InfoSec News

A popular approach to obfuscating malicious browser scripts involves using JavaScript itself to decode the original script when the browser processes the malicious web page. Malware analysts can often bypass such defensive measures by running the script in a standalone JavaScript engine to observe its execution or examine its output. Mozilla's SpiderMonkey has been a common choice for this task. Google's V8 engine is a powerful, though lesser-known alternative for accomplishing this.
Deobfuscating JavaScript Using SpiderMonkey
SpiderMonkey is a standalone JavaScript language that is used in Firefox. We can use SpiderMonkey to run the malicious script outside of the browser, letting it deobfuscate itself.At the end of the deobfuscation process, the malicious script often transfers control to the newly-decoded code using document.write() or eval() commands.
One way to spy on such commands is to compile a customized version of SpiderMonkey, as Didier Steven did when tackling this challenge. Another is to use JavaScript itself to definedocument.write()or redefineeval()commands like this:

document = {

eval = function(input_string) { }
You can safe these definitions into a separate file (e.g., file.js) and load it into SpiderMonkey before the file containing the malicious script (malware.js). SpiderMonkey (js) lets you do this from the command-line like this:

js -f file.js -f malware.js
In this case, SpiderMonkey will define the necessary objects and methods according to file.js contents, then execute the malicious script. The script will likely deobfuscate its protected components. If the script executesdocument.write()or redefineeval()at the end of this process, SpiderMonkey will show you the output, which should be the decoded contents.
SpiderMonkey runs best on a Unix platform. You can compile it from source code by following Mozilla's build instructions. On a Debian or Ubuntu platform you can install SpiderMonkey using the spidermonkey-bin this means that a malicious script might deobfuscate fine on Chrome (V8), but not on Firefox (SpiderMonkey). In particular, SpiderMonkey optimizes the results of the arguments.callee.toString() call, while V8 does not. There are other differences in the way V8 and SpiderMonkey are implemented as well.
To build V8 from source code on a Unix platform, follow Google's instructions. First, install the tools necessary to get and build V8. These include g++, SVN and scons, which are available as packages on Debian and Ubuntu platforms. Then download the source code using SVN:

svn checkout http://v8.googlecode.com/svn/trunk/ v8
Then build the tool, including its command-line interface shell called d8 using scons:

cd v8

scons d8
Though the tool is called V8, to use the d8 command to invoke it, just like you'd utilize the js command for SpiderMonkey:

d8 -f file.js -f malware.js
SpiderMonkey and V8 will be installed in the upcoming update to the REMnux Linux distribution. If this topic interests you, check out the Reverse-Engineering Malware course I'll be teaching at SANS on-line in January-February 2012.
-- Lenny
Lenny Zeltser focuses on safeguarding customers' IT operations at Radiant Systems. He also teaches how toanalyzeandcombatmalware at SANS Institute. Lenny is activeon Twitterand writes adaily security blog.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet darling Regretsy is a site and community built around poking fun at strange and weird offerings on the handmade goods site Etsy. Regretsy is also known for its charitable funding efforts, which have helped Etsy sellers in need and charities to the tune of over $100,000 since 2009.
MIT Kerberos KDC TGS Handling NULL Pointer Dereference Denial Of Service Vulnerability
At this point, it's fair to say that the company that gave us the "Kodak moment" has had its moment in the sun. With its once-pricey shares now selling at around $1, Eastman Kodak is bleeding over $70 million dollars a month, making Canada's browbeaten Research in Motion look fit as a fiddle by comparison.
Apple Safari 'libxml' (CVE-2011-0216) Remote Code Execution Vulnerability
Facebook's decision to establish an engineering office in New York City may make it easier for other high-tech firms to recruit people who might be more likely to consider Silicon Valley over the Big Apple, according to some tech firms in the city.
IBM on Monday demonstrated its first Racetrack Memory chip, which could offer as much data storage capacity as a hard drive but with the read/write speeds of DRAM and durability of NAND flash.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[SECURITY] [DSA 2360-1] Two month advance notification for upcoming end-of-life for Debian oldstable
[SECURITY] [DSA 2359-1] mojarra security update
The National Institute of Standards and Technology (NIST) published a revised biometric standard in November, 2011, that vastly expands the type and amount of information that forensic scientists can share across their international ...
Adobe today confirmed that an unpatched vulnerability in Adobe Reader is being exploited by criminals who may be targeting defense contractors.
A lawsuit filed against Hewlett Packard Co last week over a recently discovered vulnerability in its LaserJet printers alleges that the company knew about the flaw for some time but did nothing about it.
A proposal in the U.S. House of Representatives would set up a new semi-independent organization allowing the U.S. government and private companies to share information about cyberthreats, but some critics questioned whether the group would be too removed from congressional scrutiny.
AT&T once again has the lowest customer satisfaction ratings of any wireless carrier in the United States, according to the latest survey from Consumer Reports.
Google Wallet, a mobile payment app, won't appear on the Samsung Galaxy Nexus smartphone from Verizon Wireless.
As of this past weekend, more than 10 billion apps had been downloaded from the Android Market.
Celery Argument Processing Local Privilege Escalation Vulnerability
WordPress AdRotate Plugin 'adrotate-out.php' SQL Injection Vulnerability
MITKRB5-SA-2011-007 KDC null pointer dereference in TGS handling [CVE-2011-1530]
WordPress Users Plugin "uid" Parameter SQL Injection Vulnerability
osCommerce Multiple Local File Include Vulnerabilities
Red Hat has updated its flagship operating system, Red Hat Enterprise Linux, with new technologies designed to cut the cost and improve performance of enterprise storage, the company announced Tuesday.
[security bulletin] HPSBMU02726 SSRT100685 rev.2 - HP Operations Agent and Performance Agent for AIX, HP-UX, Linux, and Solaris, Local Unauthorized Access
European Union (EU) antitrust regulators today launched a formal investigation into how Apple and several major publishers priced electronic books.
Intel and Micron today announced it will begin producing NAND flash dies with 128Gbit capacity, doubling the amount of data that can be stored using current non-volatile memory technology.
Cisco this week unveiled products and packaging options for customers looking to implement public, private and hybrid cloud computing.
Global spam fell to the lowest level in three years in a sign that spammers may be getting a better rate of return by hitting social-media websites instead, according to the latest figures on Tuesday from Symantec.
Enterprises should educate device owners about setting application permissions and mobile application developers should add notification features to establish trust with users, experts say.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
Two new Droid Xyboard tablet computers that use the Verizon Wireless 4G LTE network will go on sale later this month. Prices started at $429.99.
Apple’s ebooks business is to be investigated by the European Union’s top antitrust regulator. The computer giant is accused of operating a cartel with five other publishers and engaging in other restrictive business practices banned under E.U. law.

Security assessment reviews an organization’s mobile security policies and technologies, evaluating the mobile security posture against a set of 15 core elements.

Symantec’s consulting team is launching a mobile security assessment service, designed to assess a business’ mobile security policies and defensive technologies.

The new service is an extension of the Symantec Security Program Assessment. Symantec created a Mobile Security Framework that is designed to evaluate how a business addresses mobile device security from a governance, intelligence and infrastructure perspective. Among the 15 core elements that make up the framework are policies, standards and awareness, asset inventory and ownership, application security and monitoring and reporting metrics.

Symantec’s mobile assessment service is one of many available to enterprises. Security vendors have been quick to offer a variety of mobile services and products because businesses have been inundated with employees bringing in personal devices that they expect to connect to the corporate network. For example, McAfee, Verizon Business, IBM and other firms provide a variety of consulting services that can evaluate security programs and more specifically, an organization’s mobile security posture. Experts have been touting ways to write effective mobile security policies to address the influx. Technologies are available to address policy enforcement across platforms and control access to sensitive data.

In an interview with SearchSecurity.com, Franklin Witter, manager of security business practices at Symantec, said his consulting team will use a series of surveys, workshops and interviews to understand the organization’s risk tolerance and practices and technologies already in place. “We want to understand the business use case for mobile technology in the enterprise,” Witter said.

The goal is to lay out a security plan that addresses the strengths and weaknesses inherent in each mobile platform, Witter said. Organizations will get a better understanding of the gaps in their current state of maturity.

Witter said Symantec clients that have undergone a full security program assessment have been asking for a more focused mobile evaluation. “Our advisory team takes a product agnostic approach,” Witter said. “We’re not solely focused on Symantec products.”

The Symantec Mobile Security Assessment Suite costs about $40,000. Organizations that undergo the review are given a final written report and scorecard illustrating the organization’s mobile security readiness. The report also provides recommendations and an action plan to address existing gaps.
Mobile Application Assessment Service

Symantec also rolled out an application assessment service designed to test mobile apps for a variety of coding errors that could lead to data leakage or a costly data breach. Witter said the testing will be offered in either a white-box or black-box testing. The cost of the evaluation will depend on the scope of the project, he said.

The application assessment service has been operating for about a year. Symantec is seeing an increase in businesses designing custom applications for either employee use or for their customers.

The assessment can identify issues with authentication and authorization, data validation, session management, encryption, auditing and logging and the business logic of a mobile application. It can be performed in conjunction with a penetration assessment to provide a more deeper view of vulnerabilities.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Setting up and maintaining your home PC network is easier than ever before with Windows 7--but that's not saying much. Many networking issues still aren't easily fixed from Windows 7's control panels. That's why we've compiled a list of common networking problems and their quick fixes.
Teradici has upgraded the firmware for PC-over-IP-based zero clients to provide smoother authentication, improved USB performance and support for Internet Protocol version 6, the company said on Monday.
For the past couple months I've been working to track down a solution to a problem that's been bugging Outlook users for at least a year: When you click a Web link embedded in an e-mail, Outlook returns this error:
Cloud-based human resources software vendor SuccessFactors said Tuesday it is acquiring Jobs2web for US$110 million, just days after SAP announced it would buy SuccessFactors in a $3.4 billion deal.
Google Wallet, a mobile payment app, won't appear on the Samsung Galaxy Nexus smartphone from Verizon Wireless.
RETIRED: Apache MyFaces CVE-2011-4343 Information Disclosure Vulnerability
Apache MyFaces EL Expression Evaluation Security Bypass Vulnerability
The Dutch competition Authority NMa raided the offices of Vodafone, T-Mobile and KPN on Tuesday morning as part of an investigation into price fixing, the authority said.
Japanese mobile game provider Gree said Tuesday it would launch a new gaming platform next year as it looks to take on heavyweights like Facebook and Zynga.
The new line of Ultrabook notebooks are thin, lightweight and elegant. But do they deliver all they promise? We put Acer's Aspire S3 and Asus' Zenbook UX31 to the test.
Microsoft faces a tough sell with Windows 8, IDC said, because it tries to 'offer the best of both worlds' with a single OS suitable for both desktops and tablets.
Tiobe survey has C# nipping at C++'s heels in popularity, but C++ holds edge in growing mobile development field
Hewlett-Packard has acquired the German company Hiflex Software to advance its Web-based printing business, it said on Tuesday.
Facebook has hired the team at Gowalla, a mobile location service in Austin, Texas, but the service will be shut down by January, the companies said Monday.
The Dutch competition Authority NMa raided the offices of Vodafone, T-Mobile and KPN on Tuesday morning as part of an investigation into price fixing, the authority said.
FFmpeg libavcodec 'vmd decode()' Heap Based Buffer Overflow Vulnerability
A Carrier IQ executive downplays the significance of the company's effort to patent a technology that it said could help wireless carriers undertake 'advertising audience segmentation analysis and content copyright analytics.'
Texas Memory Systems today announced its first high-availability NAND flash array aimed at storing the most mission critical data requiring the highest performance.

Posted by InfoSec News on Dec 06


By Ericka Chickowski
Contributing Editor
Dark Reading
Dec 05, 2011

When the calendar flips over to a new year in January, organizations
will be faced with a new round of compliance demands piled on to the
existing ones that they may already be struggling to deal with. Here's
what a range of industry insiders say should make...

Posted by InfoSec News on Dec 06


By John E Dunn
05 December 2011

Taking inspiration from Dan Brown’s The Da Vinci Code, a US startup has
fused a USB flash drive with a ‘Cryptex’ device, a metal cylinder that
can only be opened by setting the correct combination on a rotating

The latest Crypteks (notice the different spelling) is not the first
device of its kind –...

Posted by InfoSec News on Dec 06


Al Jazeera English
December 5, 2011

Greenpeace activists secretly entered a French nuclear site before dawn
and draped a banner reading "Coucou" and "Facile", (meaning "Hey" and
"Easy") on its reactor containment building, to expose the vulnerability
of atomic sites in the country.

Police, whom the environmental activist group...

Posted by InfoSec News on Dec 06


By Gregg Keizer
December 5, 2011

The attack that hacked RSA Security's network earlier this year
succeeded because the company failed to take a basic security
precaution, a researcher said Monday.

According to Rodrigo Branco, the director of Qualys' vulnerability and
malware research labs, the malware targeted the...

Posted by InfoSec News on Dec 06


By Lucian Constantin
Romania-Bureau Dec 5, 2011

Cyber-thieves are using distributed denial-of-service (DDoS) attacks in
order to distract banks from spotting and reversing fraudulent wire
transfers initiated on behalf of their customers.

The FBI has recently issued an alert about fake emails...
Apache MyFaces CVE-2011-4343 Information Disclosure Vulnerability
Intacct is hoping to build on its stake in the cloud ERP (enterprise resource planning) market via a three-way integration with Salesforce.com's CRM (customer relationship management) application and project management software from Clarizen.
India's reported plans to ask Internet companies to filter objectionable content may overstep the country's own laws, according to legal experts.
Fyodor from insecure.org and the creator of nmap has issued the following statement on the nmap-hackers mailing list today.

nmap is one the most respected networking tools available.

This is just another example that it is easy to be duped.
Downloaders beware. Stay vigilant.


ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status