Hackin9
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

This weekend (June 22-23) the Amateur Radio Relay League and Radio Amateurs of Canada are holding their annual Field Day (http://www.arrl.org/field-day) exercise in North America.  Amateur radio operators participate in an emergency preparedness exercise where they deploy their equipment outside the comfort of their home radio shacks, and many operate on alternative/emergency power sources.  Each year around this time, I realize that I've forgotten that this is coming up, and I hurriedly assemble my kit at the last minute and try to fit in more than I can accomplish on my own.  In other words, it's a realistic drill for me.

In the early days of the Internet Storm Center when large-scale scanning worms were threatening the basic infrastructure of the Internet we discussed falling back to packet radio as a communications option.  Fortunately, those discussions remained theoretical and we didn't have to put it into practice.  However, each year at Field Day, I'm reminded of the possibility that the right combination of disasters could fracture the Internet noticeably.

This makes me think of WinLink 2000 (http://www.winlink.org/).

WinLink 2000 describes itself as "a worldwide system of volunteer sysops, radio stations and network assets supporting e-mail by radio, with non-commercial links to internet e-mail."  Basically it provides e-mail service where the last mile is via amateur radio.  It's used by ships at sea, and in emergency radio service when the local infrastructure is severely damaged.

I think this service would be very useful in an Internet-threatening scenario.  Which is why I'm putting out the call to any readers who are also winlink-enabled.  Send an email in to us ([email protected]) from your winlink account.  Let us know if you'd be interested in participating in any Internet disaster response activities that we may have in the future.

Facebook has been down on Tuesday night, giving users error messages or long response times.
 
An email composed, but never sent, by former Apple CEO Steve Jobs may prove instrumental in the Justice Department's case that Apple, along with the five largest book publishers, colluded to fix prices for electronic books.
 
Dish Network won't try to beat SoftBank's US$21.6 billion bid for Sprint Nextel, apparently clearing the way for the Japanese service provider to buy Sprint.
 
Internet tools are just starting to be applied to industrial tasks such as maintaining equipment and optimizing operations, but the wealth of data being produced by industrial systems could make this a major focus of development in the coming years.
 
JBoss Enterprise Application Platform CVE-2012-5575 Information Disclosure Vulnerability
 
Microsoft is upping the stakes in the growing market for cloud-based ERP, with its Dynamics GP 2013 and NAV 2013 products now available for deployment on its Azure service.
 
Nvidia is to start licensing its graphics cores more widely in a bid to cash in on the need for powerful graphics in smartphones, tablets and other devices.
 
Carl Icahn has acquired a larger stake in Dell and called for a better buyout offer than the proposal of US$13.65 per share from Michael Dell and Silver Lake Partners.
 
Google has asked the court overseeing terrorism-related surveillance programs at the U.S. National Security Agency to allow the company to publish information on the number of surveillance requests it receives.
 
APPLE-SA-2013-06-18-1 Java for OS X 2013-004 and Mac OS X v10.6 Update 16
 
[SECURITY] [DSA 2628-2] nss-pam-ldapd update
 
[SECURITY] [DSA 2698-1] tiff security update
 
Oracle has issued a new security patch for Java, but only 7% had deployed the patch that came before it.
 
While Windows 8 is getting blamed for dismal PC sales, upgrading laptops and desktop systems isn't a priority for business users, according to new research.
 
Nvidia wants to accelerate mobile-device performance with underlying tools that enable CPUs and graphics processors to work in a coherent manner.
 
Frustrated by their difficulty prosecuting cases involving online content that is illegal or damaging to individuals, a group of state attorneys general are taking action.
 
Apache Santuario XML Security for C++ CVE-2013-2156 Remote Heap Buffer Overflow Vulnerability
 
Apache Santuario XML Security for C++ XML Signature CVE-2013-2155 Denial of Service Vulnerability
 
Apache Santuario XML Security for C++ CVE-2013-2154 Stack Buffer Overflow Vulnerability
 

As I sit in my hotel room in Washington DC at the SANSFIRE 2013 conference, preparing to present Memory Analysis with Volatility to a [email protected] crowd (7:15 International Ballroom Center), an opportunity arose to get you warmed up for tonight's talk, or to inspire you to become a Volatility user (you should be already).

We received an advisory from a faithful reader indicating that he had uploaded "a dropper we got blitzed with from a spam campaign today" to ISC. We love us some malware samples, so I got busy. A typical review of the sample (invoice.exe) on a Windows VM gave us the basic behavioral details as seen in this ProcDOT visualization (ProcDOT also rules).

w32.shadesrat ProcDOT visualization

We can see that the invoice.exe process makes two Internet calls, spawns some shells to run reg.exe to create some registry entries, and creates a log file along with replicating itself to mc.exe in the victim user's Application Data directory, before hiding itself from visible user APIs. Anubis provides better detail, but of concern was the fact that invoice.exe and mc.exe (same file, same hash) exhibited only one AV detection via Virustotal as this was written (certain to change soon). As such, we don't have much to go on as to what malware family we're really dealing with here.

But wait...Volatility to the rescue. I grabbed a memory image from the compromised VM, copied the memory dump to my faithful SIFT 2.14 VM, and issued three simple commands that gave me all I needed to know.

  1. vol.py --profile=WinXPSP3x86 connscan -f invoice.raw
  2. vol.py --profile=WinXPSP3x86 pslist -f invoice.raw
  3. vol.py --profile=WinXPSP3x86 malfind -p 268 -D ~/Desktop/output/  -f invoice.raw

Here's the play by play.

  • Step 1 indicated that Process ID (PID) 268 was responsible for a connection to 124.248.205.22 over port 80 in Hong Kong (oh boy, we know this doesn't end well).
  • Step 2 indicated that PID 268 belonged to invoice.exe (our initial sample; we're on the right track).
  • Step 3 dumped PID 268 to the SIFT desktop as process.0x86372a38.0x400000.dmp.

I uploaded said .dmp file to Virustotal and voila, now we know what we're dealing with. Our faithful reader is the proud owner of a W32.Shadesrat (Blackshades) variant. This is one malware family where they apparently caught the bad guy last year (not before he sold his warez to many a miscreant, as is evident here).
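The three-command workflow above (connscan to find the outbound connection, pslist to name the owning process, malfind to dump it) is easy to script when an image has many processes. The following is an added example, not code from the diary or from the Volatility project: it correlates connscan and pslist output, keeps only connections to non-private remote addresses, and assembles the malfind command for each hit. The two text blocks are constructed sample output that approximates the column layout of Volatility 2 for the WinXPSP3x86 profile (real output differs in offsets and column widths); the helper names (`parse_connscan`, `parse_pslist`, `triage`, `build_malfind_cmd`) are this example's own.

```python
"""Correlate Volatility 2 connscan and pslist output to choose what to dump.

Added example; not from the ISC diary or the Volatility project. The sample
text below is CONSTRUCTED to resemble Volatility 2 output for WinXPSP3x86.
"""
import ipaddress
import re

# Constructed sample: one public peer (the IP named in the diary) and one LAN peer.
CONNSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.2
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01e7b0d8 192.168.56.101:1035       124.248.205.22:80         268
0x01f02120 192.168.56.101:1029       192.168.56.1:445          4
"""

# Constructed sample: the invoice.exe offset matches the dump name in the diary.
PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.2
 Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------
0x823c8830 System                    4      0     53      240 ------      0
0x81f0b020 explorer.exe           1524   1496     13      412      0      0 2013-06-18 14:01:02
0x86372a38 invoice.exe             268   1524      3       88      0      0 2013-06-18 14:03:17
"""

# Data rows start with a hex offset; header and separator rows do not match.
CONN_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<pid>\d+)\s*$"
)
PROC_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\b")


def parse_connscan(text):
    """Return one dict per TCP connection carved by connscan."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append({"pid": int(m["pid"]),
                          "laddr": m["laddr"], "lport": int(m["lport"]),
                          "raddr": m["raddr"], "rport": int(m["rport"])})
    return conns


def parse_pslist(text):
    """Map PID -> {name, ppid} from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"])}
    return procs


def external_connections(conns):
    """Keep connections whose remote peer is a routable (non-private) address."""
    return [c for c in conns if not ipaddress.ip_address(c["raddr"]).is_private]


def triage(connscan_text, pslist_text):
    """Join external connections to their owning process; flag PIDs pslist lacks.

    connscan carves memory and can return connections from processes that have
    exited or are hidden, so a PID missing from pslist is itself worth noting.
    """
    procs = parse_pslist(pslist_text)
    hits = []
    for c in external_connections(parse_connscan(connscan_text)):
        p = procs.get(c["pid"], {"name": "<not in pslist>", "ppid": None})
        hits.append({**c, "name": p["name"], "ppid": p["ppid"]})
    return hits


def build_malfind_cmd(profile, pid, outdir, image):
    """Assemble the malfind invocation used in step 3 of the diary."""
    return f"vol.py --profile={profile} malfind -p {pid} -D {outdir} -f {image}"


if __name__ == "__main__":
    for hit in triage(CONNSCAN_SAMPLE, PSLIST_SAMPLE):
        print(f"PID {hit['pid']} ({hit['name']}, parent {hit['ppid']}) -> "
              f"{hit['raddr']}:{hit['rport']}")
        print("  " + build_malfind_cmd("WinXPSP3x86", hit["pid"], "~/Desktop/output/", "invoice.raw"))
```

On the constructed sample this yields a single hit, PID 268 (invoice.exe, parent explorer.exe) talking to 124.248.205.22:80, and prints the same malfind command as step 3. Filtering on private address space is a coarse first cut: proxies and split-tunnel VPNs can make a malicious peer look internal, so treat the LAN-only connections as "not yet examined" rather than "benign".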

Wise man say "What I hear I forget, what I see I remember, what I do with Volatility I understand."

Hope to see you tonight at SANSFIRE 2013 for some Volatility 101 across the full lifecycle of security analytics (penetration testing, monitoring, incident response).

Russ McRee | @holisticinfosec

NASA wants to find asteroids that could threaten Earth and figure out what to do about them. It wants your help doing it.
 
The National Security Agency is creating new processes aimed at making it harder for systems administrators to misuse privileged access to agency systems, NSA officials told the U.S. House Intelligence Committee Tuesday.
 
For 25 cents, would you send a short message deep into outer space in the hopes that an alien race might receive it?
 
The shift toward smaller tablets will accelerate in the second half of the year when a slew of tablet makers, including Apple, introduce new models with screens 8-in. or smaller, said Richard Shim, an analyst with DisplaySearch.
 
X.Org libXv 'XvQueryPortAttributes()' Function Remote Code Execution Vulnerability
 
X.Org libXv CVE-2013-1989 Multiple Remote Code Execution Vulnerabilities
 
AT&T has set up a pilot program to offer free solar-powered cellphone charging stations in and around New York City.
 
Thomas P. Jackson, the former federal judge who in 2000 ruled that Microsoft should be split into two companies, died Saturday. What if his ruling, overturned before it could be implemented, had gone into effect?
 
U.S. law enforcement agencies have disrupted more than 50 terrorist plots in the U.S. and other countries with the help of controversial surveillance efforts at the U.S. National Security Agency, government officials said Tuesday.
 
Microsoft today confirmed that it has heavily discounted the Surface RT tablet to universities and K-12 schools, cutting the price of the entry-level model by 60%.
 
X.Org libxcb 'read_packet()' Function Remote Code Execution Vulnerability
 
Google said it's spending $5 million to wipe images of child abuse off the Internet and another $2 million to create tools to find the images and eradicate them.
 
The source code for the Carberp banking Trojan program is being offered for sale on the underground market at a very affordable price, which could result in additional Carberp-based financial malware being developed in the future, according to researchers from Russian cybercrime investigations firm Group-IB.
 
Apache Subversion CVE-2013-2112 Remote Denial of Service Vulnerability
 
Apache Subversion CVE-2013-2088 Command Injection Vulnerability
 
[SECURITY] [DSA 2710-1] xml-security-c security update
 
Apache Subversion CVE-2013-1968 Remote Denial of Service Vulnerability
 
Microsoft released its first iOS version of Office on Friday, but a wide range of alternative iOS apps and suites already exist. Ryan Faas details some of the competition.
 
Huawei Technologies' much-leaked Ascend P6 smartphone is the world's thinnest at 6.18 millimeters, and has the highest-resolution front-facing camera at 5 megapixels, the company claimed at the phone's London launch.
 
FreeBSD Security Advisory FreeBSD-SA-13:06.mmap
 
Re: CVE-2013-2156: Apache Santuario C++ heap overflow vulnerability
 
CVE-2013-2154: Apache Santuario C++ stack overflow vulnerability
 

The Canadian privacy commissioner and 36 other data protection authorities on Tuesday raised privacy concerns about Google Glass in an open letter to CEO Larry Page.
 
Almost a year after the Higgs boson announcement, the world's most powerful particle accelerator, the Large Hadron Collider (LHC), is getting upgraded.
 
Cyobozu Live for Android Unspecified Arbitrary Code Execution Vulnerability
 
CVE-2013-2155: Apache Santuario C++ denial of service vulnerability
 
CVE-2013-2153: Apache Santuario C++ signature bypass vulnerability
 

Somewhere I know TJ O'Connor is a very happy analyst. EMET 4.0 has been released in its final version and is now available for download.

Download here: http://www.microsoft.com/en-us/download/details.aspx?id=39273

Microsoft blogpost: http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

TJ O'Connor's Nuclear Scientists, Pandas, and EMET Keeping Me Honest, an ISC guest diary posting: https://isc.sans.edu/diary/Nuclear+Scientists%2C+Pandas+and+EMET+Keeping+Me+Honest/15890

For those of you who are new to EMET:

"The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system. Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc." 

EMET 4.0 features and updates include:

Certificate Trust, mitigations improvement hardening, and the Early Warning Program
Redesigned User Interface
Configuration Wizard
Changes in Certificate Trust
Updated Group Policy profiles
 
Download and benefit. I'll be covering EMET 4.0 in toolsmith for July.
Cheers.
 
Russ McRee | @holisticinfosec
Hewlett-Packard has shuffled the management of its PC division as it tries to sharpen its focus on growth markets.
 
The Swedish Nacka District Court has ruled that Pirate Bay co-founder Gottfrid Svartholm Warg may be extradited to Denmark to face hacking charges, the court confirmed Tuesday.
 
It's possible to trick users into activating their webcams through clickjacking trickery and transparent Flash apps in the page. The problem was allegedly fixed in 2011 but is back again in the latest Chrome browser.
 
Remember those "Tastes great! Less filling!" beer ads? Many debate cloud computing in a similar manner, saying the cloud's great because it's either agile or inexpensive. As it turns out, cloud computing's affordability and agility aren't mutually exclusive -- and that's good news for enterprise IT.
 
Japan's public television broadcaster, NHK, has developed an array of video cameras that are synchronized to create "bullet time" shots like those popularized in the film The Matrix.
 
LinuxSecurity.com: Multiple vulnerabilities were discovered in the dissectors for CAPWAP, GMR-1 BCCH, PPP, NBAP, RDP, HTTP, DCP ETSI and in the Ixia IxVeriWave file parser, which could result in denial of service or the execution of arbitrary code. [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in owncloud: Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the files_videoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allow authenticated [More...]
 
Experimentation with pricing structures will let the broadband providers -- and their customers -- test new business models without regulatory interference.
 
Jive Software is making a mobile push with new and enhanced mobile applications that have an emphasis on helping users of the enterprise social networking suite create, not just view, content from their tablets and smartphones.
 
PHP CVE-2013-2110 Heap Based Buffer Overflow Vulnerability
 
XnView CVE-2013-3246 Stack Based Buffer Overflow Vulnerability
 
Speculation abounds that Facebook Thursday will unveil tools to enable its popular Instagram app to take and share short videos.
 
Walmart has begun selling the Chromebook in 2,800 of its approximately 4,600 U.S. stores, expanding the reach of this still-on-the-margins platform. Staples too.
 
NewsGator has upgraded its Social Sites enterprise social networking (ESN) add-on for SharePoint to make the software better able to tailor the content, notifications and capabilities it displays for each user.
 
ClamAV CVE-2013-2021 Remote Code Execution Vulnerability
 
Java users should be prepared to update their installations later today, as Oracle's latest Java update will fix 40 security vulnerabilities, 37 of which can be exploited over the network.
    
Posted by InfoSec News on Jun 18

http://news.techworld.com/security/3453139/firms-take-10-hours-spot-data-breaches-mcafee-finds/

By John E Dunn
Techworld
17 June 2013

The average organisation believes it would spot a data breach in ten
hours, a McAfee global survey of IT professionals has found. But is that
result good, indifferent or an indication of the downright complacent?

The firm’s interrogation of 500 decision makers from the US, UK, Germany
and Australia earlier...
 

Posted by InfoSec News on Jun 18

http://www.washingtontimes.com/news/2013/jun/17/nsa-leaker-says-audits-govt-snooping-dont-work/

By Shaun Waterman
The Washington Times
June 17, 2013

The former National Security Agency contractor who leaked classified
information about its telecommunications surveillance program said Monday
that there are few safeguards to prevent abuse of data-gathering projects
and that large amounts of data about Americans routinely are collected in...
 

Posted by InfoSec News on Jun 18

http://www.darkreading.com/advanced-threats/cyberespionage-operators-work-in-groups/240156664

By Robert Lemos
Dark Reading
June 13, 2013

In a study of the life cycle of cyberespionage attacks, a group of
researchers at a Taiwanese security startup have found that the nation's
major government agencies encounter a dozen such attacks each day and that
the operators behind the attacks have virtual data centers that appear to
be processing...
 

Posted by InfoSec News on Jun 18

http://allthingsd.com/20130617/coming-to-wall-street-this-month-quantum-dawn-2-cyberwar/

By Arik Hesseldahl
All Things D
June 17, 2013

If anything seems a little off on Wall Street later this month, you can
blame the cyberwar.

Or rather the simulated cyber attack exercise dubbed Quantum Dawn 2. As
reported by Lauren Tara LaCapra at Reuters, it’s an exercise that will run
through most of the business day on June 28, simulating a...
 

Posted by InfoSec News on Jun 18

http://www.nextgov.com/cybersecurity/2013/06/ig-dhs-does-not-track-security-training-system-administrator-contractors/64976/

By Aliya Sternstein
Nextgov
June 17, 2013

The Homeland Security Department does not keep tabs on whether contractors
that monitor vulnerabilities on federal networks have undergone training,
according to a new inspector general audit.

These private sector system administrators support CyberScope, a central
reservoir...
 
Google's Chromebook laptop will be carried by more than 6,600 stores around the world, as the company signs on more retailers.
 
Yahoo has received between 12,000 to 13,000 requests for user data from law enforcement agencies in the U.S. between Dec. 1 and May 31 this year, the company said Monday.
 
Advanced Micro Devices is building its future server strategy around chips used in smartphones and tablets. The company said its first ARM server processors -- which will be released in the second half of next year -- will be faster and more powerful than its existing low-power x86 server processors.
 