
Black Hat talk to reveal analysis of hacker fingerprints: Cyber Highlights July 21, 2010

By Kelli Tarala | July 22, 2010

Looking deeper within malware yields fingerprints of the hackers who write the code, and that could result in signatures that have a longer lifetime than current intrusion-detection schemes, Black Hat 2010 attendees will be told July 28 and 29. Analysis of the binaries of malware executables also reveals characteristics about the intent of the attack code that could make for more efficient and effective data defenses, said the CEO of HBGary, whose briefing “Malware Attribution: Tracking Cyber Spies and Digital Criminals” is scheduled for the Las Vegas conference. The CEO said this analysis uncovers tool marks — signs of the environments in which the code was written — that can help identify code written by the same person or group based on what combination of tools they use. For example, his research looked under the covers of one malware executable whose fingerprint included use of Back Orifice 2000, UltraVNC remote desktop software, and code from a 2002 Microsoft programming guide. Each program was slightly modified, but the information available amounted to a good fingerprint. The malware was a remote access tool (RAT), and RAT generators such as Poison Ivy could have created unique RAT code for each use, but that is not the route this attacker chose. Identifying this RAT in other instances of malware can link groups of malicious code to a common author or team. The CEO found these fingerprints last a long time. Once written, the binaries themselves are altered only infrequently, so employing these fingerprints as malware signatures will be more useful for longer periods.
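The idea above, signatures built on a combination of tool marks rather than on exact bytes, as an added example (not HBGary's tooling): the marker strings and the three sample binaries are constructed placeholders, and the grouping shows which samples a signature on that combination would catch.

```python
# Added example (not HBGary's tooling): fingerprint malware samples by the
# combination of toolkit "tool marks" they embed, then cluster by that combination.
from typing import Dict, FrozenSet, List

# Constructed placeholder markers. Real tool marks are strings, resource names or
# code sequences taken from the toolkits themselves; these stand in for them.
TOOL_MARKS: Dict[str, List[bytes]] = {
    "bo2k":     [b"bo2k_plugin_v1", b"bo_peep"],
    "ultravnc": [b"ultravnc", b"vncviewer.exe"],
    "msdn2002": [b"copyright (c) 2002 sample code", b"myregisterclass"],
}

def tool_marks(blob: bytes) -> FrozenSet[str]:
    """Return the toolkit families whose markers occur anywhere in the binary.
    Matching is case-insensitive so that lightly edited copies still match."""
    lowered = blob.lower()
    return frozenset(
        family for family, markers in TOOL_MARKS.items()
        if any(m in lowered for m in markers)
    )

def fingerprint(blob: bytes, min_families: int = 2) -> FrozenSet[str]:
    """A single mark is weak evidence; only a combination of at least
    min_families toolkits counts as a fingerprint (empty set otherwise)."""
    marks = tool_marks(blob)
    return marks if len(marks) >= min_families else frozenset()

def cluster_by_fingerprint(samples: Dict[str, bytes]) -> Dict[FrozenSet[str], List[str]]:
    """Group sample names sharing the same tool-mark combination, i.e. the
    samples a signature built on that combination would also catch."""
    groups: Dict[FrozenSet[str], List[str]] = {}
    for name, blob in samples.items():
        groups.setdefault(fingerprint(blob), []).append(name)
    return groups

# Constructed stand-ins for RAT binaries: a and b embed the same three marks
# with different surrounding bytes, c carries only one.
SAMPLES: Dict[str, bytes] = {
    "sample_a.bin": b"MZ\x90\x00" + b"\x00" * 16 + b"BO2K_PLUGIN_V1" + b"\x00" * 8
                    + b"UltraVNC" + b"\x00" * 4 + b"MyRegisterClass",
    "sample_b.bin": b"MZ\x90\x00" + b"bo_peep" + b"\x00" * 32 + b"vncviewer.exe"
                    + b"\x00" * 2 + b"Copyright (c) 2002 Sample Code",
    "sample_c.bin": b"MZ\x90\x00" + b"UltraVNC" + b"\x00" * 64,
}

if __name__ == "__main__":
    for combo, names in cluster_by_fingerprint(SAMPLES).items():
        print(sorted(combo) or "no fingerprint", "->", names)
```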

Full Story:
http://www.networkworld.com/news/2010/071910-black-hat-fingerprint.html?hpg1=bn

Report: U.S. intelligence community inefficient, unmanageable
The September 11th attacks have led to an intelligence community so large and unwieldy that it is unmanageable and inefficient — and no one knows how much it costs, according to a two-year investigation by the Washington Post. The article appeared in the July 19 edition. Although officials in the intelligence community were concerned about the content of the newspaper articles ahead of publication, what troubled them most was the “interactive” component of the series, which they said lists the locations where the CIA, the National Security Agency, and the other agencies that make up the intelligence community have facilities. Many of those sites are not publicly known, some officials said. Officials worried about the security implications of such disclosures. As one person put it, “these are targeted places to begin with … Mapping it out presents counterterrorism and counterintelligence concerns.” The officials said there have been discussions with the Washington Post to make changes to the Web site. It was not immediately known what, if any, changes were made, but an interactive map available the morning of July 19 showed more than 2,000 government work locations and nearly 7,000 for private contractors. The newspaper said it took steps to allay public-safety concerns.

Full Story:
http://www.cnn.com/2010/POLITICS/07/19/intelligence.report/

Texas gives IBM 30 days to fix things under massive contract
Texas has given IBM 30 days to address problems under a $863 million contract to centralize state agencies’ computer services and data storage, reports The Dallas Morning News. The story said Texas Department of Information Resources’ head cited 16 breaches in the deal in a sternly worded “notice to cure” letter. Among her complaints: repeated failure to back up critical state data and to bolster computer systems’ security. IBM maintained that it has lived up to the terms of the contract and called the letter “unnecessary and unjustified.”

Full Story:
http://www.itbusinessedge.com/cm/community/news/sou/blog/texas-gives-ibm-30-days-to-fix-things-under-massive-contract/?cs=42292

Yellow alert over Windows shortcut flaw
Attack code for the Windows shortcut zero-day has gone public. The development increases the risk that the attack vector, already used by the highly sophisticated Stuxnet Trojan to attack SCADA control systems, will be applied against a wider range of vulnerable systems. All versions of Windows are potentially vulnerable to the exploit, according to experts. Just viewing the contents of an infected USB stick is enough to trigger the attack, even on systems where Windows AutoPlay is disabled. Maliciously crafted Windows shortcut (.lnk) files might also be able to push malicious code through other attack routes such as Windows shares. The SANS Institute’s Internet Storm Center has responded to the heightened threat by moving to yellow alert status for the first time in years. “We believe wide-scale exploitation is only a matter of time,” wrote an ISC handler. “The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools’ ability to detect generic versions of the exploit has not been very effective so far.” Microsoft has acknowledged the problem — and published workarounds designed to guard against attack — ahead of a possible patch.

Full Story:
http://www.theregister.co.uk/2010/07/20/win_shortcut_vuln_exploit_code/

Blog platform closed due to posting of terrorist material
Web hosting company BurstNET Technologies has taken its blogging platform Blogetery.com down after a link to terrorist material, including bomb-making instructions and an al-Qaeda “hit list,” was posted to the site. In a statement regarding the termination of service to Blogetery.com, BurstNET said that on July 9 it received a notice of a critical nature from law enforcement officials and was asked to provide information regarding ownership of the server hosting Blogetery.com. It said: “Upon review, BurstNET determined that the posted material, in addition to potentially inciting dangerous activities, specifically violated the BurstNET acceptable use policy. This policy strictly prohibits the posting of ‘terrorist propaganda, racist material, or bomb/weapon instructions.’ Due to this violation and the fact that the site had a history of previous abuse, BurstNET elected to immediately disable the system.”

Full Story:
http://www.scmagazineuk.com/blog-platform-closed-down-due-to-posting-of-terrorist-material-and-bomb-making-instructions/article/174894/

Siemens advises don’t change your SCADA password
If the malware (called Stuxnet for now) was programmed to know the default password used by the SCADA (Supervisory Control And Data Acquisition) systems which manage critical operations, a person might want to seriously consider changing those default passwords, right? As a sensible precaution, yes? Unfortunately, life is not that simple. Although Siemens SCADA systems are being targeted by the Stuxnet malware (which exploits a zero-day Microsoft vulnerability in the way that Windows handles .LNK shortcuts, allowing malicious code to run when icons are displayed), the company is telling customers that they should not change their default passwords. “We will be publishing customer guidance shortly, but it won’t include advice to change default settings as that could impact plant operations,” a Siemens spokesman told journalists. That’s in spite of the fact that the password used by Siemens Simatic WinCC SCADA software was leaked onto the net some years ago. Siemens is worried that if critical infrastructure customers change their Siemens WinCC SCADA password (to hinder the malware’s attempt to access their system), they will stop Stuxnet from stealing information but could at the same time throw their systems into chaos.

Full Story:
http://www.sophos.com/blogs/gc/g/2010/07/20/malware-scada-password-siemens/

Eset discovers second variation of Stuxnet worm
Researchers at Eset have discovered a second variant of the Stuxnet worm that uses a recently disclosed Windows vulnerability to attack Siemens industrial machines. The second variant, which Eset calls “jmidebs.sys,” can spread via USB drives, exploiting an unpatched flaw in Windows involving a malicious shortcut file with the “.lnk” extension. Like the original Stuxnet worm, the second variant is also signed with a certificate, used to verify the integrity of an application when it is installed. The certificate was bought from VeriSign by JMicron Technology Corp., a company based in Taiwan. The first Stuxnet worm’s certificate came from Realtek Semiconductor Corp., although VeriSign has now revoked it, said an Eset senior research fellow. Both companies are listed as having offices in the same place, the Hsinchu Science Park in Taiwan.

Full Story:
http://www.networkworld.com/news/2010/072010-eset-discovers-second-variation-of.html?hpg1=bn

Adobe Reader to block attacks with sandbox tech
Adobe Reader will soon have an additional layer of protection against the many attacks that target the popular PDF viewer. Adobe Systems is borrowing a page from Microsoft’s and Google’s playbook by turning to sandboxing technology designed to isolate code from other parts of the computer. Adobe is adding a “Protected Mode” to the next release of Adobe Reader for Windows due out some time this year, said the director of product security and privacy at Adobe. The feature will be enabled by default and included in Adobe Reader browser plug-ins for all the major browsers. The company has no plans to add the feature to the version of its PDF (Portable Document Format) viewer for the Macintosh at this time because the vast majority of Adobe Reader downloads and exploits are on Windows, a spokeswoman said.

Full Story:
http://news.cnet.com/8301-27080_3-20011015-245.html

Argentinean government sites used in Black Hat SEO campaigns
Numerous Argentinean government Web sites were recently compromised by hackers and used in black hat search engine optimization (SEO) campaigns, according to Sunbelt Software. Security researchers said 12 government pages were involved in the spamming campaign, with some of them distributing malware as well. Also called spamdexing, black hat SEO is a technique used by cyber crooks to unethically raise search rankings. A security expert said, “What’s more scary than the spam itself, is that these sites are hacked and nobody is noticing it or taking any action to clean them up.” He added that many of the sites had been accessed through SQL injection and vulnerabilities in poorly coded custom applications.

Full Story:
http://www.thenewnewinternet.com/2010/07/19/argentinean-government-sites-used-in-black-hat-seo-campaigns/

Turkish hackers have stolen personal data of more than 100,000 Israelis
Turkish hackers have posted two large files that could expose the personal data of more than 100,000 Israeli citizens, according to news reports. Israeli observers fear the data thefts may be a concerted effort by Turkish hackers to target Israeli nationals. The two countries have been in conflict since Israeli forces intercepted a Gaza-bound aid flotilla on May 31. On July 18, an Israeli blogger said in his blog on We-CMS that he had found an Excel spreadsheet with more than 32,000 e-mail addresses and passwords published on a Turkish forum.

Full Story:
http://www.darkreading.com/security/cybercrime/showArticle.jhtml?articleID=226000027

Attackers moving to social networks for command and control
Bot herders and the crimeware gangs behind banker Trojans have had much success the last few years using bullet-proof hosting providers as their main base of operations. New research from RSA shows that the gangs behind some Trojans that are such a huge problem in some countries, especially Brazil and other South American nations, are moving quietly and quickly to using social networks as the command-and-control mechanism for their malware. The company’s anti-fraud researchers recently stumbled upon one such attack in progress and watched as it unfolded. The attack is as simple as it is effective. It begins with the crimeware gang setting up one or more fake profiles on a given social network (RSA is not naming the network). The attacker then posts a specific set of encrypted commands. When a new machine is infected with the banker Trojan, the malware checks the profile for new commands. Each command begins with a string of random characters that serves as an authentication mechanism, letting the Trojan know it has found the right commands. The rest of the encrypted string is hard-coded instructions telling the Trojan what to do next, whether to look for other machines on the network, search for saved data or log keystrokes when the user visits an online banking site. These types of attacks are increasing. There have been botnets controlled via Twitter for at least one year, and researchers found a number of examples of Facebook profiles set up specifically for malicious activity.
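The C2 pattern described above, seen from the detection side, as an added example (not RSA's code): a fixed "authentication" prefix that recurs across posts whose remainder is opaque data. The timeline is constructed, and the example assumes the command blob is posted as base64 text.

```python
# Added example (not RSA's code): flag timeline posts that look like the C2
# pattern described above, i.e. a repeated leading token followed by an opaque blob.
import math
import re
from collections import Counter
from typing import Dict, List

# Assumption: the command blob is posted as base64 text (ciphertext is opaque, so
# it has high character entropy, unlike human-written posts).
B64 = re.compile(r"^[A-Za-z0-9+/=]+$")

def shannon_entropy(s: str) -> float:
    """Bits per character of s; near 0 for repetitive text, above ~4 for ciphertext."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_opaque(body: str, min_len: int = 24, min_entropy: float = 4.0) -> bool:
    """True when the text is long, base64-shaped and high-entropy."""
    return len(body) >= min_len and bool(B64.match(body)) and shannon_entropy(body) >= min_entropy

def suspicious_prefixes(posts: List[str], min_repeats: int = 2) -> Dict[str, List[str]]:
    """Group opaque-bodied posts by their first token and keep tokens that recur:
    a bot that authenticates by a fixed prefix must reuse it on every command."""
    by_prefix: Dict[str, List[str]] = {}
    for post in posts:
        parts = post.split(maxsplit=1)
        if len(parts) == 2 and is_opaque(parts[1]):
            by_prefix.setdefault(parts[0], []).append(post)
    return {p: ps for p, ps in by_prefix.items() if len(ps) >= min_repeats}

# Constructed timeline: two "commands" share the prefix k7Qz9pLx; the rest are
# ordinary posts, low-entropy filler, and a one-off prefix that never repeats.
POSTS = [
    "Having a great day at the beach, see you all tonight!",
    "k7Qz9pLx U2FsdGVkX19hYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3",
    "Check out my new photos at http://example.com/gallery",
    "k7Qz9pLx VGhpcyBpcyBhIGNvbnN0cnVjdGVkIGVuY3J5cHRlZCBibG9i",
    "aaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "Zx81qwEr VGhpcyBpcyBhIGNvbnN0cnVjdGVkIGVuY3J5cHRlZCBibG9i",
]

if __name__ == "__main__":
    for prefix, hits in suspicious_prefixes(POSTS).items():
        print(f"prefix {prefix!r} reused on {len(hits)} opaque posts")
```

The thresholds are starting points; on a real timeline the prefix check is what separates a bot's command channel from ordinary users pasting encoded text.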

Full Story:
http://threatpost.com/en_us/blogs/attackers-moving-social-networks-command-and-control-071910

Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_072110.pdf

Topics: DHS Infrastructure Reports
