the kernel’s keyrings security facility used to retain cached security data, authentication keys, encryption keys and other data. Using a local user account, one can free a referenced keyring object and overwrite it to be executed in the kernel, escalating privileges to root. Based on statistics provided by Perception Point, tens of millions of personal computers (PCs), servers and 66% of all Android devices may be vulnerable.
NCSAM Week 4: Your Evolving Digital Life
Week 4 of National Cyber Security Awareness Month (NCSAM) discusses “Your Evolving Digital Life.” With the Internet becoming more and more integrated in our daily lives, we are opening ourselves up to new threats and challenges. To illustrate my point, let’s discuss a Facebook example while applying the Operations security (OPSEC) process.
OPSEC is a term that originated with the U.S. military. OPSEC is a process that determines whether information obtained by adversaries could be interpreted to be useful to them, and applies the appropriate measures to eliminate or minimize the exploitation of that information. Simply stated, OPSEC is the protection of information so that it cannot be used against you by your enemies. As our digital lives evolve, we need to be sure to practice good OPSEC.
If we look at the OPSEC process, we can see how it can be applied to how we handle our digital lives. The OPSEC process... read more >
It appears that, as security professionals, we have come to the day when being part of the elite requires disclosing a new threat actor group or campaign with a code name. Once a fun name for the threat actor group or campaign has been created, it is usually sprinkled with some of the tactics and indicators used. The issue with the current state of naming conventions is that it has done nothing more than create great marketing material and confusion for a large part of the security community.
Since I am a security professional who spends the majority of my time tracking threat actors, malware samples and common indicators of compromise, you may be asking “don’t you see this sharing (disclosing events) as a good thing, and why is it so confusing?”
First of all, I believe the increase in sharing over the last few years has been great and has even broken down some of the barriers that were in place before. Where the confusion comes in, however, is everyone... read more >
Using memory analysis to pull Dyre Trojan config
A couple of years ago, I published a blog on Hunting Malware with Memory Analysis. Well, it is past time to dive back in to some memory analysis fun. This time, however, we will use memory analysis techniques to retrieve the Dyre Trojan configuration.
Dyre is a well-known banking Trojan that harvests credentials, primarily targeting online banking. It does this by using man-in-the-browser functionality and dynamic web injects to manipulate content on a financial institution's website and intercept credentials and sensitive information of the victim. This is where the configuration file comes in. The configuration file contains the proxy server(s) controlled by the attackers and the target bank URLs that trigger the man-in-the-browser to redirect the connection to the designated proxy server. Dyre’s configuration file looks like the following:
... read more >
Detecting Malware through Static and Dynamic Techniques
Malware analysis involves two key techniques: static analysis and dynamic analysis.
Static analysis examines malware without actually running it. Dynamic analysis (also known as behavior analysis) executes malware in a controlled and monitored environment to observe its behavior.
Each of these techniques includes elements which are further categorized as basic or advanced. Although there are benefits to conducting static and dynamic analysis as separate tasks, an analyst can realize the full value of both techniques by combining them when reverse engineering complex malware.
Performing static and dynamic analysis together helps identify the... read more >
A Successful Method of Attack
A recent Iranian cyberspy campaign included attackers posing as journalists. The long-standing attacks shed some light on how combining social engineering and social media was successful in gaining credentials from US military, government and defense contractors. This campaign takes social engineering one step further because companies and people are often prone to help journalists in the hopes that they can get their name in the press.
Social engineering is a successful method of attack that has been used for centuries, even before the age of the Internet. This is old-school spy stuff that comes right out of the Cold War era. Social engineering uses techniques to exploit the human inclination to trust. It preys on the individual’s desire to be helpful. People who don't trust are often ones that have been... read more >
I recently found myself analyzing some emails that appeared to be spoofed or forged. During my analysis, I started looking at a header entry that I thought might aid in proving or disproving my theory. The header entry was Thread-Index. Thread-Index is a Microsoft Outlook-centric header that is used to track conversations. I wanted to use this to analyze potential discrepancies in the FILETIME time stamp in the email message added by the email client.
I am using the MSDN documentation to walk through the header value and the Python programming language to illustrate how to decode the somewhat obfuscated value.
The MSDN documentation titled “Tracking Conversations” references two distinct properties (PR_CONVERSATION_TOPIC and PR_CONVERSATION_INDEX) that... read more >
Don't Let Spammers and Botnets Give Your Loved Ones the Gift of Malware
With Valentine’s Day tomorrow, be careful of the gift your loved ones give you. Not everything can be cured with a shot of penicillin.
Valentine’s Day is synonymous with sending love, but not everything you receive is what you might expect. As people in a relationship expect a card from a loved one, many will open their emails without taking a second look. However, many of the botnets and spammers will use holiday themed emails to infect unknowing victims with their own special message of love.
Valentine’s Day has seen its share of e-card emails sending a message of love to someone dear to the sender’s heart. While the thought is what counts, spammers have long used phony e-cards to spread malware.
The phony emails typically have included a link that appears to take you to a site like AmericanGreetings.com, but instead takes you to a malicious website to download and install malware before redirecting to AmericanGreetings.com. Most... read more >
Some social engineering plans are better thought out (or luckier) than others. Take for instance the following phishing email that has been going around during the polar vortex of 2013. This series of delivery-problem-themed emails, Asprox spam, started prior to the holiday season and has continued into the new year.
Early in the holiday season of 2013, the Asprox spam campaign included “delivery notifications” from shipping companies like DHL, FedEx and UPS. This was followed by issues with purchases from Costco and Wal-Mart. Asprox then wrapped up the year with a Best Buy email scheme. The creators and distributors of this malware appear to be working hard to keep their attacks timely and relevant by tying them to current events. This time, the spam is in the form of... read more >
What happens when a scammer accidentally calls a security researcher
I just got off the phone with a very nice gentleman from the "service center for the Windows® operating system computers." During the call, he informed me that they had received numerous warnings that my computer was infected. He explained that I had something "much worse than viruses," but in fact had "malwares and spywares." The "malwares and spywares" can actually cause my computer to "crash down."
As a way to show me that I was indeed infected with these horrible "malwares," he went through a few steps to ensure that I was in front of my laptop and it was powered on.
Little did he know, I complied by opening my non-Windows laptop and fired up a completely clean virtual image of Windows XP.
The eager savior of my malware woes instructed me to hold down the "full Windows flag" in the lower left hand corner of my keyboard (sorry my keyboard doesn't have a Windows flag, but whatever) and "press the 'R' key." After explaining what I... read more >
Social engineering can create insider threats much more easily than most would think possible.
Welcome to "Thoughtful Thursday" where we blog about high profile and emerging threats. Today's hot topic is social engineering or insider threat and how those can connect.
While there is no official Webster's Dictionary definition of insider threat, there are many sources that attempt to define it. Wikipedia says, "An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems."
This is how the security community typically views the insider threat. Furthermore, it is usually attributed to a disgruntled employee or former employee, such as in the Edward Snowden case. Until this case, most organizations tended to overlook the insider threat because of... read more >
When most people hear the word malware, they think of a virus. In this blog I will attempt to define different categories of malware, and include key behaviors of each.
Malware is a term that is used to refer to malicious software. Malicious software is any software that does something that causes something bad to happen to the user, computer or network. Unfortunately, this does exclude those poorly written applications that crash or freeze, even though that could be an indicator of a bug that could be leveraged by malware. That’s another discussion altogether though.
While malware comes in many forms, for research purposes the Solutionary Security Engineering Research Team (SERT) uses the following categories based on the functionality of the malware:
- Backdoor is malicious code on a computing system allowing continuing access to the...
Another DEFCON is in the rearview mirror and there are more takeaways from the week’s events. The Solutionary Security Engineering Research Team just returned from DEFCON21, a computer security conference better known as the longest running annual hacker conference.
Besides the constant referral, and even entire talks, devoted to Snowden and the NSA spying on everyone, DEFCON21 focused on hardware hacking, smartphones, and home automation.
A particularly interesting presentation demonstrated how a couple of researchers were able to take control of a hybrid car and an SUV. They were able to: disable the brakes; change the display to show incorrect speed or gas levels; control the steering, seat belts, lights, and horn. Not to mention that they were... read more >
May 09, 2013 - Posted by Jeremy Scott to
Memory is the new vogue and rightfully so. My Solutionary teammate, Susan Carter, recently posted a related blog. Ironically, we were both crafting our posts about the same time but I want to drive home the importance of capturing volatile data and performing memory analysis.
In the past, forensic examinations involving computer systems were always performed by immediately disconnecting any compromised or infected hosts from the network. This was done with a “hard shutdown,” or what has become known as “pulling the plug,” followed immediately by acquiring a forensic image of the hard drive. The rationale for doing this as the first step was to preserve the state of the hard disk.
Now, the first step in any incident response scenario should be capturing the volatile data at the onset. This has become critical to identifying the extent of the compromise or infection. In... read more >
Shortly after the New Year, Debian and the Python Software Foundation announced that attackers had compromised their community wiki servers. The significance of targeting Debian and Python is not known, but it could be because of the large distribution of these projects. Debian is not only an operating system in itself, it is also the platform on which the popular Ubuntu operating system is developed. Python is a popular platform-independent programming language.
The following is a copy of the announcement that Python made:
On December 28th, an unknown... read more >
Memory analysis is extremely important in incident response, malware analysis and reverse engineering to examine memory of the infected system to extract artifacts relevant to the malicious program. Memory analysis has gained popularity in the context of reverse-engineering malware. Memory analysis can help identify malicious code and explain how the specimen was used on the suspect system.
When performing memory analysis on the suspect system, I try to answer some simple questions in an attempt to identify malicious code:
- What processes were running on the suspect system at the time the memory image was taken?
- What artifacts of previous processes existed?
- Are there any active or previous network connections?
- What is the purpose and intent of the suspected file?
- Are there any suspicious DLL modules?
- Are there any suspicious URLs or IP addresses associated...
Hurricane Sandy has left widespread damage across the Northeastern region of the United States. It is truly saddening to watch the recovery efforts going on and the lives affected by this tragedy. However, when disaster strikes, criminals begin to take advantage of charitable hearts looking for ways to help those in need.
Scammers use social engineering tactics to take advantage of events like Hurricane Sandy. Knowing that people are charitable and caring, scammers try to reach victims on an emotional level to get them to take an action – click on a link in an email, view a video or donate to a cause. If you have not yet received an email with the “video of a shark in New York City”, or of the “Massive flood surge caught on video”, don’t worry, you probably will.
... read more >
Following in the footsteps of Joseph’s blog “Hacking to the Music”, the lyrics to the U2 song “Sunday Bloody Sunday” come to mind with the latest news of yet another Java vulnerability discovered by the same team of Polish researchers that had originally discovered the previous critical Java vulnerability.
The latest vulnerability, labeled “Issue 50,” was disclosed to Oracle last Tuesday and confirmed by the company. Oracle has stated that the issue will be addressed in a future Java SE Critical Patch Update. The researchers at Security Explorations disclosed 30 vulnerabilities to Oracle in early April, 2012. It wasn’t until other independent researchers discovered two of those... read more >
Monday came with reports by security researcher Eric Romang about the discovery of new exploit code on the same server on which the recent Java 0-day was found. The exploit has been observed in the wild as well as incorporated into the Metasploit framework.
Microsoft has released a public advisory stating that the vulnerability exists in Internet Explorer 6, 7, 8 and 9. The advisory says that it may lead to remote code execution. Based on the information available and the analysis of the malicious code that has been observed, I conclude that it will lead to... read more >
An announcement was made about the release of a new version of the popular Blackhole Exploit Kit by its author, “Paunch”, on pastebin.com yesterday.
While the pricing model appears to have remained the same as the previous version, several new features have been added to this latest version, including support for Windows® 8 and mobile devices. Blackhole's success has always been related to the author’s constant maintenance and improvement of the exploit kit.
The latest version promises to provide additional improvements such as:
- Only loading exploits when client browser plugins are considered vulnerable
- Dropping the use of PluginDetect library to improve performance
- Removing all the old exploits that are not as effective
The author also describes several overhauls to the admin panel to enhance performance and statistical tracking. Additionally, the admin panel will now include... read more >
Multiple advisories have been published stating that Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may lead to remote code execution. It has been confirmed that it can and does lead to remote code execution. This means exploitation of this issue can lead to host compromise through malware infection, etc. The vulnerability was quickly turned into exploit code for the Metasploit framework. Although current... read more >
Earlier today, security vendor FireEye released information about a new Java 0-day vulnerability that was caught in the wild. It appears that the vulnerability is capable of being exploited on a fully patched Java Runtime Environment (JRE) 1.7 update 6, which is the current up-to-date release. It is not clear whether it is related, but there is also mention of exploit code recently added to a couple of exploit frameworks used for penetration testing that may be using the same 0-day vulnerability.
What we do know is that the exploit has been discovered in the wild and is currently being used to target would-be victims. The exploit code comes in the form of a malicious JAR file. HTML code on a malicious webpage loads a Java applet, which then passes some parameters to the JAR file in order to build a URL that downloads the payload. Currently, the exploit observed in the wild is downloading a payload executable that seems to be a variant of Poison Ivy. Poison Ivy is a... read more >
The latest news in malware has been the recent Kaspersky Labs discovery of the sophisticated attack toolkit named Gauss. Headlines also include reports of the Zegost RAT being served by compromised Nepalese government websites. However, the majority of the malware samples received over the last couple of weeks have been related to the Blackhole Exploit Kit.
The Solutionary SERT research team has been tracking this issue for some time and our public reports up to this point have been relatively high-level. If what we’ve observed over the past few weeks is any indicator, Blackhole will not be going away any time soon, and it... read more >
Gauss has received significant media attention in the past week. Many have already begun to draw their own comparisons to Flame, as well as attempt to trace the genealogical descent to identify the family ties to Stuxnet and Duqu. Unlike the previous sophisticated attack toolkits, which have been called cyber-espionage toolkits, Gauss was designed to steal system-related information and gather banking, social networking, email and instant messaging (IM) credentials. While researchers have claimed this to be the latest in a series of possible state-sponsored attacks, theft of financial information is the unusual twist in this latest toolkit.
Enough information has been published about Flame and similarities to Stuxnet and Duqu so there is no need to rehash it all in this post. What we will look at are the similarities that Gauss has with Flame and even propose Gauss was written by the same people as Flame just as other researchers have done.
Flame was... read more >
The Solutionary Security Engineering Research Team (SERT) has been receiving a significant amount of malicious emails luring would-be victims to hosts running the Blackhole Exploit Kit.
On Wednesday, the hacker group D33Ds Company claimed responsibility for compromising Yahoo! Voices through a SQL injection attack and exposing more than 450,000 accounts and passwords. The hacker group posted what it said were the user passwords in plaintext on the Internet. The source site of the leak has since been taken offline. Yahoo! has issued a statement that the file which contained the user account credentials was old and they believe that less than 5% of the accounts are valid.
Here’s the full statement from Yahoo!
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm... read more >
This past week we have seen a notable increase in spam appearing to be some type of recruitment email. The following is an example of the emails received with varying subject lines.
Sent: Monday, July 02, 2012 7:55 AM
Subject: Finance Manager
We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.
An at home Key Account Manager Position (Ref: 30721-126/5HR) is a great opportunity for stay at home parents or anyone who wants to work in the comfort of their own home.
This is a genuine offer and not to be confused with scams! The successful candidate must have the ability to handle calls efficiently whilst maintaining the highest levels of customer service and being courteous. Applicants must have an... read more >
There has been some recent talk about a new mobile malware variant found in the wild. The malware has been identified as Trojan-Spy.AndroidOS.Zitmo. ZitMo stands for “Zeus-in-the-Mobile”.
ZitMo was originally designed to target Symbian smartphones, with Windows Mobile and BlackBerry following later. ZitMo for the Android Operating System was first detected in July 2011. This trojan is another variant targeting the Android Operating System and is distributed as an APK with the name “Android Security Suite Premium” through SMS messages.
The purpose of ZitMo is to target the security features of online banking services. Banks use what are called TAN codes (Transaction Authentication Number) with digital signatures as an additional authentication mechanism to authorize the transaction. In some cases, banks send TAN codes via a text message (these are called mTANs, or mobile transaction authentication numbers).
Like... read more >
Earlier this week, Don Gray mentioned in his blog the identification of a new piece of malware named “Flame.” As the story unfolds we learn more about the capabilities of this new malware.
The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new malware attack targeting the country, which has been named Flame (also known as Flamer or Skywiper). MAHER and others are comparing Flame to Duqu and Stuxnet, and even consider it related to them. It is indeed the next “find” in sophisticated attack toolkits. Are they related though? Are they even similar? Are we seeing a repeat of the Duqu hype that happened last December, or discovering something much bigger?
Like the wording used in the... read more >