InfoSec News

China’s largest search engine Baidu posted strong earnings for the second quarter, driven by growing traffic and increased spending by advertising customers.
 
Mozilla has launched a new project to build an operating system for mobile devices that will run applications primarily on the Web.
 

Hackers could whip up a Cyber Storm
Technology Spectator
One of the main aims of last year's infosec geek-fest was to improve information sharing across the public and private sector. Cyber Storm III, held in September last year, involved more than 50 Australian organisations including Telstra, ASX, ...

 
Oracle Sun Solaris Kernel USB Configuration Descriptor Local Buffer Overflow Vulnerability
 
Randy Vickers, the director of the U.S. Computer Emergency Response Team (US-CERT), has resigned from his position without any official explanation for the abrupt move.
 
SanDisk has introduced a new line of SSDs designed for consumers who may want to extend the life of an aging computer, or to add some performance pep and reliability by swapping out an HDD for an SSD.
 
The argument raging over LightSquared's proposed LTE network and possible interference with GPS services is actually two arguments over two sets of frequencies, both of which the startup hopes eventually to use.
 
Apple iOS Data Security Certificate Chain Validation Security Vulnerability
 
Privacy researchers Alessandro Acquisti and Ralph Gross have converged facial recognition technology with publicly available personal information on social networks to identify individuals.



 
Extending a partnership established in 2006, Microsoft has renewed a working agreement to resell SUSE Linux and help develop new Windows interoperability tools for the OS, Microsoft announced Monday.
 
Italy's specialist police unit responsible for combating cybercrime suffered an embarrassing hack Monday by members of the loosely knit Anonymous hacktivist galaxy.
 
Intel has shipped two ultra-low-voltage Celeron processors this month as the company fills out its Sandy Bridge chip lineup for budget laptops.
 
A U.S. Federal Communications Commission proposal to transfer 120MHz of television spectrum from broadcasters to mobile broadband carriers could require more than 800 TV stations to change channels and could drive more than 200 off the air permanently, according to a trade group.
 
Amazon today bowed to Apple's newest App Store rules, and removed a link in its iPhone and iPad Kindle apps that took customers directly to its online store.
 
Researchers over the weekend uncovered a Facebook app for Apple's iPad, and showed how 'jailbroken' tablets could run the still-unreleased software.
 
Apple Mac OS X QuickLook Remote Buffer Overflow Vulnerability
 
APPLE-SA-2011-07-25-2 iOS 4.2.10 Software Update for iPhone
 
As I already wrote in many previous diaries, various FakeAV groups go through a lot of work to make their malware as resilient to legitimate anti-virus programs as possible, both on the server side, where they abuse various search engines to poison results and get new users to visit their booby-trapped sites, and on the client side, where they constantly modify binaries to evade AV detection.
One of the most common ways of making detection more difficult is packing. However, the authors behind FakeAV use a bunch of other techniques to constantly modify their client binaries. They employ pretty much every obfuscation technique you can think of: anti-disassembly (destroying functions, opaque predicates, long ROP chains ...), anti-emulation, anti-VM, anti-debugging etc. We'll take a look at the last two of these.
Anti-emulation is used to prevent execution of malware (or to change the way it behaves) when it is executed in an emulated environment. The emulated environment can be some kind of sandbox or, more commonly, the isolated environment that is part of a legitimate anti-virus product. Today's AV products almost always use various heuristics to detect previously unknown malware. These heuristics are (besides other features) also based on the actions that the sample performs in the isolated environment. Basically, the AV program executes the sample in the isolated environment and monitors its activities. If something bad is detected (e.g. the sample dropping something in the C:\Windows\System32 directory), the AV program can block it and prevent it from infecting the machine.
Malware authors usually try to detect whether they are running in such an isolated environment by calling unusual functions. FakeAV, for example, calls some of the following: LCMapStringA, GetFontData, GetKeyState, GetFileType, GetParent. The idea is to call a function that the isolated environment (hopefully for the author) has not implemented properly and to detect that the return value is incorrect. As there are thousands of functions in the Windows API, it's impossible for the AV program to correctly implement all of them (although they take good care of those commonly used by malware). It's a cat and mouse game.
Besides such artificial isolated environments, malware authors (including the guys behind FakeAV) don't like their malware being executed on virtual systems such as VMware or VirtualPC, or under real hardware hypervisors. FakeAV uses quite a bit of well-known code to detect various virtual systems. One of the tests is the CPUID instruction. CPUID is very useful here since both Intel and AMD CPUs have reserved bit 31 of ECX of CPUID leaf 0x1 as the hypervisor-present bit. This allows applications to check whether they are running in a guest (virtual) system by executing CPUID with EAX set to 0x1 and then checking bit 31 of ECX. If it is set, the application is running in a virtual system. This is what the FakeAV authors do, as shown in the following picture:

Or did they fail (like, epic)? Check the picture above carefully. Bit 31 of ECX has to be set to indicate that we are in a virtual machine. What did the FakeAV author do? After executing the CPUID instruction, instead of checking the value of ECX against 0x80000000 (bit 31), the author overwrites ECX with this value and then checks it against itself. This test always returns 0, so the FakeAV author fails to detect whether the program is in a virtual machine, even if the hypervisor honestly set bit 31. And there are more failures in the code later on.
Before I end this diary, I'd like to congratulate my colleague Branko on winning the Hex-Rays IDA Pro plugin contest (http://www.hex-rays.com/contest2011/) with Optimice (http://code.google.com/p/optimice/). Of course, congratulations also to Jennifer Baldwin from the University of Victoria for the Tracks plugin, which looks very cool.
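To make the difference concrete, here is an added C example (not code from the diary or from the FakeAV binary) that performs the CPUID leaf 1 hypervisor-present check correctly and, beside it, reconstructs the broken logic described above. The helper names are my own; the real CPUID read uses GCC/Clang's `<cpuid.h>` and only runs on x86 hosts.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* __get_cpuid() from GCC/Clang */
#endif

/* CPUID leaf 1, ECX bit 31: the hypervisor-present bit described in the diary. */
#define HYPERVISOR_PRESENT_BIT (1u << 31)

/* Reads ECX of CPUID leaf 1 on x86 hosts; returns 0 on other architectures
 * (hypothetical helper written for this example). */
uint32_t cpuid_leaf1_ecx(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return (uint32_t)ecx;
#endif
    return 0;
}

/* Correct check: mask bit 31 of the ECX value that CPUID actually returned. */
int hypervisor_present_correct(uint32_t ecx) {
    return (ecx & HYPERVISOR_PRESENT_BIT) != 0;
}

/* Reconstruction of the FakeAV mistake as the diary describes it: ECX is
 * overwritten with the constant before the comparison, so the CPUID result is
 * never examined and the check reports "no hypervisor" on every host. */
int hypervisor_present_fakeav(uint32_t ecx) {
    ecx = HYPERVISOR_PRESENT_BIT;           /* clobbers the CPUID result */
    return ecx != HYPERVISOR_PRESENT_BIT;   /* constant compared with itself: always 0 */
}

int main(void) {
    uint32_t ecx = cpuid_leaf1_ecx();
    printf("CPUID.1:ECX = 0x%08x\n", ecx);
    printf("correct check: hypervisor %s\n",
           hypervisor_present_correct(ecx) ? "present" : "absent");
    printf("FakeAV check:  hypervisor %s\n",
           hypervisor_present_fakeav(ecx) ? "present" : "absent");
    return 0;
}
```

Run it inside a VM and on bare metal: the correct check changes its answer, the FakeAV-style check never does.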
--

Bojan

INFIGO IS (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
An issue that had simmered for several weeks boiled over this weekend, as Google apparently accelerated deletions of Google+ accounts over the site's requirement that members use their real names.
 
Qualcomm said it wants to make smartphones and tablets more interactive through the acquisition of gesture-recognition assets from GestureTek, which holds patents related to motion-based human-computer interaction.
 
Intel on Sunday acknowledged that a bug could cause its SSD 320 solid-state drives to fail, and said a firmware upgrade is on its way to address the problem.
 
Linux Kernel SSID Buffer Overflow Vulnerability
 
APPLE-SA-2011-07-25-1 iOS 4.3.5 Software Update
 
APPLE-SA-2011-07-20-2 iWork 9.1 Update
 
OWASP AppSec USA 2011 Pre-conference Challenge #3 - July
 
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
Chinese authorities have closed two unauthorized Apple stores in Kunming following an investigation prompted by a blogger who posted photos last week of one outlet.
 
[DSB-2011-01] Security Advisory FreeRADIUS 2.1.11
 
libsndfile PAF File Integer Overflow Vulnerability
 
[SECURITY] [DSA 2284-1] opensaml2 security update
 
phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability
 
[SECURITY] [DSA 2283-1] krb5-appl security update
 
CobraScripts (search_result.php?cid) Remote SQL injection Vulnerability
 
[ MDVSA-2011:118 ] wireshark
 
Re: [Full-disclosure] [Bkis] sNews 1.7.1 XSS vulnerability
 
 
Oracle on Monday announced a sneak peek at features slated for MySQL 5.6, the next version of its open-source database, that focus on improved scalability, integration and performance.
 
[ MDVSA-2011:119 ] libsndfile
 
[ MDVSA-2011:116 ] curl
 
Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
 
Permutation Oriented Programming
 
Research in Motion will lay off 2,000 staffers, or a little more than 10% of its workforce.
 
The new Profile Manager is a nice addition, but in almost every other respect, Lion Server is a downgrade that may prompt a move to Windows Server.
 
QEMU '-runas' Argument Local Security Bypass Vulnerability
 
Microsoft last week confirmed that customers running Office for Mac will experience problems with the suite on Apple's new Lion operating system.
 
More and more companies are offering paid time off to employees who want to volunteer, either on company-sponsored initiatives or at a charity or agency of their own choosing.
 
Linux Kernel 'drivers/media/radio/si4713-i2c.c' Remote Buffer Overflow Vulnerability
 
The negotiations to strike a deal on the debt ceiling may be getting all the attention in Congress, but there are also new efforts by lawmakers to address high-skill immigration issues.
 
Generic drug maker Ratiopharm, now part of Teva Canada, turned to social networking tools to solve communication problems that choked the supply chain and made it difficult to respond to fluctuations in customer demand.
 
Russia's profile in supercomputing is rising, thanks to a Moscow-based company and a Russian president who sees high-performance computing as critical to the nation's future.
 
Godly Forums 'id' Parameter SQL Injection Vulnerability
 
WebKit CVE-2011-0222 Memory Corruption Remote Code Execution Vulnerability
 
CiscoKits CCNA TFTP Server Long Filename Remote Denial of Service Vulnerability
 
Download Accelerator Plus '.m3u' File Buffer Overflow Vulnerability
 

Posted by InfoSec News on Jul 24

http://www.darkreading.com/security/attacks-breaches/231002455/new-targeted-attack-campaign-against-defense-contractors-underway.html

By Kelly Jackson Higgins
Dark Reading
July 22, 2011

The U.S. Defense industry once again is under siege by cyberspies in an
attack that provides a link to a rigged spreadsheet containing a real
list of high-level defense industry executives who attended a recent
Intelligence Advanced Research Projects Activity...
 

Posted by InfoSec News on Jul 24

http://www.theregister.co.uk/2011/07/22/mac_battery_hack/

By Dan Goodin in San Francisco
The Register
22nd July 2011

Now that Apple has endowed the Mac operating system with
state-of-the-art security protections, a researcher has devised new
attacks that target the machine's battery.

Charlie Miller, well known for his numerous attacks on iPhones and Macs,
may not have achieved his ultimate objective of making a Mac
spontaneously...
 

Posted by InfoSec News on Jul 24

http://news.techworld.com/security/3292871/german-national-cyber-security-centre-attacked-by-hackers/

By Nicolas Zeitler
TechWorld
22 July 11

Just a few weeks after German authorities opened a national Cyber
Defense Centre in Bonn, it was attacked by hackers and now officials are
struggling to arrest all of those involved.

While security authorities reported they had arrested two members of the
hacking group linked to the attacks, the group...
 

Posted by InfoSec News on Jul 24

Forwarded from: Call For Papers <cfpt (at) securitybyte.org>

The first round of speakers have been selected for Securitybyte, please follow
us on twitter @securitybyte to get the latest updates on speakers and event.

Deral Heiland, From Printer to Owned: Leveraging Multifunction Printers During
Penetration Testing
Nithya Raman, Security threats on social networks
Alexander Polyakov, A Crushing Blow At the Heart of SAP J2EE Engine
Bishan...
 

Posted by InfoSec News on Jul 24

http://www.bloomberg.com/news/2011-07-21/former-akamai-worker-to-plead-guilty-in-economic-espionage-case-u-s-says.html

By Don Jeffrey
Bloomberg
July 21, 2011

A former employee of Akamai Technologies Inc. (AKAM) agreed to plead
guilty to providing trade secrets to an undercover agent posing as an
Israeli intelligence officer, the U.S. government said.

Elliot Doxer, 42, of Brookline, Massachusetts, will appear at a plea
hearing in Boston Aug....
 