Hackin9
[SECURITY] [DSA 3554-1] xen security update
 

Techworm

Lian Li's first standing desk can also be your PC
Techworm
Today, Lian-Li Industrial Co. Ltd announced the DK-04 computer desk chassis: the first-ever standing computer desk. This chassis offers hardcore enthusiasts design improvements, better drive mounting, extensive water cooling support, and, most ...

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Saarinen: Australia to cyber the world
New Zealand Herald
... being sunk on the initiative. Already, I've had an avalanche of emails from security vendors welcoming the cyber security policy, no doubt hoping for a slice of the action. Now's probably a good time to consider a career in infosec in other words ...

 

(credit: Xylitol)

Two men who built and sold a banking trojan that infected more than 50 million computers around the world and caused almost $1 billion in losses have been sentenced to a combined 24 years in prison.

Aleksandr Andreevich Panin, the chief developer and distributor of SpyEye, received a sentence of nine years and six months in federal prison, according to a statement issued by the US Department of Justice. In underground forums where the trojan was sold, the 27-year-old Russian national went by the hacker aliases “Gribodemon” and “Harderman.” In 2010, prosecutors said, he received the source code to a crimeware platform dubbed ZeuS. From 2009 to 2011, he conspired with others to develop SpyEye, which is believed to have borrowed liberally from ZeuS.

Prosecutors said Panin conspired with Hamza Bendelladj, aka Bx1, an Algerian man who received a 15-year prison term during the same Wednesday sentencing in federal court in Atlanta. Prosecutors said Bendelladj transmitted more than one million spam e-mails containing SpyEye and related malware to computers in the United States. The feat infected hundreds of thousands of computers. Bendelladj also developed SpyEye add ons that automated the theft of funds from victim bank accounts and further spread malware, including SpyEye and Zeus. Authorities said he stole personal information from almost 500,000 people and caused millions of dollars in losses to individuals and financial institutions around the world.


 

James Comey is the director of the FBI. (credit: Brookings Institute)

FBI Director James Comey suggested to a conference in London that his agency paid more than $1.3 million to gray-hat hackers who were able to unlock the iPhone 5C that was used by Syed Farook Rizwan, the dead terrorist who masterminded the attack in San Bernardino, California, in December 2015.

According to Reuters, Comey was asked Thursday how much the FBI paid for the technique that eventually allowed investigators to access the locked phone.

"A lot. More than I will make in the remainder of this job, which is seven years and four months for sure," Comey said. "But it was, in my view, worth it."


 
exploit CVE-2016-2203
 
CVE-2016-3074: libgd: signedness vulnerability
 

(credit: Wikipedia)

The UK's intelligence agencies (MI5, MI6, and GCHQ) are spying on everything you do, and with only the flimsiest of safeguards in place to prevent abuse, according to more than a thousand pages of documents published today as a result of a lawsuit filed by Privacy International.

The documents reveal the details of so-called "Bulk Personal Datasets," or BPDs, which can contain "hundreds to millions of records" on people who are not suspected of any wrongdoing.

These records can be “anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities,” Privacy International's legal officer Millie Graham Wood said in a statement. "The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data."


 
OpenTSDB RCE
 
TOP: Time information is transmitted between sites across a turbulent air path. Real-time feedback is supplied to the clock at site B to synchronize it with the clock at site A. BOTTOM: Measured timing deviation, or precision, between ...
 

Cloud Tech

Docker security: How to monitor and patch containers in the cloud
Cloud Tech
The truth is that many of your current tools and processes will have to change. Often your existing tools and processes are not “aware” of containers, so you must apply creative alternatives to meet your internal security standards. The good news is ...

 

Please refer to the first part that I posted earlier for some background on what pseudo-darkleech is. [Screenshot: cat stage2.js | perl -pe ... ; only the tail of the regular expression, \}\{])/$1\n/g, survived, which inserts a line break after each brace so the script becomes readable.]

Now, two code blocks stand out. The first queries the userAgent (browser type) for the presence of rv:11, MSIE and MSIE 10. rv:11 can be found both in the old Firefox 11 and in Internet Explorer 11; MSIE and MSIE 10 look for that particular version of Internet Explorer. This section is written as convolutedly as it is, and includes that odd (+[window.sidebar]) expression, because the bad guys are trying to fool dynamic analysis in malware sandboxes and proxy servers. In a regular browser, this code works as intended and sets the variable ug to 2 if the browser is IE10 or IE11. But in SpiderMonkey or another JavaScript interpreter that does not emulate the full browser document object model (DOM), this section will leave ug undefined or set it to zero.

The second block again refers to the evs element. [Screenshot] The call replace(/[^a-z]/g, '') strips out all the numbers and spaces and retains only the letters. What then follows is a loop over the resulting string, and another XOR operation to decode it. This time, it isn't a simple XOR with 9 [Screenshot: npyu=tbQos5ZSsPE3rk] but an XOR operation with a password (stored in npyu) of length 14, which means that the code block is making use of a polyalphabetic cipher (Vigenère). The consequence is that the evs block alone cannot really be decoded without also decoding the JavaScript that contains the password. A simple XOR with 9 is trivially broken, but an XOR with a 14-character password cannot reasonably be brute forced.

So, let's clean up the code a bit more, so that we can actually run it in SpiderMonkey and see the result. [Screenshot: the document.getElementById('evs') lookup is replaced with the content of the evs element inline, zfsp=a9ca7 d97,b 52 3j3 db3ax4 82 d-126 gb9u6 103cc 109d 102 -126 3fef9d 1xd22 96 -p10 -ax9 b-10cd8g. 1bm07 10bw .....]

Next, we strip off all that browser detection logic and just set the result, ug=2. And finally, instead of actually running the decoded block at the very end, we print it: [Screenshot]

And we are ready to rock: [Screenshot]

In the end, the pseudo-darkleech code block just generates an IFRAME that loads an Angler Exploit Kit. All these stages of having an HTML and JavaScript block where one decodes the other first into a script and then into the IFRAME, and all this use of browser-specific checks and even a polyalphabetic cipher, is not malicious per se, since it does not exploit any vulnerabilities. It just serves to hide the malicious IFRAME from proxies and malware sandboxes, so that the Angler EK really only loads on the user's PC, and not in an emulator or filter that aims to detect its presence.
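As an added illustration of the decoding steps described above, and not code from the diary or from stage2.js: a single-byte XOR like the "XOR with 9" of part one, the letters-only filter, and the repeating-key XOR that the 14-character npyu password implies, all run on constructed data. PLAINTEXT, NOISE and REPEATING_KEY are made up for this example, and the number-list blob layout is a simplified stand-in for the real evs content. The block also brute-forces the single-byte key against a known crib and compares the two key spaces, which is the point of the remark that the 14-character key cannot reasonably be brute forced.

```javascript
// Added illustration, not the ISC diary's code: reproduces the two decoding
// patterns the diary describes on constructed data. PLAINTEXT, NOISE and
// REPEATING_KEY are constructed stand-ins; the diary's password variable is npyu.

const PLAINTEXT = 'alert("constructed sample")';   // constructed harmless payload
const SINGLE_BYTE_KEY = 9;                          // the "XOR with 9" case from part one
const REPEATING_KEY = "Ex4mpl3K3yAbCd";             // constructed 14-character password
const NOISE = "zfsp";                               // constructed junk letters for the blob

const strToBytes = (s) => Array.from(s, (c) => c.charCodeAt(0) & 0xff);
const bytesToStr = (a) => String.fromCharCode(...a);

// Repeating-key XOR. A one-byte key is a plain XOR; a 14-byte key makes byte i
// depend on key[i % 14], i.e. a polyalphabetic (Vigenere-style) cipher.
function xorBytes(bytes, keyBytes) {
  return bytes.map((b, i) => b ^ keyBytes[i % keyBytes.length]);
}

// Constructed blob: decimal byte values separated by spaces with junk letters
// glued on, a simplified version of the "a9ca7 d97 ..." shape of the evs element.
function buildBlob(bytes) {
  return bytes.map((b, i) => NOISE[i % NOISE.length] + b).join(" ");
}

// What the diary's replace(/[^a-z]/g, '') does: drop digits, spaces, punctuation.
function lettersOnly(blob) {
  return blob.replace(/[^a-z]/g, "");
}

// Pull the numbers back out of the blob (negatives wrap to a byte) and XOR them.
function decodeNumberBlob(blob, keyBytes) {
  const nums = (blob.match(/-?\d+/g) || []).map((n) => parseInt(n, 10) & 0xff);
  return bytesToStr(xorBytes(nums, keyBytes));
}

// Decode a byte stream with the repeating password.
function decodeWithPassword(cipherBytes, password) {
  return bytesToStr(xorBytes(cipherBytes, strToBytes(password)));
}

// Single-byte XOR is broken by trying all 256 keys and looking for a known crib;
// returns the first key whose output contains the crib, or -1.
function recoverSingleByteKey(cipherBytes, crib) {
  for (let k = 0; k < 256; k++) {
    if (bytesToStr(xorBytes(cipherBytes, [k])).includes(crib)) return k;
  }
  return -1;
}

// Key space in bits for a password of the given length over an alphabet.
function keyspaceBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Build the two constructed stages, then decode them again.
const STAGE1_BLOB = buildBlob(xorBytes(strToBytes(PLAINTEXT), [SINGLE_BYTE_KEY]));
const STAGE2_CIPHER = xorBytes(strToBytes(PLAINTEXT), strToBytes(REPEATING_KEY));

function demo() {
  return {
    stage1: decodeNumberBlob(STAGE1_BLOB, [SINGLE_BYTE_KEY]),
    lettersStripped: lettersOnly(STAGE1_BLOB),
    stage2: decodeWithPassword(STAGE2_CIPHER, REPEATING_KEY),
    recoveredKey: recoverSingleByteKey(
      xorBytes(strToBytes(PLAINTEXT), [SINGLE_BYTE_KEY]), "alert"),
    bitsSingle: keyspaceBits(256, 1),                 // 8 bits: 256 tries
    bitsPassword: keyspaceBits(62, 14),               // about 83 bits for [A-Za-z0-9]^14
  };
}

console.log(demo());
```

The single-byte key falls to a 256-entry loop with a crib check, whereas the 14-character alphanumeric password sits in a key space of roughly 2^83, which is why the second stage can only be decoded by first decoding the JavaScript that carries the password.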

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Threatpost

Misunderstanding Indicators of Compromise
Threatpost
Conflating Observables and IOCs, and improperly using Observables results in high rates of false-positive alerts, said Alex Sieira on the Infosec Zanshin blog. What are sold as “threat intelligence” feeds are often really Observables feeds, not ...

 
Internet Storm Center Infocon Status