Thursday, April 28, 2011

Russia-U.S. Bilateral on Cybersecurity: Critical Terminology Foundations

On Wednesday April 27, the EastWest Institute and the Information Security Institute released the first joint Russian-American report to define critical terms for cyber and information security.

Prepared by a team of Russian and U.S. experts convened by EWI, Critical Terminology Foundations presents twenty terms – the basis for an international cyber taxonomy.

“It may seem like a small step, but Russians and Americans have never before sat down and really agreed on the terms that are the prerequisite for rules of the road for cyber conflict,” says EWI Chief Technology Officer Karl Rauscher who led the process with Valery Yaschenko, Director of the Information Security Institute at Moscow State University. “Defining terms together is the first step for creating international cybersecurity agreements.”

According to experts on the team, several bodies have sponsored efforts to create a U.S.-Russian cyber glossary for over a decade, but they stalled out on the definition of an essential first term: cybersecurity itself. Unlike Americans, Russians saw cybersecurity as an inextricable part of a larger discussion on information security. In the EWI-led process, the group resolved this difference by consciously addressing “cyber” as a crucial subset of “information.”


The Kaspersky Kidnapping - Lessons Learned

Via STRATFOR (Security Weekly) -

On April 24, officers from the anti-kidnapping unit of Moscow’s Criminal Investigation Department and the Russian Federal Security Service (FSB) rescued 20-year-old Ivan Kaspersky from a dacha in Sergiev Posad, a small town about 40 miles northeast of Moscow. Kaspersky, the son of Russian computer software services billionaire Eugene Kaspersky (founder of Kaspersky Lab), was kidnapped on April 19 as he was walking to work from his Moscow apartment. A fourth-year computer student at Moscow State University, Kaspersky was working as an intern at a software company located near Moscow’s Strogino metro station.

Following the abduction, Kaspersky was reportedly forced to call his father and relay his captors’ demands for a ransom of 3 million euros ($4.4 million). After receiving the ransom call, the elder Kaspersky turned to Russian law enforcement for assistance. On April 21, news of the abduction hit the Russian and international press, placing pressure on the kidnappers and potentially placing Kaspersky’s life in jeopardy. In order to defuse the situation, disinformation was leaked to the press that a ransom had been paid, that Kaspersky had been released unharmed and that the family did not want the authorities involved. Kaspersky’s father also contacted the kidnappers and agreed to pay the ransom. Responding to the ruse, four of the five members of the kidnapping gang left the dacha where Kaspersky was being held to retrieve the ransom and were intercepted by Russian authorities as they left. The authorities then stormed the dacha, arrested the remaining captor and released Kaspersky. The five kidnappers remain in custody and are awaiting trial.

According to Russia’s RT television network, Russian officials indicated that the kidnapping was orchestrated by an older couple who were in debt and sought to use the ransom to get out of their financial difficulties. The couple reportedly enlisted their 30-year-old son and two of his friends to act as muscle for the plot. Fortunately for Kaspersky, the group that abducted him was quite unprofessional and the place where he was being held was identified by the cell phone used to contact Kaspersky’s father. Reports conflict as to whether the cell phone’s location was tracked by the FSB, the police anti-kidnapping unit or someone else working for Kaspersky’s father, but in any case, in the end the group’s inexperience and naivete allowed for Kaspersky’s story to have a happy ending.

However, the story also demonstrates that even amateurs can successfully locate and abduct the son of a billionaire, and some very important lessons can be drawn from this case.

RSA: A Not-So Targeted Targeted Attack

Via -

Several weeks before news of the RSA compromise broke, a good friend and industry colleague here in D.C. received an email, purportedly from a well-known industry expert on terrorism studies.
The subject of the email touted a listing of risk assessment security organizations, and the attachment appeared to be just that -- an Excel spreadsheet containing a list of many of the major security industry organizations. Embedded within the document was a series of Flash Action Script (rev3), which, in and of itself, is a feature and not necessarily malevolent. However, it all goes Pete Tong from here as the action script then manifested a Shockwave Flash payload, triggering an uninitialized memory reference flaw, which can result in arbitrary code execution on its target. This vulnerability is now better known as CVE-2011-0609.

Some further investigation revealed that my contact was not the only recipient of this email: It had been sent out to a number of other individuals within the security industry -- in all likelihood, somewhere in the ballpark of about 100 individuals.

So we have a previously unpatched flaw in Flash 9 and 10 being sent to prominent members of the community in a not-so-convincing email. Prior to understanding the scale on which this exploit had been used, my first thought was that this was not a targeted attack. To begin with, the email lure was on point in terms of genre, but lacked any of the more convincing specifics that are generally associated with highly targeted attacks.


So this was either a huge waste of an 0day, and the attacker spent all of his time on exploit development rather than target reconnaissance, or the exploit was intended for a broader audience. News of similar emails sent to similarly placed members of the industry (including some former, high-ranking national security policy-makers) confirmed the latter.

And then there was RSA. Unfortunately, but for good reason, not a lot of technical specifics have been made publicly available by RSA; however, it is clear from what has been released that the phishing email did indeed try to coax RSA employees into opening its attachment through promising details of the “2011 Recruitment Plan,” and was directed toward a "small group of users." RSA have additionally confirmed that the email came complete with an Excel spreadsheet attachment, which exploited the very same Flash vulnerability (CVE-2011-0609) previously used in the aforementioned attacks. This immediately raised some serious questions in my mind as to how targeted the attacks against RSA really were.


Is it true to say that RSA was targeted? Sort of.

From the information available, I believe that RSA was indeed a target, but one of many targets associated with a broader campaign designed to seek out industrial secrets. This is very similar to the modus operandi used by other recent attacks against industry, including the Night Dragon attacks publicized by McAfee in February.

Did those responsible behind the RSA attack develop a specific offensive capability and engage in activities to specifically seek out data associated with RSA’s SecurID and authentication technologies? Absolutely not. All things considered, it is my belief that those behind the RSA hack caught a lucky break, and had never anticipated the level of success that this particular venture might yield.


The various CVE-2011-0609 samples outlined by Mila on the Contagio Malware Dump blog seem to confirm the then 0day exploit was used on a wider group than just RSA.

Maximizing the Return on Exploit Investment (ROEI)

Given the research time it takes to find a new exploitable vulnerability and then develop a working and reliable exploit for that new vulnerability, it would make sense that the attackers wanted to maximize the return on their exploit 'investment'. Of course, the 'return' for these types of threat actors (APT) is not fast money, but the amount of sensitive data that can be obtained from the targeted companies.

Wednesday, April 27, 2011

Insecure Defaults Lead to Mass Open Proxies in China

Via Infosecinstitute Resources -

Description: A bug in Chinese video streaming software leads to mass open proxies on the web.

A security blogger has uncovered a flaw in the Chinese PPLive video streaming software. A new port, TCP port 9415, was appearing regularly on websites that list open proxies. Most of these open proxies were based in China. However, some were also based within Taiwan and Hong Kong, and there were a small number within the United States. Within a year, more than 394,000 instances of open proxies listed with TCP port 9415 open were documented.

There was reason to suspect some kind of malware at play. English-speaking websites offered little information, so Hinky Dink, the blogger who uncovered the open proxy port, started searching Chinese-speaking websites such as Baidu with the help of translation software.

We will look at how the flaw was found, what proxies are and how they are used on the internet today.

Tuesday, April 26, 2011

Targeted E-mail Attacks

This blog provides examples of socially engineered and/or specifically targeted spear phishing emails, intended to spread trojans and malware. These examples are generally focused on the China/Taiwan analyst community in Washington, D.C.
It would appear that the blog grew out of another blog (run by the same author) and one specific blog post focused on the GhostNet attack. The author appears to be based in Washington DC and to work for the US-Taiwan Business Council.

I learned about this new blog via Mila @ Contagio.
We are not related but somehow share the same set of overseas "friends" - I recognize many messages posted there and even received targeted messages designed to look like they came from that organization. The author does not post samples but provides links to Virustotal so it gives a good idea of what it is.
Should be a great resource for those interested in APT / spear-phishing / social engineering techniques.

Monday, April 25, 2011

Stars: New Virus in Iran?

This morning Strategic Forecasting, Inc. (commonly known as STRATFOR) posted the following tweet on Twitter:
An Iranian scientist discovered a virus, Staress, in Iran’s computer system; the virus is currently being studied at a laboratory.
At this time, information on the alleged virus is very limited. Set against the backdrop of the Stuxnet worm event of 2010, this story merits keeping an eye on.

Gholamreza Jalali told the semi-official Mehr news agency that the new virus, called "Stars", was being investigated by experts.

"Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations," Jalali was quoted as saying. He did not specify the target of Stars or its intended impact.

Saturday, April 23, 2011

Mexican Cartel Logos and Branding

Via Global Guerrillas Blog -


Here is my best guess....

C.D.G. = Gulf Cartel (the Z in the logos is for Los Zetas)
C.D.S. = Sinaloa Cartel
M.F.G. = Milenio/Familia/Gulf
La Familia Michoacana Cartel

I am going to guess that some of these are many years old, as the Los Zetas are now separate from the Gulf Cartel. The Zetas are working with BLO and the Juarez Cartel, while the Gulf Cartel has sorta teamed up with the Sinaloa (and the La Familia cartel) to fight them under the "New Federation" name.


Additional insight..
As recently as April 4, authorities found a cache of false police uniforms used by the "Knights Templar" (Caballeros Templarios), the new incarnation of the Familia Michoacana. The seized goods, which appear about 14 seconds into the video, included baseball hats branded with the Knights Templar logo: a crusader wearing typical medieval gear, a white robe marked with a red cross. The insignia is clearly meant to evoke the Familia's quasi-religious ideology, and their "crusade" to rid Michoacan of their hated rivals, the Zetas.

Friday, April 22, 2011

Innovation, Espionage, and Chinese Technology Policy

Via -

Adam Segal, Ira A. Lipman Senior Fellow for Counterterrorism and National Security Studies, testifies before the House Foreign Affairs Subcommittee on Oversight and Investigations about Chinese cyber espionage and China's desire to reduce its dependence on the West for advanced technologies.

Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology
Chinese cyber espionage has to be understood within the context of China’s desire to reduce its dependence on the West for advanced technologies, and on the United States and Japan in particular. This goal is laid out in the 2006 National Medium- and Long-Term Plan for the Development of Science and Technology (MLP) which introduced the need for “indigenous innovation” (zizhu chuangxin) to lessen the “degree of dependence on technology from other countries to 30 percent or less,” (down from 50 percent today, as measured by the spending on technology imports as a share of the sum of domestic R&D funding plus technology imports).1 Moving from “made in China” to “innovated in China” is essential to the country’s future; “Facts tell us that we cannot buy true core technologies in key fields that affect the lifeblood of the national economy and national security,” states the MLP. China will become an “innovation oriented society” by 2020 and a world leader in science and technology (S&T) by 2050.

In pursuit of these goals, China has followed three, often intertwined, tracks: industrial policy, innovation strategy, and cyber and industrial espionage. Industrial policy involves top-down, state-directed technology programs often focused on specific sectors and the government research institutes. The MLP, for example, includes twenty science and engineering megaprojects in such areas as high-end generic chips, manned aerospace and moon exploration, developmental biology, and nanotechnology.


The last strand is the theft of intellectual property either through cyber espionage or more traditional industrial espionage. Since January 2010, Google, Nasdaq, DuPont, Johnson & Johnson, General Electric, RSA, and at least a dozen others have had proprietary information stolen by hackers, although how many of these attacks originated from China is uncertain.4 Attacks are becoming more sophisticated and increasingly rely on spear phishing (targeted attacks that rely on publicly available information) and other social engineering techniques. In the physical world, Chinese nationals have been recently charged in the theft of radiation-hardened microchips and precision navigation devices.


The relationship between the state and hackers is even murkier. As the “Shadows in the Clouds” report on computer exploitation notes, there is an emerging ecosystem of crime and espionage. Espionage networks adopt criminal techniques and networks “both to distance themselves from attribution and strategically cultivate a climate of uncertainty.” Some of the information stolen by the hackers ends up on the black market, some of it, according to the report, ends up in the "possession of some entity of the Chinese government." At the very least, much of the hacking is state tolerated, in many instances it is encouraged, and in some cases of espionage, it is directed by state actors.

Thursday, April 21, 2011

Easter Science: The Chemistry of the Creme Egg

Via -

I have always wanted to see creme eggs subjected to a variety of chemical procedures -- subjected to a vacuum, frozen in liquid nitrogen, dipped in potassium chlorate -- and so have the scientists at the University of Nottingham, as you can see in this video. It's excellent Easter fun.

Insecure Mail Server Offers Chinese Government Accounts To The Masses

Via -

A security researcher who identified holes in SCADA software used by utilities in China has issued a new warning to that country's CERT about insecure Web infrastructure, including an e-mail server that allows any Web user to create their own Chinese government mail account.

Dillon Beresford, a security researcher at NSS Labs, notified China's Computer Emergency Response Team (CERT) on Wednesday about a hole in the mail server for Guizhou Province that allows any user to create a new mail account and log in to the Provincial government's mail server. The critical hole is just one example of what Beresford said is a public sector Web infrastructure that is rife with vulnerable and insecure applications, despite China's popular reputation as an aggressor in the arena of cyber espionage and cyber warfare.

The vulnerable e-mail server doesn't require users to authenticate to it with a user name and password and lacks proper access controls, Beresford wrote in the e-mail, which was shared with Threatpost. Threatpost verified that the script allows unauthenticated users to create e-mail accounts for the Internet domain for Guizhou Province, which is located in southwestern China, one of the country's coal producing regions.

"The ramifications behind the security hole are extremely serious," he said in an e-mail addressed to China's CERT and official email addresses for the province. "An attacker could represent themselves as an official from the Chinese Government and use the accounts to socially engineer and attack other Government workers in the People's Republic of China," Beresford wrote.

A moderately sophisticated user could also leverage access to the Webmail server to escalate their privileges. Beresford confirmed that the server in question was vulnerable to SQL injection attacks that could give a hacker access to other e-mail accounts, as well.

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

Via Krypt3ia Blog -

Advanced Persistent Threats Are Not New: 先进的威胁不是持久性的新功能

The news cycle has been abuzz again as to how China is capable of beating the pants off of us in the hacking sphere and that we should be worried. I say, this is not news in any way and those of you who read this blog should already know this fact. For those of you who are not so familiar with the DoD space, the knowledge of what has been called APT has been around for quite some time. In fact, the term was coined in 2006 by the Air Force, but the attack structure of how the Chinese and other state actors had been using similar tactics on DoD infrastructure goes back to the '90s (Moonlight Maze, Titan Rain).

So, hello world outside of the insular DoD and Infosec sphere, they have been around quite a while. In fact, one could make the extension that the Chinese line of thought called “The Thousand Grains of Sand” has been around far longer and has been used as their model of espionage for a very long time. Obviously the connections can also be made to Sun Tzu and his precepts on warfare, which, just happen to involve a fair amount of espionage as the means to winning a war. It is little surprise to anyone who knows the Chinese mind and the teachings of Sun Tzu, that China would apply these same precepts to another battle space (cyberspace), the fifth domain as the US military calls it now.


Such a good read. Krypt3ia attempts to outline how the APT espionage model fits into the wider geopolitical landscape and the concept of "soft power". In short, APT is just one variable in the overall algebra.

Jeffery Carr's Play on the Point of Symmetry

A short paper describing how the requirements of Multi-National Corporations become a tactical advantage for State-run cyber operations.

Huawei's Chairwoman Worked For China's Ministry of Public Security

Huawei's 2010 annual report included, for the first time, information about its Board of Directors in an apparent bid to demonstrate increased transparency into its operations. The bio for its Chairwoman Sun Yafang (CEO Ren ZhengFei's daughter) failed to mention that she once worked for the Ministry of Public Security, which is the national law enforcement agency for the People's Republic of China.

Tool Shows Vulnerability of Email Addresses

Via WSJ Digits Blog -

Hacker and security researcher Samy Kamkar has a new tool out — one that can find working email accounts for people at businesses, even if the address hasn’t been published online.

The tool, called Peepmail, promises to deliver email addresses for everyone from Apple’s Steve Jobs and Microsoft’s Steve Ballmer to the random guy whose business card you lost. It takes advantage of the fact that many email servers will tell the sender whether the address is valid, even before the message is actually sent.

When a user enters a name and company into Peepmail, the program tests permutations of the name until the company’s email server responds with a message that indicates the address is valid. Before any emails go through, the program aborts the communication, so the person being looked up doesn’t know what’s happening.


In some other instances, the tool wasn’t able to return any results at all. Mr. Kamkar explained that some mail servers don’t say whether an address is valid before getting the email. They just “happily accept any email address” and then return an error message only after the offending email is sent. (The Wall Street Journal is one of those domains.)

But the tool isn’t intended to help people find contacts, really. Mr. Kamkar, who is perhaps most famous for a 2005 virus that took down MySpace, says his intent is to expose how vulnerable valid email addresses are to being found, despite the fact that it would be easy for email servers to block his technique. “I created the tool to demonstrate what has been possible for years but very few people know,” he said in an email to Digits.

Even if it doesn’t always “work,” Peepmail gets that point across.
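The address-validity leak that Peepmail relies on is visible on the server side as a burst of RCPT TO probes from one client, most of them rejected, that never proceed to DATA. The following is an added example, not code from Kamkar or the Journal, that flags that pattern in a constructed, simplified mail log; the log format, the sample client addresses and the thresholds are all assumptions of this example.

```python
"""
Flag SMTP recipient-enumeration (the probing pattern Peepmail depends on)
in mail-server logs.

The log format below is CONSTRUCTED for this example and is not the output
of any particular MTA: one line per SMTP event, space-separated key=value
fields. Adapt LINE_RE to the real server's rejection lines.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: client 198.51.100.7 cycles through name
# permutations and disconnects as soon as the server reveals which
# addresses exist; client 203.0.113.9 mistypes one address, corrects
# it and actually delivers a message.
SAMPLE_LOG = """\
2011-04-21T09:00:01 client=198.51.100.7 sess=a1 event=RCPT rcpt=jane.doe@example.com code=550
2011-04-21T09:00:01 client=198.51.100.7 sess=a1 event=RCPT rcpt=jdoe@example.com code=550
2011-04-21T09:00:02 client=198.51.100.7 sess=a1 event=RCPT rcpt=janed@example.com code=550
2011-04-21T09:00:02 client=198.51.100.7 sess=a1 event=RCPT rcpt=doej@example.com code=550
2011-04-21T09:00:03 client=198.51.100.7 sess=a1 event=RCPT rcpt=jane@example.com code=250
2011-04-21T09:00:03 client=198.51.100.7 sess=a1 event=QUIT
2011-04-21T09:00:10 client=198.51.100.7 sess=a2 event=RCPT rcpt=john.roe@example.com code=550
2011-04-21T09:00:10 client=198.51.100.7 sess=a2 event=RCPT rcpt=jroe@example.com code=250
2011-04-21T09:00:11 client=198.51.100.7 sess=a2 event=QUIT
2011-04-21T09:05:00 client=203.0.113.9 sess=b1 event=RCPT rcpt=jane.deo@example.com code=550
2011-04-21T09:05:02 client=203.0.113.9 sess=b1 event=RCPT rcpt=jane@example.com code=250
2011-04-21T09:05:03 client=203.0.113.9 sess=b1 event=DATA code=354
2011-04-21T09:05:04 client=203.0.113.9 sess=b1 event=QUIT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) sess=(?P<sess>\S+) event=(?P<event>\S+)"
    r"(?: rcpt=(?P<rcpt>\S+))?(?: code=(?P<code>\d{3}))?$"
)


@dataclass
class ClientStats:
    rcpt_total: int = 0
    rcpt_rejected: int = 0                      # 5xx replies to RCPT TO
    recipients: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    sessions_with_data: set = field(default_factory=set)


def parse_log(text):
    """Aggregate the constructed log into per-client statistics."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected shape rather than crash
        s = stats[m["client"]]
        s.sessions.add(m["sess"])
        if m["event"] == "RCPT":
            s.rcpt_total += 1
            s.recipients.add(m["rcpt"].lower())
            if m["code"] and m["code"].startswith("5"):
                s.rcpt_rejected += 1
        elif m["event"] == "DATA":
            s.sessions_with_data.add(m["sess"])
    return stats


def is_enumerating(s, min_rcpts=5, min_reject_ratio=0.5):
    """
    Heuristic: many recipients probed, most of them rejected, and the client
    never reaches DATA in any session (it aborts once validity is known).
    The thresholds are assumptions; tune them to the server's normal traffic,
    since a misconfigured mailing list can also produce many 550s.
    """
    if s.rcpt_total < min_rcpts:
        return False
    reject_ratio = s.rcpt_rejected / s.rcpt_total
    never_sent_mail = not s.sessions_with_data
    return reject_ratio >= min_reject_ratio and never_sent_mail


def find_enumerators(text, **thresholds):
    """Return the sorted client addresses whose behaviour matches the heuristic."""
    stats = parse_log(text)
    return sorted(c for c, s in stats.items() if is_enumerating(s, **thresholds))


if __name__ == "__main__":
    for client, s in parse_log(SAMPLE_LOG).items():
        print(f"{client}: {len(s.recipients)} recipients, "
              f"{s.rcpt_rejected}/{s.rcpt_total} rejected, "
              f"{len(s.sessions_with_data)}/{len(s.sessions)} sessions reached DATA")
    print("suspected enumeration from:", find_enumerators(SAMPLE_LOG))
```

The server-side fix the article alludes to, accepting every recipient at RCPT and failing the message later, removes the signal the probe depends on; a per-client cap on RCPT attempts gives the same heuristic an enforcement point.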

Saturday, April 16, 2011

MC Frontalot - Zero Day [Official Video]

From the album Zero Day by MC Frontalot
featuring int80 of Dual Core and ytcracker
Directed by Mohit Jaswal

Download this song's video and mp3 free at

Dispatch: Beyond Ai Weiwei's Detention

STRATFOR's China Director Jennifer Richmond discusses how the timing of Chinese artist Ai Weiwei’s detention illustrates a change in the Chinese government’s behavior — as well as in increased foreign scrutiny — even at the expense of damaging its public image.


According to the Financial Times, two accounts used by Ai Weiwei were hacked as part of the Operation Aurora attack on Google. According to Google, the attackers were only able to view details on two accounts and those details were limited to things such as the subject line and the accounts' creation date.

RawCap Sniffer for Windows

RawCap is a free raw sockets sniffer for Windows.

Here are some highlights of why RawCap is a great tool to have in your toolset:

  • Can sniff any interface that has got an IP address, including (localhost/loopback)
  • RawCap.exe is just 17 kB
  • No external libraries or DLLs needed
  • No installation required, just download RawCap.exe and sniff
  • Can sniff most interface types, including WiFi and PPP interfaces
  • Minimal memory and CPU load
  • Reliable and simple to use

Thursday, April 14, 2011

New Malware Can Automatically Register Facebook Applications

Via Symantec Blog -

A few months ago, at least prior to February 7th, Sality operators pushed a new malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface, and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing and sending the username/password to a Command and Control (C&C) server, the information was also dumped to an encrypted file, onto the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.

This was confirmed last weekend. The newest Sality package contained a new malware, on top of their usual spam/web relays. The malware searches for encrypted files containing either Facebook or Blogger credentials (Myspace is left aside). If such files are found and contain credentials, the malware then connects to a C&C server (, hosted in Florida) to request an “action script”. Such scripts look like C programs and are interpreted by the malware itself. The main goal is to automate Internet Explorer actions.


The function names are self-explanatory. The script, when executed, performs the following actions:
  • Create a visible instance of Internet Explorer.
  • Navigate to
  • Log in.
  • Go to the Facebook app #119084674184 page: this application, named VIP Slots, has been around for a few years.
  • Grant access to this application.
  • Close the browser instance.
The permission required by VIP Slots is only “Basic information”, meaning your name and gender, profile picture, networks, and list of friends. The application itself does not seem to exhibit malicious behavior, but the fact that a malicious program interacts with it is very troubling. The end-goal is not determined at this stage: registering the user could serve as aggressive spamming (application posts appearing on your news feed), or a way to get more users to use the app, for monetary purposes (by buying virtual credits). The application could simply be an innocent party.

Another script was also distributed. The actions taken by this generic script were the following:
  • Create an invisible instance of Internet Explorer.
  • Go to
  • Search for “auto insurance bids”.
  • Close the browser instance.
This script could serve experimentation purposes. It could also be a very convoluted way to measure the propagation of their creation: Google Trends report a recent peak for this search term.

As of today, it appears script distribution has stopped. However, new scripts could be distributed in the future as the C&C server is still up and running.

Wednesday, April 13, 2011

Analysis of the CVE-2011-0611 Adobe Flash Player Vulnerability Exploitation

Via Microsoft Malware Protection Center (MMPC) -

About a month ago, we blogged about an Adobe Flash Player vulnerability (CVE-2011-0609) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day (CVE-2011-0611) was reported by Adobe in a recent advisory (APSA11-02).

It all started with spam emails enticing users to open its attachment, typically a Microsoft Word document (or a zip file of a Microsoft Word document), which contained the malicious Flash exploit inside.


Inside the .doc file a malformed Adobe Flash file is embedded. Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously.

Microsoft Pushes Out Two New Security Tools

Via -

In parallel with its release of 17 bulletins on Patch Tuesday this month, Microsoft also unveiled two new tools that are meant to help make a couple of common exploitation scenarios more difficult for attackers.

The company released a tool called Office File Validation for some older versions of Office, including Office 2003 and 2007. The feature is specifically designed to give users information about whether there's a potentially malicious component in an Office file that the user is trying to open. When the user attempts to open a file, the Office File Validation tool will inspect it and look for any signs of malicious behavior. If there's a problem, the user will get a warning dialog box giving him the opportunity to cancel the operation.

Attackers in the past few months have taken to embedding malicious Flash files inside Word and Excel documents as part of spear phishing campaigns. This was the primary attack vector used to compromise RSA last month.


The second enhancement Microsoft pushed out on Tuesday is an update to winload.exe, the component that loads Windows. The update is designed to help prevent some techniques that rootkits use to evade detection and remain persistent on infected machines.

"For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won't remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit," Microsoft's Dustin Childs said.


Advisory 2501584 - Release of Microsoft Office File Validation for Microsoft Office
Consult TechNet article, Office File Validation for Office 2003 and Office 2007, for information on deployment, installation, and configuration of the Office File Validation feature for Microsoft Office 2003 and Microsoft Office 2007.
Advisory 2506014 - Update for the Windows Operating System Loader
SRD Blog: The second advisory, KB 2506014, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family [against 64-bit operating systems]. It is an optional update available on WU and WSUS.

Rebels Hijack Gadhafi's Phone Network

Via WSJ -

A team led by a Libyan-American telecom executive has helped rebels hijack Col. Moammar Gadhafi's cellphone network and re-establish their own communications.

The new network, first plotted on an airplane napkin and assembled with the help of oil-rich Arab nations, is giving more than two million Libyans their first connections to each other and the outside world after Col. Gadhafi cut off their telephone and Internet service about a month ago.

That March cutoff had rebels waving flags to communicate on the battlefield. The new cellphone network, opened on April 2, has become the opposition's main tool for communicating from the front lines in the east and up the chain of command to rebel brass hundreds of miles away.

While cellphones haven't given rebel fighters the military strength to decisively drive Col. Gadhafi from power, the network has enabled rebel leaders to more easily make the calls needed to rally international backing, source weapons and strategize with their envoys abroad.

To make that possible, engineers hived off part of the Libyan cellphone network—owned and operated by the Tripoli-based Libyan General Telecommunications Authority, which is run by Col. Gadhafi's eldest son—and rewired it to run independently of the regime's control. Government spokesman Moussa Ibrahim, asked about the rebel cellphone network, said he hadn't heard of it.

Monday, April 11, 2011

Adobe Warns of New Flash Player Zero-Day Attack

Via ZDNet (Zero Day Blog) -

Attackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.

This latest Flash Player zero-day attack comes just weeks after EMC’s RSA Division was hit with a malware attack that used a rigged Flash (.swf) file embedded in a Microsoft Excel document.

In both cases, the attacks are being used to steal corporate secrets.

Here’s the gist of the latest Flash Player zero-day....


The following blog was written by Microsoft after the last Flash 0day (CVE-2011-0609) was being exploited via Excel files. Given that this new attack (CVE-2011-0611) is using Word (.doc) files, many of the recommendations outlined by the SRD team will be relevant.

Microsoft SRD: Blocking Exploit Attempts of the Recent Flash 0-Day
  • Ensure Data Execution Prevention security mitigation (DEP) is enabled for Office and for your browser of choice (IE, Firefox, etc).
  • Install and configure the Enhanced Mitigation Experience Toolkit (EMET). Turning on EMET for the core Office applications will enable a number of security protections called security mitigations. Since Flash Player can also be hosted in a web browser, you may wish to turn on EMET for the browser you use (IE, Firefox, etc).
  • Beyond EMET, there is a workaround that Office 2007 users can use to prevent the Flash Player (as well as other ActiveX controls) from loading inside an Office application. This is done by changing the ActiveX setting in the Trust Center to “Disable all controls without notification”. The ActiveX setting in the Trust Center can also be set via group policy or registry. For more information, please refer to “Security policies and settings in the 2007 Office system”.
  • Sadly, not everyone is running Office 10, so if you are running Office 2003 or 2007, I would recommend installing the Microsoft Office Isolated Conversion Environment (MOICE). MOICE takes a potentially risky binary file type and converts it within a sandboxed process to the new XML format (much safer) and then back to the binary format and opens it. The hope of doing this conversion was to remove any exploit code that was hidden away within the file.

Possible DEP and ASLR Bypass
I hear this attack works in Windows 7, so it sounds like it can bypass both DEP and ASLR - which is more advanced than the previous zero-day exploitation via XLS.


Mila Parkour has posted a very informative blog on this new 0day...

Secunia Whitepaper: Cybercriminals Do Not Need Administrative Users

Via Secunia Blog -

For years the software industry has promoted reduced privileges for user accounts as a key security best practice to prevent misuse and successful exploitation of end-point systems. Unfortunately, user accounts with reduced privileges do not provide protection from attack, misuse, or compromise.

Reduced privileges for end-users can only be regarded as one part of an effective security strategy that should not be solely relied on. Organisations should know the limitations of this approach to prevent them from getting a false sense of security and under-investing in complementary security layers.

The new Secunia Whitepaper "Cybercriminals Do Not Need Administrative Users", discusses the limitations of security by denying users administrative access to their systems, and highlights how cybercriminals can achieve their goals without administrative access.

The whitepaper can be downloaded here.

Friday, April 8, 2011

Mobile App Privacy Continued…

Via Veracode ZeroDay Labs Blog -

The blog post we made earlier this week entitled, Mobile Apps Invading Your Privacy, gives detail around the information being requested by the advertisement libraries embedded inside a popular online radio application. There have been a number of great posts and comments that got us thinking more about the issues and the types of data being requested.

First off we want to thank some people who commented about the Pandora application not having permission to actually access the GPS on the device. Below are the Manifest permissions for the version of Pandora currently in the Google Application Marketplace:

  • Full Internet Access
  • Create Bluetooth Connections
  • Read Contact Data
  • Add or Modify Calendar Data and Send Emails to Guests
  • Read Phone State and Identity
  • Modify Global System Settings
  • Prevent Device from Sleeping
  • Bluetooth Administration
  • Change Wifi State
  • Change Network Connectivity

As you can see, GPS access is NOT included in that list. There was an error in the original post we made stating that some of the library code was requesting permissions from the Google system for GPS access, and as the commenter pointed out, that is incorrect. The code snippet we posted is only checking whether the parent application, Pandora in this case, has permission to access the GPS. If the parent does not have permission, the accessing of GPS data can’t occur.

However, the overarching theme of the original post is still valid. If Pandora had required GPS access for a legitimate reason, the embedded advertisement library would have been able to request the GPS data and send it off device. As we mentioned in the original post, there is a chance that Pandora has no idea what the embedded advertising library actually does, simply taking it from the advertising partner and embedding it into their application.
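The point of the correction above is that an embedded ad library can only reach what the parent app's manifest grants, and can only send it off the device if the parent also holds network access. The audit below is an added example, not Veracode's code: it parses a manifest and maps the declared permissions onto the data categories the post discusses. The manifest is constructed to approximate the Marketplace list above (the Marketplace's display names are translated to the standard android.permission constants), and the "radio" package name is invented.

```python
"""Audit an AndroidManifest.xml for the permissions that decide whether an
embedded library could reach location, identity, contacts or calendar data
and ship it off the device.

Added example, not the Veracode post's code. The manifest is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Data category -> permissions that expose it to any code in the process.
SENSITIVE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "identity": {"android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "calendar": {"android.permission.READ_CALENDAR",
                 "android.permission.WRITE_CALENDAR"},
    "network":  {"android.permission.INTERNET"},
}


def declared_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name="..."/> entries in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def audit(manifest_xml: str) -> dict:
    """Map each category to the granted permissions (empty list = not reachable)."""
    perms = declared_permissions(manifest_xml)
    return {cat: sorted(perms & wanted) for cat, wanted in SENSITIVE.items()}


def exfil_possible(report: dict, category: str) -> bool:
    """An embedded library can send this data off-device only if the parent
    app holds both the data permission and INTERNET."""
    return bool(report[category]) and bool(report["network"])


# Constructed manifest approximating the permission list quoted in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
</manifest>
"""

# Same manifest with a location permission added, to show how the verdict flips.
SAMPLE_MANIFEST_WITH_GPS = SAMPLE_MANIFEST.replace(
    "</manifest>",
    '  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>\n</manifest>')

if __name__ == "__main__":
    for label, xml in (("as listed", SAMPLE_MANIFEST), ("with GPS", SAMPLE_MANIFEST_WITH_GPS)):
        report = audit(xml)
        for cat in ("location", "identity", "contacts", "calendar"):
            print(label, cat, report[cat], "off-device possible:", exfil_possible(report, cat))
```

Run against a real APK after extracting and decoding the binary manifest (apktool or aapt), and read "off-device possible" as exactly that: the manifest tells you what the process may do, not what any particular library actually does.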

Thursday, April 7, 2011

Al Qaeda Never Left Kunar, and Other Problems with U.S. Intelligence

Via The Long War Journal (Threat Matrix Blog) -

Today's article at The Wall Street Journal on the resurgence of al Qaeda in the Afghan east has provided a great service in shining light on al Qaeda's presence in region. This is a subject that longtime readers of The Long War Journal will easily recognize, as we've devoted a significant portion of our coverage to al Qaeda's presence and networks in the area, as well as to the impact of the US military withdrawal from combat outposts in Kunar and Nuristan provinces.

But the WSJ article also highlights, both intentionally and unintentionally, some very significant failures in the US military and intelligence communities' analysis of the nature of al Qaeda and the scope of the threat in the Afghan northeast. At the very end of the WSJ article, a senior US military official is quoted making the following claim:

"We do not have an intelligence problem. We have a capacity problem. We generally know the places they are, how they are operating," said the senior U.S. military official, speaking of al Qaeda. The problem "is our ability to get there and do something."
I'm here to tell you that that viewpoint is wrong. And here's why:

Read more:


Like LL Cool J once said, "Don't call it a comeback / I've been here for years."

Wednesday, April 6, 2011

Mobile Apps Invading Your Privacy

Via Veracode ZeroDay Labs Blog -

An article in the Wall Street Journal, dated April 5, 2011, disclosed that Federal prosecutors in New Jersey are investigating numerous smart phone application manufacturers for allegedly illegally obtaining and distributing personal private information to third-party advertisement groups. The allegations state that mobile applications are gathering data such as GPS location, device identifiers, gender, and even user age without proper notice or authorization from the end user. The Journal tested 101 applications and found that 56 of them transmitted the device unique identifier off the device, while 47 transmitted the phone’s location. Five of the tested applications leaked personal information such as user gender and age.


The folks at the Veracode research team decided to spend a bit of our time today breaking apart one of the accused applications to see what could be found within the code. Given what was written in the Journal article, we thought it would be most interesting to take an in-depth look through the Pandora application for the Android platform. A quote from the article states the following about the Pandora application:
In Pandora’s case, both the Android and iPhone versions of its app transmitted information about a user’s age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.


So what does this mean to the end user? It means your personal information is being transmitted to advertising agencies in mass quantities. As more and more “free” applications attempt to monetize their offerings, we will likely see more of your personal information being shuttled out to marketing and advertising data aggregation firms. The application developers may not even be aware of the privacy violations they are introducing by using third party advertising libraries. They may merely think they are getting $x per ad impression, not that the ad library is leaking significant information about the user.

In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person's life. Consider for a moment that your current location is being tracked while you are at your home, office, or significant other’s house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don’t know about you, but that feels a little Orwellian to me.

Monday, April 4, 2011

STRATFOR Dispatch: AQAP's 'Inspire' Magazine

Vice President of Tactical Intelligence Scott Stewart analyzes the latest edition of al Qaeda of the Arabian Peninsula’s English-language jihadist magazine.

Read more: Dispatch: Al Qaeda's 'Inspire' Magazine | STRATFOR


Like in previous magazines and speeches, AQAP continues to target the radical sympathizers in the West and advocates the use of 'lone wolf' attack methodology.

IBM Nanoparticle Breakthrough Destroys Drug-Resistant Bacteria

Via Business 2.0 Press -

A team of engineers and researchers headed by Dr. James Hedrick at IBM Inc. has developed a new technology that could revolutionize how resistant bacterial infections are currently treated.

IBM researchers created a new type of nanoparticle that is capable of destroying the membrane walls of certain drug-resistant bacteria strains, leaving the cells to harmlessly thaw without any trace. The new system works by using biodegradable plastic to engineer electrically charged nanoparticles that are attracted to the bacteria’s opposite charge, destroying the membrane walls and hence the cell entirely.

Traditional antibiotic medicines, like apo amoxicillin, block certain types of microorganisms that can cause infections from multiplying by interfering with their DNA. Mostly, these medicines work very well in destroying all bacteria over the course of treatment (which is why it is critical to follow dosage instructions from your physician, and continue to take your prescribed medication even after you feel better), but there are times when not every bacterial cell is killed, and the survivors could later become drug resistant.

The new breakthrough methodology developed at IBM is able to destroy the cell’s membrane wall, leaving the remaining matter of the cell to safely degrade. Since the molecules of the system are organic, the human body is able to easily dispose of the medicine, unlike certain antibiotics that are not as easily removed by the body hence causing side effects.

The system proved successful in destroying methicillin-resistant staphylococcus aureus (MRSA) bacteria in laboratory tests involving infected mice, according to results published in Nature Chemistry. The system has yet to be tested on humans, but IBM said the company is currently in talks with major pharmaceutical firms looking at creating a human trial, but declined to publicly say which specific firms are involved in talks.

MRSA bacterium is common around the world, and it is responsible for millions of deaths resulting from various infections, including respiratory infections.

Friday, April 1, 2011

RSA - Anatomy of an Attack

Via -

Turns out the targeted attack that breached RSA and exposed its SecurID technology started with one of the oldest tricks in the book—a phishing email with an infected attachment, according to new details revealed today by RSA and security analysts.


RSA said two different phishing emails were sent to two small groups of low-level users; the emails had the subject line "2011 Recruitment Plan" and carried an Excel attachment that was rigged with the newly patched Adobe Flash zero-day [CVE-2011-0609], which Adobe had seen in limited targeted attacks earlier this month.

"The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file," said Uri Rivner, head of new technologies, consumer identity protection, at RSA, The Security Division of EMC in a blog post today.

The attack then installed a Poison Ivy variant for remotely controlling the infected machine "in a reverse-connect mode that makes it more difficult to detect as the PC reaches out to the command and control rather than the other way around," Rivner blogged.

The exploit, a Trojan, stole user credentials from RSA employees, including IT staff, and eventually gained privileged access to the targeted system, according to Avivah Litan, vice president and distinguished analyst with Gartner.


RSA's Rivner said the attacker first harvested access credentials--user, domain admin, and service accounts. "They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators," he blogged.

"The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction," he said.

Password-protected RAR files were transferred via FTP from the RSA file server to an external machine that had been compromised at a hosting service provider. "The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack," he said.
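The last two stages Rivner describes, aggregation of compressed archives on internal staging servers and FTP transfer of those archives to an external host, leave a recognisable trail in transfer logs. The detector below is an added example, not RSA's or FireEye's code: it reads a constructed key=value transfer log (the format, host names and addresses are all invented; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet hosts) and separates "staging" events (large archive moved between internal hosts) from "exfiltration" events (archive sent by FTP to an external address).

```python
"""Flag archive staging and FTP exfiltration in a transfer log.

Added example, not the page's code. The log format is constructed:
    <timestamp> <host> proto=.. src=.. dst=.. file=.. bytes=..
"""
import ipaddress
import re

# Explicit RFC 1918 ranges. ipaddress.is_private is deliberately not used:
# it also returns True for the 203.0.113.0/24 documentation range used below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = (".rar", ".zip", ".7z")
LARGE_BYTES = 10 * 1024 * 1024          # 10 MiB: "large" for a single transfer

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict of fields, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields["ts"], fields["host"] = m.group("ts"), m.group("host")
    return fields


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(event: dict):
    """Return (verdict, reasons) for one transfer event."""
    reasons = []
    proto = event.get("proto", "").lower()
    fname = event.get("file", "").lower()
    nbytes = int(event.get("bytes", 0))
    if proto == "ftp":
        reasons.append("ftp")
    if fname.endswith(ARCHIVE_EXT):
        reasons.append("archive")
    if nbytes >= LARGE_BYTES:
        reasons.append("large")
    external = "dst" in event and not is_internal(event["dst"])
    if external:
        reasons.append("external-dst")
    # Archive leaving the network over FTP: the pattern described in the post.
    if external and "archive" in reasons and "ftp" in reasons:
        return "exfiltration", reasons
    # Large archive moving between internal hosts: possible staging.
    if not external and "archive" in reasons and "large" in reasons:
        return "staging", reasons
    return "ok", reasons


def scan(log_text: str):
    """Return (host, file, verdict, reasons) for every non-ok event."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event:
            continue
        verdict, reasons = classify(event)
        if verdict != "ok":
            findings.append((event["host"], event.get("file"), verdict, reasons))
    return findings


# Constructed log: one benign internal copy, one staging move, one FTP
# exfiltration, one ordinary web request.
SAMPLE_LOG = """\
2011-03-10T01:02:11Z ws-finance-07 proto=http src=10.1.5.23 dst=10.1.0.9 file=report.xlsx bytes=48211
2011-03-10T01:40:52Z ws-it-03 proto=smb src=10.1.7.12 dst=10.1.0.30 file=hr_2011.rar bytes=73400320
2011-03-10T02:14:07Z fileserver01 proto=ftp src=10.1.0.30 dst=203.0.113.7 file=hr_2011.rar bytes=73400320
2011-03-10T02:15:30Z ws-finance-07 proto=https src=10.1.5.23 dst=198.51.100.20 file=index.html bytes=2048
"""

if __name__ == "__main__":
    for host, fname, verdict, reasons in scan(SAMPLE_LOG):
        print(f"{verdict:13} {host:14} {fname:14} {','.join(reasons)}")
```

The thresholds and the FTP-only rule are starting points: an attacker who recompresses, renames or moves the data over HTTPS defeats this exact rule, so the durable signals are the ones the post itself points at (an internal file server initiating outbound connections at all, and archives appearing on hosts that never produce them).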


On March 16, FireEye examined one of the XLS files, which contained the Adobe 0day, and determined that a known Chinese threat actor, called 'linxder', might have been involved. At the time, the companies targeted with this malware were not known - it would appear RSA was one of those companies.

Trojan.Linxder and the Flash 0-day (CVE-2011-0609)