Posts

Showing posts from January, 2012

Malware Leveraging MIDI Remote Code Execution Vulnerability Found

Malware Leveraging MIDI Remote Code Execution Vulnerability Found : Earlier today, we encountered malware that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003). The vulnerability is triggered when the Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code. In the attack that we found, the infection vector is a malicious HTML file which we found hosted on the domain hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are a MIDI file detected as TROJ_MDIEXP.QYUA and a JavaScript file detected as JS_EXPLT.QYUA. HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Be...

Anonymous Goes After World Governments in Wake of Anti-SOPA Protests

Anonymous Goes After World Governments in Wake of Anti-SOPA Protests : @AnonyOps in an interview with Wired. Credit: Annaliza Savage/Wired. Over the last week, Anonymous has launched an unprecedented string of attacks on government and business sites around the world, as the anger of the hive that a year ago turned on Egypt’s Mubarak regime turned on governments around the world. The continuous DDoS and hacking attacks by Anonymous seem to be largely a response to proposals to strengthen intellectual property law at the expense of an open internet, and to what Anonymous perceives as overreach by various governments. After attacks on the websites of U.S. government agencies and major American rightsholder groups in response to the arrests of employees of the file sharing site Megaupload, a new internationalist round started after a tweet on Saturday by a high-profile Anonymous Twitter account, AnonyOps: If you hated #SOPA, you’ll burst into flames about #ACTA http://is.gd/Bo68r4...

The MegaUpload Shutdown Effect

The MegaUpload Shutdown Effect : The popular file sharing site MegaUpload was shut down by the US FBI and Department of Justice on Thursday, January 19, and executives from the company were taken into custody. This story is very well covered by the Wall Street Journal and includes a copy of the indictment for your reading. As you would expect, this was a wildly popular site with users from all over the world, so much so that even notable celebrities appear in a video discussing MegaUpload, almost endorsing it. Previous work by Arbor Networks showed that content providers and hosting sites like MegaUpload are the new “Hyper Giants”. With enough global data, you can actually see the traffic drop when the shutdown occurs. Based strictly on the traffic rates, it appears that the shutdown started just after 19:00 GMT on January 19, with traffic plummeting over the next two hours. The graphic here shows three main client regions – Asia-Pacific, Europe, and the US. Over the past 24 hou...

Facebook Spammers Use Amazon's Cloud

Facebook Spammers Use Amazon's Cloud : Facebook has recently been doing a decent job at keeping survey spam posts at bay (all things considered). So, what's an entrepreneurial Facebook spammer to do? Well, some have tweaked their master plan and expanded their use of "cloud" services. Using Amazon's S3 file hosting service solves quite a few problems for these perpetrators. Number 1, Amazon's S3 web service is pretty inexpensive to set up, so they can still earn from the surveys. Number 2, because Facebook has been pretty successful at blocking suspicious URLs linked to spam, hosting their scam's code on a trusted and popular domain such as amazonaws.com gives them a better chance to sneak through Facebook's protections. The diagram below shows the whole flow of the scheme. All browsers other than Chrome and Firefox are served with a survey page, thereby ending in actual monetization if the spammer's surveys are filled out and submitt...

‘Citadel’ Trojan Touts Trouble-Ticket System

‘Citadel’ Trojan Touts Trouble-Ticket System : Underground hacker forums are full of complaints from users angry that the developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as a social network that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike. A screenshot of the Citadel botnet panel. The ZeuS offshoot, dubbed Citadel and advertised on several members-only hacker forums, is another software-as-a-service malware development. Its target audience? Those frustrated with virus writers who decide that coding their next creation is more lucrative and interesting than supporting current clients. “It's no secret that the products in our field — without support from the developers — result in a piece of junk on ...

DreamHost hacked, mass password-reset issued

DreamHost hacked, mass password-reset issued : According to a blog post at DreamHost Status Blog, the company has detected a security breach at one of their database servers.

Mobius Forensic Toolkit 0.5.10 – Forensics Framework To Manage Cases & Case Items

Mobius Forensic Toolkit 0.5.10 – Forensics Framework To Manage Cases & Case Items : Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools. Installation: as root, type python setup.py install. Usage: run mobius_bin.py. You can... Read the full post at darknet.org.uk

Japanese Space Agency Loses Data After Computer Infection

Japanese Space Agency Loses Data After Computer Infection : The Japanese Aerospace Exploration Agency (JAXA) is the latest high-profile government agency in that country found to be infected with a computer virus.

Droid Device as a Portable Memory Forensics Platform?

Droid Device as a Portable Memory Forensics Platform? : Continuing on the recent Droid theme, you may be interested in checking out a recent blog post, “Running Volatility Memory Forensics Framework on your Android Phone!”. Unlike previous posts, which discussed analyzing Android devices with Volatility, this post describes how to get Volatility running on your Droid device. Imagine if FireWire was more ubiquitous…! Shoutz to J-SP8s!

Zappos hacked, 24 million affected

Zappos hacked, 24 million affected : The attackers may have swiped names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or cryptographically scrambled passwords.

bro ids install notes on ubuntu 11

I was recently asked to test out Bro IDS. First of all, you need to get all the dependencies ready before compiling the bro-ids source code:
sudo apt-get install libncurses5-dev g++ bison flex libmagic-dev libgeoip-dev libssl-dev libpcap-dev libpcap0.8-dev byacc
Next step, download the stable bro release: http://www.bro-ids.org/downloads/release/bro-1.5.3.tar.gz
Assume that you put it on your desktop. Type "cd Desktop/" to go to the desktop folder. Unzip the tarball by using "tar zxvf bro-1.5.3.tar.gz", then:
cd bro-1.5.3
./configure
make
make install-broctl
Navigate to the folder /usr/local/bro/etc/ and edit the config files. broctl.cfg is the overall BroControl configuration; initially, you probably only need to edit the email address for mails sent by the framework, which is the MailTo line. In node.cfg, you need to specify the network interface Bro is to monitor; that's the interface line. In networks.cfg, list all t...

Digital Forensics Case Leads: New version of REMnux, tools for imaging iPhone and Android devices, and a list of "Best Reads" from 2011

Digital Forensics Case Leads: New version of REMnux, tools for imaging iPhone and Android devices, and a list of "Best Reads" from 2011 : This week's edition of Case Leads features a new version of REMnux for malware analysis, and we have two tools for collecting forensic images from iPhone and Android devices. We also have a couple of articles on Android memory analysis and the use of open source digital forensics tools to validate commercial tools. As always, if you have an item you'd like to share for Digital Forensics Case Leads, please send it to caseleads@sans.org. Tools: Version 3 of REMnux for reverse engineering malware is now available as a VMware virtual appliance and a Live ISO. The latest version is based on Ubuntu 11.10 and includes significant updates to the Volatility Framework (memory analysis) and Origami Framework (PDF analysis). This version of REMnux includes several analysis tools that were not in previous versions. The newly add...

IRC bot for Android

IRC bot for Android : Not so long ago we found a very interesting piece of malware for Android. Unfortunately, it is not clear how it was spread, but in any case it’s worth mentioning. The malicious application presents itself as the ‘MADDEN NFL 12’ game after installation. The file size is over 5 MB, and it is actually a Trojan that drops a set of malware components onto the system: a root exploit, an SMS Trojan and an IRC bot. The .class file "AndroidBotAcitivity" implements this dropper functionality. It creates a ‘/data/data/com.android.bot/files’ directory and sets ‘777’ permissions (read/write/execute for all users). After that it extracts three files - ‘header01.png’ (root exploit), ‘footer01.png’ (IRC bot), ‘border01.png’ (SMS Trojan) - into this directory. Then it sets ‘777’ permissions on the root exploit file and executes it. Finally, it displays the text ‘(0x14) Error - Not registred application’ on the screen. If the exploit is executed successfully and the device is roote...