Information Security News
This weekend (June 22-23) the Amateur Radio Relay League and Radio Amateurs of Canada and holding their annual Field Day (http://www.arrl.org/field-day) exercise in North America. Amateur radio operators participate in an emergency preparedness exercise where they deploy their equipment outside the comfort of their home radio shacks and many operate on alternative/emergency power sources. Each year around this time, I realize that I've forgotten that this is coming up, and I hurriedly assemble my kit at the last minute and I try to fit in more than I can accomplish on my own. In other words, it's a realistic drill for me.
In the early days of the Internet Storm Center when large-scale scanning worms were threatening the basic infrastructure of the Internet we discussed falling back to packet radio as a communications option. Fortunately, those discussions remained theoretical and we didn't have to put it into practice. However, each year at Field Day, I'm reminded of the possibility that the right combination of disasters could fracture the Internet noticeably.
This makes me think of WinkLink 2000 (http://www.winlink.org/)
WinLink 2000 describes itself as "a worldwide system of volunteer sysops, radio stations and network assets supporting e-mail by radio, with non-commercial links to internet e-mail." Basically it provides e-mail service where the last mile is via amateur radio. It's used by ships at sea, and in emergency radio service when the local infrastructure is severely damaged.
I think this service would be very useful in an Internet-threatening scenario. Which is why I'm putting out the call to any readers who are also winlink-enabled. Send an email in to us ([email protected]) from your winlink account. Let us know if you'd be interested in participating in any Internet disaster response activities that we may have in the future.(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
As I sit in my hotel room in Washington DC at the SANSFIRE 2013 conference, preparing to present Memory Analysis with Volatility to a [email protected] crowd (7:15 International Ballroom Center), an opportunity arose from which to get you warmed up for tonight's talk or inspire you to become a Volatility user (you should be already).
We received an advisory from a faithful reader indicating that he had uploaded "a dropper we got blitzed with from a spam campaign today" to ISC. We love us some malware samples, so I got busy. A typical review of the sample (invoice.exe) on a Windows VM gave us the basic behavioral details as seen in this ProcDOT visualization (ProcDOT also rules).
We can see that the invoice.exe process makes two Internet calls, spawns some shells to run reg.exe to create some registry entries, and creates a log file along with replicating itself to mc.exe in the victim user Application Data directory, before hiding itself from visible user APIs. Anubis provides better detail, but of concern was that fact that invoice.exe and mc.exe (same file, same hash) exhibited only one AV detection via Virustotal as this was written (certain to change soon). As such, we don't have much to go from as to what malware family we're really dealing with here.
But wait...Volatility to the rescue. I grapped a memory image from the compromised VM, copied the memory dump to my faithful SIFT 2.14 VM, and issued three simple commands that gave me all I needed to know.
Here's the play by play.
I upload said .dmp file to Virustotal and voila, now we know what we're dealing with. Our faithful reader is the proud owner of a W32.Shadesrat (Blackshades) variant. This is one malware family where they apparently caught the bad guy last year (not before he sold his warez to many a miscreant as is evident here).
Wise man say "What I hear I forget, what I see I remember, what I do with Volatility I understand."
Hope to see you tonight at SANSFIRE 2013 for some Volatility 101 across the full lifecycle of security analytics (penetration testing, monitoring, incident response).
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Exclusive London Seminar On The Mobile Enterprise Eco-System
“We surveyed visitors at Infosec to measure their preparedness for the onslaught of consumerised IT. An astonishing 53percent had either serious deficiencies or were at risk of failure with multiple areas of improvement needed. “This figure isn't just ...
Somewhere I know TJ O'Connor is a very happy analyst. EMET 4.0 has been released in its final version and is now available for download.
TJ O'Connor's Nuclear Scientists, Pandas, and EMET Keeping Me Honest, an ISC guest diary posting: https://isc.sans.edu/diary/Nuclear+Scientists%2C+Pandas+and+EMET+Keeping+Me+Honest/15890
For those of you who are new to EMET:
"The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system. Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc."
EMET 4.0 features and updates incude:
Help Net Security
Businesses not fully implementing infosec programs
Help Net Security
Businesses not fully implementing infosec programs. Posted on 18 June 2013. Bookmark and Share. Many U.S. small businesses are taking a passive approach when it comes to protecting their data leaving themselves vulnerable to data loss and possible ...
Posted by InfoSec News on Jun 18http://news.techworld.com/security/3453139/firms-take-10-hours-spot-data-breaches-mcafee-finds/
Posted by InfoSec News on Jun 18http://www.washingtontimes.com/news/2013/jun/17/nsa-leaker-says-audits-govt-snooping-dont-work/
Posted by InfoSec News on Jun 18http://www.darkreading.com/advanced-threats/cyberespionage-operators-work-in-groups/240156664
Posted by InfoSec News on Jun 18http://allthingsd.com/20130617/coming-to-wall-street-this-month-quantum-dawn-2-cyberwar/
Posted by InfoSec News on Jun 18http://www.nextgov.com/cybersecurity/2013/06/ig-dhs-does-not-track-security-training-system-administrator-contractors/64976/