Posts

Showing posts from 2011

Malicious Password-protected Documents used in Targeted Attacks

Malicious Password-protected Documents used in Targeted Attacks : Recently, we discovered malware in the wild in the form of document files, such as PDF and Word, using password protection. The malware is used as attachments in email in limited, targeted attacks. Passwords for document files are commonly used to prevent unauthorized access to the files by encrypting them with passwords. However, attackers are misusing the password feature to encrypt files, most likely to make it difficult for security products to detect them as malware. It also makes reverse-engineering the files difficult because they need to be decrypted before analysis can be performed. These malware themselves aren’t anything special. They are no different to the common attachments used in typical targeted attacks except for the fact that they require passwords to be opened. Various office suite software includes a password encryption feature, so document files are not the only type that can be used for this sort ...

More information about the December 2011 ASP.Net vulnerability

More information about the December 2011 ASP.Net vulnerability : Today, we released Security Advisory 2659883 alerting customers to a newly disclosed denial-of-service vulnerability affecting several vendors’ web application platforms, including Microsoft’s ASP.NET. This blog post will cover the following:

Impact of the vulnerability
How to know if your configuration is vulnerable to denial-of-service
How to detect the vulnerability being exploited at network layer
How to detect the vulnerability being exploited on the server
Background on the workaround to protect your website

Impact of the vulnerability: This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade signific...

PDF Malware Protected by AES-256

PDF Malware Protected by AES-256 : Adobe Systems released a security update for Adobe Acrobat and Reader 9.x for Windows on December 16, 2011, in order to fix a zero-day vulnerability. As Vikram Thakur reported recently, there have been zero-day attacks using this PDF vulnerability, dropping Backdoor.Sykipot on to the compromised computer. We have found another variant of PDF malware in the wild using the same vulnerability. This version of PDF malware uses an encryption method that is found natively in the PDF specifications. As I wrote in my Portable Document Format Malware whitepaper, the encryption method used by PDF malware has changed from RC4 to AES. AES specifies that the encryption key is 128 bits in length. However, this variant adopts AES-256 as the encryption method, with a key length of 256 bits. The specification for the encryption method using AES-256 in a PDF is described as an extension of the ISO32000 version of the PDF specification. It is able to download the PDF ex...

In Possible Targeted Attack, Amnesty International Web Site Found Serving Malware

In Possible Targeted Attack, Amnesty International Web Site Found Serving Malware : Amnesty International’s United Kingdom website was compromised late last week and was being used to exploit a known Java runtime environment hole on machines belonging to unwitting visitors to the site, according to Barracuda Labs researcher Paul Royal.

Android Malware Analysis: A How-To

Nice presentation by Alex Kirk on doing Android malware analysis: While mobile malware comprises only a tiny fraction of the overall landscape in terms of volume, it is fast becoming essential to address from an enterprise security standpoint. Unfortunately, very few people would even have a clue where to start if charged with analyzing a program on a smart phone. This disconnect provided the rationale for a presentation I recently gave at Hack in the Box Malaysia on how to go from "I've got an Android APK file, now what?" to full static and dynamic analysis. The slides, available here, contain links to a number of useful tools. The good news for longtime readers of this blog is that the process is even easier now than it was when Alain Zidouemba discussed reversing Android apps last August. Free software is available that can deliver the original Java source for any given Android app. My presentation also provides an overview of the Android permissions system and its re...

Test

Today's Ramblings

Updated W32.Stuxnet Dossier is Available
'Sloppy' Chinese hackers scored data-theft coup with 'Night Dragon'
Data Breach and Encryption Handbook
Salesman: Hackers use Chinese company's servers
Mallory – Transparent TCP & UDP Proxy
Chinese hackers behind espionage attacks hitting Western oil firms?