Hackin9

(credit: Tavis Ormandy)

A reasonable expectation of security software is that at worst it should make your system no less secure than it would be without the software. Sadly, it often seems that such software fails to meet even this low bar.

Comodo Internet Security is a security suite that includes anti-virus, firewalling, and sandboxing to allow applications to be run in a notionally secure unprivileged environment. By default, it also includes a component called GeekBuddy. GeekBuddy is a VNC server, providing full remote access to your system. In May of 2015 it was pointed out that this VNC server was running without a password—yes, really—providing, at the very least, local privilege escalation. Sandboxed applications such as Google Chrome, or even those running in Comodo's own sandbox, could connect to this VNC server and have full access to your system.

With the right (or rather, in this case, wrong) network configuration, the VNC server might even be exposed to remote attackers.

An Oregon man has admitted he tricked hundreds of people into divulging their Apple and Gmail passwords in a scheme that allowed him to steal nude images of more than a dozen victims, some of them celebrities.

Andrew Helton, 29, of Portland, entered the plea on Thursday to one felony count of unauthorized access to a protected computer to obtain information, according to documents filed in federal court in Los Angeles. Prosecutors said he gained illegal access to 363 Apple and Gmail accounts, including those belonging to members of the entertainment industry in Los Angeles. He then used the access to obtain data stored in the online accounts, including 161 sexually explicit, nude, or partially nude images of 13 people, some who were unidentified celebrities.

According to a plea agreement unsealed Friday, Helton engaged in a fraud campaign from March 2011 to May 2013 in which he sent e-mails that falsely claimed to come from Apple or Google. The phishing e-mails asked victims to verify their accounts by clicking on links that led to what looked like authentic Apple or Google login pages. When targets complied, their passwords were transmitted to Helton, who used them to illegally access account data.

Executable code can take different forms in a Microsoft Windows operating system: it can be an executable (a PE, Portable Executable, file), a shared library (DLL) or a driver. The ability to execute code on a system is the attacker's ultimate goal. Every day, they are trying to find new ways to deliver malicious code to a system to compromise it. This can be via a vulnerability in a piece of software, an OLE document with an embedded VBA macro, or malicious JavaScript code in a web page. That's why it is mandatory to control and know which applications are executed on a system. When a computer is compromised, there are two ways to find malicious code. The first one is a reactive way, by using forensics tools like Volatility: the first step is to make a dump of the infected computer's memory and then to [...]

    $ vol.py -f memory.dump --profile=Win7SP1x86 psxview
    Offset(P)  Name                 PID    pslist psscan thrdproc pspcdid csrss
    ---------- -------------------- ------ ------ ------ -------- ------- -----
    0x06541da0 svchost.exe          1140   True   True   False    True    True
    0x06531b10 wuauclt.exe          1040   True   True   False    True    True
    0x065e44d8 svchost.exe          952    True   True   False    True    True
    ...

But there is another way which is more proactive: to capture executable code live when the system is executing it. To achieve this, I'm using a nice tool called PECapture. There are two versions of this tool: a completely free version that is a graphical tool with a classic GUI, and a second one running as a Windows service (to be completely transparent for the user) called PE Capture Service. This one is free for personal use but a license is required for [...]

As its name suggests, [...]

The installation is pretty straightforward: download the archive, extract the files in a folder, select your architecture (x86 or x64), move the directory to C:\PECaptureSvc (this can be changed via the configuration file) and launch install.bat. That's it! The service will start automatically at each reboot. By default, captured executables are [...]

    C:\PECaptureSvc\Intercepted\[hostname]\[dd-mm-yyyy]\

The daily [...]

    18/02/2016 20:45:33 C:\totalcmd\TOTALCMD64.EXE

Note that an exclusion database is available (to prevent the most common executable code from being logged every day). You can define regular expressions; executable files matching them won't [...]

    C:\MySafeTools\*.exe

You can also disable one of the two main features, for example to log without saving the extracted code (keep in mind that the Intercepted [...]

To be more practical, here is an example of a system infected by the new Locky ransomware. The sample used is [...]

Let [...]

    18/02/2016 20:46:20 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL 2403A9F058DFDD337CE9A67AE1ECAD63
    18/02/2016 21:03:46 C:\Program Files (x86)\WinRAR\RarExt64.dll C2CE5E4DF7B3766A7A59A6634F29ABB1
    18/02/2016 21:05:29 [...]WINWORD.EXE 4E7782C13D82BAA36059745280135A84
    18/02/2016 21:05:35 C:\Program Files (x86)\Microsoft Office\Office12\WWLIB.DLL C102BEDBE15445AA2938EBF0D5B281E0
    18/02/2016 21:05:38 C:\Program Files (x86)\Microsoft Office\Office12\OART.DLL 7F2C8065F1079D04BD8BC2B19750A596
    18/02/2016 21:05:42 C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSO.DLL E7AAFC1A321ED0E3EF44B1ED8CF09FA2
    18/02/2016 21:05:42 C:\Program Files (x86)\Microsoft Office\Office12\1033\WWINTL.DLL BEF1EAD605CF791FDBB48ADD71075509
    18/02/2016 21:05:42 C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL 34B820CE0B0A26CFAF78F6E57709FFB7
    18/02/2016 21:05:44 C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSORES.DLL C7D010BD8BCEF2EB3FCA8F7CD3C08D9F
    18/02/2016 21:05:46 C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\1033\MSOINTL.DLL 4C5D603A632023BFDB8EDD4436882ABF
    18/02/2016 21:05:47 C:\Program Files (x86)\Common Files\microsoft shared\OFFICE11\msxml5.dll FC5CB6727354B634CD8AD3EFB4B8F83D
    18/02/2016 21:05:47 C:\Windows\System32\spool\drivers\x64\3\PSCRIPT5.DLL 211A1CFF92CF7F70EB61606ABB729615
    18/02/2016 21:05:47 C:\Windows\System32\spool\drivers\x64\3\PS5UI.DLL 9699DB0085C06D5E1D03089D88CA13B9
    18/02/2016 21:05:47 C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\RICHED20.DLL 1A8B4857F2CAAED89E16B1ED1F24930D
    18/02/2016 21:05:48 [...]VBE6.DLL 563482363CD86013E8EF29575D790D22
    18/02/2016 21:05:48 C:\Program Files (x86)\Microsoft Office\Office12\msproof6.dll DA79517783552B80229705D9720B8E8D
    18/02/2016 21:05:48 C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvcp80.dll 0B3595A4FF0B36D68E5FC67FD7D70FDC
    18/02/2016 21:05:49 C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL CB0C98DD5C3108F71BAA938B1ECD8B04
    18/02/2016 21:05:49 C:\PROGRA~2\MICROS~3\Office12\OUTLFLTR.DLL 87BA0576429722DF5B92FD43F55FAD77
    18/02/2016 21:05:49 C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL B64D8A3F75C4AB72242910D9F4BBEB75
    18/02/2016 21:05:49 C:\Windows\SysWOW64\SCP32.DLL F0283069C1B8E0A65A97F08186BFC9B2
    18/02/2016 21:05:49 C:\Windows\SysWOW64\FM20.DLL 7D5AD5FAF64BF8AA1EB55B81A3AB830D
    18/02/2016 21:05:49 C:\Windows\SysWOW64\FM20ENU.DLL F2CE3C8E63F770DB3E59D503CE4CC311
    18/02/2016 21:07:40 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WMINet_Utils.dll FDA2FEC6B42787EE1ED4EFD39359770B
    18/02/2016 21:08:58 [...]vcgfdrDYa.exe [...]

This is indeed our Locky malware as reported by VirusTotal: [image]

Of course, the log file contains useful information that can be reused by other tools. I'm loading the PECaptureSvc events into my Splunk. The file has a clean format so it [...]

    [pecapturesvc]
    DATETIME_CONFIG =
    NO_BINARY_CHECK = true
    category = Operating System
    description = PECaptureSVC Log File
    pulldown_type = true

Field extraction is helpful. I'm only extracting those two fields: filename and md5. [image]

A few months ago, in a previous diary, I explained how to generate a list of hashes from a clean system using the Microsoft tool FCIV. You can now combine the two processes and automatically detect PE code that is not standard in your organization. Create a Splunk lookup table with your known (good) hashes and compare them on the fly. The same hashes can also [...]

Another good point is the fact that PE Capture isn't a common tool (yet). I'm not aware of any malware checking for the presence of PECaptureSvc.exe like they usually do for anti-virus or debugging processes.

Happy hunting!

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
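The diary's last step (match each captured PE's hash against a known-good list built with FCIV, and ignore paths covered by the exclusion database) can be reproduced outside Splunk. The script below is an added example written for this page, not the diary's own code nor part of PECapture or FCIV. It assumes the log layout shown above (date, time, full path, MD5, one record per line) and assumes FCIV's XML database holds one FILE_ENTRY per file with the MD5 base64-encoded. The sample log reuses paths and hashes from the diary, but the MySafeTools and Temp records, their hashes and the Temp path are constructed; the baseline deliberately lists only two hashes so that the result shows both an unknown system DLL (an incomplete baseline produces false positives) and the unknown executable.

```python
import base64
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of PECaptureSvc log lines in the layout the diary shows:
# "dd/mm/yyyy HH:MM:SS <full path> <MD5>". The first three records reuse paths
# and hashes from the diary; the MySafeTools and Temp records (paths and hashes)
# are made up for this example, and the last line is deliberately malformed.
SAMPLE_LOG = r"""
18/02/2016 20:46:20 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL 2403A9F058DFDD337CE9A67AE1ECAD63
18/02/2016 21:03:46 C:\Program Files (x86)\WinRAR\RarExt64.dll C2CE5E4DF7B3766A7A59A6634F29ABB1
18/02/2016 21:05:35 C:\Program Files (x86)\Microsoft Office\Office12\WWLIB.DLL C102BEDBE15445AA2938EBF0D5B281E0
18/02/2016 21:05:49 C:\MySafeTools\helper.exe 0123456789ABCDEF0123456789ABCDEF
18/02/2016 21:08:58 C:\Users\victim\AppData\Local\Temp\vcgfdrDYa.exe DEADBEEFDEADBEEFDEADBEEFDEADBEEF
this line is not a capture record
"""

# Constructed known-good database in the XML layout assumed for FCIV (one
# FILE_ENTRY per file, MD5 stored base64-encoded). Only two of the hashes
# above are listed, so WWLIB.DLL will be reported as unknown.
KNOWN_GOOD_XML = r"""<FCIV>
  <FILE_ENTRY>
    <name>C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL</name>
    <MD5>JAOp8Fjf3TN86aZ64eytYw==</MD5>
  </FILE_ENTRY>
  <FILE_ENTRY>
    <name>C:\Program Files (x86)\WinRAR\RarExt64.dll</name>
    <MD5>ws5eTfezdmp6WaZjTymrsQ==</MD5>
  </FILE_ENTRY>
</FCIV>"""

# Path exclusions, mirroring the tool's exclusion database; the diary's
# "C:\MySafeTools\*.exe" is rewritten here as a regular expression.
EXCLUSIONS = [re.compile(r"^C:\\MySafeTools\\[^\\]+\.exe$", re.IGNORECASE)]

# The path may contain spaces, so the 32-hex-digit MD5 is anchored at line end.
LOG_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<path>.+?)\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class Capture:
    when: datetime
    path: str
    md5: str  # upper-case hex


def parse_log(text):
    """Parse PECaptureSvc log text into Capture records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
        records.append(Capture(when, m["path"], m["md5"].upper()))
    return records


def load_fciv_hashes(xml_text):
    """Return the set of known-good MD5s (upper-case hex) from an FCIV-style XML database."""
    known = set()
    for entry in ET.fromstring(xml_text).iter("FILE_ENTRY"):
        b64 = entry.findtext("MD5")
        if b64:
            known.add(base64.b64decode(b64).hex().upper())
    return known


def is_excluded(path, exclusions=EXCLUSIONS):
    """True when the captured path matches one of the exclusion patterns."""
    return any(rx.match(path) for rx in exclusions)


def find_unknown(records, known_good, exclusions=EXCLUSIONS):
    """Captures whose hash is absent from the baseline and whose path is not excluded."""
    return [r for r in records
            if r.md5 not in known_good and not is_excluded(r.path, exclusions)]


if __name__ == "__main__":
    unknown = find_unknown(parse_log(SAMPLE_LOG), load_fciv_hashes(KNOWN_GOOD_XML))
    for r in unknown:
        print(f"{r.when:%Y-%m-%d %H:%M:%S}  {r.md5}  {r.path}")
```

Run as-is it reports WWLIB.DLL and vcgfdrDYa.exe; the helper.exe record is dropped by the exclusion, the two baselined hashes are silent, and the malformed line is ignored rather than crashing the run. The hash, not the path, is the lookup key, so a renamed or relocated copy of a known binary still matches, and a trojanized copy in the expected place still surfaces.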
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.