Sunday, Jul 22, 2012

TekTip ep2 - Basic Dynamic Malware Analysis (continued)

Welcome to TekTip episode 2. In this episode we will continue our discussion of basic dynamic malware analysis, focusing on FakeNet. If you would like to follow along at home, you can download one of the samples I have been using.

Malware Sample

***This is live malware, do not download unless you have a safe environment setup first.***

The unzip password is "malware".

Don't forget to check out and download FakeNet.

Sunday, Jul 15, 2012

Threat Down - 7/15/2012

Welcome to the Threat Down for the week ending on July 15, 2012.  Here is a recap of noteworthy news items from throughout the week.

Top Security News

I’m not sure how “crazy” these IT “tricks” are but this is a good collection of tips especially for those that are new to the field.  For those of you in the DoD, you’ll recognize many of these tips from STIGs.  There are a couple gems in this though.
There were so many articles this week on the Yahoo Voice (Associated Content) data breach, it was really hard to choose one (you’ll find another in the honorable mentions).  Yahoo was subject to a basic SQL injection attack that led to a dump of over 450,000 email addresses and passwords.  In an effort to make this as easy as possible for the attackers, Yahoo graciously left passwords in clear text.  Email and password combinations were posted publicly.  Good news is someone should be able to make a decent dictionary out of this.
The Warp trojan infects machines via the usual Java/Adobe exploits, but once a machine is compromised Warp shows why it is unique.  Warp sends ARP requests to the local networking devices in an attempt to falsely present itself as the router.  Once a networking device is fooled, subnet traffic is routed through the infected machine for man-in-the-middle fun.
Not much to say on this one except be prepared.  These 88 patches will most likely not address the zero-day for 11g that we spoke about previously.
As if the Yahoo breach wasn’t enough, last week we also received news of passwords being dumped from NVIDIA's forums.  At least they didn’t store the passwords in clear text.
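The Warp item above describes ARP spoofing: an infected host answers for the router's IP with its own MAC so the subnet's traffic flows through it. From the defender's side, the tell is the same one a sniffer on the segment can see, namely one IP address being claimed by more than one MAC, or the gateway IP being claimed by a MAC other than the known one. The script below is an added example written for this post, not code from the Warp analysis or any tool it mentions; the ARP records, addresses and gateway table are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: (timestamp, sender MAC, sender IP) taken from the sender
# fields of ARP packets on a /24, the shape a sniffer on the segment would log.
# Not from a real capture; addresses are invented for the example.
SAMPLE_ARP_PACKETS = [
    ("12:00:01", "aa:bb:cc:00:00:01", "192.168.1.1"),   # the real gateway
    ("12:00:02", "aa:bb:cc:00:00:10", "192.168.1.10"),
    ("12:00:03", "aa:bb:cc:00:00:11", "192.168.1.11"),
    ("12:00:04", "aa:bb:cc:00:00:11", "192.168.1.1"),   # host .11 now claims the gateway IP
    ("12:00:05", "aa:bb:cc:00:00:11", "192.168.1.1"),
]

# Assumed asset knowledge: the MAC each gateway IP is supposed to have.
KNOWN_GATEWAYS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_conflicts(packets, known_gateways=KNOWN_GATEWAYS):
    """Return a list of (alert_type, ip, macs) tuples.

    Two checks are applied to the sender IP/MAC pairs seen on the wire:
      - ip-claimed-by-multiple-macs: any IP announced by more than one MAC
      - gateway-impersonation: a known gateway IP announced by an unexpected MAC
    """
    claims = defaultdict(set)
    for _, mac, ip in packets:
        claims[ip].add(mac.lower())

    alerts = []
    for ip, macs in sorted(claims.items()):
        if len(macs) > 1:
            alerts.append(("ip-claimed-by-multiple-macs", ip, sorted(macs)))
        expected = known_gateways.get(ip)
        if expected is not None:
            rogue = sorted(m for m in macs if m != expected.lower())
            if rogue:
                alerts.append(("gateway-impersonation", ip, rogue))
    return alerts


if __name__ == "__main__":
    for alert_type, ip, macs in detect_arp_conflicts(SAMPLE_ARP_PACKETS):
        print(f"{alert_type}: {ip} announced by {', '.join(macs)}")
```

The gateway table is what turns a noisy "duplicate IP" warning into a specific alert; without it, the first check still fires, but it cannot say which of the two MACs is the impostor. On a real network the same logic can be fed from a packet capture filtered to ARP, or compared against the switch's DHCP-snooping bindings.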

Botnet infections in the enterprise have experts advocating less automation

This article brings up a subject that is near and dear to my heart.  Many organizations believe they can throw money at the Cyber problem to make it go away.  While funding is helpful, organizations need to learn that spending all their money on expensive silver bullet appliances is not nearly as valuable as hiring experienced security personnel. 

Honorable Mentions

Multi-platform Backdoor with Intel OS X Binary

Phishers use less strident subject lines to deliver new cunning attacks

Google Releases Google Chrome 20.0.1132.57

Yahoo security breach shocks experts

The worst security snafus of 2012 - so far

Cyber Armament


Sunday, Jul 15, 2012

TekTip ep1 - Basic Dynamic Malware Analysis

Alright everyone, check out our first TekTip tutorial.  Please excuse the poor resolution on the video.  For a better view, select 720p and fullscreen.

In this episode we talk about and demo basic dynamic malware analysis. Tools we leveraged here include VMware Workstation, Sysinternals Suite, Netcat, ApateDNS, Wireshark, and Regshot.

 -1aN0rmus

Sunday, Jul 08, 2012

Threat Down - 7/8/2012

Welcome to the Threat Down for the week ending on July 8, 2012.  Here is a recap of noteworthy news items from throughout the week.

Top Security News

While Apple wasn’t the only company that let this slide through their filters (Google as well), this is the first reported case of malware making it past Apple’s screening methods.  This trojan collects contact information, GPS information, and sends SMS to the contact list in an attempt to compromise more users.
We have learned a lot about why hashing alone isn’t enough (thanks LinkedIn), but it is nice to see some real metrics that can be leveraged to get management on board with salted hashes.  “it only took 72 hours to crack about 80% of 1.5 million eHarmony hashed passwords that were dumped”.
Okay, I promise this will be the last article about DNSChanger that makes this list, unless there is another extension.  Hard to believe that there are still 300,000 machines infected with DNSChanger after all of this publicity.  Also, I wish these news sites would stop saying that the internet is going to disappear; it is just DNS resolution that goes bye-bye.
There will be nine patches released this Tuesday, three of which will be critical.  While it is always important to keep your machines updated, this is a particularly significant Patch Tuesday, as the vulnerability that allowed Flame to leverage Windows Update is being addressed.
Ransomware has been getting a lot of hype lately (thanks Reamde), but this particular strain goes above and beyond.  While normal ransomware will encrypt your drive and then ask for money in return for the password to decrypt, this strain adds the threat of placing child pornography on the victim computer and calling the police.
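Two items in these recaps come down to how passwords were stored: the Yahoo Voice dump in the 7/15 Threat Down, where the passwords were in clear text, and the eHarmony figure above, where unsalted hashes were cracked in bulk. The script below is an added example for this post, not code from any of the companies or articles mentioned. It contrasts the two things the eHarmony metric argues for: per-user random salts, so equal passwords do not produce equal stored values and a precomputed table cannot be reused across accounts, and an iterated construction (PBKDF2, from Python's standard library) that makes each guess cost the attacker real work. The user list and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credential store: two users who happened to pick the same
# password. Not real accounts.
SAMPLE_USERS = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "Summer2012!",
}

# Cost factor for PBKDF2; the assumption here is that login can afford ~0.1 s.
PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one unsalted SHA-1 per user, as in the LinkedIn-style dumps.

    Every user with the same password gets the same stored value, so one
    cracked hash, or one precomputed table, covers all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated scheme: returns 'pbkdf2_sha256$iterations$salt$digest'.

    Storing the parameters with the digest lets the cost be raised later
    without invalidating existing records.
    """
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(users=SAMPLE_USERS):
    """Store the same users both ways and report what an attacker would see."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: make_record(p) for u, p in users.items()}
    return {
        # identical passwords collapse to one value without a salt ...
        "unsalted_distinct": len(set(unsalted.values())),
        # ... but stay distinct once each record has its own salt
        "salted_distinct": len(set(salted.values())),
        "salted_verify_ok": all(verify_record(p, salted[u]) for u, p in users.items()),
        "salted_reject_wrong": not verify_record("wrong-guess", salted["alice@example.com"]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The "distinct" counts are the whole argument in miniature: with two users and no salt there is one value to crack; with salts there are two, and each one costs 100,000 PBKDF2 rounds per guess instead of a single SHA-1. Clear text, as in the Yahoo case, is the degenerate version of the same mistake, where the number of guesses needed is zero.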


Honorable Mentions

Monkif Botnet Hides Commands in JPEGs 

Security firm in Tor Project 'mass surveillance' row responds

Stuxnet cyberattack by US a 'destabilizing and dangerous' course of action, security expert Bruce Schneier says

Wikileaks releases Syria Files, 2.4 million government related emails

Hacking IPv6 Networks SI6 Networks

IPv6 Security Tools

Sunday, Jun 24, 2012

Threat Down - 6/24/2012

Welcome to the Threat Down for the week ending on June 24, 2012.  Here is a recap of noteworthy news items from throughout the week.

Top Security News

United States Accused of Using Flame to try to Cripple Iran's Economy

With news on Flame finally wrapping up dailytech.com puts a nice article together summing up current data on the event.  While cyber espionage is nothing new, Flame has brought it to the attention of the masses, reiterating what most learned from Stuxnet.  

Printer bomb malware wastes reams of paper, sparks pandemonium

What’s worse than losing thousands of SSNs, or intellectual property?  Malware has infected hundreds of networks, causing printers to empty their paper trays with mass quantities of binary handouts.  While some of you may mock the seriousness of this situation, you wouldn’t if you knew how much print cartridges cost.  Jokes aside, it is not apparent at this point whether this was the goal of the malware or a side effect (maybe a distraction).

US-CERT discloses security flaw in Intel chips

A flaw in the way Intel CPUs handle the SYSRET instruction for error handling can allow attackers to launch malicious code with kernel privileges.  The really interesting part here is how this could allow guest-to-host escape in virtual environments.  VMware is not affected, though. 

BYOD exposes the perils of cloud storage

IBM, an advocate for BYOD, blocks access to cloud storage services such as Dropbox after finding users were placing intellectual property in “the cloud”.  While BYOD was the catalyst for finding cloud storage woes at IBM, I wish instead this had focused on why cloud storage is bad for an enterprise.  It would be a shame if malware leveraged cloud storage for data exfiltration …

Google warns about 'state-sponsored' hack attacks

Upon logon, Google will inform certain users that they may be the target of a state-sponsored attack.  Google has not yet let on how they are determining this, but in my opinion, their proactive stance on security as of late has been nothing but good.  

Attack code published for 'critical' IE flaw; Patch your browser now

I know that some of you are still wary of Windows Update after all the Flame talk these last few weeks, but it is time to ensure it’s on and serving up the latest set of patches.  Attack code has been published and made easily accessible via Metasploit.

Virtual analysis misses a third of malware

I hate when articles make claims such as the title without referencing any actual study or metrics.  That said, I think this brings to light something that some of us in the malware analysis field need to understand and preach to customers and leadership.  Malware can, and some does, detect when it is running in a virtual environment, a common sandbox, or even a common honeypot.  Virtual malware analysis and automated malware analysis are not going to find everything. 


Honorable Mentions

The Failure of Anti-Virus Companies to Catch Military Malware

Data breach? Virtual bounty hunters will hunt it down

Ransomware Can Strike Anywhere

Google detects 9,500 new malicious websites daily

Hackers publish payday loan emails after failing to levy 'idiot tax'

Forget AV. Locking up cyber-crimes more effective

Google Apps admins can now enforce use of two-step log-in process 

Nigerian email scam is used to find only the most gullible targets

Louisiana Sex Offenders Must Make Their Crimes Visible on Social Networks

Analysis of drive-by attack sample set

Experts show how 'Flame' malware fakes Windows 

Privilege comes with peril in world of cybersecurity
