Information Security News
Earlier this year, we started seeing reports of macro-based Bartalex malware. Bartalex has been used in Microsoft Office documents sent through malicious spam (malspam). On Tuesday 2015-07-21, we found a sample to examine for today's diary. We used this example of Bartalex to infect a Windows host with Pony malware, which then downloaded a Dyre banking Trojan.
Example of the malspam
This malspam sample has ADP as a spoofed sender.
The email headers show this email didn't
The malicious attachment
OfficeMalScanner generated some text files, and we could examine the macro code. The largest file
There's a bit of obfuscation, but we found some URLs used by the malware.
Opening the Word document will execute the associated macro(s) if they are enabled. Here's what the document looks like when it
Traffic generated by the malware
We opened the Word document on a virtual machine (VM) and enabled macros. Unfortunately, the VM had only one processor core. Why is that unfortunate, you ask? Earlier this year, Dyre began checking whether a machine has only one processor core. On a single-core VM, Dyre terminates itself before doing anything, which is what happened here. Below is an image of the traffic filtered in Wireshark.
Doing the same thing on a dual-core host generated additional post-infection traffic. Below is an image of Wireshark from the dual-core host. On this host, the post-infection traffic shows patterns associated with Dyre.
We reviewed some of the Dyre post-infection traffic in Wireshark. The image below shows one of the TCP streams using SSL over port 4443. Because 4443 is not a standard SSL port, Wireshark does not dissect it as SSL on its own: in Wireshark's Analyze menu, use Decode As and select SSL to see the handshake properly parsed.
Below are links for two EXE files found on the infected host. The hybrid-analysis pages contain links to download the malware samples:
Bartalex malspam continues to be a concern. In some cases, these attachments may slip through spam filters before anti-virus programs can detect them. Fortunately, the post-infection traffic should trigger network alerts. If your organization has adequate network security monitoring, you can detect users who fall for this malspam.
by Cyrus Farivar
According to The New York Times and Bloomberg News, four men in Florida and Israel have been arrested in relation to the 2014 hack against JPMorgan Chase, which resulted in gigabytes of bank data being exfiltrated. The news outlets, citing anonymous sources, did not fully explain how all the suspects were connected.
The United States Attorney in Manhattan announced that the two Florida men were arrested Tuesday, and were formally charged with operating an unlicensed Bitcoin exchange, coin.mx.
However, their criminal complaints make no mention of JPMorgan Chase. The two Israelis were named as Gery Shalon and Ziv Orenstein, and were arrested by authorities there. A fifth man, Joshua Samuel Aaron, an American living in Israel, is reportedly still at large.
A security researcher has taken umbrage at Italian malware developer Hacking Team after discovering that his open source exploit tools were included in Android surveillance software sold to governments around the world.
Collin Mulliner, well-known in security circles for exposing vulnerabilities in mobile devices, published a blog post Tuesday that attempts to set the record straight. To wit: his tools—which among other things surreptitiously capture conversations and other sounds within earshot of infected Android phones—were used without permission or notice by Hacking Team. He learned about the use only after the breach of Hacking Team computers, which resulted in a 400-gigabyte leak of confidential company documents, including these e-mails showing company engineers discussing Mulliner's tools.
In Tuesday's post, Mulliner wrote:
A recently disclosed bug in OpenSSH software used to remotely access Internet-facing computers and servers allows attackers to make thousands of password guesses in a short period of time, a defect that could open systems to password cracking, a security researcher has warned.
Under normal circumstances, OpenSSH will allow just three or six login attempts before closing a connection, the researcher who goes by the moniker KingCope wrote in a blog post published last week. The recently discovered vulnerability, however, allows attackers to perform thousands of authentication requests during an open login window, which by default lasts two minutes. As a result, attackers who cycle through the most commonly used passwords face much better odds of finding the right one, since the vulnerability allows them to try many more candidates than they otherwise would.
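The two server-side knobs this item refers to are MaxAuthTries (attempts per connection, default 6) and LoginGraceTime (how long an unauthenticated connection may stay open, default 120 seconds). The following audit script is an added example written for this page; it is not OpenSSH project code and not the researcher's proof of concept. It parses an sshd_config, fills in the stock defaults for anything left unset, and flags a long grace window, a generous attempt count, and password-style authentication being enabled at all. The thresholds (3 attempts, 30 seconds) and the two sample configurations are this example's own constructions, not an OpenSSH recommendation.

```python
"""Audit an sshd_config for the settings that size the password-guessing window.

Added example, not OpenSSH code. Defaults below are from sshd_config(5) for
the OpenSSH releases of the time; the thresholds and sample configs are
constructed for the demonstration.
"""
import re

# sshd_config(5) defaults for the keywords checked; an unset keyword uses these.
DEFAULTS = {
    "maxauthtries": "6",
    "logingracetime": "120",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_config(text):
    """Return the global settings as {keyword.lower(): value}.

    Keywords are case-insensitive and, as in sshd, the first occurrence of a
    keyword wins. Parsing stops at the first 'Match' line, because everything
    after it is conditional rather than global.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def parse_time(value):
    """Convert an sshd time value ('120', '30s', '2m', '1h30m') to seconds."""
    v = value.lower()
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", v):
        raise ValueError("bad sshd time value: %r" % value)
    return sum(int(n) * TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", v))


def audit_sshd_config(text, max_tries=3, max_grace=30):
    """Return (keyword, effective value, why it matters) tuples; [] means clean."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    if int(cfg["maxauthtries"]) > max_tries:
        findings.append(("MaxAuthTries", cfg["maxauthtries"],
                         "more than %d attempts per connection" % max_tries))
    grace = parse_time(cfg["logingracetime"])
    if grace == 0 or grace > max_grace:  # 0 means no time limit at all
        findings.append(("LoginGraceTime", cfg["logingracetime"],
                         "unauthenticated connection can stay open longer than %d s" % max_grace))
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", "yes", "passwords accepted; prefer keys"))
    if cfg["challengeresponseauthentication"].lower() == "yes":
        findings.append(("ChallengeResponseAuthentication", "yes",
                         "keyboard-interactive (password-style) prompts enabled"))
    return findings


# Constructed sample: stock-looking config, nothing tightened.
WEAK_CONFIG = """\
Port 22
#MaxAuthTries 6
#LoginGraceTime 2m
PasswordAuthentication yes
"""

# Constructed sample: key-only login, short grace window, few attempts.
HARDENED_CONFIG = """\
Port 22
MaxAuthTries 3
LoginGraceTime 30
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The weak sample is flagged four times purely from defaults, which is the point: a server that has never had its sshd_config touched runs with the two-minute window and six attempts the item describes, and accepts passwords. The Match block in the hardened sample is deliberately ignored, since a per-user exception is not a global setting.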
by Sean Gallagher
A pair of computer security researchers based in St. Louis demonstrated weaknesses in an automobile system with cellular connectivity installed in as many as 471,000 vehicles in the US. Charlie Miller and Chris Valasek highlighted the vulnerability of the system by attacking a Jeep Cherokee equipped with the Uconnect system remotely while Wired's Andy Greenberg was driving it.
Uconnect, a "connected car" system sold in a number of vehicles produced by Fiat Chrysler for the US market, uses the Sprint cellular network to connect to the Internet and allows owners to interact with their vehicle over their smartphone—performing tasks like remote engine start, obtaining the location of the vehicle via GPS, and activating anti-theft features. But vulnerabilities in Uconnect, which Fiat Chrysler has issued a patch for, made it possible for an attacker to scan Sprint's cellular network for Uconnect-equipped vehicles, obtaining their location and vehicle identification information. Miller and Valasek demonstrated that they could then attack the systems within the car via the IP address of the vehicle, allowing them to turn the engine of the car off, turn the brakes on or off, remotely activate the windshield wipers, and take control of the vehicle's information display and entertainment system.
Miller and Valasek also found that they could take remote control of the steering of their test vehicle, the aforementioned Jeep Cherokee—but only while it was in reverse.
InfoSec pros spend most time, money on self-inflicted problems | CSO Online
According to a new survey of Black Hat attendees released last week, InfoSec professionals are spending the biggest amount of their time and budgets on security problems created within the organization itself. Security vulnerabilities introduced by ...
Now that my overview of Sysinternals tools with VirusTotal support is complete (Process Explorer, Autoruns and Sigcheck), let's address a couple of remarks I received (BTW, if I missed a Sysinternals tool, let me know with a comment).
1) Upload of files. Some people are worried that the Sysinternals tools will upload (confidential) files to VirusTotal. That is a valid concern, but for each tool I described, I showed how to enable hash searching first. Configured like this, the Sysinternals tools will only submit hashes to VirusTotal, and not upload files. The Sysinternals tools can upload files, but this has to be done manually (Process Explorer) or configured explicitly (Autoruns and Sigcheck).
2) Internet access. It is obvious that these tools require Internet access to connect to VirusTotal (BTW, if you have a proxy, read the comments for Process Explorer). But that is not always possible or desirable. Several years ago, I needed a tool to search through the VirusTotal database for a list of MD5 hashes. At that time, I found no programs or scripts that searched the VirusTotal database via the API (there were scripts to submit files, but none to search). Thus I wrote my own tool: virustotal-search.py. You need to obtain a VirusTotal API key to use with virustotal-search.py (create a free VirusTotal account and you'll get one). Then you let virustotal-search.py run with a list of search terms (MD5, SHA1 or SHA256 hashes) and it will produce a CSV file with the results. This will take some time, as virustotal-search.py respects VirusTotal's quota for free accounts: 4 requests per minute and a maximum of 4 search terms per request. I won't go into all the features of virustotal-search; if you are interested, visit my virustotal-search page. Here is an example of a CSV file produced by virustotal-search.py:
In an upcoming diary entry, I'll give some pointers on producing lists of hashes (tip: some Sysinternals tools can calculate hashes).
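Both remarks above come down to the same design: send only hashes, never files, and stay inside the free-tier quota while doing it. The script below is an added example written for this page to show that logic end to end; it is not virustotal-search.py and does not reproduce its output format. It assumes the VirusTotal v2 file/report endpoint, which accepts up to four comma-separated MD5/SHA1/SHA256 values in the resource parameter and answers a multi-hash query with a JSON list (a single-hash query gets a single object); the quota figures are the ones quoted above (4 requests per minute, 4 terms per request). The CSV columns are this example's own choice, and the hash list and the offline responder are constructed so the code runs without network access.

```python
"""Hash-only VirusTotal lookups, batched and paced to the free-tier quota.

Added example for this page, not Didier Stevens' virustotal-search.py.
API_URL and the response shapes are assumptions about the v2 API; pass your
own key with the default report=http_report to query the real service.
Only hashes are ever sent; nothing reads or uploads files.
"""
import csv
import io
import json
import re
import time
import urllib.parse
import urllib.request

API_URL = "https://www.virustotal.com/vtapi/v2/file/report"   # v2 API (assumption)
BATCH_SIZE = 4                 # hashes per request
REQUESTS_PER_MINUTE = 4        # free-tier quota
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
COLUMNS = ["query", "found", "positives", "total", "scan_date", "sha256", "permalink"]


def normalize_hashes(lines):
    """Keep well-formed hex digests only, lowercased, de-duplicated, in input order."""
    seen, out = set(), []
    for line in lines:
        h = line.strip().lower()
        if HASH_RE.match(h) and h not in seen:
            seen.add(h)
            out.append(h)
    return out


def http_report(api_key, resources):
    """Real transport: POST one batch of hashes and return the parsed JSON."""
    body = urllib.parse.urlencode({"apikey": api_key, "resource": ",".join(resources)}).encode()
    with urllib.request.urlopen(API_URL, data=body, timeout=30) as resp:
        return json.load(resp)


def row_from_report(query, item):
    """Flatten one report object into a CSV row; unknown hashes get empty fields."""
    found = item.get("response_code") == 1
    row = {"query": query, "found": int(found)}
    for col in COLUMNS[2:]:
        row[col] = item.get(col, "") if found else ""
    return row


def search_hashes(hashes, api_key, report=http_report, sleep=time.sleep):
    """Look up hashes in batches of BATCH_SIZE, sleeping between requests.

    'report' and 'sleep' are injectable so pacing and parsing can be tested
    offline. Returns one row dict per input hash, in input order.
    """
    pause = 60.0 / REQUESTS_PER_MINUTE
    rows = []
    for i in range(0, len(hashes), BATCH_SIZE):
        group = hashes[i:i + BATCH_SIZE]
        if i:
            sleep(pause)                      # stay inside the per-minute quota
        result = report(api_key, group)
        if isinstance(result, dict):          # single-hash answers are not wrapped in a list
            result = [result]
        by_resource = {item.get("resource"): item for item in result}
        for pos, h in enumerate(group):       # match by echoed 'resource', else by position
            item = by_resource.get(h) or (result[pos] if pos < len(result) else {})
            rows.append(row_from_report(h, item))
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed input: one duplicate (different case), one junk line, five valid digests.
SAMPLE_HASH_LIST = [
    "44d88612fea8a8f36de82e1278abb02f",
    "44D88612FEA8A8F36DE82E1278ABB02F",
    "d41d8cd98f00b204e9800998ecf8427e",
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "not-a-hash",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

# Constructed stand-in for the service: one known file, reachable by MD5 or SHA256.
_KNOWN = {"positives": 55, "total": 57, "scan_date": "2015-07-21 00:00:00",
          "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "permalink": "https://example.invalid/report/1"}
FAKE_DB = {"44d88612fea8a8f36de82e1278abb02f": _KNOWN, _KNOWN["sha256"]: _KNOWN}


def fake_report(api_key, resources):
    """Offline responder mimicking the v2 response shapes (list, or object for one hash)."""
    items = [dict(FAKE_DB[h], response_code=1, resource=h) if h in FAKE_DB
             else {"response_code": 0, "resource": h} for h in resources]
    return items[0] if len(items) == 1 else items


if __name__ == "__main__":
    rows = search_hashes(normalize_hashes(SAMPLE_HASH_LIST), "demo-key",
                         report=fake_report, sleep=lambda s: None)
    print(to_csv(rows), end="")
```

Two details worth noting when adapting this: rows are matched to queries by the resource field the service echoes back rather than by position alone, so a short or reordered response cannot silently shift results; and the sleep is placed before every request after the first, so a list of 16 hashes takes about 45 seconds, which is the cost of staying on the free quota.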