Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft has quietly extended support for the consumer versions of Windows 7 and Windows Vista by five years, syncing them with the lifespan of enterprise editions.
 
Dolphin Multiple Cross Site Scripting Vulnerabilities
 
When Wendell tries to boot his PC, an error message announces a disk read error. It's as if his hard drive--with three years' worth of work on it--doesn't exist.
 
Reader Fred wants to know if a laptop hard drive can be plugged into a desktop PC. "The pin out appears to be the same," he notes, "but there is no separate power-supply connector."
 
GLPI 'sub_type' Parameter Remote File Include Vulnerability
 
The ISC has written a number of diaries about DNSChanger in the past, including this excellent diary by a number of ISC Handlers, so I am not going to rehash the history.
With the FBI's March 8th deadline for disabling the DNSChanger resolvers rapidly approaching, the predictable fearmongering is beginning in the blogosphere and the regular press. Rest assured that DNSChanger infected a relatively small number of computers compared to most infections, and turning off the temporary resolvers will barely be a blip on the Internet. There are some suggestions that the FBI may extend this deadline to permit companies to complete their cleanup. Frankly I am on the fence about whether or not an extension is a good idea. I certainly don't want to entertain the possibility that the companies that I do business with, and entrust my personal information to, may take more than 4 months to clean up a known malware infection.
The fact is that DNSChanger has provided us with a rare opportunity. DNSChanger itself never reached its full potential because of the FBI's intervention, but analysis of DNSChanger infected computers has revealed that computers infected with DNSChanger are nearly always infected with a range of other malware, including malware that disables automatic updates and antivirus products. Others have been found with credential-stealing Trojans and rootkits. Certainly the detection of this sort of malware should result in immediately taking the computer off the network and rebuilding it.
The symptoms of a DNSChanger malware infection are relatively easy to detect. Shortly after the FBI's Operation Ghost Click was revealed, the DNSChanger Working Group (DCWG) provided instructions on how to determine if your computer is infected, and shadowserver.org has made reports available which permit anyone who owns their own address space to reliably detect the presence of DNSChanger infections, and by extension the associated malware.
In the last month or so another way of detecting DNSChanger infected computers has been made available. Several countries have launched eyechart sites which will tell you if the machine you are on is infected with malware. For the most part these sites follow the pattern of dns-ok.CC, where CC is the country code of the hosting country. Some that are available are dns-ok.us (U.S.), dns-ok.ca (Canada), dns-ok.de (Germany), dns-ok.be (Belgium) and I am sure many others. They all follow a familiar pattern. If the site shows a friendly green, your computer is not infected with DNSChanger; a not-so-friendly red requires further investigation.
One caveat. It appears that in relatively rare circumstances, DNSChanger may infect SOHO routers. So although the eyechart may be red, it may not be the computer you are on that is infected; it may be the router. Either way you know that some investigation is warranted.
Please consider using these available tools to clean up malware infections on your network...before the FBI turns off the resolvers.
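The DCWG check and the eyechart both come down to one question: which resolvers is this host configured to use? The script below is an added example, not part of the diary or of the DCWG's tooling. It pulls the DNS server addresses out of a resolv.conf or an `ipconfig /all` listing, flags any that fall in a rogue range, and separately flags LAN addresses, because in that case the host is only forwarding to a SOHO router and the router's own upstream resolvers are what need inspecting. The rogue netblocks here are placeholders from documentation address space; substitute the ranges published by the DCWG.

```python
import ipaddress
import re

# Placeholder netblocks: replace with the rogue DNSChanger resolver ranges published by the DCWG.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# RFC 1918 space: a resolver here is usually a SOHO router forwarding to its own upstream DNS.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def resolvers_from_config(text: str) -> list:
    """Collect DNS server addresses from resolv.conf lines or 'ipconfig /all' output."""
    found, in_dns_list = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("nameserver"):
            found.extend(IPV4.findall(s))
        elif "DNS Servers" in s:                 # first server sits on the labelled line ...
            found.extend(IPV4.findall(s))
            in_dns_list = True
        elif in_dns_list and IPV4.fullmatch(s):  # ... extra servers follow on bare indented lines
            found.append(s)
        else:
            in_dns_list = False
    return found


def classify_resolver(resolver: str) -> str:
    """ROGUE if inside a rogue range, CHECK-ROUTER if it is a LAN address, else OK."""
    ip = ipaddress.ip_address(resolver)
    if any(ip in net for net in ROGUE_RANGES):
        return "ROGUE"
    if any(ip in net for net in PRIVATE_RANGES):
        return "CHECK-ROUTER"
    return "OK"


def check_host(config_text: str) -> dict:
    """Map every configured resolver to its verdict; an empty dict means none were found."""
    return {r: classify_resolver(r) for r in resolvers_from_config(config_text)}


# Constructed sample listings, not captured from a real machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       192.0.2.53
"""
SAMPLE_RESOLV = "nameserver 192.168.1.1\nnameserver 192.0.2.53\n"

if __name__ == "__main__":
    for name, text in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV)):
        print(name, check_host(text))
```

A CHECK-ROUTER verdict means the host itself looks clean but the router's WAN-side DNS settings must be compared against the same ranges.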
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
 
It's easy to wax nostalgic about old technology--to remember fondly our first Apple IIe or marvel at the old mainframes that ran on punched cards. But no one in their right mind would use those outdated, underpowered dinosaurs to run a contemporary business, let alone a modern weapons system, right?
 
CubeCart Multiple URI Redirection Vulnerabilities
 
Dolphin 7.0.7 <= Multiple Cross Site Scripting Vulnerabilities
 
OxWall 1.1.1 <= Multiple Cross Site Scripting Vulnerabilities
 
F*EX Multiple Cross Site Scripting Vulnerabilities
 
WordPress Absolute Privacy Plugin 'abpr_authenticateUser()' Security Bypass Vulnerability
 
Japan's third-largest mobile carrier said Monday it will launch a new high-speed service this week, with a portable Wi-Fi router that will support download speeds of up to 76Mbps.
 
Microsoft has struck a deal which will make it easier for more Windows Phone users to pay for Marketplace apps via their phone bill.
 
DC4420 - London DEFCON - February meet - Tuesday February 21st 2012
 
SQL Injection Vulnerabilities in TestLink
 
SEC Consult SA-20120220-1 :: Multiple Vulnerabilities in ELBA5
 
SEC Consult SA-20120220-0 :: Multiple critical vulnerabilities in VOXTRONIC voxlog professional
 
[SECURITY] [DSA 2412-1] libvorbis security update
 
[SECURITY] [DSA 2411-1] mumble security update
 
CubeCart 3.0.20 (3.0.x) and lower | Open URL Redirection Vulnerability [Updated]
 
WebsiteBaker 2.8.2 SP2 HTTP-Referer XSS vulnerability
 
A lot of people ask me what kind of tools I use for malware research.
That's definitely a really broad question, because each malware sample may need a different approach. However, there are some simple tools that help on a first pass and sometimes give you all the answers you need, without going deeper into more complete debuggers and disassemblers such as OllyDbg and IDA Pro, which by the way are two great tools!
For this diary I am not considering exploits, like PDF or Java exploits, but just plain PE files (EXE and DLLs).
As part of my first-look kit I use the pescanner Python script from Malware Analysis Cookbook, which the authors made available here.
This script gives you some valuable information about the PE file, such as the PE sections, version information (if available), and the compilation date. It also checks for some known bad indicators and prints [SUSPICIOUS] when it finds one, such as an implausible compilation date or unusual entropy values in the PE sections.
Once you are used to the analysis, a quick look at this output will help you identify possibly malicious files. Since it is based on Ero Carrera's pefile Python module, you can modify it and add features if you think it is necessary. One addition I made to mine is to show whether the file contains an overlay. In a few situations you will see a legitimate overlay in files, and it is very common to find a parasitic virus including its code as an overlay on the PE file.
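To show what the overlay and entropy checks are actually measuring, here is an added example that walks the PE headers by hand with only the standard library; it is not pescanner's code (which uses pefile) nor the author's modification. The overlay is whatever lies past the end of the last section's raw data, since the loader never maps it, and `build_sample_pe` constructs a minimal PE-shaped blob (not a runnable executable) so the check can be exercised offline.

```python
import struct
from math import log2

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)

def pe_summary(data: bytes) -> dict:
    """Read the COFF header and section table directly; no pefile dependency."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, timestamp = struct.unpack_from("<HI", data, coff + 2)   # NumberOfSections, TimeDateStamp
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]              # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                         # section table follows the optional header
    sections, end_of_image = [], 0
    for i in range(num_sections):
        hdr = table + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)    # SizeOfRawData, PointerToRawData
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "offset": raw_ptr, "size": raw_size,
                         "entropy": round(shannon_entropy(body), 2)})
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    # Bytes past the last section's raw data are never mapped by the loader: that is the overlay.
    overlay_size = max(0, len(data) - end_of_image)
    return {"timestamp": timestamp, "sections": sections,
            "overlay_offset": end_of_image if overlay_size else None,
            "overlay_size": overlay_size}

def build_sample_pe(section_body: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE-shaped blob with one section, for testing only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x4F41_0000, 0, 0, 0, 0x102)  # i386, 1 section, no optional header
    data_start = e_lfanew + 4 + 20 + 40                                  # section data follows the one header
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(section_body), 0x1000,
                                                      len(section_body), data_start) + b"\0" * 16
    return dos + b"PE\0\0" + coff + section + section_body + overlay
```

On a real sample, `pe_summary(open(path, "rb").read())` reports a non-zero `overlay_size` whenever data has been appended after the last section, and a section entropy near 8.0 is the kind of value pescanner marks as suspicious for packed or encrypted code.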
Another great tool that I use is the HIEW (Hacker's View) hex editor. It is a really complete old-style tool. I say old style because it runs in a DOS window; there is no GUI...:)
It has a lot of features: a complete hex editor, an ASCII view of the file, and a Decode view, where you are presented with a disassembler. It also has several shortcuts with pre-defined functions, such as showing you the basic PE information, the number of sections, the entry point address and much more.
It also allows you to go straight to the section you want or jump to a specific address in the file, list the imports and exports and even edit the file.
It is a paid tool available here, but there is a free version (6.50) which does not include all the features but will definitely give you a feel for it.
There was an open source product called Biew that had almost the same features as Hiew, but it seems not to have been updated since 2009.
Another tool that I've been checking out lately is HT Editor, which is a promising project. It still doesn't have a lot of features but I like it. You may check it here
Enjoy!
------------------------------------------------------------
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
 
Chinese handset maker ZTE announced two LTE smartphones on Monday, its first phones running Android 4.0.
 
Groupon has acquired Hyperpublic, a small company that develops location-based technology that can be integrated into other applications.
 
Mozilla has asked all certificate authorities (CAs) to revoke subordinate CA certificates currently used for corporate SSL traffic management, offering an amnesty to any CAs that had breached Mozilla's conditions for having their root certificates ship with its products.
 
LightSquared has defaulted on a US$56.25 million payment due under a 2007 wireless spectrum cooperation agreement with Inmarsat, the U.K. satellite communications operator said Monday, adding that it could terminate the agreement if LightSquared doesn't make payment within 60 days.
 
Name: Jon Pedersen Sr.
 
Apple has threatened to take legal action against a little-known Chinese firm for inflaming an ongoing dispute over the iPad trademark, alleging that the company's founder and its lawyers have made misleading statements that could damage the U.S. tech giant's business in China.
 
ELBA Multiple Security Vulnerabilities
 
Three lawmakers from the U.S. House of Representatives have asked the Federal Trade Commission to investigate whether last week's report of privacy violations of Safari users by Google violated a consent agreement the company had reached with the FTC last year.
 
An upcoming campaign announced by the hacking group Anonymous directed against the Internet's core address lookup system is unlikely to cause much damage, according to one security expert.
 
Apple supplier Foxconn Technology said on Saturday it had raised wages for its assembly line workers in China by 16 to 25 percent, as the company faces public scrutiny for its working conditions at its factories.
 
@s3rverexe has just announced that they have hacked a Chinese police website, which happens to be the Panjin City Public Security Bureau website.


 
The El Salvador Ministry of Education has been hacked by Nusantara Cyber Army, as announced on the @idc0tz Twitter account, and the hack has resulted in administration accounts being leaked.


 
Anonymous hacker @maldaria48 has hacked an official Yamaha music website and dumped a fair number of accounts as a result.


 
Columnist Michael Hugos describes how to build an agile IT architecture in three easy steps, from integrating internal and external systems to developing customer-facing applications. Insider, registration required.
 
Last week, Apple took most Mac users by surprise when it released a developers preview of Mountain Lion, the company's upcoming desktop OS. We're here to fill in some of the blanks about the new cat.
 
The board of directors of Samsung Electronics has decided to spin off the company's LCD (liquid crystal display) panel manufacturing unit, it said Monday.
 
Mumble '.mumble.sqlite' Insecure File Permissions Vulnerability
 
A Chinese court has ordered a local electronics vendor to stop selling the iPad, as part of an escalating trademark dispute that threatens to stop Apple from selling its iconic tablet in the country.
 

Posted by InfoSec News on Feb 20

www.sunday-guardian.com/investigation/ethical-hacker-ankit-fadia-is-a-fake

By Shubhankar Adhikari
NEW DELHI
The Sunday Guardian
February 20, 2012

Soon after Microsoft India's online store was hacked last week, rumours
swirled in Twitter that ethical hacker Ankit Fadia had been hired as a
security consultant by the software giant. He denies these rumours,
calling them baseless.

Fadia feels that the hacking of the Microsoft website...
 

Posted by InfoSec News on Feb 20

http://www.csoonline.com/article/700470/nuclear-plant-safety-report-on-usb-stick-lost-by-official

By John E Dunn
CSO Online
February 17, 2012

A USB stick containing a confidential safety report on a UK nuclear
power station has been lost in India, UK ministers have been told by a
red-faced Office for Nuclear Regulation (ONR).

The report on Hartlepool nuclear power station was reportedly downloaded
in unencrypted form on to the drive before...
 

Posted by InfoSec News on Feb 20

http://www.informationweek.com/news/security/attacks/232601092

By Mathew J. Schwartz
InformationWeek
February 17, 2012

It is every corporate security manager's worst nightmare.

News surfaced this week that Nortel's network was hacked in 2000, after
which attackers enjoyed access to the telecommunications and networking
company's secrets for 10 years.

The intrusions reportedly began after attackers used passwords stolen
from...
 

Posted by InfoSec News on Feb 20

http://www.nextgov.com/nextgov/ng_20120217_4350.php

By Bob Brewin
Nextgov
02/17/2012

When the Air Force Special Operations Command decided to buy 2,861
made-in-China Apple iPad tablet computers in January to provide flight
crews with electronic navigation charts and technical manuals, it
specified mission security software developed, maintained and updated in
Russia.

The command followed in the path of Alaska Airlines, which in May 2011...
 

Posted by InfoSec News on Feb 20

http://www.sundayobserver.lk/2012/02/19/new20.asp

By Manjula FERNANDO
Sunday Observer
19 February 2012

The leading computer security response teams in Sri Lanka completed a
drill to test response capability of their systems last week in a joint
cross-border action organised by the Asia Pacific Computer Emergency
Response Team (APCERT) headquartered in Japan.

Titled "Advance Persistent Threats and Global Coordination", the drill...
 

PCAnywhere code never changed: analyst
ZDNet Australia
In a submission to the InfoSec Institute, an anonymous analyst reveals that PCAnywhere, although heavily documented with comments throughout its code, is relatively unchanged from 10 years ago. Most changes, according to the analyst, ...

 