Information Security News
There should be little argument that with today's threats you should always acquire a memory image when dealing with any type of malware. Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crucial to understanding what was happening on that machine. Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible. Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want to share with the ISC readers. It is called winpmem. It is written by Michael Cohen. It is free and it is available for download here. Here is a look at it.
After downloading and expanding the zip file you will see the following components:
You can see there are two executables. They are named winpmem_1.4.exe and winpmem_write_1.4.exe. I'll come back to winpmem_write_1.4.exe later. There is also a "binaries" directory that includes a couple of device drivers and a Python script. That sounds like fun! I'll come back to that one later as well. For now, let's talk about winpmem_1.4.exe. If you run it without any parameters you will get a help screen. It looks like this:
If you want to use winpmem to acquire a raw memory image, all you have to do is provide it with a filename. A copy of all the bytes in memory will be saved to that file. For example:
c:\> winpmem_1.4.exe memory.dmp
This will create a raw memory image named "memory.dmp" suitable for analysis with Volatility, Mandiant's Redline and others. The tool can also create a crash dump that is suitable for analysis with Microsoft WinDBG. To do so you just add the "-d" option to your command line like this:
c:\> winpmem_1.4.exe -d crashdump.dmp
Now, some of you may be thinking, "So what! I can already dump memory with dumpit.exe, Win32dd.exe, win64dd.exe and others." Well, you are right. But if you have malware that is looking for those tools, now you have another option. While winpmem might look like a mild-mannered memory acquisition tool, it actually has super powers. The BEST part of winpmem (IMHO) is in those components that I conveniently glossed over. I'll take a look at winpmem_write_1.4.exe and, better yet, that Python script in my next journal entry.
Interested in Python? Check out SANS SEC573, Python for Penetration Testers! I am teaching it in Reston, VA on March 17th.
Follow me on Twitter: @MarkBaggett
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
I exchanged some e-mail today with reader Curtis and, as a result, have fixed a typo and added some error checking to handle a problem that he was seeing (though I didn't, I suspect it has to do with different installed versions of some of the Perl packages, so I'll continue to look into the problem and will probably release another update in the next few days). Version 1.5.1 can be found here: http://handlers.sans.edu/jclausing/ipv6/dumpdns.pl
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
Earlier today, vBulletin.com was compromised. The group conducting the attack claims to have a 0-day available that enabled the attacker to execute shell commands on the server. The attacker posted screen shots as proof and offered the exploit for sale for $7,000.
If you run vBulletin:
If you had an account on vBulletin.com, make sure you are not reusing the password. The attackers claimed to have breached macrumors.com as well. According to macrumors, that exploit was due to a shared password. There is a chance that the 0-day exploit is fake and shared passwords are the root cause.
Any other ideas?
Federal authorities have arrested five more men accused of taking part in a 21st-century bank heist that siphoned a whopping $45 million out of ATMs around the world in a matter of hours.
Prosecutors said the men charged on Monday were members of the New York-based cell of a global operation and contributed to the $45 million theft by illegally withdrawing $2.8 million from 140 different ATMs in that city. The arrests came after the defendants sent $800,000 in cash proceeds in a suitcase transported by bus to a syndicate kingpin located in Florida, US Attorney for the Eastern District of New York Loretta E. Lynch said. Photos seized from one defendant's iPhone showed huge amounts of cash piled on a hotel bed and being stuffed into luggage, she said.
The heists took place during two dates in December 2012 and targeted payment cards issued by the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman respectively. Prosecutors dubbed the heists "unlimited" operations because they systematically removed the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that processed online payments for the two targeted banks, prosecutors alleged in earlier indictments. Prosecutors didn't identify the payment processors except to say that one was in India and the other was in the United States.
More than one percent of titles available in Google's official Android app market may be unauthorized copycats of competing apps that have been re-engineered to more aggressively monitor browsing history and other personal habits, security researchers said today.
The study, published Monday by researchers from antivirus provider Bitdefender, analyzed 420,646 Android apps available in Google Play. Of those, 5,077 contained code lifted from Facebook, Twitter, and other legitimate apps. The copycat apps offered the same functionality as the original apps, but they were redesigned to include aggressive advertising libraries (often referred to as SDKs), "beacons" that can be used to track users, and modified permissions that had access to text messages, call histories, and other personal information.
"Most modifications add a new Advertising SDK in the repackaged app or change the Advertiser ID from the original app so revenue obtained through ad platforms gets diverted from the original developer to the individual who plagiarizes their work," Bitdefender's Loredana Botezatu wrote. "Other modifications add extra advertising modules to collect more data from the user than the initial developer planned. Moreover, if a developer only collects UDIDs and e-mail addresses initially, a plagiarized application can be extended to place home-screen icons, spam the notification bar, and so on to maximize the hijacker’s revenue."
by Sean Gallagher
In the wake of revelations about the National Security Agency's monitoring of traffic on the private international fiber links connecting the data centers of Google and Yahoo, Google stepped up its efforts to encrypt internal server traffic and block such monitoring. Now, Yahoo has announced its own plans to encrypt all information that travels between data centers by early next year.
In a blog post, Yahoo CEO Marissa Mayer reiterated that "Yahoo has never given access to our data centers to the NSA or any other government agency. Ever." Yahoo previously announced that it would protect Yahoo Mail sessions by default with Secure Sockets Layer encryption by January 8, using a 2048-bit encryption key. Google moved to encrypt all its searches earlier this fall, and the company has enabled SSL encryption by default for users logged into its services since 2011.
In addition to encrypting traffic between its data centers by March of 2014, Yahoo is also moving to apply SSL encryption across all its websites within the same time frame. And Mayer said that Yahoo will "work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are HTTPS-enabled."
It has become common practice to set up "sinkholes" to capture traffic sent by infected hosts to command and control servers. These sinkholes are usually established after a malicious domain name has been discovered and registrars have agreed to redirect the respective NS records to a specific name server configured by the entity operating the sinkhole. More recently, for example, Microsoft gained court orders to take over various domain names associated with popular malware.
Once a sinkhole is established, the operator of the sinkhole can collect the IP addresses of hosts connecting to it. In many cases, a host is only considered "infected" if it transmits a request that indicates it is infected with a specific malware type. A simple DNS lookup, or a bare connection to the server operating on the sinkhole, should not suffice and should be treated as a false positive.
The data collected by sinkholes is typically used for research purposes, and to notify infected users. How well this notification works depends largely on the collaboration between the sinkhole operator and your ISP.
On the other hand, you may want to proactively watch for traffic directed at sinkholes. However, there is no authoritative list of sinkholes. Sinkhole operators try not to advertise the list in order to prevent botnet operators from coding their bots to avoid sinkholes, as well as to avoid revenge DoS attacks against the networks hosting sinkholes. Some ISPs will also operate their own Sinkholes and not direct traffic to "global" sinkholes to ease and accelerate customer notification.
And of course, you can always set up your own sinkhole, which is probably more effective than watching for traffic to existing sinkholes. See Guy's paper for details: http://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523
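The distinction drawn above, that a DNS answer or a bare connection to a sinkhole is not enough to call a host infected while a request matching a known malware check-in is, can be turned into a small triage script. The following is an added example, not code from the diary or from any sinkhole operator. The sinkhole address ranges, the beacon patterns and family names, and the log line format are all constructed for illustration (the addresses are RFC 5737 documentation ranges); in practice the ranges would come from your own sinkhole or a feed you trust, and the patterns from analysis of the actual malware.

```python
import ipaddress
import re

# Constructed sinkhole address list for this example. Real lists are deliberately
# not published; an operator fills this from their own sinkhole or a trusted feed.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]

# Constructed beacon patterns keyed by a hypothetical family name. A real operator
# derives these from the malware's actual check-in traffic.
BEACON_SIGNATURES = {
    "example-family-a": re.compile(r"^GET /gate\.php\?id=[0-9a-f]{8}"),
    "example-family-b": re.compile(r"^POST /c2/checkin\b"),
}

# Constructed log format: "<timestamp> <source ip> <DNS|TCP|HTTP> <detail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>DNS|TCP|HTTP) (?P<detail>.*)$")
DNS_RE = re.compile(r"answer=(?P<ip>\S+)")
CONN_RE = re.compile(r"^dst=(?P<ip>[^:\s]+):\d+(?: (?P<req>.*))?$")

# Higher rank means stronger evidence of infection.
RANK = {"lookup_only": 1, "connect_only": 2, "confirmed": 3}


def is_sinkhole(ip_text):
    """True if the address falls inside one of the known sinkhole ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in SINKHOLE_NETS)


def classify(line):
    """Return (src, verdict, family) for a line that touches a sinkhole, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, kind, detail = m["src"], m["kind"], m["detail"]
    if kind == "DNS":
        a = DNS_RE.search(detail)
        if a and is_sinkhole(a["ip"]):
            return (src, "lookup_only", None)   # resolved a sinkholed name, nothing more
        return None
    c = CONN_RE.match(detail)
    if not c or not is_sinkhole(c["ip"]):
        return None
    if kind == "TCP":
        return (src, "connect_only", None)      # bare connection, no payload to judge
    for family, sig in BEACON_SIGNATURES.items():
        if sig.search(c["req"] or ""):
            return (src, "confirmed", family)   # request matches a known check-in
    return (src, "connect_only", None)          # HTTP to the sinkhole, unknown request


def triage(lines):
    """One verdict per source host, keeping the strongest evidence seen."""
    verdicts = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        src, verdict, family = hit
        prev = verdicts.get(src)
        if prev is None or RANK[verdict] > RANK[prev[0]]:
            verdicts[src] = (verdict, family)
    return verdicts


def hosts_to_notify(lines):
    """Only hosts whose request matched a beacon pattern are reported as infected."""
    return sorted(src for src, (v, _) in triage(lines).items() if v == "confirmed")


# Constructed sample log lines.
SAMPLE_LOG = """\
2013-11-18T10:00:01Z 10.0.0.5 DNS qname=update.example answer=192.0.2.10
2013-11-18T10:00:02Z 10.0.0.5 TCP dst=192.0.2.10:80
2013-11-18T10:00:03Z 10.0.0.5 HTTP dst=192.0.2.10:80 GET /gate.php?id=0badf00d HTTP/1.1
2013-11-18T10:01:00Z 10.0.0.9 TCP dst=192.0.2.10:80
2013-11-18T10:02:00Z 10.0.0.12 DNS qname=update.example answer=192.0.2.10
2013-11-18T10:03:00Z 10.0.0.20 HTTP dst=198.51.100.7:80 GET /index.html HTTP/1.1
2013-11-18T10:04:00Z 10.0.0.30 HTTP dst=203.0.113.4:80 GET /gate.php?id=deadbeef HTTP/1.1
""".splitlines()

if __name__ == "__main__":
    for src, (verdict, family) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:12} {verdict:13} {family or '-'}")
    print("notify:", hosts_to_notify(SAMPLE_LOG))
```

On the sample above only 10.0.0.5 ends up on the notification list: 10.0.0.9 and 10.0.0.12 merely connected to or resolved the sinkholed address, 10.0.0.20 sent an HTTP request that matches no known check-in, and 10.0.0.30 sent a beacon-shaped request to an address that is not a sinkhole at all. Keeping the weaker verdicts around is still useful for the ISP-side notification the text mentions, since a "lookup_only" host that later shows up as "confirmed" is easy to correlate.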
Infosec bods scorn card-swiping Coin over security fears
All-in-one digital payments start-up Coin has issued a robust defence of its technology following criticism from an infosec firm. Coin offers a single combined credit/debit/loyalty/store card that's paired with a user's mobile phone. The Coin app ...
Forums software maker vBulletin has been breached by hackers who got access to customer password data and other personal information in a compromise that has heightened speculation there may be a critical vulnerability that threatens websites that run the widely used program.
"Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password," vBulletin Technical Support Lead Wayne Luke wrote in a post published Friday evening. "Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password."
The warning came three days after user forums for MacRumors—itself a user of vBulletin—suffered a security breach that exposed cryptographically hashed passwords for more than 860,000 users. When describing the attack, MacRumors Editorial Director Arnold Kim said the compromise in many ways resembled the July hack of the Ubuntu user forums, which also ran on vBulletin.