OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag
OSS-2016-03: Insufficient Integrity Protection in Winkhaus Bluesmart locking systems using Hitag S
[SECURITY] [DSA 3431-1] ganeti security update
[SECURITY] [DSA 3432-1] icedove security update

Posted by InfoSec News on Jan 01


[This was posted on Twitter Thursday by Gene Spafford - @TheRealSpaf
and I figured I should share this with the list. Please check out the
above link for complete details, history, and the special offer! - WK]

Sunday, December 06, 2015 by spaf

It may seem odd to consider June 2016 as January approaches, but I try to think
ahead. And June 2016 is a...

Posted by InfoSec News on Jan 01

Forwarded from: Luiz Eduardo <le (at) ysts.org>

Hello ISN readers and sorry for the possible cross-postings you might see, on
behalf of the conference's organization team I would like to let you know that
YSTS X's CFP is currently opened.

Call for Papers - YSTS X - Information Security Conference, Brazil

YSTS 10th Edition

Where: Sao Paulo, Brazil

When: June 13th, 2016

Call for Papers Opens: December 13th, 2015

Call for...

6D713031CD29F69C679DE72C234E45AA !

You can not always be successful in your undertakings. Failure will happen too. But failure is not necessarily negative, for example, its positive when you can learn something while failing. Im happy when I learn something, even when I fail.

This diary entry is about one of my failures, I hope you" />

I had the idea to try to detect such executables with YARA. Look for PE files with resources (icons are stored as resources), and then try to find the byte sequence that makes up the icon. Here is the YARA rule:

Version 0.0.1 2015/10/31
Source code put in public domain by Didier Stevens, no Copyright
Use at your own risk

Shortcomings, or todo-) :

2015/10/27: start
2015/10/31: added second rule

import hash
import pe

rule PE_File_Contains_Acrobat_Icon_2

author = Didier Stevens (https://DidierStevens.com)
description = Detect the presence of the Acrobat Icon
sample = c94255d2b4f68da6c0bbf669c87141b7
method = Find hex sequence present in the icon and then calculate the hash of the bitmap and compare)
$a = {07 07 07 00 00 00 00 00 EE EE EE FF F9 F9 F9 FF F9 F9 F9 FF F9 F9 F9 FF F9 F9 F9 FF F9 F9 F9 FF}
pe.number_of_resources 0 and
pe.sections[pe.section_index(.rsrc)].raw_data_offset @a - 0x110 and
hash.md5(@a - 0x110, 9640) == 95f41b1d89e6ad15ec5012f74d49d7de

First I check that the file is a PE file, and that it has resources: pe.number_of_resources 0

The raw bitmap of the ICON in this sample is 9640 bytes. That is too long as a search expression, so I search for a distinct substring of this icon, $a: 07 07 07 00 00 00 00 00 EE EE EE FF F9 F9 F9 FF F9 F9 F9 FF F9 F9 F9 FF F9 F9 F9 FF F9 F9 F9 FF. This substring starts at position 0x110 into the raw bitmap.

So I check that string $a does not appear earlier in the PE file than the resource section: pe.sections[pe.section_index(.rsrc)].raw_data_offset @a - 0x110

And finally, I check that the complete raw bitmap of the icon is present by calculating the md5 hash of the 9640 bytes that contain $a: hash.md5(@a - 0x110, 9640) == 95f41b1d89e6ad15ec5012f74d49d7de" />

works. It triggers on the sample.

But it is one of my failures, because this rule has never detected any other samples with the same icon. And since I wrote the rule, I was able to check different new samples using the same social engineering trick. But for each sample the icon looked slightly different, and thus the hash was different.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status