
One-Man PoS Malware Operation Captures 22,000 Credit Card Details in Brazil

We have been able to identify a new point-of-sale (PoS) malware family that has affected more than 100 victim organizations in Brazil. We have dubbed this new malware family “FighterPOS”. (The name is derived from BRFighter, the tool used by the author to create this new threat.) This one-man operation has been able to steal more than 22,000 unique credit card numbers.

more here.........http://blog.trendmicro.com/trendlabs-security-intelligence/fighterpos-fighting-a-new-pos-malware-family/

HP Support Solutions Framework Security Issue

After discovering the flaw in Dell's System Detect software I looked into other similar software for issues. This post details two issues I found with the HP Product Detection software and explores the protections HP put in place. I'm also going to explain how they could be easily bypassed to allow an attacker to force files to be downloaded, and to read arbitrary data, registry keys and system information through the user's browser with little or no interaction.

more here........http://tomforb.es/hp-support-solutions-framework-security-issue

CONIKS

CONIKS is an end-user key verification service capable of integration in end-to-end encrypted communication systems.

With CONIKS, users can be sure that their communication remains secure while not needing to worry about encryption keys, because the CONIKS client will efficiently monitor their account on their behalf. The CONIKS client also audits the communication service providers of interest to the user to ensure that these are presenting consistent views of their contacts' accounts.

more here with tech paper included.....http://www.coniks.org/more-info
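The two client-side duties described above (monitoring your own binding, and auditing that the provider shows everyone the same directory) are what make a key directory transparent rather than merely trusted. The following is an added toy example, not CONIKS's own code, of the underlying mechanism: bindings live in a Merkle tree, each epoch publishes a signed tree root (STR) that chains to the previous one, clients check inclusion proofs for their own name, and an auditor compares the STRs that different parties received. STR signatures and CONIKS's privacy features (VRF-hashed names, prefix tree) are omitted; the names, keys and epochs are constructed test data.

```python
"""Toy CONIKS-style key directory (added example): Merkle inclusion proofs, a hash chain
of signed-tree-root (STR) snapshots, a client monitor for one's own binding, and an
auditor comparing the STRs that different parties received. STR signatures are omitted
(assumption: a real deployment signs every STR with the provider's key)."""
import hashlib
from dataclasses import dataclass

def H(*parts):
    """Domain-separated, length-prefixed SHA-256 so leaf/node/STR hashes cannot collide."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def leaf_hash(name, key):
    return H(b"leaf", name.encode(), key)

def merkle_proof(leaves, index):
    """Return (root, audit path) for leaves[index]; an odd level duplicates its last node."""
    level, path = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        path.append(level[index ^ 1])
        level = [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def verify_proof(root, leaf, index, path):
    for sib in path:
        leaf = H(b"node", leaf, sib) if index % 2 == 0 else H(b"node", sib, leaf)
        index //= 2
    return leaf == root

@dataclass
class STR:
    epoch: int
    prev: bytes   # digest of the previous STR: the link that chains epochs
    root: bytes   # Merkle root over all (name, key) bindings of this epoch

    def digest(self):
        return H(b"str", self.epoch.to_bytes(8, "big"), self.prev, self.root)

class Directory:
    """Provider side. history[i] = (STR, snapshot of bindings) for epoch i."""
    def __init__(self):
        self.bindings, self.history = {}, []

    def set_key(self, name, key):
        self.bindings[name] = key

    def publish(self):
        names = sorted(self.bindings)
        leaves = [leaf_hash(n, self.bindings[n]) for n in names]
        root = merkle_proof(leaves, 0)[0] if leaves else H(b"empty")
        prev = self.history[-1][0].digest() if self.history else bytes(32)
        s = STR(len(self.history), prev, root)
        self.history.append((s, dict(self.bindings)))
        return s

    def lookup(self, epoch, name):
        """What a client gets back: key, leaf position, audit path and the epoch's STR."""
        s, snap = self.history[epoch]
        names = sorted(snap)
        idx = names.index(name)
        return snap[name], idx, merkle_proof([leaf_hash(n, snap[n]) for n in names], idx)[1], s

def check_binding(s, name, key, idx, path):   # client: is (name, key) really in this STR?
    return verify_proof(s.root, leaf_hash(name, key), idx, path)

def check_chain(prev, cur):                     # client: does cur extend prev?
    return cur.epoch == prev.epoch + 1 and cur.prev == prev.digest()

def audit(strs_for_one_epoch):                  # auditor: did every party see the same STR?
    return len({s.digest() for s in strs_for_one_epoch}) == 1

def run_demo():
    d = Directory()
    for n, k in [("alice", b"alice-pk-1"), ("bob", b"bob-pk-1"), ("carol", b"carol-pk-1")]:
        d.set_key(n, k)
    s0, s1 = d.publish(), d.publish()           # two honest epochs, nothing changed
    key, idx, path, s = d.lookup(1, "alice")
    out = {"honest": check_binding(s, "alice", key, idx, path) and check_chain(s0, s1)}
    # Equivocation: a fork of epoch 1, chained from the shared epoch 0, served only to bob
    # with a MITM key for alice. Proof and chain verify; only cross-comparison catches it.
    fork = Directory()
    fork.history, fork.bindings = d.history[:1], dict(d.history[0][1])
    fork.set_key("alice", b"mallory-pk")
    f1 = fork.publish()
    bkey, bidx, bpath, bs = fork.lookup(1, "alice")
    out["fork_proof"] = check_binding(bs, "alice", bkey, bidx, bpath)
    out["fork_chain"] = check_chain(s0, f1)
    out["fork_audit"] = audit([s1, f1])
    # Key substitution in the real tree at epoch 2: the proof verifies, but alice's own
    # monitor sees a key she never registered.
    d.set_key("alice", b"mallory-pk")
    d.publish()
    akey, aidx, apath, s2 = d.lookup(2, "alice")
    out["swap_proof"] = check_binding(s2, "alice", akey, aidx, apath)
    out["swap_monitor"] = akey == b"alice-pk-1"
    return out

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:13} {ok}")
```

The demo makes the division of labour concrete: a valid inclusion proof and a valid chain say nothing about whether the provider is lying to one client in particular, which is why the auditor's cross-comparison of STR digests is needed, and neither catches a key swap in the globally published tree, which is why each client must monitor its own binding every epoch.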

Hard Disk Firmware Hacking

I've not been doing much in the windows malware world for a while now, because quite frankly I've run out of ideas and I'm totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here.

A couple of years ago I started looking into BIOS rootkits (back before (U)EFI was mainstream). I was aware that most hardware had a BIOS-type setup that is usually initialized during the POST phase of the boot process, so I was looking into the possibility of modifying firmware to work in the same way as a BIOS rootkit would. My two main candidates were the GPU and Hard Disk, which I began looking into (but was mostly sandbagged by my lack of reverse engineering knowledge at the time).

My current project is on hold while I await the arrival of some expensive hardware which will allow me to overcome a setback (the manufacturer disabled the JTAG interface prior to shipping), so I decided to have a play with something I saw on spritesmods in 2013 (Hard disk hacking).



Challenging CoinVault – it's time to free those files

Some months ago we wrote a blog post about CoinVault. In that post we explained how we tore the malware apart in order to get to its original code and not the obfuscated one.

So when we were contacted recently by the National High Tech Crime Unit (NHTCU) of the Netherlands' police and the Netherlands' National Prosecutors Office, who had obtained a database from a CoinVault command & control server (containing IVs, keys and private Bitcoin wallets), we were able to put our accumulated insight to good use and accelerate the creation of a decryption tool.

more here........https://securelist.com/blog/69595/challenging-coinvault-its-time-to-free-those-files/

Analyzing Gootkit's persistence mechanism (new ASEP inside!)

Analysis of Adobe Flash Player shared ByteArray Use-After-Free Vulnerability

In February, just a few days after CVE-2015-0311 was found being exploited in the wild, a new Adobe Flash Player vulnerability popped up.

Trend Micro and SpiderLabs have already published their analysis of the bug, but I thought it would be worth providing my own analysis, which I carried out in order to create a reliable exploit from scratch for our products Core Impact Pro and Core Insight.

We’ll go through the avmplus source code and IDA in order to fully understand the root cause of the vulnerability here.........https://blog.coresecurity.com/2015/04/13/analysis-of-adobe-flash-player-shared-bytearray-use-after-free-vulnerability/

Booby-trapped Hugo Boss Advert Spreads Cryptowall Ransomware


SPEAR - Redirect to SMB

We’ve uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability, which we have dubbed Redirect to SMB.  Carnegie Mellon University CERT disclosed the vulnerability to the public today (#VU672268), following six weeks of working with vendors to help them mitigate the issue.

more here.......http://blog.cylance.com/redirect-to-smb
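The client-side bug class behind Redirect to SMB is that a Windows URL handler follows an HTTP redirect to a file:// or UNC target and then lets the SMB client authenticate to that host automatically, handing the attacker the user's NTLMv2 challenge/response. The following is an added example, not Cylance's code: a local stand-in for a MITM'd or attacker-run HTTP server answers every request with a 302 to an SMB share, and two small redirect handlers show the vulnerable pattern (trust the Location header as-is) beside the hardened one (allow-list the scheme before opening the target). The attacker host 10.0.0.5, the share path and the /update endpoint are hypothetical.

```python
"""Redirect to SMB, client side (added example). A constructed local HTTP server redirects
to a file:// URL; follow_naively() returns that URL as a vulnerable client would open it,
follow_safely() refuses it. Attacker host and paths are hypothetical."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ATTACKER_SHARE = "file://10.0.0.5/share/update.exe"   # hypothetical attacker-controlled SMB host
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

class _Redirector(BaseHTTPRequestHandler):
    """Constructed stand-in for the MITM'd update server: every GET is a 302 to the share."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", ATTACKER_SHARE)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the demo output quiet
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), _Redirector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def _get_location(host, port, path):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")

def is_safe_redirect(location):
    """Accept only absolute http(s) targets. file://, UNC (\\\\host\\share) and scheme-less
    strings all fail: a Windows URL handler would pass any of them to the SMB client,
    which authenticates to the remote host without asking the user."""
    if not location:
        return False
    return urlsplit(location).scheme.lower() in ALLOWED_SCHEMES

def follow_naively(host, port, path="/update"):
    """Vulnerable pattern: the Location header is trusted wholesale."""
    status, loc = _get_location(host, port, path)
    return loc if status in REDIRECT_CODES else None

def follow_safely(host, port, path="/update"):
    """Hardened pattern: scheme allow-list before the target is opened."""
    status, loc = _get_location(host, port, path)
    if status not in REDIRECT_CODES:
        return None
    if not is_safe_redirect(loc):
        return None                 # refuse; a real client would also log the attempt
    return loc

if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("naive client would open:", follow_naively("127.0.0.1", port))
    print("safe client opens:      ", follow_safely("127.0.0.1", port))
    srv.shutdown()
```

Two practical caveats: a real client resolves relative Location values against the original URL (urljoin) before checking the scheme, so a bare path is not automatically unsafe, and the application-level check only protects code you control. The network-level mitigation is to block outbound TCP 139 and 445 at the perimeter so that a redirect which does slip through cannot reach an Internet-hosted SMB server.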

Yara Rule to detect Backspace Malware

Zero Access Malware

The Zero Access trojan (Maxx++, Sierief, Crimeware) has affected millions of computers worldwide, and it is the number one cause of cyber click fraud and Bitcoin mining on the Internet. Once the trojan has been delivered into the system, it begins to download many other types of malware that can each cause a great deal of damage to an organization.

The trojan’s primary infection vectors are spam mail and exploit kits, but it can also be distributed by P2P file sharing services and fake cracks and keygens. The trojan is unique in that it connects to a P2P botnet chain, which makes it very difficult to dismantle the botnet as a whole.

more here......http://resources.infosecinstitute.com/zero-access-malware/

Paper: A Comparative Study of Email Forensic Tools

Abstract
Over the last decades, email has been the major carrier for transporting spam and malicious content over the network. Email is also the primary source of numerous criminal activities on the Internet. Computer forensics is a systematic process to retain and analyze saved emails for the purpose of legal proceedings and other civil matters. Email analysis is challenging due not only to the various fields that can be forged by hackers or malicious users, but also to the flexibility of composing, editing and deleting emails using offline (e.g., MS Outlook) or online (e.g., web mail) email applications. Towards this direction, a number of open source forensics tools have been widely used by practitioners. However, these tools have been developed in an isolated manner rather than through a collaborative approach, and email forensic tool users need to understand to what extent a tool would be useful for their circumstances in order to conduct forensic analysis accordingly. In this paper, we examine a set of common features to compare and contrast five popular open source email forensic tools. The study finds that not all email forensic tools are similar; they offer diverse types of facilities. By combining analysis tools, it may be possible to gain more detailed information in the area of email forensics.

more here........http://www.forensicmag.com/sites/forensicmag.com/files/JIS_2015041015341322.pdf?

Metasploit: Apple OS X Rootpipe Privilege Escalation

A Tale of Two Exploits

CVE-2015-0336 is a type confusion vulnerability in the AS2 NetConnection class. I reported this issue in January and soon wrote a proof-of-concept exploit for the bug. The issue was patched by Adobe in March and less than a week later, in what was likely a case of bug collision, it was found in two exploit kits in the wild. This created an interesting opportunity to compare a real exploit to a theoretical one and better understand how attackers exploit Flash vulnerabilities.

more here.........http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html

Last-minute tax declarations lead to IRS-themed Ransomware

Oh, how procrastination gets all of us! April 15th is the U.S. tax deadline and it looks like most of us will be coming down to the wire on declaring our taxes and holding our collective breath in expectation of that sweet, sweet refund. Sadly, our malware writing friends are aware of this and their discipline has proven far superior. Knowing that many are on the lookout for emails from the Internal Revenue Service concerning pending refunds, criminals have crafted some of their own.

more here...........http://securelist.com/blog/research/69605/your-tax-refund-with-a-data-kidnapping-twist/

ASN.1 vs DER vs PEM vs x509 vs PKCS#7 vs

Prosecutors suspect man hacked lottery computers to score winning ticket

Exploits for CVE-2015-1318 and CVE-2015-1862 which are bugs in Apport (Ubuntu) and Abrt (Fedora)

In Apport, an unprivileged user can use a namespace-based attack because there is an execve by root after a chroot into a user-specified directory.
Apport/Abrt vulnerability demo exploit here......https://gist.github.com/taviso/0f02c255c13c5c113406
In ABRT, an unprivileged user can use the same namespace-based attack, because there too root calls execve after a chroot into a user-specified directory. ABRT also suffers from race conditions and symlink problems, as noted by Kurt Seifried of Red Hat.

A race condition exploit for CVE-2015-1862, targeting Fedora, here....https://gist.github.com/taviso/fe359006836d6cd1091e
Additionally, some bugs in crash analysis frameworks on Ubuntu/Fedora/others here....http://www.openwall.com/lists/oss-security/2015/04/14/4

Both CVEs were reported by Tavis Ormandy.

Attacker controlled HTTP statuscode + HTML Entity Encoded payload = XSS

IDA: What's new in 6.8

This is mainly a maintenance release, so our focus was on fixing bugs. However, there are some improvements too:
Support for long names. In previous versions of IDA, names were limited to 511 bytes. This was causing problems, especially with long mangled C++ names (e.g. Boost names). We removed this limitation in many places in IDA. The work is not complete, there are still some areas where the limitation exists, but overall the listings are more readable now.
Dalvik: added support for OAT files
PPC: support for Power ISA 2.07
Better analysis of prolog code; better register tracking, especially for ARM
Lots of vulnerabilities fixed thanks to the submissions to our bug bounty program

more here.......https://www.hex-rays.com/products/ida/6.8/index.shtml