While investigating some new malware samples this week, we came across a few interesting files that use a new trick with an undocumented instruction. We had to do a bit of digging around the Intel instructions list to solve this little mystery. While it turned out that the trick itself isn’t effective in complicating debugging and disassembly, we think it’s worth sharing anyway, as we’re now seeing three different malware variants using it.
Microsoft finds APT ignored Windows systems and attacked their Macs. Interestingly, everyone else assumed it was their Windows systems. Just some humor at Microsoft’s expense, but it is a funny statement for Microsoft’s CIRT to mention their Mac business unit.
“During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations,” the company said on its Security Response Center website Friday.
This is a nice collection of information on Red October from a partnership between Kaspersky and AlienVault Labs.
Together with our partner, Kaspersky, we’re releasing a whitepaper on the “indicators of compromise” that can be useful to detect and mitigate the threats from Red October. It contains indicators to detect most of the Red October activity in your systems and networks. Inside the whitepaper you will find snort rules as well as an OpenIOC file that you can use to check your systems for activity related to this cyber espionage campaign.
The latest investigation by the Maher center identified a new targeted data-wiping malware. Preliminary analysis revealed that this malware wipes files on different drives at various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software.
A plethora of devices vulnerable due to flaws in the Universal Plug and Play protocol puts around 50 million of them at risk; somewhere in the neighborhood of 58,000 security camera systems are vulnerable to hacking, and exploiting network printers tops the list today for potential security mayhem.
The country of Georgia has long blamed hackers based in Russia for attacks upon its computer networks, injecting malicious code into websites, and planting spyware to steal classified information.
Now the Georgian government’s CERT (Computer Emergency Response Team) claims it has linked an internet attack to Russia’s security services, and even turned the tables on a hacker it believes was involved by secretly taking over his computer and taking video footage of him.
An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target’s IP address. As a result, the resolvers will send their large responses back to the victim’s IP address instead of the sender’s address.
In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.
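A defender-side check for the abuse described above, added here as an example and not part of the original post: it scans constructed resolver query-log lines (the log format, IP addresses and thresholds are assumptions) and flags "clients" whose tiny queries draw back responses many times larger, which on an open resolver usually marks the spoofed victim rather than a real user.

```python
import re
from collections import defaultdict

# Constructed resolver query log (not real traffic), one query per line:
# <unix-ts> <client-ip> <qtype> <qname> <request-bytes> <response-bytes>
SAMPLE_LOG = """\
1358500001 198.51.100.7 ANY example.net 64 3200
1358500001 198.51.100.7 ANY example.net 64 3200
1358500001 198.51.100.7 ANY example.net 64 3200
1358500002 203.0.113.5 A www.example.com 48 120
1358500002 198.51.100.7 ANY example.net 64 3200
1358500003 203.0.113.9 AAAA mail.example.org 52 140
1358500003 198.51.100.7 ANY example.net 64 3200
"""

LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\w+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_log(text):
    """Yield (client, qtype, req_bytes, resp_bytes) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the scan
            _, client, qtype, _, req, resp = m.groups()
            yield client, qtype, int(req), int(resp)

def per_client_stats(text):
    """Aggregate query count, ANY count and bytes in/out per source IP."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "req_bytes": 0, "resp_bytes": 0})
    for client, qtype, req, resp in parse_log(text):
        s = stats[client]
        s["queries"] += 1
        s["any"] += 1 if qtype == "ANY" else 0
        s["req_bytes"] += req
        s["resp_bytes"] += resp
    return dict(stats)

def flag_amplification(text, min_queries=5, min_ratio=10.0):
    """Return {client_ip: amplification_ratio} for sources that look abused.

    A "client" sending many tiny queries that draw responses tens of times
    larger is more likely the spoofed victim of a reflection flood than a
    real user; rate-limit (or stop answering) that address.
    """
    flagged = {}
    for client, s in per_client_stats(text).items():
        ratio = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else 0.0
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[client] = round(ratio, 1)
    return flagged
```

The same aggregation applied per query type or per response-size bucket is how resolver response rate limiting (RRL) decides what to throttle, and closing the resolver to outside clients removes the reflection surface altogether.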
The problem lay with the DKIM (DomainKeys Identified Mail) key Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.
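As an added example (not from the original post and not Google's code), the receiver-side lookup the paragraph describes: parse a constructed DKIM-Signature header, derive the DNS name under which the signing domain publishes its public key, and sanity-check the fetched key record before signature verification; the domain, selector and base64 values are placeholders, and the cryptographic verification step itself is not shown.

```python
import re

# Constructed DKIM-Signature header (placeholder domain, selector and
# base64 values; not taken from a real message). Folded over three lines.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=sel2012; h=from:to:subject:date; bh=ZmFrZWhhc2g=;\r\n"
    " b=ZmFrZXNpZ25hdHVyZQ=="
)

def parse_tags(value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_lookup_name(header):
    """Return (dns_name, tags): the TXT name a receiver queries for the key."""
    tags = parse_tags(header.split(":", 1)[1])
    missing = [t for t in ("v", "a", "d", "s", "bh", "b") if t not in tags]
    if missing:
        raise ValueError(f"DKIM-Signature missing required tags: {missing}")
    if tags["v"] != "1":
        raise ValueError("unsupported DKIM-Signature version")
    # Key records live at <selector>._domainkey.<signing-domain>
    return f"{tags['s']}._domainkey.{tags['d']}", tags

def check_key_record(txt_record, sig_tags):
    """Check the published key record before attempting verification.
    Returns a list of problems; an empty list means the key is usable."""
    rec = parse_tags(txt_record)
    problems = []
    if rec.get("v", "DKIM1") != "DKIM1":
        problems.append("unknown key record version")
    if not rec.get("p"):  # an empty p= means the key has been revoked
        problems.append("key revoked (empty p=)")
    key_type, sig_alg = rec.get("k", "rsa"), sig_tags["a"].split("-", 1)[0]
    if key_type != sig_alg:
        problems.append(f"key type {key_type} does not match signature {sig_alg}")
    if "y" in rec.get("t", ""):  # t=y: domain is testing, verifiers should not enforce
        problems.append("domain is in testing mode (t=y)")
    return problems
```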
BoxCryptor is basically a virtual hard disk that encrypts files on the fly using 256-bit AES encryption. Unlike TrueCrypt, another popular on-the-fly encryption tool, BoxCryptor encrypts individual files, not an entire volume or container. That means that your BoxCryptor-encrypted files sync with your cloud storage service immediately after you save them, whereas with TrueCrypt syncing occurs only after you finish encrypting an entire volume.
Java continues to be the target of choice for attackers in 2012. If Java isn’t needed, remove it, block it, etc. Consider blocking Java at the border of your enterprise and whitelist sites you trust that really need it. Oracle, and previously Sun, created a product that is too difficult to patch quickly and easily. The only way they can redeem the product is to patch quicker and more seamlessly – for many security-conscious people this improvement will be too little, too late!
“Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.”