Investigation of a new undocumented instruction trick – Microsoft Malware Protection Center – Site Home – TechNet Blogs

While investigating some new malware samples this week, we came across a few interesting files that use a new trick with an undocumented instruction. We had to do a bit of digging around the Intel instructions list to solve this little mystery. While it turned out that the trick itself isn’t effective in complicating debugging and disassembly, we think it’s worth sharing anyway, as we’re now seeing three different malware variants using it.

via Investigation of a new undocumented instruction trick – Microsoft Malware Protection Center – Site Home – TechNet Blogs.

Microsoft joins list of recently hacked companies – Computerworld

Microsoft finds APT ignored Windows systems and attacked their Macs. Interestingly, everyone else assumed it was their Windows systems. Just some humor at Microsoft’s expense, but it is a funny statement for Microsoft’s CIRT to mention their Mac business unit.

“During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations,” the company said on its Security Response Center website Friday.

via Microsoft joins list of recently hacked companies – Computerworld.

Red October – Indicators of Compromise and Mitigation Data – AlienVault Labs

This is a nice collection of information on Red October from a partnership between Kaspersky and AlienVault Labs.

—————————

Together with our partner, Kaspersky, we’re releasing a whitepaper on the “indicators of compromise” that can be useful to detect and mitigate the threats from Red October. It contains indicators to detect most of the Red October activity in your systems and networks. Inside the whitepaper you will find snort rules as well as an OpenIOC file that you can use to check your systems for activity related to this cyber espionage campaign.

via Red October – Indicators of Compromise and Mitigation Data – AlienVault Labs.

contagio – Batchwiper Samples

The latest investigation, done by the Maher center in cyberspace, identified a new targeted data-wiping malware. Preliminary analysis revealed that this malware wipes files on different drives at various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software.

via contagio.

Exploiting Universal Plug-n-Play protocol, insecure security cameras & network printers

A plethora of vulnerable devices due to the flaws in the Universal Plug and Play protocol put around 50 million at risk; somewhere in the neighborhood of about 58,000 security camera systems are vulnerable to hacking, and exploiting network printers top the list today for potential security mayhem.

via Exploiting Universal Plug-n-Play protocol, insecure security cameras & network printers.

Counterattack! Suspected hacker caught on HIS WEBCAM, while spying on Georgia | Naked Security

The country of Georgia has long blamed hackers based in Russia for attacks upon its computer networks, injecting malicious code into websites, and planting spyware to steal classified information.

Now the Georgian government’s CERT (Computer Emergency Response Team) claims it has linked an internet attack to Russia’s security services, and even turned the tables on a hacker it believes was involved by secretly taking over his computer and taking video footage of him.

via Counterattack! Suspected hacker caught on HIS WEBCAM, while spying on Georgia | Naked Security.

Open DNS resolvers increasingly abused to amplify DDoS attacks, report says – Computerworld

An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target’s IP address. As a result, the resolvers will send their large responses back to the victim’s IP address instead of the sender’s address.

In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.

via Open DNS resolvers increasingly abused to amplify DDoS attacks, report says – Computerworld.
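The amplification described in the Computerworld excerpt above is visible on the resolver side as a burst of small queries from one address that all draw large answers. The script below is an added example (not from the article or any resolver vendor) of that detection logic run over a constructed log: the log format, the addresses, the sizes and the thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed resolver log format (constructed for this example, not any real
# server's format): "<ISO timestamp> <client ip> <qtype> <qname> <query bytes> <response bytes>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

# Constructed sample: a few ordinary lookups from one client, then a burst of
# identical large-answer queries whose source address is the spoofed victim.
BENIGN_LINES = [
    "2013-01-15T10:00:01 203.0.113.7 A www.example.com 45 61",
    "2013-01-15T10:00:05 203.0.113.7 AAAA www.example.com 45 73",
    "2013-01-15T10:00:09 203.0.113.7 MX example.com 41 98",
]
FLOOD_LINES = [
    f"2013-01-15T10:00:{i % 60:02d} 198.51.100.9 TXT example.net 58 3120"
    for i in range(120)
]
SAMPLE_LOG = BENIGN_LINES + FLOOD_LINES


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname, qlen, rlen = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "qtype": qtype,
            "qname": qname, "qlen": int(qlen), "rlen": int(rlen)}


def max_queries_in_window(records, window_seconds):
    """Largest number of queries from one source inside any window_seconds span."""
    times = sorted(r["ts"] for r in records)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_amplified_sources(lines, window_seconds=60, min_queries=50, min_ratio=10.0):
    """Flag source addresses that receive many large answers for small queries.
    The thresholds are assumed starting points, not tuned values."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)
    findings = {}
    for client, recs in per_client.items():
        query_bytes = sum(r["qlen"] for r in recs)
        response_bytes = sum(r["rlen"] for r in recs)
        ratio = response_bytes / query_bytes if query_bytes else 0.0
        burst = max_queries_in_window(recs, window_seconds)
        if burst >= min_queries and ratio >= min_ratio:
            findings[client] = {
                "queries_in_window": burst,
                "amplification": round(ratio, 1),
                "qnames": sorted({r["qname"] for r in recs}),
            }
    return findings


if __name__ == "__main__":
    for source, info in find_amplified_sources(SAMPLE_LOG).items():
        # As the excerpt notes, the logged "source" is the spoofed address,
        # i.e. the victim being flooded, not the party sending the queries.
        print(source, info)
```

Because the flagged address is the spoofed victim, the response is not to block it but to stop the resolver from answering recursive queries for the world at large (restrict recursion to your own networks, apply response rate limiting), which is the mitigation the report's "open resolver" framing points to.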

How a Google Headhunters E-Mail Unraveled a Massive Net Security Hole | Threat Level | Wired.com

The problem lay with the DKIM (DomainKeys Identified Mail) key Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.

via How a Google Headhunters E-Mail Unraveled a Massive Net Security Hole | Threat Level | Wired.com.
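The Wired excerpt above describes the verifier fetching the signer's public key from DNS; one check a defender can run on that key is to read the RSA modulus out of the selector's TXT record and confirm it is large enough. The code below is an added example, not Google's or Wired's code: it parses the `v=DKIM1; k=rsa; p=...` record syntax from RFC 6376 with a minimal DER walker, and uses an assumed 1024-bit minimum policy. The `build_dkim_record` helper only constructs test records around a made-up modulus so the check can be exercised offline.

```python
import base64

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded contents
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """DER INTEGER: big-endian, with a leading 0x00 if the high bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(0x02, body)


def build_dkim_record(modulus, exponent=65537):
    """Wrap a SubjectPublicKeyInfo in a 'v=DKIM1; k=rsa; p=...' TXT record.
    Only used to construct test records here; the modulus is a placeholder
    integer, not a real RSA modulus, which is enough to exercise the size check."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return
    the bit length of the modulus n."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    _, n_bytes, _ = _read_tlv(rsa_key, 0)     # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' (RFC 6376 section 3.6.1 syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_record(txt, min_bits=1024):
    """Verdict for one selector record; min_bits is an assumed local policy."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"ok": False, "reason": "unknown version"}
    if tags.get("k", "rsa") != "rsa":
        return {"ok": False, "reason": "unsupported key type " + tags["k"]}
    if not tags.get("p"):
        return {"ok": False, "reason": "key revoked (empty p=)"}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return {"ok": bits >= min_bits, "bits": bits,
            "reason": "" if bits >= min_bits else f"RSA modulus only {bits} bits"}


if __name__ == "__main__":
    for size in (512, 2048):
        record = build_dkim_record((1 << (size - 1)) | 1)  # constructed modulus
        print(size, check_dkim_record(record))
```

In practice the record text comes from a TXT lookup of `<selector>._domainkey.<domain>`; the size check is worth running against your own selectors, since a verifier that accepts whatever key it finds in DNS is only as strong as the smallest key published there.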

How to encrypt your cloud storage for free

BoxCryptor is basically a virtual hard disk that encrypts files on the fly using 256-bit AES encryption. Unlike TrueCrypt, another popular on-the-fly encryption tool, BoxCryptor encrypts individual files, not an entire volume or container. That means that your BoxCryptor-encrypted files sync with your cloud storage service immediately after you save them, whereas with TrueCrypt syncing occurs only after you finish encrypting an entire volume.

via How to encrypt your cloud storage for free.

Researchers find critical vulnerability in Java 7 patch hours after its release | Security – InfoWorld

Java continues to be the target of choice for attackers in 2012. If Java isn’t needed, remove it, block it, etc. Consider blocking Java at the border of your enterprise and whitelisting sites you trust that really need it. Oracle, and previously Sun, created a product that is too difficult to patch quickly and easily. The only way they can redeem the product is to patch quicker and more seamlessly – for many security-conscious people this improvement will be too little, too late!

“Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.”

via Researchers find critical vulnerability in Java 7 patch hours after its release | Security – InfoWorld.