InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
JFRS can provide law enforcement with its only leads by identifying suspects from photos or video footage. It also can save weeks or months of investigative work.
Trust for Americas' tech-based program gives disabled individuals throughout Latin America job skills tailored to their region's job market, helping to alleviate the lack of education and training available to the disabled, and helping to lift them out of poverty.
Curriki is leveraging technology to bring free educational resources to educators, parents and students around the world, to help deliver better student outcomes at lower costs and to eliminate financial barriers to receiving an education.
The use of low-cost mobile phones in conjunction with the free EpiSurveyor software drastically cut costs for data collection and analysis in developing regions while enabling quicker times for quality control and improving implementation speed.
The Cloud Services Innovation Platform centralizes resources, cuts cost and provides a more scalable and flexible IT backbone for the National Resource Conservation Service.
Fujitsu's contributions of various resources, including free cloud services, communications applications, PCs and volunteers, helped workers, customers and Japanese residents as they try to recover from the devastation caused by the 2011 earthquake and tsunami.
Delivering HIV test results quickly allows healthcare providers to start life-saving treatment right away, improving the infants' chances for survival.
The new IT infrastructure features a self-service portal that radically improves the way the Norwegian government administers pensions to 1 million residents and readies it for an expected increase in retirees.
An SMS management tool and a Web-based reporting tool give increased visibility into antimalarial medicine inventories among health facilities
The delivery of customized healthcare information to patients via a smartphone app results in educated patients who are better consumers of healthcare resources and better able to manage their medical conditions.
There are numerous ways of concealing sensitive data and code within malicious files and programs. However, attackers use one particular obfuscation technique very frequently because it is simple to implement and offers protection that's usually sufficient. This approach works like this:

1. The attacker picks a 1-byte value to act as the key. The possible key values range from 0 to 255 (in decimal).
2. The attacker's code iterates through every byte of the data that needs to be encoded, XOR'ing each byte with the selected key.

To deobfuscate the protected string, the attacker's code repeats step #2, this time XOR'ing each byte in the encoded string with the same key value.
For example, consider the malicious Microsoft Word document World Uyghur Congress Invitation.doc, which was sent to victims as an email attachment in a targeted attack. (To understand how this exploit works, see my earlier posts How Malicious Code Can Run in Microsoft Office Documents and How to Extract Flash Objects From Malicious MS Office Documents.)
In this case, the attacker embedded an ActiveX control inside the Word document to execute JavaScript, which downloaded and executed a malicious Flash program that targeted a vulnerability in the victim's Flash Player. The payload of the exploit extracted and executed a malicious Windows executable, which was hidden inside the Word document.
To locate the executable file within the Word document, you can use Frank Boldewin's OfficeMalScanner tool. The scan option directs the tool to look for the embedded malicious Office and Windows executable files. The brute option tells the tool to look for these artifacts even if they were obfuscated using several common methods, including the XOR technique described above.

In this example, OfficeMalScanner automatically locates and extracts the embedded Windows executable, saving it as WUC Invitation Letter Guests__PEFILE__OFFSET=0xfc10__XOR-KEY=0x70.bin. (The tool automatically determined that the attacker used XOR key 0x70 to conceal this file.) According to PEiD (see screenshot below), the extracted file is a Win32 program that is not packed and that was probably compiled using Microsoft Visual C++.

The deobfuscated and extracted Windows executable file can be analyzed using any means, including your favorite disassembler and debugger, as well as using behavioral analysis techniques.
It's quite possible that the extracted malicious executable also contains obfuscated data. Given that everyone, including malware authors, takes shortcuts once in a while, it's possible that this data is protected using the simple XOR algorithm we discussed earlier. Didier Stevens' XORSearch tool can scan any file, looking for strings encoded using simple techniques, including this XOR method.
You need to know the clear-text version of the string you'd like XORSearch to locate. One good value to look for is http, because attackers often wish to conceal URLs within malicious code. Another good string, as suggested by Marfi, might be This program, because that might identify an embedded and XOR-encoded Windows executable, which typically has the string This program cannot be run in DOS mode in the DOS portion of the PE header.
As you can see below, XORSearch locates the string HTTP/1.1; apparently it was encoded using the key 1B. (Sometimes you get a false positive, as seems to be the case with the key 3B.)

When invoking XORSearch with the -s parameter, you direct the tool to attempt decoding all strings within the file using the discovered key. In our example, this results in the creation of the WUC Invitation Letter Guests__PEFILE__OFFSET=0xfc10__XOR-KEY=0x70.bin.XOR.1B file. If you look at this file using a hex editor, you can locate several decoded strings that you might use as the basis for custom signatures and further code-level analysis.
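To make the single-byte XOR scheme from steps 1 and 2 and the XORSearch-style known-plaintext hunt concrete, here is an added Python example (written for this post; it is not Lenny's code nor part of XORSearch or OfficeMalScanner). The buffer, the key values and the URL in it are constructed for the demonstration; only the keys 0x70 and 0x1B and the two search strings echo the post.

```python
import string

def xor_bytes(data: bytes, key: int) -> bytes:
    """Step 2 of the post: XOR every byte with a 1-byte key (0-255).
    XOR is its own inverse, so the same call also deobfuscates."""
    return bytes(b ^ key for b in data)

def xor_search(data: bytes, needle: bytes) -> list:
    """(key, offset) pairs where `needle` appears once `data` is decoded with
    `key`. Rather than decode the buffer 256 times, encode the short needle
    with each key and search for that; XOR symmetry makes the positions equal."""
    hits = []
    for key in range(256):
        pattern = xor_bytes(needle, key)
        pos = data.find(pattern)
        while pos != -1:
            hits.append((key, pos))
            pos = data.find(pattern, pos + 1)
    return hits

def decoded_strings(data: bytes, key: int, min_len: int = 8) -> list:
    """Like XORSearch -s: decode the buffer with `key` and return printable
    ASCII runs, so a candidate key can be checked for false positives."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    runs, cur = [], bytearray()
    for b in xor_bytes(data, key) + b"\x00":   # sentinel flushes the last run
        if b in printable:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode())
        cur = bytearray()
    return runs

# Constructed sample buffer (not taken from the WUC document): a PE-like
# header stub, then two strings hidden with different single-byte keys.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + xor_bytes(b"This program cannot be run in DOS mode.", 0x70)
    + b"\x00\x00\x00\x00"
    + xor_bytes(b"http://example.invalid/update.php", 0x1B)
    + b"\x00\x00\x00\x00"
)

if __name__ == "__main__":
    for needle in (b"This program", b"http"):
        for key, off in xor_search(SAMPLE, needle):
            print(f"{needle!r}: key 0x{key:02X} at offset 0x{off:X}")
            print("  decoded strings:", decoded_strings(SAMPLE, key))
```

A short needle such as http will produce more false-positive keys on a real binary than the longer This program; dumping the decoded strings for each candidate key is how you tell a true hit (readable text around it) from noise.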

XOR and related methods are often used by attackers to obfuscate code and data. The tools above help you locate, decode and extract these concealed artifacts. If you have recommendations for other tools that can help with such tasks, please let us know by email or leave a comment below.
-- Lenny Zeltser
Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.
Lenovo is working to surpass HP as the top PC maker in the world and executives think pushing ultrabooks is the way to make that happen.
Now that Asustek has shown off a 10-in. Windows RT tablet, speculation is building over what competitors' devices will look like, how much they will cost and when they will go on sale.
HP today announced new deduplication solutions for its StoreOnce Backup product line, including the B6200, that enable 100TB/hr backup performance.
Hewlett-Packard's Autonomy subsidiary will release an add-on component to link the company's IDOL flagship search software to the Apache Hadoop data processing platform, it announced Monday as part of its HP Discover user conference this week in Las Vegas.
Claims software used by many large auto and homeowners insurance vendors in the U.S. has allowed the companies to manipulate claim payments and "low-ball" customers, according to a new report from the Consumer Federation of America.
Microsoft has embedded Adobe's Flash Player in the Metro version of Internet Explorer 10 (IE10) in Windows 8 and Windows RT
Toshiba today announced a new line of solid-state drives that use 19-nanometer process technology, the smallest circuitry to date.
IBM today announced a dozen upgrades or new services for its storage products, including inline compression for its storage virtualization appliance, SVC.
Reader Derrick Cliff has need of quick and dirty storage. He writes:
Analysts who track IT employment are offering starkly different views of IT hiring that range from still healthy to troubling.
The new 4.8-in. Samsung Galaxy S III smartphone will be available from five U.S. carriers in June. Each of the carriers has a slightly different timetable for rolling it out.
With a focus on both cloud and mobile, IBM has updated its Rational line of software development management products and services, the company announced Monday during the kick off its annual Innovate software conference, being held this week in Orlando.
Microsoft GDI+ CVE-2012-0165 EMF Image Processing Remote Code Execution Vulnerability
The fraudulent Microsoft certificates were used in the Flame malware attacks and could be used by less sophisticated cybercriminals, according to Microsoft.

Speculation is flying that Facebook executives may be developing technology that would enable kids under the age of 13 to join the site with parental supervision.
Samsung plans to offer its Galaxy S III smartphones to consumers in the U.S. through five carriers beginning this month, the company said Monday, but the device will not run a quad-core processor as does the 3G version launched in Europe and India.
Magnetic Billiards: Blueprint from Zee 3 Limited is a study in contrasts. The game has simple graphics--it takes places on a billiard table sketched out on a set of blueprints--but the colors and patterns are quite striking. It's a pretty simple game--you can get right to playing without ever swiping your way through the in-app tutorials--but there are tricks and tips you can only master by diving in deep. And it's a textbook casual game that you can play in short bursts and put down again--though, if you're not careful, you could find yourself spending a lot of time trying to conquer Magnetic Billiards.
Ubuntu Update Manager CVE-2012-0949 Information Disclosure Vulnerability
[SECURITY] [DSA 2485-1] imp4 security update
Microsoft on Sunday revoked several of its own digital certificates after discovering that the makers of the Flame super-cyber spy kit figured out a way to sign their malware with the company's digital "signature."
Any.do is the rare mobile app that began its life (and rose to popularity) on Android, only to arrive on the iOS platform later. In Any.do's case, "later" turned out to be Monday, as the to-do list app landed in the App Store.
[SECURITY] [DSA 2482-1] libgdata security update
[SECURITY] [DSA 2482-1] arpwatch security update
[SECURITY] [DSA 2481-1] arpwatch security update
[SECURITY] [DSA 2484-1] nut security update

NetClarity Hires Cisco Sales Veteran Tom Hewett as Vice President of Sales for ...
San Francisco Chronicle (press release)
... 2012 NetClarity, Inc., the leading provider of Next Generation Network Access Control (NAC) technology in the marketplace, on the heels of receiving the "Most Innovative New Security Product for 2012" award from InfoSec Products Guide, ...
Advanced Micro Devices said Monday that it has added more horsepower to its chip lineup with new 16-core Opteron server chips based on the Bulldozer microarchitecture.
We've received a fair number of questions on today's emergency patch from Microsoft (https://isc.sans.edu/diary/13366), and many of them have been simply, "Why don't they just put the affected certs into the CRL (Certificate Revocation List)?" That is, after all, what the CRL is for, and it's part of the SSL protocol, for goodness sake!

Simply put, in most cases the browsers do not consult the CRL, or if they do, they time out the lookup and proceed on *very* quickly. Jim wrote on this in February when Chrome enabled this behaviour (http://isc.sans.edu/diary.html?storyid=12556). But this behaviour has been in force for some time (to various degrees) in most browsers and platforms. A quick Google search led me to some excellent articles on this topic:



You'd think after the Diginotar compromise just last year (http://isc.sans.edu/diary.html?storyid=11500 , http://isc.sans.edu/diary.html?storyid=11512 and many others), we'd have learned and changed this behaviour.

Unfortunately, it's truly become a race to the bottom for browsers where SSL security is concerned. And sadly, it's we, the browser users who insist on the fastest browser, that have forced them to go there.


Rob VandenBrink

Metafore.ca

It's really not all that difficult to do a little self-vetting of the apps you install on your mobile devices.
Samsung plans to offer its Galaxy S III smartphones to consumers in the U.S. through five carriers beginning this month, the company said Monday, but the device will not run a quad-core processor as does the 3G version launched in Europe and India.
Salesforce.com is acquiring social media marketing firm Buddy Media in a US$689 million cash and stock deal, the companies announced Monday. The transaction is expected to close in Salesforce.com's third fiscal quarter, which ends Oct. 31.
IrfanView Formats PlugIn 'NCSEcw.dll' Heap Based Buffer Overflow Vulnerability
IrfanView Formats PlugIn TTF File Buffer Overflow Vulnerability
Asustek Computer unveiled a novel laptop-tablet design at the Computex trade show in Taipei on Monday, along with an all-in-one PC with a detachable monitor that transforms into "the world's biggest tablet."
Network UPS Tools (NUT) 'addchar()' Function Buffer Overflow Vulnerability
Microsoft's Windows 8 will activate its built-in antivirus software only if it senses that the PC is not protected by another security program, says McAfee.
Less worried than they once were about the elimination of their positions, IT pros are now focused on finding the best fit for their skill set.
HP CEO Meg Whitman's strong support for Republican presidential candidate Mitt Romney carry risks ranging from public perception of the company to closer scrutiny by the government. HP says Whitman's politics are her own.
Adoption of Android tablets and smartphones in enterprises has been 'severely limited' by the complexities of managing the wide variety of devices and versions of the operating system, research firm Gartner said in a new report.
The executive director of Utah's Department of Technology Services has resigned over a data breach that exposed the Social Security numbers and other personal data of around 280,000 Medicaid recipients.
U.S. schools will need networks that deliver broadband performance of 100Mbps for every 1,000 students and staff members, a new report says.
SAP has agreed to buy cloud-based e-commerce vendor Ariba for $4.3 billion.
Thornton May's thinking about executive identity has meandered as far back as our hunter-gatherer forebears.
Hospitals, whose Wi-Fi networks are clogged with clinician and patient data traffic, are getting some much-needed bandwidth relief with the FCC's approval of radio bandwidth spectrum for wireless medical monitoring devices.
A program that allows foreign science, technology, engineering and math grads to work in the U.S. for 29 months without a work visa was expanded with little attention in May by the Obama administration.
Companies are reporting dramatic payoffs from radical changes in their business intelligence and data analysis practices.
Asustek Computer (Asus) on Monday showed off a tablet with an ARM processor and the Windows RT OS, becoming among the first of its type shown by PC makers.
WebKit Cross Site Scripting Filter Security Bypass Vulnerability
Microsoft Windows Digital Certificates Spoofing Vulnerability
GIMP CVE-2012-2763 Buffer Overflow Vulnerability