There should be little argument that with today's threats you should always acquire a memory image when dealing with any type of malware.  Modern desktops can have 16 gigabytes of RAM or more filled with evidence that is usually crucial to understanding what was happening on that machine.   Failure to acquire that memory will make analyzing the other forensic artifacts difficult or in some cases impossible.  Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want to share with the ISC readers.  It is called winpmem.   It is written by Michael Cohen.  It is free and it is available for download here.  Here is a look at it.  

After downloading and expanding the zip file you will see the following components:

You can see there are two executables.  They are named winpmem_1.4.exe and winpmem_write_1.4.exe.  I'll come back to winpmem_write_1.4.exe later.  There is also a "binaries" directory that includes a couple of device drivers and a Python script.   That sounds like fun!   I'll come back to that one later as well.  For now, let's talk about winpmem_1.4.exe.  If you run it without any parameters you will get a help screen.   It looks like this:

If you want to use winpmem to acquire a raw memory image, all you have to do is provide it with a filename.  A copy of all the bytes in memory will be saved to that file.  For example:

c:\> winpmem_1.4.exe memory.dmp

This will create a raw memory image named "memory.dmp" suitable for analysis with Volatility, Mandiant's Redline and others.   The tool can also create a crash dump that is suitable for analysis with Microsoft WinDBG.   To do so you just add the "-d" option to your command line like this:

c:\> winpmem_1.4.exe -d crashdump.dmp
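Added example, not part of the diary or of the winpmem project: a small Python wrapper that builds the two command lines shown above (raw image, or "-d" for a crash dump), runs the tool, and writes a SHA-256 manifest beside the image so its integrity can be demonstrated later. The `runner` parameter is an assumption of this example, a stand-in for `subprocess.run` so the flow can be exercised on a machine without winpmem.

```python
import hashlib
import subprocess
from datetime import datetime, timezone
from pathlib import Path

def build_winpmem_cmd(tool="winpmem_1.4.exe", out="memory.dmp", crash_dump=False):
    """Command line exactly as the diary shows: a bare filename produces a raw
    image, adding '-d' switches the output to a WinDbg-style crash dump."""
    cmd = [tool]
    if crash_dump:
        cmd.append("-d")
    cmd.append(out)
    return cmd

def sha256_file(path, chunk=1 << 20):
    """Stream the (possibly multi-gigabyte) image through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(out, crash_dump=False, tool="winpmem_1.4.exe", runner=subprocess.run):
    """Run the acquisition, then record the digest, the UTC time and the exact
    command in a sidecar manifest. `runner` is injectable (hypothetical
    parameter for this example) so the flow can be tested without the tool."""
    cmd = build_winpmem_cmd(tool, out, crash_dump)
    started = datetime.now(timezone.utc).isoformat()
    runner(cmd, check=True)  # raises if winpmem exits non-zero
    digest = sha256_file(out)
    manifest = Path(out + ".sha256")
    manifest.write_text(
        f"{digest}  {Path(out).name}\n"
        f"# acquired {started} with: {' '.join(cmd)}\n"
    )
    return digest

if __name__ == "__main__":
    # On the target box this runs winpmem for real; keep the manifest with the image.
    print(acquire("memory.dmp"))
```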

Now, some of you may be thinking, "So what!  I can already dump memory with dumpit.exe, Win32dd.exe, win64dd.exe and others."  Well, you are right.  But if you have malware that is looking for those tools, now you have another option.   While winpmem might look like a mild mannered memory acquisition tool, it actually has super powers.   The BEST part of winpmem (IMHO) is in those components that I conveniently glossed over.   I'll take a look at winpmem_write_1.4.exe and, better yet, that Python script in my next journal entry.

Interested in Python?   Check out SANS SEC573, Python for Penetration Testers!  I am teaching it in Reston VA March 17th!


Follow me on Twitter?  @MarkBaggett

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I exchanged some e-mail today with reader Curtis and as a result have fixed a typo and added some error checking to handle a problem that he was seeing (though I didn't, I suspect it has to do with different installed versions of some of the Perl packages, so I'll continue to look into the problem and will probably release another update in the next few days).  Version 1.5.1 can be found here: http://handlers.sans.edu/jclausing/ipv6/dumpdns.pl

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


Earlier today, vBulletin.com was compromised. The group conducting the attack claims to have a 0-day available that enabled the attacker to execute shell commands on the server. The attacker posted screen shots as proof and offered the exploit for sale for $7,000.

If you run vBulletin:

  • carefully watch your logs.
  • ensure that you apply all hardening steps possible (anybody got a good pointer to a hardening guide?)
  • keep backups of your database and other configuration information
  • if you can: log all port 80 traffic to your bulletin board.

If you had an account on vBulletin.com, make sure you are not reusing the password. The attackers claimed to have breached macrumors.com as well. According to macrumors, that exploit was due to a shared password. There is a chance that the 0-day exploit is fake and shared passwords are the root cause.

Any other ideas?


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Federal authorities have arrested five more men accused of taking part in a 21st-century bank heist that siphoned a whopping $45 million out of ATMs around the world in a matter of hours.

Prosecutors said the men charged on Monday were members of the New York-based cell of a global operation and contributed to the $45 million theft by illegally withdrawing $2.8 million from 140 different ATMs in that city. The arrests came after the defendants sent $800,000 in cash proceeds in a suitcase transported by bus to a syndicate kingpin located in Florida, US Attorney for the Eastern District of New York Loretta E. Lynch said. Photos seized from one defendant's iPhone showed huge amounts of cash piled on a hotel bed and being stuffed into luggage, she said.

The heists took place during two dates in December 2012 and targeted payment cards issued by the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman respectively. Prosecutors dubbed the heists "unlimited" operations because they systematically removed the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that processed online payments for the two targeted banks, prosecutors alleged in earlier indictments. Prosecutors didn't identify the payment processors except to say that one was in India and the other was in the United States.



Google and Facebook have joined the Dynamic Spectrum Alliance, an international group advocating access to unused spectrum for broadband networks based on so-called "white spaces" technology.
Nagios Core CVE-2013-2029 Insecure Temporary File Creation Vulnerability
Nagios CVE-2013-4214 Insecure Temporary File Creation Vulnerability
OpenStack Glance 'download_image' Policy Information Disclosure Vulnerability
NASA's Maven spacecraft blasted off from Cape Canaveral Air Force Station today for a 10-month journey to the Red Planet.
Compensation awarded to the top five executives at Microsoft, including current CEO Steve Ballmer, fell in fiscal year 2013, the first time in the last four years that it's declined, according to a filing with the SEC.
Sen. Chuck Schumer (D-NY) plans to file legislation that would extend and tighten an existing ban on 3D-printed plastic guns that can get through metal detectors and x-ray machines undetected.
Experts hired by Apple and Samsung explained and justified their differing damages claims to a California jury Monday as the latest battle between the two smartphone giants moves closer to a conclusion.
Google has reached a $17 million settlement with 37 states and the District of Columbia over its unauthorized placement of cookies on devices running Apple's Safari browser, New York Attorney General Eric Schneiderman said.
China has maintained its lead in the twice-yearly ranking of the world's most powerful supercomputers, with the Chinese National University of Defense Technology's Tianhe-2 system bringing 33.86 petaflop/s (quadrillions of calculations per second) to the contest, almost twice the calculations offered by the runner up, the Titan Cray system run by the U.S. Department of Energy's Oak Ridge National Laboratory.

More than one percent of titles available in Google's official Android app market may be unauthorized copycats of competing apps that have been re-engineered to more aggressively monitor browsing history and other personal habits, security researchers said today.

The study, published Monday by researchers from antivirus provider Bitdefender, analyzed 420,646 Android apps available in Google Play. Of those, 5,077 contained code lifted from Facebook, Twitter, and other legitimate apps. The copycat apps offered the same functionality as the original apps, but they were redesigned to include aggressive advertising libraries (often referred to as SDKs), "beacons" that can be used to track users, and modified permissions that had access to text messages, call histories, and other personal information.

"Most modifications add a new Advertising SDK in the repackaged app or change the Advertiser ID from the original app so revenue obtained through ad platforms gets diverted from the original developer to the individual who plagiarizes their work," Bitdefender's Loredana Botezatu wrote. "Other modifications add extra advertising modules to collect more data from the user than the initial developer planned. Moreover, if a developer only collects UDIDs and e-mail addresses initially, a plagiarized application can be extended to place home-screen icons, spam the notification bar, and so on to maximize the hijacker’s revenue."



The NSA's MUSCULAR program grabbed more data (especially from Yahoo) than NSA's analysts could swallow.

In the wake of revelations about the National Security Agency's monitoring of traffic on the private international fiber links connecting the data centers of Google and Yahoo, Google stepped up its efforts to encrypt internal server traffic and block such monitoring. Now, Yahoo has announced its own plans to encrypt all information that travels between data centers by early next year.

In a blog post, Yahoo CEO Marissa Mayer reiterated that "Yahoo has never given access to our data centers to the NSA or any other government agency. Ever." Yahoo previously announced that it would protect Yahoo Mail sessions by default with Secure Sockets Layer encryption by January 8, using a 2048-bit encryption key. Google moved to encrypt all its searches earlier this fall, and the company has enabled SSL encryption by default for users logged into its services since 2011.

In addition to encrypting traffic between its data centers by March of 2014, Yahoo is also moving to apply SSL encryption across all its websites within the same time frame. And Mayer said that Yahoo will "work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are HTTPS-enabled."



Adobe ColdFusion CFIDE Directory Cross Site Scripting Vulnerability
Lenovo's new Yoga Tablet has an innovative form with a built-in stand and exceptionally long battery life. But the rest of its features aren't quite as high-end.
Apple has moved a step closer to acquiring the Israeli chip design company that provided the motion sensing technology used in Microsoft's first-generation Kinect video game controller.
Qualcomm's Toq smartwatch will go on sale for $349.99 starting Dec. 2, marking the company's first step into the wearable market.
It's that time again: 2013's second and last Top500 report is out, detailing and ranking the most powerful supercomputers on the planet. Here's our walkthrough of just the top 10, which features a lot of long-standing heavyweights, along with a new face.

It has become common practice to set up "Sinkholes" to capture traffic sent by infected hosts to command and control servers. These Sinkholes are usually established after a malicious domain name has been discovered and registrars agreed to redirect the respective NS records to a specific name server configured by the entity operating the Sinkhole. More recently, for example, Microsoft gained court orders to take over various domain names associated with popular malware.

Once a sinkhole is established, it is possible for the operator of the sinkhole to collect IP addresses from hosts connecting to it. In many cases, a host is only considered "infected" if it transmits a request that indicates it is infected with a specific malware type. A simple DNS lookup or a bare connection to the server operating on the sinkhole should not suffice and should be treated as a false positive.
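The false-positive rule above, worked through as an added example (not from the diary or any real sinkhole operator): classify a sinkhole web server's access log so that only hosts whose requests match a malware-specific check-in pattern are reported, while hosts that merely fetched "/" or robots.txt are left unflagged. Log lines, IP addresses (RFC 5737 documentation ranges) and the two signature patterns are all constructed for this example; the family labels are placeholders, not real malware names.

```python
import re
from collections import defaultdict

# Constructed sinkhole access log (common log format); nothing here is real traffic.
SINKHOLE_LOG = """\
192.0.2.10 - - [18/Nov/2013:10:01:02 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.11 - - [18/Nov/2013:10:01:05 +0000] "POST /gate.php?id=ab12&ver=3 HTTP/1.1" 200 0 "-" "-"
192.0.2.12 - - [18/Nov/2013:10:01:09 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Googlebot/2.1"
192.0.2.11 - - [18/Nov/2013:10:03:00 +0000] "POST /gate.php?id=ab12&ver=3 HTTP/1.1" 200 0 "-" "-"
192.0.2.13 - - [18/Nov/2013:10:04:11 +0000] "GET /cfg/update.bin HTTP/1.1" 200 4096 "-" "WinHTTP"
"""

# Hypothetical request signatures keyed by placeholder family labels. A real
# operator derives these from the protocol of the malware whose domains were redirected.
SIGNATURES = {
    "FAMILY_A": re.compile(r'"POST /gate\.php\?id=[0-9a-f]+&ver=\d+ HTTP'),
    "FAMILY_B": re.compile(r'"GET /cfg/update\.bin HTTP.*"WinHTTP"'),
}

# client IP, then everything from the request line onward
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] (?P<rest>".*)$')

def classify_sinkhole_log(log_text):
    """Return {client_ip: set(families)} for hosts whose requests match a
    malware-specific signature. Hosts that only touched generic resources get
    no entry at all: a connection by itself is not evidence of infection."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for family, sig in SIGNATURES.items():
            if sig.search(m.group("rest")):
                hits[m.group("ip")].add(family)
    return dict(hits)

def summarize(log_text):
    """Per-host verdicts, including the hosts deliberately left unflagged,
    so the operator can see what was discarded as a false positive."""
    infected = classify_sinkhole_log(log_text)
    seen = {m.group("ip") for m in map(LINE_RE.match, log_text.splitlines()) if m}
    return {ip: (sorted(infected[ip]) if ip in infected else "no malware-specific request")
            for ip in sorted(seen)}

if __name__ == "__main__":
    for ip, verdict in summarize(SINKHOLE_LOG).items():
        print(ip, verdict)
```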

The data collected by sinkholes is typically used for research purposes, and to notify infected users. How well this notification works depends largely on the collaboration between the sinkhole operator and your ISP.

On the other hand, you may want to proactively watch for traffic directed at sinkholes. However, there is no authoritative list of sinkholes. Sinkhole operators try not to advertise the list in order to prevent botnet operators from coding their bots to avoid sinkholes, as well as to avoid revenge DoS attacks against the networks hosting sinkholes. Some ISPs will also operate their own Sinkholes and not direct traffic to "global" sinkholes to ease and accelerate customer notification.

And of course, you can always set up your own sinkhole, which is probably more effective than watching for traffic to existing sinkholes: See Guy's paper for details http://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


IBM achieved a computing breakthrough when the Watson supercomputer outperformed humans in game show "Jeopardy," but the company now wants to supercharge its high-end Power servers by tapping into graphics processors for the first time.
The National Institute of Standards and Technology (NIST) held a fifth workshop in Raleigh, North Carolina last week on the comprehensive, preliminary cybersecurity framework mandated under President Obama's February 2012 executive order, the last such gathering before the framework becomes final in February.
"I spent $174 million on a website and all I got was this bad press."
Google Chrome CVE-2013-6802 Unspecified Remote Sandbox Security Bypass Vulnerability
Google will display warnings above the search results for 13,000 terms it believes are associated with more explicit child sexual abuse terms, it announced Monday. Microsoft said it will take similar action on its Bing search engine, and on Yahoo searches powered by Bing.
Nvidia wants to help create some of the world's fastest computers with its latest Tesla K40 graphics chip, which is its fastest supercomputing co-processor to date.
LinuxSecurity.com: Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust [More...]
LinuxSecurity.com: Several vulnerabilities have been discovered in the chromium web browser. CVE-2013-2931 [More...]
LinuxSecurity.com: It was discovered that SSL connections with client certificates stopped working after the DSA-2795-1 update of lighttpd. An upstream patch has now been applied that provides an appropriate identifier for client certificate verification. [More...]
So far, it isn't clear which C-level exec will lead the big-data charge. CIOs, if they want a shot at this job, will need to focus on business innovation, not technology.
Survey finds that CIOs and marketing chiefs don't see eye-to-eye on much at all.
WordPress Tweet Blender Plugin 'tb_tab_index' Parameter Cross Site Scripting Vulnerability
Salesforce.com aims to establish its image as a full-blown CRM (customer relationship management) development platform built for the world of social media and mobile devices with the launch of Salesforce1, which will be unveiled this week at the Dreamforce conference in San Francisco.
And enterprises could be the real growth area for wearable computing.
A group of hackers claim to have exploited an undocumented vulnerability in the vBulletin Internet forum software in order to break into the MacRumors.com and vBulletin.com forums.
Sony said sales of its PlayStation 4 game consoles crossed 1 million units just 24 hours after the device was launched in the U.S. and Canada on Friday, although some users reported some issues with the device.

Infosec bods scorn card-swiping Coin over security fears
All-in-one digital payments start-up Coin has issued a robust defence of its technology following criticism from an infosec firm. Coin offers a single combined credit/debit/loyalty/store card that's paired with a user's mobile phone. The Coin app ...

If there's no catastrophic system failure or major software deployment to work on, CEOs might wonder what IT does all day. Here's how to make sure your contributions aren't undervalued when things go smoothly.
No policy, no matter how well crafted, is immune from periodic review. Fall is when our manager tackles that.
Pradeep Mannakkara, CIO at Rosetta Stone, established a plan to transform the company's technology stack, shifting much of the aging infrastructure to a cloud-based platform, which enabled a more efficient workflow and fostered innovation.
The rock: Users want to use their smartphones for work. The hard place: Security is deficient. All CIOs are caught between the two.
Microsoft's search for a new CEO is entering its endgame, according to a report by Bloomberg.
Apple Mac OS X Hard Link Local Denial of Service Vulnerability
GnuTLS 'libdane/dane.c' CVE-2013-4487 Incomplete Fix Remote Buffer Overflow Vulnerability

Forums software maker vBulletin has been breached by hackers who got access to customer password data and other personal information in a compromise that has heightened speculation there may be a critical vulnerability that threatens websites that run the widely used program.

"Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password," vBulletin Technical Support Lead Wayne Luke wrote in a post published Friday evening. "Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password."

The warning came three days after user forums for MacRumors—itself a user of vBulletin—suffered a security breach that exposed cryptographically hashed passwords for more than 860,000 users. When describing the attack, MacRumors Editorial Director Arnold Kim said the compromise in many ways resembled the July hack of the Ubuntu user forums, which also ran on vBulletin.



[SECURITY] [DSA 2798-1] curl security update
[SECURITY] [DSA 2797-1] chromium-browser security update
[SECURITY] [DSA 2795-2] lighttpd regression update
Information Security Forecast 2014
XADV-2013006 FreeBSD <= 10 kernel qlxge/qlxgbe Driver IOCTL Multiple Kernel Memory Leak Bugs
XADV-2013005 FreeBSD 10 <= nand Driver IOCTL Kernel Memory Leak Bug
[CVE-2013-6356] Avira Secure Backup v1.0.0.1 Multiple Registry Key Value Parsing Local Buffer Overflow Vulnerability
Cross-Site Scripting (XSS) in Tweet Blender Wordpress Plugin