InfoSec News

Be careful with the links showed in this diary because they are live and could infect your computer if not handled properly

Phishing e-mail artwork is becoming more effective everyday. Users are having a bad time trying to distinguish the fake sites from the real ones. I am going to show you a different phising e-mail that does not take the user to a website to try to steal a password but installs malware to the computer using obfuscated javascripts and shellcodes.

I received today the following message:

This looked strange. I reviewed the link and pointed me to http://thedizzybaker.com/wp-includes/int-market.html. The following javascript appeared:

This javascript is obfuscated. I used firebug to get more information and got an iframe pointing to other website:

Following the new link, we find another obfuscated javascript. Let's see a snip of it:

Now here is where the malicious stuff begins. After deobfuscating the script, we find the following:

The script tries to determine which navigator is running the system:

The script tries to determine the Adobe Flash and Adobe Reader version installed:

A shellcode is executed:

Let's take a look to the shellcode. It executes the following instructions:

kernel32.VirtualProtect: This function is called in the shellcode to establish a 255-byte memory segment where the memory protection attributes can be modified. For more information about the available attributes, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786%28v=vs.85%29.aspx.
kernel32. LoadLibraryA: This function is called to load the urlmon.dll library, which is used to transfer information using the http protocol. A couple of functions inside the file are:
urlmon.URLDownloadToFileA: The function is called to download http://migdaliasbistro.net/w.php?f=f7d19e=1 and save it to wpbt0.dll.
kernel32.WinExec:This function is called to register the dll using regsvr32 -s and then executed.
kernel32.TerminateThread: This function is called to end the execution of the shellcode.

The file download in step 3 is a dll with MD5c3124a2981d8e1b9e13e8c21c96448f7. Virustotal shows a 7/43 detection ratio.It injects into explorer.exe and performs inline hooking to ntdll.dll. Once it is installed, it reports to hbirjhcnsuiwgtrq.ru, which resolvs to the following ip addresses:,,,,,, using a http POST to the /rwx/B2_9w3/in/ location.

Such threats are increasing and control of these involves the establishment of malware control measures as part of te Information Security Architecture of the company, like the following:

Antimalware perimeter defense: I recommend using the Trend Micro and Mcafee web gateways. They are scalabe and integrates very good with the antimalware monitoring system inside the corporation. This measure allows to protect users from downloading malicious code like javascript and executables.
Host IPS: The antimalware control is not enough in these days as the threats are evolving and the antivirus companies are not capable anymore to control in real time all the emerging malware attacks. This tool is used to prevent the materialization of the vulnerabilities on computers, such as buffer overflow, code injection, among others. Thus, the computer is protected until the virus signature is out sothe antimalware programis able to deal with the respective threat.
Antimalware: This is the conventional antimalware control that is sold by the antivirus companies.

Manuel Humberto Santander Pelez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander


e-mail: msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The browser battle returned to a kind of normalcy last month as Microsoft's Internet Explorer, which had posted its largest-ever share increase in January, declined slightly in February
Intel suffered a setback in the server market this week with the news that its former partner, SeaMicro, is being acquired by AMD. But the world's top chip maker said it was internally developing technology to remain competitive in the dense server market.
Cloud computing is quickly going from promise and potential to practical applications, and CIOs who haven't already considered what cloud means for their business better step up. That was the consensus of panelists at a roundtable discussion hosted by IntraLinks on Thursday.
Multiple Dolphin Browser Applications For Android Multiple Unspecified Security Vulnerabilities
Android malware research experts at RSA Conference 2012 say using free tools to spot Android malware trends can help foster greater Android app security.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google

Infosec professionals unsure about abilities to stop cyber attacks
Infosecurity Magazine
It looks as the great British public is finally losing its patience with those businesses that it views as endangering their personal data, as a survey from LogRhythm claims to show that many people are now aware of the need for data disclosure ...


Barracuda Labs Introduces Hot Security Topics (HST) Ranking System
MarketWatch (press release)
"Information from HST helps to validate market data that IDC provides, and it identifies areas of opportunity where the infosec ecosystem is misaligned." Popular Topics Each exhibiting company provides a succinct company description, which Barracuda ...

and more »
Microsoft Windows Ancillary Function Driver CVE-2012-0149 Local Privilege Escalation Vulnerability
The judge overseeing Oracle's intellectual property lawsuit against Google wants Oracle to provide "a clear answer" as to why the trial shouldn't be postponed until a number of patent reexamination processes are fully played out, according to a filing late Thursday in U.S. District Court for the Northern District of California.
Mobile World Congress 2012 revealed many emerging trends for smartphones. Which will be the most significant?
AT&T yesterday clarified when and how it will slow down the connection speed of smartphone users who still have an unlimited data plan.
Earnings season has essentially ended, but Yelp's initial public offering Friday, Apple's record high share price and a strong market for IT stocks are giving tech investors plenty to get excited about.
PHP, one of the most widely used languages for building websites, has been updated with a number of improvements to ease development and speed performance.
An Oregon man has been convicted of seven courts of wire fraud for helping thousands of people steal Internet service, the U.S. Department of Justice said.
VLC Media Player Multiple Stack Based Buffer Overflow Vulnerabilities

vider OpenDNS has hired away the chief technology officer of security vendor Websense Inc. and is laying the groundwork for a variety of DNS layer security services and products aimed at enterprises.

Dan Hubbard, who spent 14 years at Websense, is planning to build out OpenDNS’ security product portfolio. Hubbard played a significant role at Websense, building the Websense Security Labs and the company’s classification engine, which is at the heart of its security products. The engine is used to filter out malicious websites, block spam and phishing attacks and is also at the core of Websense’s content filtering technology.

Hubbard confirmed his departure this week. A Websense spokesperson said the company is already reshuffling executives to fill the CTO role. Charles Renert, an expert noted for his work with Symantec Security Labs and founding Determina, was promoted to vice president and will assume Hubbard’s responsibilities in the interim.

It’s going to be extremely interesting to see how OpenDNS’s enterprise security plans unfold under Hubbard’s guidance.

I spoke to Hubbard at a reception at RSA Conference 2012 where he exuded a lot of enthusiasm for his new gig at OpenDNS. Hubbard said there’s a potential for a whole new range of security technologies that take advantage of being in the DNS layer. The company, which launched in 2005, already provides malware protection for its users by blocking outbound botnet communications at the DNS layer. It also maintains PhishTank, the largest clearinghouse of phishing information on the Internet. OpenDNS has 12 data centers that handle DNS requests, but also have been collecting threat intelligence data for years. Combining threat intelligence with the ability to keep track of individual IP addresses opens up an interesting set of capabilities for protecting laptops and mobile devices.

The company already has a broad set of users of OpenDNS Enterprise, which provides inbound and outbound protection and is application-, operating system-, protocol- and port-agnostic since it is essentially cloud-based at the DNS layer. The company has been pushing itself as an extra layer sitting between the Internet and enterprise firewalls and antivirus technology at the endpoint. There are some built-in reporting capabilities providing data on attacks and malicious websites that were blocked by the service.

Hubbard’s move to OpenDNS and the company’s security strategy caught the eyes of at least two prominent security luminaries: Dan Kaminsky and Paul Vixie, who attended the reception. Last year, Kaminsky briefly shared with me his vision of what DNS-based security technologies can do. He believes a broad range of technologies can be built out leveraging DNSSEC architecture for authentication and establishing trust in Internet communications. It could provide a much needed injection of trust into the Internet, which has been evaporating in recent years because of a variety of issues, including breaches at SSL Certificate Authority vendors and well known weaknesses in the digital certificate system itself. Vixie has also publicly shared the potential of adding security to the DNS layer.

It was hard, however, to find the enthusiasm for OpenDNS from others at the RSA Conference. The first thing that comes to mind with OpenDNS is its consumer products that enable parents to shield porn and other websites from their children.

Several industry analysts and other security professionals I spoke to were too wrapped up in their own respective areas of expertise, but a few people said they share Kaminsky’s passion for the long-term potential of DNS-layer security technologies.

OpenDNS CEO David Ulevitch told me the company already has the foundation in place to provide a wide variety of security services. He said it just has to execute on its strategy and provide a convincing argument that enterprises can get value out of having security at the DNS layer.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Multiple GO Launcher Applications Multiple Unspecified Vulnerabilities
[Suspected Spam] Endian UTM Firewall v2.4.x & v2.5.0 - Multiple Web Vulnerabilities
Google Apps customers are finding it hard to delete and reactivate domains in their accounts, after Google unexpectedly disabled the automated mechanism for performing these tasks in mid-January.
Analysts are split on how Google's new privacy rules, which went into effect Thursday, will affect users -- and ultimately the company itself.
[Suspected Spam] FlashFXP v4.1.8.1701 - Buffer Overflow Vulnerability
The fourth quarter of 2011 saw healthy external disk storage system growth, as did the year as a whole, with revenues growing by 10.6% to $23.5 billion.
As of March 1, if you hadn't erased your Google Web History and switched the feature off, you will have made a big mistake because Google has set itself on a course that will allow the company to find out way too much about you ... at least, way too much about you if you have any interest in maintaining your privacy.
A company that has been providing third-party support for Oracle's JD Edwards ERP software is undergoing a significant expansion of its efforts, despite the ongoing cloud of litigation over the market.
Jun Kim, the young co-founder of a Korean software house, was recently approached by a representative from Amazon, who offered him a US$200 credit to develop on its Web Services cloud platform.
Dell has introduced its XPS 13 ultrabook, a light, well-designed laptop that offers an impressive balance of style and performance.

Android malware skyrockets: Kaspersky Lab
Computer Business Review (blog)
In fact, CEO Eugene Kaspersky told CBR at last year's InfoSec conference that the threat to Android and other mobile platforms was, "growing but it's not visible yet compared to Windows. Cyber criminals are humans; they are lazy.

and more »
Eastman Kodak, which filed for bankruptcy protection in January, has entered into an agreement with Shutterfly for the sale of certain assets of its online photo services business for US$23.8 million, it said Thursday.
Jun Kim, the young co-founder of a Korean software house, was recently approached by a representative from Amazon, who offered him a US$200 credit to develop on its Web Services cloud platform.
Apache aims to have the upcoming 0.23 release this year be able to run on 6,000-node clusters
Politics could tip the scales in Apple's favor for a high-stakes legal battle that will decide ownership of the iPad trademark in mainland China. But some legal experts remain divided on whether it will be enough to help the U.S. tech giant avoid a ban of its iconic tablet in the country.
Concern about cyberterrorism was evident this week among security experts at the RSA security conference in San Francisco, who find that some people with extremist views have the technical knowledge that could be used to hack into systems.

SANS Institute Wins the SC Magazine Award for Best Professional Training Program
DigitalJournal.com (press release)
... The Internet Storm Center - an analysis and warning service for Internet users and organizations; the SANS Reading Room - over 1853 computer security white papers in 74 different categories; Webcasts - live webcasts covering timely Infosec topics; ...

and more »
Analysts are split on how Google's new privacy rules, which went into effect Thursday, will affect users -- and ultimately the company itself.
The U.S. has a remarkable track record of innovation. Why, then, isn't the nation's science-and-engineering work force -- the people responsible for much of that innovation -- growing?
I like a lot of things about my iPhone 4, but I don't like the way Apple seems to be closing its ecosystem again. So when the Samsung Galaxy Nexus arrived, I got rid of the iPhone and moved to Android.
Netherlands hacker poltergeisth4cker has continued to attack website in the name of freetibet. The defacement is the same as the last ones from early in the week.


What an InfoSec professional needs to know
Crain's Cleveland Business (blog)
Any Infosec professional you have on your staff should, at minimum, possess the CISSP® certification. CISSP stands for Certified Information Systems Security Professional and, while it is not the only Infosec certification that exists, ...

Two hackers hax.r00t n saadi have continued to attack servers and sites and as a result they have left a further 1,355 sites hacked and defaced. The hacked sites are also a result of another team from the other side of the cyber war that we are seeing.


Posted by InfoSec News on Mar 01

Forwarded from: <cfp2012 (at) recon.cx>

                     `-,_   `.   \  | |  /   .'    _,-'
          ,,__           `-,_ `.  \ | | /  .'  _,-'          __,,
              ''--..__       `-,_.-"""""-._ ,-'      __..--''
          ...____     ''--..__.'           `.__..--''      ...

Posted by InfoSec News on Mar 01


FOX News
01 Mar 2012

The US military's Defense Information Systems Agency (DISA) on Thursday
shut down access to the internet and blackberry service while work was
being done to fix an unspecified problem.

The shutdown, which came around 10:00am local time, means that no one in
the Pentagon has internet access. Many military downrange, including...

Posted by InfoSec News on Mar 01


By Kim Zetter
Threat Level
March 1, 2012

Hackers seized control of networks at NASA’s Jet Propulsion Laboratory
last November, gaining the ability to install malware, delete or steal
sensitive data, and hijack the accounts of users in order to gain their
privileged access, according to a report from the National Aeronautics
and Space Administration’s inspector...

Posted by InfoSec News on Mar 01


By Iain Thomson in San Francisco
The Register
1st March 2012

RSA 2012 Security experts have warned that electronic voting systems are
decades away from being secure, and to prove it a team from the
University of Michigan successfully got the foul-mouthed, drunken
Futurama robot Bender elected to head of a school board.

In 2010 the Washington DC election board announced...

Posted by InfoSec News on Mar 01


By Dara Kerr
March 1, 2012

Anonymous continued its ongoing attack on agricultural biotech giant
Monsanto today by publishing an outdated database of the company's
material. This is the newest in a barrage of strikes from hackers
aligned with Anonymous who operate under the "AntiSec" banner.

In a statement posted with the...
Yet Another Lebanon based website has been hit by hackers, this time its by @Chriss10011. The website that has been hit is the Distribution of technology, a leading world wide electronic's provider that is based out of lebanon.

Internet Storm Center Infocon Status