Showing posts with label analysis.

15 June, 2012

CERT's FloCon 2013 CFP

CERT's FloCon 2013 CFP is posted.

Albuquerque, New Mexico, on January 7–10, 2013.

I plan to attend.

08 June, 2012

Flame Round-up

Updated June 13 with a few more links.

I decided to write a short post with a Flame timeline, links to the related information, and a brief summary of the interesting information available at each link. I might update this post if I get comments with additional interesting links or if there are significant new developments. When possible, I'm trying to catalog technical discussion rather than news aimed at a general non-technical audience.

Note that many of the dates, on blog posts in particular, will reflect the last time the post was changed rather than the initial posting date. This can be a problem when relying on sites that do not show both a publication date and a modification date for web publications. I will note when I know of discrepancies in dates.

2012 May 28:

Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat: Kaspersky Lab posts information about new malware dubbed Flame. They were investigating incidents related to something known as Wiper on behalf of the ITU and discovered Flame in the process. Kaspersky calls Flame a "super-cyberweapon" and says its primary purpose is cyber espionage. The end of the article includes a link to The Flame: Questions and Answers, a technical FAQ. Judging by the CrySyS report (below), Wiper and Flame could actually be one and the same.

Identification of New Targeted Attack: Dated the same day as the Kaspersky Lab post, the Iranian CERTCC (MAHER) posts information gleaned from an investigation into Flame. They include bullet points listing some of Flame's behaviors and capabilities:

  • Distribution via removable media
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of the infected system looking for specific extensions and contents
  • Creating a series of the user's screen captures when some specific processes or windows are active
  • Using the infected system's attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antivirus, anti-malware and other security software
  • Capable of infecting Windows XP, Vista and 7 operating systems
  • Infecting large scale local networks

Both Kaspersky Lab and MAHER tie Flame to Stuxnet and Duqu. Kaspersky later referred to this MAHER post as having appeared on May 27 rather than on May 28, the date listed on the page itself.

CrySyS Lab publishes the first version of their 64-page sKyWIper (Flame) technical report, updated to version 1.05 as of May 31. The report states that Flame may have been active for as long as five to eight years at the time of discovery. The report details modules, encryption, activation, propagation, component descriptions, C&C details, scripts, and evasion techniques.

2012 June 01:

OpenDNS provides a timeline of command and control domain registrations. Domains were registered and active as far back as 2008.

The New York Times publishes an article, Obama Ordered Wave of Cyberattacks Against Iran, detailing efforts directed first by the Bush administration and expanded by the Obama administration to use cyberattacks to slow Iranian nuclear development. The article ties the attacks most directly to Stuxnet and was adapted from David E. Sanger's new book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.

2012 June 03:

Microsoft issues Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing after revelations that Flame was using an MD5 collision together with certificates chained from the Terminal Server Licensing Service to sign code, allowing Windows Update to be spoofed. Microsoft issued an out-of-band update that moved the three affected intermediate certificates to the Untrusted Certificate Store.

2012 June 04:

ArsTechnica rounds up links, quotes, and information in "Flame" malware was signed by rogue Microsoft certificate. I will not repeat their work, but instead say that they did a good job providing information along with links to more detailed posts and articles from the various players that have been active in the dissemination of information about Flame.

Kaspersky Lab posts The Roof is on Fire: Tackling Flame's C&C Servers. The post includes a chart comparing Duqu and Flame command and control infrastructure, from choice of OS (CentOS for Duqu, Ubuntu for Flame) to number of known C&C domains (80+ for Flame), and more. They go into great detail about the C&C architecture, including the domains being purchased primarily through GoDaddy, the fake identities used for registration, the technical details of the C&C infrastructure, and a list showing the geographic distribution of infections. OpenDNS's timeline links to this Kaspersky Lab post, so it was presumably published around the same day, June 01, and then updated later.

2012 June 05:

Bitdefender Labs details how Flame uses USB drives and old-fashioned sneakernet to move data off systems that are not connected to the Internet and onto systems that have previously connected to Flame's C&C servers. FLAME – The Story of Leaked Data Carried by Human Vector also mentions how Flame differs from much other malware, for instance its very large file sizes and its lack of anti-debugging or anti-reversing code.

2012 June 06:

Microsoft Security Research and Defense posts Flame malware collision attack explained. This goes into detail and is well worth reading. Notable is that on Windows versions older than Vista a certificate issued by the Terminal Server Licensing Service could have been used to sign code without any MD5 collision; on Vista and later, that certificate's extensions would have been rejected for code signing, so the attackers needed the collision attack to forge a certificate that these versions would accept.

ArsTechnica also posts on the subject and links to the same MS post, among others, in their Flame's "god mode cheat code" wielded to hijack Windows 7, Server 2008. Included is a link to a write-up about a theoretical MD5 chosen-prefix collision attack dating back to 2007, which itself was an extension of the MD5 collision work from 2004. In 2008, the attack went from theoretical to practical.
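The collision described in the June 03 advisory and the June 06 MSRC post only mattered because a certificate in the chain was signed with MD5. As an added example (not code from any of the posts linked above), here is a stdlib-only Python check a practitioner can run over a DER certificate chain to flag members whose signature uses an MD5-based algorithm. The DER helpers, the `fake_cert` builder and the constructed two-certificate `CHAIN` are assumptions made for this example; on real input, pass the DER bytes of each chain member in place of `CHAIN`.

```python
"""Flag MD5-signed certificates in a DER chain (standard library only)."""

# Signature-algorithm OIDs built on MD5 (RFC 3279); MD2 is listed because it is
# just as broken and occasionally still turns up in old chains.
MD5_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}
SHA256_RSA = "1.2.840.113549.1.1.11"


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the dotted OID from the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _tag, _tbs, pos = der_tlv(body, 0)           # tbsCertificate, skipped
    tag, alg_id, _ = der_tlv(body, pos)          # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid_bytes, _ = der_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid_bytes)


def md5_signed_certs(chain):
    """Indexes of chain members whose signature algorithm is MD5/MD2-based."""
    return [i for i, cert in enumerate(chain)
            if signature_algorithm(cert) in MD5_SIGNATURE_OIDS]


# ---- constructed test data (assumed, not real Microsoft certificates) --------

def der(tag, content):
    """Minimal DER encoder used only to build the sample certificates below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID into its DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid):
    """Syntactically valid Certificate SEQUENCE with a dummy tbsCertificate and
    a dummy signature; only the signatureAlgorithm field matters to the check."""
    tbs = der(0x30, der(0x02, b"\x01"))                                   # serial only
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))      # OID + NULL
    sig = der(0x03, b"\x00" + b"\xAA" * 128)                              # BIT STRING
    return der(0x30, tbs + alg + sig)


# Assumed chain: a SHA-256-signed leaf and an MD5-signed intermediate.
CHAIN = [fake_cert(SHA256_RSA), fake_cert("1.2.840.113549.1.1.4")]

if __name__ == "__main__":
    for i, cert in enumerate(CHAIN):
        print(i, signature_algorithm(cert))
    print("MD5-signed members:", md5_signed_certs(CHAIN))
```

Only non-root members matter: a trust anchor's own signature is never verified, so an MD5 self-signature on a root is harmless, while an MD5 signature on an intermediate is exactly what a chosen-prefix collision can abuse. This check covers the hash weakness alone; it says nothing about the separate policy problem in the Flame case, a licensing intermediate that was able to issue code-signing-capable certificates at all.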

Symantec's blog post titled Flamer: Urgent Suicide details the remaining Flame C&C servers sending a command that essentially uninstalls Flame from infected systems by deleting and then overwriting Flame's files with random data.

Related to the topic of cyber espionage but not dealing directly with Flame, Google announces that they will warn users of possible state-sponsored attacks.

2012 June 07:

Details start to emerge that Flame used a new collision attack. ArsTechnica posts Crypto breakthrough shows Flame was designed by world-class scientists. Marc Stevens and B.M.M. de Weger are quoted as saying that the collision attack was new.
“Flame uses a completely new variant of a ‘chosen prefix collision attack’ to impersonate a legitimate security update from Microsoft. The design of this new variant required world-class cryptanalysis,” says Marc Stevens. “It is very important to invest in cryptographic research, to continue to be ahead of these developments in practice.”
This adds to the growing body of evidence regarding the type of resources needed to build Flame.

2012 June 11:

Bitdefender Labs gets into some great detail on components within Flame, including comparisons to Stuxnet, in Stuxnet's Oldest Component Solves the Flamer Puzzle.
"As mentioned before, atmpsvcn.ocx was believed to belong to Stuxnet: more to the point, its MD5 hash (b4429d77586798064b56b0099f0ccd49) was detected in a Stuxnet dropper. This irrefutably places it as a Stuxnet component. It is common knowledge that Stuxnet used quite an array of droppers, and one of the oldest such droppers, dated from 2009, also contains the atmpsvcn.ocx component. Inside the dropper, we identified a resource encrypted using XOR 255 (0xFF) that is 520,192 bytes large and has the same hash: b65f8e25fb1f24ad166c24b69fa600a8.

This concludes the first part of the demonstration. There is no doubt about it being a Stuxnet component, but today's demonstration will shed new light on how it fits in the Flamer puzzle."
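The Bitdefender excerpt above describes locating a Stuxnet component as an XOR-0xFF-encoded dropper resource and identifying it by MD5. As an added example (not Bitdefender's code), here is a Python routine that generalizes that step to any single-byte XOR key: it brute-forces the key by requiring that the decoded DOS header start with MZ and that its e_lfanew field point at a PE signature, decodes the resource, and looks the MD5 up in a table of known component hashes. The sample resource is a constructed stand-in, and the two hashes in the table are the ones quoted in the Bitdefender post.

```python
import hashlib

# The two hashes quoted in the Bitdefender post: atmpsvcn.ocx as seen in a
# Stuxnet dropper, and the XOR-0xFF dropper resource once decoded.
KNOWN_COMPONENT_HASHES = {
    "b4429d77586798064b56b0099f0ccd49": "atmpsvcn.ocx (Stuxnet dropper)",
    "b65f8e25fb1f24ad166c24b69fa600a8": "atmpsvcn.ocx (decoded XOR 0xFF resource)",
}


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_single_byte_xor_key(blob):
    """Brute-force all 256 single-byte XOR keys against blob.

    A key is accepted only if the decoded DOS header starts with 'MZ' and the
    e_lfanew field at offset 0x3C points at a 'PE\\0\\0' signature; the second
    condition removes the accidental 'MZ' hits a two-byte check alone produces.
    Returns the key, or None if no key yields a PE image. Key 0 means the blob
    is a PE image that was never encoded.
    """
    if len(blob) < 0x40:
        return None
    for key in range(256):
        head = xor_bytes(blob[:0x40], key)
        if head[:2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        if xor_bytes(blob[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00":
            return key
    return None


def identify_resource(blob, known_hashes=KNOWN_COMPONENT_HASHES):
    """Decode blob with the recovered key and match its MD5 against known_hashes.

    Returns (key, md5_hex, component_name_or_None), or None when blob does not
    decode to a PE image under any single-byte key.
    """
    key = find_single_byte_xor_key(blob)
    if key is None:
        return None
    plain = xor_bytes(blob, key)
    digest = hashlib.md5(plain).hexdigest()
    return key, digest, known_hashes.get(digest)


def build_sample_pe():
    """Constructed stand-in for an embedded PE resource: a 64-byte DOS header
    whose e_lfanew points at a PE signature, followed by filler. Real components
    are hundreds of kilobytes; only the header layout matters to the key search."""
    dos_header = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
    return dos_header + b"PE\x00\x00" + b"\x00" * 60


SAMPLE_PLAINTEXT = build_sample_pe()
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, 0xFF)   # what the dropper would carry
SAMPLE_RANDOM = bytes(range(0x40)) * 2                # constructed; no key gives a PE

if __name__ == "__main__":
    print(identify_resource(SAMPLE_ENCODED))   # key 0xFF, digest, no table match
    print(identify_resource(SAMPLE_RANDOM))    # None
```

Hashing the decoded image rather than the raw resource is the point: the same component carried under different keys, or unencoded, produces the same MD5, which is what lets a hash seen in one dropper be matched inside another.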

07 January, 2009

Harlan Carvey's memory tool round-up

Harlan Carvey has a good round-up of incident response tools for the collection and analysis of physical memory. His blog is definitely a good read for security professionals, particularly those who do any incident response or forensics. He is really good at posting his analysis processes and explaining which tools he uses for which tasks.

This post is just a reminder to myself to try some of the tools on his list that I have not yet used and to look more deeply into the tools that I have used. I hope to play with a number of the tools in a lab environment.