InfoSec News

Google's SPDY protocol makes 10% to 20% faster Web downloads, says Strangeloop.
 
The Lulzsec hacking group continues to cause headaches for IT staffers. On Monday it published data it obtained from servers belonging to the U.S. Senate and Bethesda Softworks, a Rockville, Maryland, game maker.
 
The much-criticized JCP (Java Community Process) is set for a facelift that includes greater transparency and the possible loss of voting privileges for JCP members who disregard their responsibilities.
 
Facebook may not be having its initial public offering until sometime in 2012 but its potential valuation is already generating a lot of buzz.
 
Hewlett-Packard today made some seismic level changes to its top management that included the exit of its CIO, Randy Mott, who is leaving "effective immediately."
 
Several privacy groups are asking U.S. regulators to force Facebook to halt plans for its facial recognition service.
 
An Arizona company is suing Apple in federal court over the "iCloud" trademark, court documents show. One legal expert said Apple would likely settle the case for cash.
 
American Airlines will deploy 6,000 new Galaxy Tab 10.1 tablets onboard some of its international and transcontinental flights in business and first class later this year.
 
The most surprising thing about the presentations Apple's leaders gave at the company's Worldwide Developers Conference earlier this month was that we actually had been told in advance about some of the news that was going to be discussed.
 
It takes more than app development savvy and code crunching to get noticed in Apple's busy App Store. For app developer Appetizer Mobile, it helped to have Lady Gaga.
 
Oracle Java SE and Java for Business CVE-2011-0871 Remote Java Runtime Environment Vulnerability
 
Oracle Java SE and Java for Business CVE-2011-0868 Remote Denial of Service Vulnerability
 

Forbes (blog)

Meet The Lebanese Hacker Tormenting Sony “For Moral Reasons”
Even if Idahc's methods may cross the line of what the infosec community calls “responsible disclosure,” to put it lightly, he nonetheless criticizes LulzSec's recent escapades, like hacking the FBI program Infragard and the security firm Unveillance. ...

 
Hoping to further boost its position in display advertising, Google scooped up Admeld, a company that aims to simplify the display ad buying process.
 
Facebook may continue to gain users, but the world's biggest social network isn't gaining them as quickly as it has been and is actually losing users in the U.S.
 
Mozilla will try to plug more memory leaks in Firefox with a new, aggressive approach that relies on weekly bug triage meetings.
 
[ MDVSA-2011:108 ] xerces-j2
 
[HITB-Announce] HITB eZine Issue #006 Released!
 
Re: HTB22943: XSS in Dalbum
 
Douran Portal Multiple Input Validation Vulnerabilities
 
[ MDVSA-2011:109 ] webmin
 
Douran Portal Arbitrary File Upload and Cross Site Scripting Vulnerabilities
 
Oracle's Exadata X2 machines are now certified to run applications from rival SAP, following recent steps by SAP to move its customers off Oracle database platforms.
 
The new version of Dragon speech recognition software includes support for iPhones and social networks.
 
Immersive virtual environments - such as Second Life and some enterprise-friendly alternatives - have traditionally required users to download special software and learn a difficult user interface.
 
When was the last time you've used a search engine? If you are like most Internet users, it was probably less than an hour ago--possibly much less. But what about a local search engine for your own desktop, like X1 Desktop Search ($50, 14-day free trial)?
 
Acclivity’s AccountEdge is rarely a surprise. Run the install and open AccountEdge and what you’ll find is a solid bookkeeping application with a broad set of tools for managing your business finances. What was once an outlier in the Mac accounting world, an alternative to QuickBooks Pro, has slowly and steadily become the quiet, efficient, thoughtfully updated standard for managing your business’ books.
 
Taiwanese PC maker Acer is investigating the hacker attack that stole customer data from its Packard Bell unit in Europe, the company said.
 
TelEduc 'cod_lin' Parameter SQL Injection Vulnerability
 
A new version of the BlackBerry Tablet OS will soon be available to all BlackBerry PlayBook tablet users to address a security issue raised by Adobe about its Flash Player.
 
Ubuntu 11.04 (nicknamed Natty Narwhal) marks a decided change in direction for the Linux-based operating system. The biggest change is that Canonical, the organizer of Ubuntu, is replacing the Gnome/KDE desktop environment with a new user interface called Unity.
 
Google removed more malware-infected applications from its Android Market last week, according to a security researcher who reported the rogue software to the company.
 
Some of your peers rely on these tools to help run their shops, for everything from real-time server graphing to capacity planning and virtual machine backup.
 
Turkey responded to the hacking group Anonymous with 32 arrests following attacks on government websites, according to the country's state-run news agency.
 
Subrion CMS 'username' Parameter SQL Injection Vulnerability
 
Hewlett-Packard had a cutout section of its modular data center on display at its user conference last week in Las Vegas. HP believes it will sell a lot of its EcoPODs as companies look for ways to replenish data center capacity.
 
A federal requirement to change over from 15,000 ICD-9 codes to approximately 68,000 ICD-10 codes, which are used to describe medical conditions as well as to bill insurance companies, is overwhelming IT managers.
 
Joomla Minitek FAQ Book 'id' Parameter SQL Injection Vulnerability
 
Pacer Edition CMS 'l' Parameter Local File Include Vulnerability
 
Technote 'sort' Parameter SQL Injection Vulnerability
 
My colleague Branko and I spent a lot of time reversing various FakeAV/RogueAV copies as we were quite interested in how they manage to constantly have 5 detections on VirusTotal (and therefore successfully evade detection by normal anti-virus programs).
We noticed that various FakeAV versions use pretty advanced obfuscation, basically anything you can think of: anti-disassembly (destroying functions, opaque predicates, long ROP chains ...), anti-emulation, anti-VM, anti-debugging, even with some bugs of their own.
Branko spent a lot of time analyzing this to improve his Optimice plugin for IDA Pro. If you haven't heard about it, and you spend a lot of time analyzing malware or reverse engineering binaries, be sure to check it at http://code.google.com/p/optimice/. It's an amazing tool that can cut down on your time spent on reversing by an order of magnitude.
Below is a screenshot of what Optimice can do: on the left side you can see the original FakeAV code, while on the right you can see the same code after Optimice deobfuscated and optimized it. Much easier to analyze, isn't it?

Back to FakeAV now, and time to explain the title of this diary. While reversing one of the FakeAV copies we noticed that under certain circumstances (when FakeAV is trying to update itself), it basically calls its own binary with a very interesting argument, as you can see in the screenshot below:

Those Harry Potter fans among you probably immediately noticed the argument BOMBARDAMAXIMUM which, according to some online references, is a spell that, being a stronger version of Bombarda, provokes explosions capable of bringing an entire wall down. I'm not sure which wall this is about, but at least there is some sense of humor here.

If the argument was supplied, the binary will call two functions: the first one will create a couple of mutexes, while the second function will connect to a C&C, send some data and (probably; we couldn't confirm this since the C&C is down) update itself. This part of code is shown below:
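The screenshot the diary refers to is not reproduced on this page. The following is an added example, not code from the diary or from the ISC, that turns the observed behaviour (the binary re-launching its own image with the BOMBARDAMAXIMUM argument before contacting its C&C) into a simple detection check over process-creation records. The record format, the field names and all sample paths are constructed for the example; the only value taken from the diary is the argument string.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Argument the diary observed FakeAV passing to its own binary during an update attempt.
UPDATE_ARGUMENT = "BOMBARDAMAXIMUM"

# Constructed sample process-creation records (not from the diary or any real host),
# in a simplified "Image|ParentImage|CommandLine" form; paths are invented.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|explorer.exe",
    r"C:\Users\u\AppData\Local\Temp\scanner.exe|C:\Windows\explorer.exe|scanner.exe",
    r"C:\Users\u\AppData\Local\Temp\scanner.exe|C:\Users\u\AppData\Local\Temp\scanner.exe|scanner.exe BOMBARDAMAXIMUM",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|svchost.exe -k netsvcs",
    r"C:\Users\u\AppData\Local\Temp\scanner.exe|C:\Windows\explorer.exe|scanner.exe BOMBARDAMAXIMUM",
    "malformed record without separators",
]


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one pipe-separated record; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3:
        return None
    return ProcessEvent(*parts)


def classify(event: ProcessEvent) -> Optional[str]:
    """Label an event that carries the update argument, or None if it does not.

    The argument is matched exactly (as seen in the diary) and only among the
    arguments, not the image name itself. A process spawning a copy of its own
    image with the argument matches the self-update pattern the diary describes;
    the same argument from a different parent is still worth a look.
    """
    if UPDATE_ARGUMENT not in event.command_line.split()[1:]:
        return None
    if event.image.lower() == event.parent_image.lower():
        return "self-spawned update attempt"
    return "update argument from other parent"


def find_suspicious(lines: List[str]) -> List[Tuple[ProcessEvent, str]]:
    """Return (event, label) pairs for every record that carries the argument."""
    results = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # skip malformed records rather than failing the whole scan
        label = classify(event)
        if label is not None:
            results.append((event, label))
    return results


if __name__ == "__main__":
    for event, label in find_suspicious(SAMPLE_EVENTS):
        print(f"{label}: {event.image} <- {event.parent_image}: {event.command_line}")
```

The self-spawn condition is the stronger signal, since a legitimate updater is rarely the same executable as its parent with an unusual single-word argument; the weaker label keeps the argument visible even when the parent differs.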

Stay tuned, we'll post more interesting things in the next couple of weeks, including a paper.
--

Bojan

INFIGO IS

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
WordPress Events Manager Plugin 'admin.php' SQL Injection Vulnerability
 