Tuesday, May 31, 2011

Apple Security Update for Removal of Mac Defender

About Security Update 2011-003


This update adds detection [into File Quarantine] and removes all known variants of Mac Defender FakeAV.

In addition, Apple is enabling daily update checks for File Quarantine definitions, so Apple can quickly respond to future malware variants.

Will be interesting to see how long this can last...

Two Iraqi Nationals Indicted on Federal Terrorism Charges in Kentucky


An Iraqi citizen who allegedly carried out numerous Improvised Explosive Device (IED) attacks against U.S. troops in Iraq and another Iraqi national alleged to have participated in the insurgency in Iraq have been arrested and indicted on federal terrorism charges in the Western District of Kentucky.

The arrests in Bowling Green, Ky., and the criminal complaints and indictment unsealed today were announced by Todd Hinnen, Acting Assistant Attorney General for National Security; David J. Hale, U.S. Attorney for the Western District of Kentucky; Elizabeth A. Fries, Special Agent in Charge of the FBI Louisville Division; and the members of the Louisville Joint Terrorism Task Force (JTTF).

Waad Ramadan Alwan, 30, and Mohanad Shareef Hammadi, 23, both former residents of Iraq who currently reside in Bowling Green, were charged in a 23-count indictment returned by a federal grand jury in Bowling Green on May 26, 2011. Alwan is charged with conspiracy to kill U.S. nationals abroad; conspiracy to use a weapon of mass destruction (explosives) against U.S. nationals abroad; distributing information on the manufacture and use of IEDs; attempting to provide material support to terrorists and to al-Qaeda in Iraq [AQI]; as well as conspiracy to transfer, possess and export Stinger missiles. Hammadi is charged with attempting to provide material support to terrorists and to al-Qaeda in Iraq, as well as conspiracy to transfer, possess and export Stinger missiles.


According to J.M. Berger of Intelwire.com, both men arrested today in Kentucky were actually former insurgents, and both were approved to live in the U.S. under refugee status.

The Emergence of Open and Organized Pro-Government Cyber Attacks in the Middle East: The Case of the Syrian Electronic Army



Since the beginning of the popular uprisings and protests in the Middle East and North Africa, events in the region have been characterized by increased contestation in cyberspace among regime sympathizers, governments, and opposition movements. One component of this contestation is the tendency among governments and networks of citizens supportive of the state to use offensive computer network attacks. Such tactics are supplements to legal, regulatory, and other controls, and technical forms of Internet censorship.

For example, a group known as the Iranian Cyber Army has defaced Twitter and Iranian opposition websites. Also, Tunisian political activists and Yemeni oppositional websites have both accused their government security organizations of launching attacks on their sites in an attempt to silence their message and deny access to their content.

In this report, we document the activities of the Syrian Electronic Army, which appears to be a case of an open and organized pro-government computer attack group that is actively targeting political opposition and Western websites. Our aim is to assess to what extent we can find evidence of Syrian government assistance for the attack groups, and what the significance of the attacks themselves are for civil society and cyberspace contestation.


Syria has become the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies. The intensity and scope of the Syrian Electronic Army’s activities signal an interesting development in the Syrian pro-regime Internet arena: In addition to being one of the most repressive Internet censors in the region, the local media, some of which is government-run, is apparently supporting the Army’s orchestrated aggressive efforts to attack, by means of website defacements and comment spamming, political opposition and Western websites.

The Syrian Electronic Army claims on its website that it was founded by a team of young Syrian enthusiasts who did not want to stay passive “towards the fabrication of facts on the events in Syria.” Information Warfare Monitor (IWM) research found that the group has a connection with the Syrian Computer Society, which was headed in the 1990s by the current Syrian President Bashar al-Assad before he became president.

The Army has been attacking and defacing Syrian oppositional and “hostile Western news” websites. However, IWM found that some of the targeted Western websites are actually not news websites but rather non-political commercial websites. Although Facebook has been disabling the Army’s Facebook pages, the Army has been creating alternative pages and has been actively spamming popular and political Facebook pages with highly repetitive and orchestrated pro-regime comments.

MMPC Threat Report: Cracking Open Qakbot

Via MMPC Blog -

Today, we’re releasing a Microsoft Malware Protection Center Threat Report on Qakbot as a follow-up to the recently-released Microsoft SIRv10 and our special report on Battling Botnets in late 2010. This report focuses on one botnet in particular, Qakbot. Qakbot is a backdoor that includes user-mode rootkit functionality to hide itself and also steal sensitive user data from infected machines.

In addition to some of the interesting traits of Qakbot, such as the areas of the world where it’s most prevalent and the types of computers it targets, we found one particular aspect to be quite interesting – where the Qakbot authors may have gotten some of their code.

We have long suspected that the Qakbot authors were taking code samples from the Internet and incorporating them into their malware as the family evolved. Recently, while reviewing some of the earliest samples of Qakbot, we found something interesting: NtIllusion debug strings.


NtIllusion is a rootkit that was first disclosed in an article within the underground security zine called Phrack in July of 2004. It includes functionality to hide processes, files, registry entries, and evidence of TCP/IP communication. It hooks several network communication APIs in order to steal POP3 and FTP passwords. This code still appears in Qakbot today.

You can read about this and more on Qakbot in our Threat Report:


Mila has posted details and access to several Qakbot/Pinkslipbot samples on her Contagio Malware Dump Blog.

Thursday, May 26, 2011

DNS Filtering Legislation Would Derail DNSSEC, Experts Contend

Via DarkReading.com -

A key provision in an intellectual property protection bill that was approved today by the Senate Judiciary Committee could sabotage Internet security and specifically, DNSSEC, according to a who's who of Internet infrastructure and security experts including Dan Kaminsky.

The PROTECT (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act) IP Act calls for using recursive DNS servers to blacklist and block domain names of servers offering pirated music or other illegally obtained intellectual property. A group of renowned Internet security experts including Kaminsky released a white paper explaining how forcing these millions of recursive servers on the Internet to filter out DNS requests to those sites would basically cripple the emerging DNSSEC technology. DNSSEC is currently in the process of being adopted on the Internet; it provides verification that the site a user visits is indeed that site and not a spoofed or redirected one.

Along with Kaminsky, who discovered and helped get patched a serious flaw in DNS, the authors of the paper include Steve Crocker, an IETF pioneer and CEO of Shinkuro; David Dagon, a post-doctoral researcher at Georgia Institute of Technology studying DNS security and a co-founder of Damballa; Danny McPherson, chief security officer for Verisign; and Paul Vixie, principal author of the pervasive BIND DNS server software and creator of several DNS standards.

The authors say they support enforcement of intellectual property rights, but that the DNS filtering requirement would stymie federal government and private industry efforts for beefing up Internet security -- namely DNSSEC. And the filters could easily be bypassed and therefore would likely be unable to quell online copyright infringement, they say.

"It's like trying to make a telephone that won't carry swear words," Kaminsky says of the DNS-filtering approach.

They maintain that the DNS filtering, which would force the censoring of websites via blacklists published by the Department of Justice, would clash with DNSSEC by encouraging the brand of network manipulation that DNSSEC aims to prevent.
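The clash the authors describe can be made concrete with a small model of a validating resolver. The following is an added example, not code from the DarkReading article or the white paper: HMAC-SHA256 over a canonical RRset stands in for an RRSIG (real DNSSEC uses public-key signatures, so a validator holds only the zone's public DNSKEY, not a shared secret), the zone `example.test.` and its addresses are constructed, and `filtering_resolver` models the two ways a recursive server could enforce a blacklist, rewriting the answer to a notice-page address or returning a bare NXDOMAIN. Because the recursive server does not hold the zone's signing key, a validating client classifies both filtered answers as bogus, exactly as it would an on-path forgery.

```python
"""Simplified model: why a filtering recursive resolver collides with DNSSEC.

Constructed example. HMAC-SHA256 over a canonical RRset stands in for an
RRSIG; real DNSSEC uses public-key signatures and the validator holds only
the zone's public DNSKEY (trust anchor), never a shared secret.
"""
import hashlib
import hmac

# Stand-in for the zone's DNSKEY / trust anchor (constructed value).
ZONE_KEY = b"constructed-trust-anchor-for-example.test"

# Records the authoritative server publishes (constructed data; the
# 203.0.113.0/24 prefix is reserved for documentation).
ZONE = {
    ("example.test.", "A"): ["203.0.113.10"],
    ("www.example.test.", "A"): ["203.0.113.10", "203.0.113.11"],
}


def canonical_rrset(name, rtype, rdata):
    """Canonical form of an RRset: owner name lower-cased, rdata sorted,
    so the signature is independent of record order and name case."""
    return "|".join([name.lower(), rtype] + sorted(rdata)).encode()


def sign_rrset(name, rtype, rdata, key=ZONE_KEY):
    """Stand-in for RRSIG generation performed by the zone signer."""
    digest = hmac.new(key, canonical_rrset(name, rtype, rdata), hashlib.sha256)
    return digest.hexdigest()


def authoritative_answer(name, rtype):
    """What the authoritative server for a signed zone returns."""
    rdata = ZONE.get((name, rtype))
    if rdata is None:
        # Real DNSSEC proves non-existence with signed NSEC/NSEC3 records;
        # modelled here as a signed empty RRset.
        return {"rcode": "NXDOMAIN", "rdata": [], "rrsig": sign_rrset(name, rtype, [])}
    return {"rcode": "NOERROR", "rdata": rdata, "rrsig": sign_rrset(name, rtype, rdata)}


def filtering_resolver(name, rtype, blacklist, sinkhole="203.0.113.250"):
    """Recursive resolver enforcing a domain blacklist.

    blacklist maps a name to "redirect" (rewrite the answer to a notice
    page) or "nxdomain" (deny the name exists). The resolver cannot sign,
    so it can only forward the original RRSIG or omit it."""
    answer = authoritative_answer(name, rtype)
    action = blacklist.get(name)
    if action == "redirect":
        return {"rcode": "NOERROR", "rdata": [sinkhole], "rrsig": answer["rrsig"]}
    if action == "nxdomain":
        return {"rcode": "NXDOMAIN", "rdata": [], "rrsig": None}
    return answer


def validate(name, rtype, response, key=ZONE_KEY):
    """Validating stub resolver: 'secure' if the RRset carries a signature
    that verifies under the trust anchor, otherwise 'bogus'. The validator
    has no way to tell a mandated filter from an attacker's forgery."""
    sig = response.get("rrsig")
    if sig is None:
        return "bogus"
    expected = sign_rrset(name, rtype, response["rdata"], key)
    return "secure" if hmac.compare_digest(sig, expected) else "bogus"


def resolve_and_validate(name, rtype="A", blacklist=None):
    """Query through the (possibly filtering) resolver and validate the result."""
    response = filtering_resolver(name, rtype, blacklist or {})
    return validate(name, rtype, response)


if __name__ == "__main__":
    policy = {"www.example.test.": "redirect", "example.test.": "nxdomain"}
    for qname, _ in ZONE:
        print(qname,
              "unfiltered:", resolve_and_validate(qname),
              "filtered:", resolve_and_validate(qname, blacklist=policy))
```

The point of the model is the last function: a validating client sees the same "bogus" verdict for a filtered answer as for a poisoned one, so any software that trusts DNSSEC would refuse the filtered response rather than display a notice page.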


A full copy of the "Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill" is available here for download.

Wednesday, May 25, 2011

NASA Says Goodbye to Spirit Mars Rover

Via discovermagazine.com (Bad Astronomy Blog) -

After nearly a year of trying to reestablish communications with the Spirit Mars rover, NASA has decided to suspend efforts. For all intents and purposes, Spirit is dead.

The rover sent its last message in March of 2010, and it was hoped that as Martian summer dawned at Spirit’s location, the solar cells might absorb enough energy to reawaken the plucky explorer. However, repeated attempts over several months have yielded no joy. And now, just months away from the launch of the much more ambitious "Curiosity" Mars Science Laboratory (MSL) — a golfcart-sized rover with better range and instrumentation than any previous mission — communications satellites and Mars orbiters NASA uses to work with Spirit need to be transitioned to MSL.

This makes me sad, of course: Spirit was an amazing machine. But I have to admit, that sadness is offset by the incredible accomplishments of the rover. Designed to last for three months, Spirit kept on roving for over six years. Imagine having a car, a computer, that lasted for 25 times the warranty!

Or living to be 1500 years old. How much could you accomplish in that time?

Spirit’s made good use of its lifespan.


Sad to see Spirit go, but its twin, Opportunity, continues active exploration of Mars - http://marsrover.nasa.gov/mission/status.html

R.I.P. Spirit, Long Live Opportunity!

Tuesday, May 24, 2011

Apple Support: How to Avoid or Remove Mac Defender Malware



A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus. The user is then offered Mac Defender "anti-virus" software to solve the issue.

This “anti-virus” software is malware (i.e. malicious software). Its ultimate goal is to get the user's credit card information which may be used for fraudulent purposes.

The most common names for this malware are MacDefender, MacProtector and MacSecurity.

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.

In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware.


Sadly, Apple doesn't recommend disabling the "Open Safe Files After Downloading" feature in Safari. But you should as a practical defense-in-depth measure...

How To Disable "Open Safe Files After Downloading" Feature In Safari

Or you can just use Google Chrome on OSX, which is my suggestion.

Monday, May 23, 2011

Targeted Attack: Trend Micro Researchers Identify Vulnerability in Hotmail

Via Trend Micro Blog -

A couple of days ago, my colleagues reported an attack that appears to be targeted and that involves email messages sent through a Webmail service. Upon further investigation, we were able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.

The said attack simply requires the targeted user to open the specially crafted email message, which automatically executes the embedded script. This then leads to the theft of critical information, specifically email messages and information about the affected user’s personal contacts. The stolen email messages may contain sensitive information that cybercriminals can use for various malicious routines.

The script connects to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.

The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field.

The URL leads to another script detected by Trend Micro as JS_AGENT.SMJ. The script triggers a request that is sent to the Hotmail server. The said request sends all of the affected user’s email messages to a certain email address. The email message forwarding, however, will only work during the session wherein the script was executed and will stop once the user logs off.

The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail. Microsoft has already taken action and has updated Hotmail to fix the said bug.

We analyzed the embedded crafted code before the actual email message’s content and discovered that once Hotmail’s filtering mechanism works on the code, it ironically helps inject a character into the CSS parameters to convert the script into two separate lines for further rendering in the Web browser’s CSS engine. This allows the cybercriminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail login session.


Microsoft has already acknowledged the presence of the vulnerability and has released a security update to address the issue.

As Microsoft’s senior response communications manager Bryan Nairn mentioned, this illustrates Microsoft and Trend Micro’s continuous effort and shared commitment to protect customers via coordinated vulnerability disclosure.

Tehrik-e-Taliban Pakistan: Who or what are they?


When regional and Western media report about terrorism in Pakistan, they frequently and indiscriminately use the labels of 'Pakistani Taliban' and 'Tehrik-e-Taliban Pakistan' (TTP). However, it remains unclear what is exactly meant by these catchall terms.

Qandeel Siddique in this DIIS Report unpacks the concept of who/what the Tehrik-e-Taliban is. The author discusses individual components of the TTP and the spread of 'talibanization' across Pakistan, and she makes an effort at understanding the organization's strength in terms of recruitment strategy, ideology and financial support. Special attention is given to the prevailing socio-economic conditions and the political history of Pakistan's north-western region as factors giving impetus to the TTP movement.

Targeted Attack: Norway Army Says Faced Cyber Attack After Libya Bombing

Via DefenseNews.com / AFP (May 19, 2011) -

The Norwegian military said May 19 that it had been the victim of a serious cyber attack at the end of March, a day after Norwegian F-16 fighter jets for the first time carried out bombings in Libya.

"The army is regularly the target of cyber and virus attacks, but not as extensive as this," Hilde Lindboe, a spokeswoman for Norwegian Defence Information Infrastructure (INI), told AFP.

On March 25, a day after Norwegian F-16s first took part in the NATO-led bombing in Libya, around 100 military employees, some of them high-ranking, received an email in Norwegian with an attachment that, once opened, let loose a virus made to extract information from the host computer.

"From what we have seen, no sensitive information has been obtained," Lindboe said.

According to INI, only one computer containing non-classified information was contaminated.

The Norwegian Police Security Service (PST) has opened an investigation to determine who launched the attack, but authorities say it is too soon to say whether there was a link to the Libya bombings.


Sometimes it can be hard to determine if reports of targeted attacks are really targeted, but in this case...I think the fact that the e-mails were written in Norwegian and took aim at Norwegian army officials adds some serious credibility to calling it a “targeted attack”.

It would be interesting to know if the subject of the malicious e-mails or the malicious attachments directly referenced the new NATO campaign in Libya.

TrendMicro Threat Encyclopedia: Understanding Highly Targeted Attacks

Multiverse = Many Worlds, Say Physicists

Via The Physics arXiv Blog (MIT Technology Review) -

The many worlds interpretation of quantum mechanics is the idea that all possible alternate histories of the universe actually exist. At every point in time, the universe splits into a multitude of existences in which every possible outcome of each quantum process actually happens.

So in this universe you are sitting in front of your computer reading this story, in another you are reading a different story, in yet another you are about to be run over by a truck. In many, you don't exist at all.

This implies that there are an infinite number of universes, or at least a very large number of them.

That's weird but it is a small price to pay, say quantum physicists, for the sanity the many worlds interpretation brings to the otherwise crazy notion of quantum mechanics. The reason many physicists love the many worlds idea is that it explains away all the strange paradoxes of quantum mechanics.


Let's put the many world interpretation aside for a moment and look at another strange idea in modern physics. This is the idea that our universe was born along with a large, possibly infinite, number of other universes. So our cosmos is just one tiny corner of a much larger multiverse.

Today, Leonard Susskind at Stanford University in Palo Alto and Raphael Bousso at the University of California, Berkeley, put forward the idea that the multiverse and the many worlds interpretation of quantum mechanics are formally equivalent.

But there is a caveat. The equivalence only holds if both quantum mechanics and the multiverse take special forms.


At one time, such an idea would have been heresy. But in theory, it could be done if an observer could perform an infinite number of experiments and observe the outcome of them all.

But that's impossible, right? Nobody can do an infinite number of experiments. Relativity places an important practical limit on this because some experiments would fall outside the causal horizon of others. And that would mean that they couldn't all be observed.

But Susskind and Bousso say there is a special formulation of the universe in which this is possible. This is known as the supersymmetric multiverse with vanishing cosmological constant.

If the universe takes this form, then it is possible to carry out an infinite number of experiments within the causal horizon of each other.

Now here's the key point: this is exactly what happens in the many worlds interpretation. At each instant in time, an infinite (or very large) number of experiments take place within the causal horizon of each other. As observers, we are capable of seeing the outcome of any of these experiments but we actually follow only one.

Bousso and Susskind argue that since the many worlds interpretation is possible only in their supersymmetric multiverse, they must be equivalent. "We argue that the global multiverse is a representation of the many-worlds in a single geometry," they say.

They call this new idea the multiverse interpretation of quantum mechanics.


But what this idea lacks is a testable prediction that would help physicists distinguish it experimentally from other theories of the universe. And without this crucial element, the multiverse interpretation of quantum mechanics is little more than philosophy.

That may not worry too many physicists, since few of the other interpretations of quantum mechanics have testable predictions either (that's why they're called interpretations).

Still, what this new approach does have is a satisfying simplicity: it's neat and elegant that the many worlds and the multiverse are equivalent. William of Ockham would certainly be pleased and no doubt, many modern physicists will be too.

Friday, May 20, 2011

Sophos Whitepaper: What is ZeuS?



Zeus or Zbot is one of the most notorious and widely-spread information stealing Trojans in existence. Zeus is primarily targeted at financial data theft; its effectiveness has led to the loss of millions worldwide. The spectrum of those impacted by Zbot infections ranges from individuals who have had their banking details compromised, to large public order departments of prominent western governments.

We will explore the various components of the Zeus kit from the Builder through to the configuration file; examine in detail the functionality and behaviour of the Zbot binary; and assess emerging and future trends in the Zeus world.

Symantec - W32.Qakbot in Detail



W32.Qakbot is a worm that has been seen spreading through network shares, removable drives, and infected webpages, and infecting computers since mid-2009. Its primary purpose is to steal online banking account information from compromised computers. The malware controllers use the stolen information to access client accounts within various financial service websites with the intent of moving currency to accounts from which they can withdraw funds. It employs a classic keylogger, but is unique in that it also steals active session authentication tokens and then piggybacks on the existing online banking sessions. It then quickly uses that information for malicious purposes.

In-field telemetry shows that the malware authors have gotten more and more aggressive and successful in their ability to infect the common client. Even though we don’t have evidence to show the increase in monetary gain made by malware controllers, we do believe the in-field propagation is directly proportional to the loss incurred by banks and end clients.

There are several information stealing Trojans found in cyberspace today. What makes Qakbot stand apart from most of the others is sophistication and continuous evolution. The purpose of this white paper is to provide an insight into the worm’s capabilities.


Qakbot has been gaining some press recently, especially with this recent outbreak in April at Massachusetts Department of Unemployment Assistance and Department of Career Services.

For more information on Qakbot, check out this RSA paper from Oct 2010.
Businesses Beware: Qakbot is No Laughing Matter [PDF]

Panetta Warns CIA Employees Against Bin Laden Leaks

Via Washington Post -

CIA Director Leon E. Panetta warned agency employees not to reveal secrets about the raid on Osama bin Laden’s compound earlier this month, saying in a memo sent to employees Wednesday that disclosures could jeopardize future operations.

"The intense public and media interest in the operation that killed Osama bin Laden has led to an unprecedented amount of very sensitive — in fact, classified — information making its way into the press," Panetta said, according to a copy of the memo obtained Thursday by The Washington Post.

Panetta’s message is part of a broader effort by the Obama administration to clamp down on disclosures surrounding the raid, as well as months of sensitive intelligence-gathering efforts that preceded it.

Senior Defense Department officials had conveyed a similar message in a news briefing Wednesday at the Pentagon. "We have talked far too much about this," said Adm. Mike Mullen, the chairman of the Joint Chiefs of Staff. "We need to move on."


In his note, Panetta warned that the agency will investigate leaks and that, "when warranted, referrals will be made to the Dept. of Justice." He also said CIA employees "have every reason to be proud of the bin Laden operation." Obama is scheduled to appear at CIA headquarters Friday to congratulate employees on the operation.

Russia Expels Israeli Military Attache for 'Industrial Espionage'

Via telegraph.co.uk -

In a scandal that risks souring traditionally good relations between the two countries, Russian security sources claimed that Air Force Colonel Vadim Leiderman, Israel's military attaché in Russia, had been caught "red-handed" receiving classified documents in Moscow last Thursday.

"This deals entirely with industrial espionage or rather his overly active work on behalf of certain Israeli companies on the Russian market," a Russian security source told the RIA Novosti news agency.

Col Leiderman was reportedly detained at a café where he was meeting a source from the Russian defence ministry and questioned for several hours before being told to leave the country within 48 hours.

Israel's Haaretz daily said the Soviet-born diplomat's expulsion was the first incident of its kind in almost two decades. Israeli officials insisted Col Leiderman had been questioned on his return and put through a lie-detector test, and that the allegations against him were "without foundation". According to claims in the Israeli media, Russia had attempted to recruit him as a double agent and grown angry when he refused.

New 64-Bit Rootkit Being Used to Steal Banking Credentials

Via Threatpost.com -

Security researchers have come across a new rootkit that is designed specifically to infect 64-bit Windows systems and steal users' online banking credentials. It's believed to be the first piece of malware of its kind that is capable of compromising x64 systems.

The new rootkit is being used by attackers in Brazil as part of drive-by download attacks and is then used to steal banking credentials after the infection. The malware has the ability to change some of the boot configurations of infected machines and then aims to redirect users to phishing sites. The new rootkit can infect machines running either 32-bit or 64-bit versions of Windows.

The drive-by download is accomplished by using a malicious Java applet that is targeted at older versions of the Java Runtime Environment. The applet includes a number of files that each have different jobs to do once they're on an infected PC, including one that disables the Windows User Account Control mechanism.


The rootkit mainly is being seen in Brazil right now, a country where the penetration of online banking is extremely high.


Rootkit Banker - now also to 64-bit

Thursday, May 19, 2011

Sayf al-’Adl and al-Qa’ida’s Historical Leadership

Via Jihadica.com -

In light of the widely reported news that Sayf al-‘Adl (also spelled Saif al-Adel) has taken the reins of operational leadership within al-Qa’ida in the wake of the death of Osama bin Laden, I thought it would be useful to Jihadica’s readers to provide a bit of context about this man and about the significance, if any, of these reports (see, e.g., Musharbash and Bergen), all of which rely on the testimony of Noman Benotman, a former leader of the Libyan Islamic Fighting Group.


Good background on Sayf al-‘Adl...

CDC: Preparedness 101: Zombie Apocalypse


There are all kinds of emergencies out there that we can prepare for. Take a zombie apocalypse for example. That’s right, I said z-o-m-b-i-e a-p-o-c-a-l-y-p-s-e. You may laugh now, but when it happens you’ll be happy you read this, and hey, maybe you’ll even learn a thing or two about how to prepare for a real emergency.


The rise of zombies in pop culture has given credence to the idea that a zombie apocalypse could happen. In such a scenario zombies would take over entire countries, roaming city streets eating anything living that got in their way. The proliferation of this idea has led many people to wonder “How do I prepare for a zombie apocalypse?”

Well, we’re here to answer that question for you, and hopefully share a few tips about preparing for real emergencies too!


Very smart move by the CDC to add some humor to the serious (and sometimes dry) subject of emergency preparedness.

They have also created various buttons & banners to capitalize on the recent 'Zombie' attention surge...

Wednesday, May 18, 2011

Fearing Destruction, Researcher Cancels Disclosure of New Siemens SCADA Holes

Via Wired.com (Threat Level) -

A security researcher has discovered multiple security vulnerabilities in Siemens industrial control systems that he says would allow hackers with remote access to the systems to cause physical destruction.

Dillon Beresford canceled a planned demonstration of the vulnerabilities on Wednesday at the Takedown security conference in Texas after Siemens and the Department of Homeland Security expressed concern over the phone and at the conference about disclosing information before Siemens could patch the vulnerabilities.

Beresford, a researcher who works for NSS Labs in Austin, Texas, says he decided to cancel the talk — “Chain Reactions–Hacking SCADA” — after realizing the full ramifications of the information he planned to reveal.

“Based on my own understanding of the seriousness behind this, I decided to refrain from disclosing any information due to safety concerns for the consumers that are affected by the vulnerabilities,” Beresford told Threat Level, adding that “DHS in no way tried to censor the presentation.”


The decision to pull the talk at the last minute caused rumors to fly at the conference. Another presenter at Takedown tweeted that DHS had banned Beresford’s talk.

But Beresford disputed this and said he’s been “extremely impressed” with the way ICS-CERT has handled the matter.

“This is different from simply stealing money out of someone’s bank account,” said NSS Labs CEO Rick Moys. “Things could explode. I don’t want to overplay this and sound like it’s a bunch of FUD but physical damage can occur and people can be seriously injured or worse. So we felt … it was best to be prudent and wait a little bit longer until we get more information.”

Microsoft EMET v2.1 Released


Today we are pleased to announce a new version of the Enhanced Mitigation Experience Toolkit (EMET) with brand new features and mitigations. Users can click here to download the tool free of charge.

The Enhanced Mitigation Experience Toolkit enables and implements different techniques to make successful attacks on your system more difficult. EMET is designed to mitigate exploitation attempts (even of 0-days) by making “current” exploitation techniques harder and less reliable. Users interested in finding out more about EMET can read more here.


This release marks a big milestone for EMET since this is the first version that is available as an officially-supported product. Support will be form-based, with the on-line form available here.

Today’s release comes with some new features:
  • EMET is an officially-supported product, with support provided through online forms
  • New “Bottom-up Rand” mitigation: once EMET has enabled it, the base address of bottom-up allocations (including heaps, stacks, and other memory allocations) is randomized with 8 bits of entropy.
  • Export Address Filtering is now available for 64-bit processes. EAF filters all accesses to the Export Address Table, which blocks most existing shellcode
  • Improved command line support for enterprise deployment and configuration
  • Ability to export/import EMET settings
  • Improved SEHOP (structured exception handler overwrite protection) mitigation
  • Minor bug fixes

Diplomats: IAEA Fears Iran Hackers

Via Yahoo News! (AP) -

The U.N. nuclear agency is investigating reports from its experts that their cellphones and laptops may have been hacked into by Iranian officials looking for confidential information while the equipment was left unattended during inspection tours in the Islamic Republic, diplomats have told The Associated Press.

One of the diplomats said the International Atomic Energy Agency is examining "a range of events, ranging from those where it is certain something has happened to suppositions," all in the first quarter of this year. He said the Vienna-based nuclear watchdog agency was alerted by inspectors reporting "unusual events," suggesting that outsiders had tampered with their electronic equipment.

Two other diplomats in senior positions confirmed the essence of the report but said they had no further information. All three envoys come from member nations of the International Atomic Energy Agency and spoke on condition of anonymity because their information was privileged.

Agency spokeswoman Gill Tudor said the IAEA had no comment on the issue. IAEA inspectors are in Iran touring various facilities every other week.


An agency official, who also spoke on condition that he not be identified, said strict security measures included inspectors' placing their cellphones into seamless paper envelopes, then sealing these and writing across the seal and the envelope to spot any unauthorized opening while they were away.

He said inspectors are not allowed to take their cellphones with them while touring Iran's uranium enrichment facilities and other venues. Laptops, he said, are either locked in bags or sealed the same way as cellphones when they are left temporarily unattended by inspectors. The computers also are sometimes left unattended in hotel rooms at the end of a work day, he said.

But the diplomat who spoke at greatest length about the reported breach said the Iranians had found ways to overcome the security measures. He said he had no further details.

Iran has been under IAEA inspections for nearly a decade after revelations that it was running a secret uranium enrichment program and has been hit with four rounds of U.N. Security Council sanctions over its refusal to halt the activity.

Behind Today’s Crimeware Installation Lifecycle



The distribution and installation of malicious and unauthorized software has evolved consistently throughout the 21st Century. The evolutionary path from annoying viruses, to destructive malware and on to financially driven crimeware, is well documented and can even be traced through the parallel evolution of technologies designed to counter each aspect of the then contemporary threat.

While the individual technologies embedded within crimeware have evolved incrementally – and some people argue today that the rate of innovation has slowed down over recent years – the diversity in which these technologies are applied to fraudulent and criminal ventures has accelerated. Or, to put it another way, professional cyber criminals have been increasingly inventive in ways in which to apply a “standard” toolset of malware features to the way they conduct their criminal ventures.

As traditional malware features continue to consolidate into professionally maintained and purchasable crimeware construction packs with 24x7 support and guaranteed “Fully Undetectable” (FUD) service level agreements, much of the newest innovation has occurred in the methods and mechanisms that install, update and regulate the control of the crimeware installed upon the victims computing device.

Misinterpretation of legacy malware propagation processes and failures in understanding the innovation and dynamism of modern crimeware installation techniques pose a significant risk to businesses facing off against an onslaught of highly motivated cybercriminals. Incorrect assumptions and an outdated understanding of the threat have resulted in organizations pursuing ineffective protection strategies and a bewildered reactive response to successful breaches.

This paper examines the advancements of legacy malware installation techniques and those currently employed by professional cybercriminals. By understanding the modern crimeware installation lifecycle and exposing the reasoning behind each criminal tactic, organizations under the crosshairs of their attackers will better appreciate the limitations of the security technologies they currently deploy and will ideally be armed with the intelligence they need to develop more robust protection plans and incident response handling strategies.


Hat-tip to Damballa for the whitepaper.

How UCLA Students Came Close to Predicting Bin Laden’s Hideout

Via analysisintelligence.com (Recorded Future Blog) -

Excerpt from UCLA Today:

“They didn’t get his address quite right, but five UCLA undergraduates and a geography professor came fairly close to pinpointing the whereabouts of the world’s most wanted terrorist — and they did it more than two years before Osama bin Laden was actually found…

Cleverly, they did it using theories typically used by biogeographers to determine the likely location of endangered birds or plants, high-resolution satellite imagery, remote sensing data and an analysis of life history characteristics.

In a prescient paper that was published in MIT International Review on Feb. 17, 2009, geography students taking the class “Remote sensing in the environment” taught by Professor Thomas Gillespie came up with a probability model that pointed to a city in northwest Pakistan, Parachinar, as bin Laden’s most likely hideout. Although that location turned out to be 230 miles from Abbottabad, where he was found and killed Sunday, the UCLA researchers’ model turned out to be on track. Based on concentric circles identifying probability over large areas of Afghanistan and Pakistan, the model predicts that there would be an 88.6 percent chance that bin Laden would be found in the area where Abbottabad is located.”

Via the Sandfire blog. See the full study details at the MIT International Review [PDF].

AQAP: Al Qaeda's Leadership in Yemen

Via STRATFOR (Security Weekly) -

On May 5, a Hellfire missile fired from a U.S. unmanned aerial vehicle (UAV) struck a vehicle in the town of Nissab in Yemen’s restive Shabwa province. The airstrike reportedly resulted in the deaths of two Yemeni members of the Yemen-based al Qaeda franchise group al Qaeda in the Arabian Peninsula (AQAP) and injured a third AQAP militant. Subsequent media reports indicated that the strike had targeted Anwar al-Awlaki, a U.S.-born member of AQAP, but had failed to kill him.

The May 5 strike was not the first time al-Awlaki had been targeted and missed. On Dec. 24, 2009 (a day before the failed AQAP Christmas Day bombing attempt against Northwest Airlines Flight 253), an airstrike and ground assault was launched against a compound in the al-Said district of Shawba province that intelligence said was the site of a major meeting of AQAP members. The Yemeni government initially indicated that the attack had killed al-Awlaki along with several senior AQAP members, but those reports proved incorrect.


All this is to say that a UAV strike in Yemen is not particularly surprising — nor is a strike targeting AQAP or al-Awlaki. Indeed, we noted in January our belief that AQAP had eclipsed the al Qaeda core on the physical battlefield due to the efforts of its tactical commanders and on the ideological battlefield due to the efforts of its propaganda wing, Al-Malahem Media.

One thing that has struck us as odd about the May 5 airstrike, however, is the way al-Awlaki has been characterized in the press. Several media outlets have referred to him as the leader of AQAP, which he clearly is not (he is not even the group’s primary religious leader). Other reports have even speculated that al-Awlaki could be in line to become the global leader of the jihadist movement following the death of Osama bin Laden. In light of such statements, it seems a fitting time to discuss once again the leadership of AQAP and to examine al-Awlaki’s role within the organization.


Read more: Al Qaeda's Leadership in Yemen | STRATFOR

Beating Up on Android: Practical Android Attacks



In this talk Massimiliano Oldani and Bas Alberts exploit the Android attack surface. The talk demonstrates the various ways Android devices may be compromised both remotely and locally, and explores many of the interesting things a remote attacker can do once they have established access to an Android device.


This talk was presented at Immunity Inc.'s Infiltrate 2011 conference by two senior researchers for Immunity, Inc.

The Beast of Kandahar: Secret Stealth Drone Spied on Bin Laden

Via Wired.com (Danger Room) -

Two years ago, pictures leaked of a previously unknown, bat-winged drone operating out of Afghanistan’s Kandahar airport. Speculation spiked about the mission of the mysterious aircraft, instantly nicknamed “the Beast of Kandahar” by secret plane-spotter extraordinaire Bill Sweetman.

The drone’s smooth, curved shape meant it was stealthy — hard for radars to spot. But the Taliban didn’t have any radars. So what was the Beast doing?

Some suggested that it might be snooping on Iran’s nuclear program. Others thought the drone (officially known as the RQ-170 Sentinel) might be the test bed for a new, microwave weapon to fry enemy electronics or a next-gen jammer to screw with enemy communications. The drone was even spotted over Korea; maybe it was watching missile launches while avoiding the prying eyes of our foes in Pyongyang?

Turns out, the Beast wasn’t dodging enemy radars, at least not lately. It was avoiding detection by our putative allies in Pakistan, as it gathered intelligence about Osama bin Laden’s whereabouts.

The CIA used the drone to “fly dozens of secret missions deep into Pakistani airspace and monitor the compound where Osama bin Laden was killed,” according to the Washington Post.


The Beast never spotted bin Laden directly. But “the agency concluded after months of watching the complex that the figure frequently seen pacing back and forth was probably the al-Qaida chief,” according to the paper. The drone, which is believed to have a 48-foot wingspan and a gross takeoff weight of 2700 pounds, also had eavesdropping equipment. That allowed American operatives to listen up, in case the Pakistanis caught wind of the secret aircraft spying overhead.


Lockheed Martin RQ-170 Sentinel

Monday, May 16, 2011

IIS7 Header Block Released

Via Security-Shell -

Context Information Security have released a module for IIS 7 to block information leakage from HTTP headers. A standard web application penetration test recommends the removal of any version number information. Previously the IIS urlscan tool could be used to block this information, however, for IIS 7 this is no longer possible, therefore Context have released this module to block this information.

HTTP headers are name/value sets of data that are transmitted between the client (web browser) and the web server. HTTP headers are used to transmit key data such as HTTP cookies. Excessive HTTP headers can aid an attacker by either identifying particular technologies used within a web application or presenting specific software version information. Whilst minimising the attack surface by preventing information leakage is not a panacea it is a step towards improving security. With the introduction of new Microsoft frameworks such as ASP.Net and MVC it appears that the number of HTTP headers returned by the IIS web server is increasing. An example of these headers is shown below:

Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

Download and more info: http://www.contextis.co.uk/resources/tools/headerblock/
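As an added example (not Context's HeaderBlock module or code from the post), the following Python script parses a raw HTTP response and flags the technology- and version-disclosing headers the post lists, extracting any version strings they carry. The response text is constructed inline to mirror the header set shown above; the list of header names to flag is an assumption based on that set.

```python
"""Flag HTTP response headers that disclose server-side technology or versions.

Feed it a raw response captured from a web server (here a constructed sample)
and it reports the headers a penetration test would normally recommend
removing, together with any version numbers they expose.
"""
import re

# Header names the post shows IIS/ASP.NET emitting (assumption: the set a
# pentester would flag; extend as needed for other stacks).
DISCLOSING_HEADERS = {
    "server",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-powered-by",
}

# Matches dotted version numbers such as 7.5 or 4.0.30319.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response_headers(raw):
    """Return a dict of lower-cased header name -> value from a raw response.

    Only the header block (everything before the first blank line) is parsed;
    the status line is skipped and repeated header names are joined with ', '.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # malformed line: ignore rather than guess
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def find_disclosures(headers):
    """Return [(header, value, [versions...])] for each disclosing header present.

    A header is reported even when it carries no version (e.g. X-Powered-By:
    ASP.NET), because naming the framework alone narrows an attacker's search.
    """
    findings = []
    for name in sorted(headers):
        if name in DISCLOSING_HEADERS:
            findings.append((name, headers[name], VERSION_RE.findall(headers[name])))
    return findings


def report(raw):
    """Human-readable summary for one raw response."""
    findings = find_disclosures(parse_response_headers(raw))
    if not findings:
        return "no disclosing headers found"
    lines = []
    for name, value, versions in findings:
        detail = f" (versions: {', '.join(versions)})" if versions else " (technology only)"
        lines.append(f"{name}: {value}{detail}")
    return "\n".join(lines)


# Constructed sample: the header set shown in the post, before HeaderBlock.
SAMPLE_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-AspNetMvc-Version: 2.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Mon, 16 May 2011 12:00:00 GMT\r\n"
    "Content-Length: 6\r\n"
    "\r\n"
    "<html>"
)

# Constructed sample: the same response with the disclosing headers stripped.
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Date: Mon, 16 May 2011 12:00:00 GMT\r\n"
    "Content-Length: 6\r\n"
    "\r\n"
    "<html>"
)

if __name__ == "__main__":
    print("--- before ---")
    print(report(SAMPLE_LEAKY))
    print("--- after ---")
    print(report(SAMPLE_HARDENED))
```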

New Version of Alureon Ups the Ante on Encryption

Via Threatpost.com -

A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected.

Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components.

Researchers at Microsoft took apart the newest version of Alureon and found that the malware now uses what is essentially a brute-force attack to decrypt its own encrypted components.


The Microsoft researchers found that not only did the new version of Alureon employ the encryption and decryption routine, but it also tries to complicate matters by spreading the encrypted data out all over the place.

"Interestingly enough, the encrypted buffer supplied as input for the decryption function is not found as a contiguous memory region but instead is scattered throughout the PE's image, being spread between code, data, resources, etc. This makes static recovery of the encrypted file more complicated," Microsoft's Marian Radu and Daniel Radu wrote in their blog post on the malware.

Older versions of Alureon, which also is known as TDL and TDSS, have included some other interesting capabilities, as well. A version discovered last November had the ability to bypass the driver-signing protection on Windows 7 and Vista that is meant to prevent malicious code from being loaded at start up. TDL4 was able to do this by changing the applications that Windows will allow to load an unsigned driver.

Sunday, May 15, 2011

Targeted Attack Exposes Risk of Checking Personal Webmail at Work

Via TrendMicro Malware Blog (May 13, 2011) -

TrendLabs is currently monitoring an in the wild attack which highlights the underrated and often ignored risk to companies that allow employees to check their personal webmail while at work.

Yesterday, one of our colleagues in Taiwan received what looks like a targeted attack via webmail. Unlike other email-based attacks that require users to open the email, click on an embedded link or download and execute an attachment, this attack merely requires the user to preview the message in their browser in order to launch the attack.


Previewing the message prompts the download of a script from a remote URL. The downloaded script then injects itself into the page to initiate information theft. The stolen information includes sensitive data such as email messages and contact information. More importantly, the script also sets up email forwarding that sends all the user’s messages to a specific address.

The email appears to be specially crafted for a specific recipient, in which their Hotmail ID is specifically used in the malicious script embedded in the mail. Also, the subsequent download is based on the Hotmail ID and a number specified by the attacker. Changing the number may change the payload.

If an employee checks their personal webmail at work and falls victim to the attack, the attacker can have access to sensitive information that might be related to the company the employee is working for, including contacts, and email messages. Companies should take the risk of this and similar attacks seriously, especially considering that merely previewing the email launches the attack.

UN Report: North Korea and Iran 'Sharing Ballistic Missile Technology'

Via BBC -

North Korea and Iran appear to have been exchanging ballistic missile technology in violation of sanctions, a leaked UN report shows.

The report, obtained by Reuters, said regular transfers had been taking place through "a neighbouring third country", named by diplomats as China.

The sanctions were imposed on Pyongyang by the UN after it conducted a series of nuclear tests in 2006 and 2009.

They ban all trade in nuclear and missile technology with North Korea.

They also imposed an arms embargo and subjected some North Korean individuals to travel bans and assets freezes.

North Korea has twice tested nuclear devices and said in September last year that it had entered the final phase of uranium enrichment.

The country is believed to have enough plutonium to make about six bombs, but is not thought to have developed a ballistic missile capable of carrying a nuclear warhead.

The report was written by a UN panel of experts monitoring Pyongyang's compliance with the sanctions.

It said that "prohibited ballistic missile-related items are suspected to have been transferred between the Democratic People's Republic of Korea [North Korea] and the Islamic Republic of Iran", using regular scheduled flights on national carriers Air Koryo and Iran Air.

For arms and related material, "whose illicit nature would become apparent on any cursory physical inspection", Pyongyang appeared to prefer the use of chartered cargo flights, Reuters quoted it as saying.

The flights would travel "from or to air cargo hubs which lack the kind of monitoring and security to which passenger terminals and flights are now subject".

This presented "new challenges to international non-proliferation efforts", said the panel.


The report said the transfers travelled through "a neighbouring third country". The country was not named in the report but one diplomat told the BBC some sanctions-busting takes place through China.

He said Beijing was unhappy with the experts' report, and that the Chinese member of the panel had not signed off on it.


Dispatch: China Blocks U.N. Report on Missile Technology Transfers

Saturday, May 14, 2011

American Supporters of Pakistan Taliban Sent More Than $40,000 To Fund Terror

Via IntelWire.net -

Three naturalized American citizens in South Florida have been indicted for providing money and material support to the Pakistani Taliban, the Justice Department announced today.

Those arrested today and charged include:
  • Hafiz Muhammed Sher Ali Khan, 76, imam of the Miami Masjid
  • Hafiz Khan's son, Irfan Khan, 37, also of Miami, Jamaat Al-Mu’mineen Mosque in Margate, Fla.
  • Izhar Khan, 24, of North Lauderdale, Fla.

Three others living in Pakistan were charged under the same indictment, but are still at large. It was not immediately clear if they were also American citizens.
  • Ali Rehman, aka “Faisal Ali Rehman”
  • Hafiz Khan's daughter, Amina Khan
  • Hafiz Khan's grandson, Alam Zeb

Full text of indictment


DoJ: Six Individuals Charged for Providing Material Support to the Pakistani Taliban
Six individuals located in South Florida and Pakistan have been indicted in the Southern District of Florida on charges of providing financing and other material support to the Pakistani Taliban, a designated foreign terrorist organization. The charges were announced today by Wifredo A. Ferrer, U.S. Attorney for the Southern District of Florida; John V. Gillies, Special Agent in Charge, FBI Miami Field Office, and the members of the South Florida Joint Terrorism Task Force (JTTF).


In closing, Mr. Ferrer noted, “Let me be clear that this is not an indictment against a particular community or religion. Instead, today’s indictment charges six individuals for promoting terror and violence through their financial and other support of the Pakistani Taliban. Radical extremists know no boundaries; they come in all shapes and sizes and are not limited by religion, age or geography.”

Wednesday, May 11, 2011

The Downfall of the Mighty – Zeus Trojan’s Source Code Leaked and Now Available Everywhere

Via RSA FraudAction Research Labs -

Word of yet another historical moment in cybercrime is quickly spreading through the fraud underground and through the legitimate web – the Zeus Trojan’s source code has been made public and is now freely available to anyone wanting a piece of the infamous old “King of Trojans.”

It appears that the Zeus source code has been leaked almost in full – either due to a mishap of some sort, or intentionally exposed by its current owner – hacker and coder “Gribodemon”/ “Harderman”. The entire source code, minus one interesting folder titled “Worm”, has been made available online, reaching even as far as malware researcher chat groups on some social networking sites.

The mere fact that code has somehow been leaked has raised some eyebrows; RSA Research Lab engineers have raised a suspicion that “Harderman” is behind an intentional leak, aiming to abolish the Zeus code’s value once and for all and increasing the sale of his hybrid SpyEye Trojan. The fact that the newest feature was missing from the leaked source code – most probably a replication mechanism planned for the Zeus Trojan – seems to hint to the possibility of an intentional leak.

By exposing Zeus this way a few developments may follow:
  • Malware code writers, other than those on “Harderman’s” team, may pick up where Zeus’ original coder left off and attempt to further develop the code, continuing to sell it to fraudsters.
  • Code writers may freely create and sell Zeus Trojan builders – for a fraction of its original price tag.
  • Zeus binaries may increasingly be sold by long time Zeus owners in SaaS mode, priced “per variant”
  • The Zeus code could be dispersed into the hands of many, causing its corruption and devaluation, rendering it obsolete.
  • SpyEye may continue rising as the Trojan of the chosen few – a crimeware tool par excellence made for cyber criminals who can afford the best.
  • SpyEye will likely replace Zeus as the only advanced crimeware code commercially available, along with support, upgrades and a strong development team running the arms race against online banking fraud prevention.


Don't believe ZeuS was a professionally developed cybercrime tool? Check this...

ZeuS User Guide

Tuesday, May 10, 2011

Understanding the Modern DDoS Threat



The breadth of cyber threats that an organization must engage with and combat seemingly change on a daily basis. Each new technology, vulnerability or exploit vector results in a new threat that must be protected against. Meanwhile some forms of attack never appear to age - they remain a threat to business continuity despite years of advances in defensive strategy. One particularly insidious and never-ending threat is that of the Distributed Denial of Service (DDoS) attack.

Never far from the news headlines, DDoS attacks are the staple disruptive technique preferred by an increasingly broad spectrum of attackers. While they may be the oldest and most commonly encountered form of cyber attack, defenses against them are often non-trivial and even the best tried-and-tested protection can fail under a sufficiently well conceived attack.

This paper examines the technology, coordination tactics and motivations behind the DDoS attacks likely to pose a risk to Internet accessible businesses now and in the immediate future.

Monday, May 9, 2011

Wanted: Charismatic Terror Mastermind. Some Travel Required.

Via foreignpolicy.com (May 3, 2011)

As speculation about al Qaeda's leadership succession mounts in the wake of Osama bin Laden's death, the answer to who will assume control next lies in the organization's rules and regulations -- like those of any good corporation. Written and reviewed by a group of senior leaders, some of whom may now be poised to assume new positions within al Qaeda, they provide insight into how this critical transition will be handled, and will factor heavily into who is selected to move up the leadership ladder.

Al Qaeda's organizational protocols (some earlier versions of which are available at the Combating Terrorism Center at West Point) make clear that a chain of succession exists. In the event of the capture or death of al Qaeda's emir (leader), power automatically transfers to the deputy emir (currently Ayman al-Zawahiri), with an executive council vote to follow -- confirming his permanent election to the position, or selecting another leader. If both the emir and his deputy are killed or captured, power temporarily goes to the head of the executive council (again with a vote following to confirm his leadership or select another member). The executive council is comprised of the emir and his deputy, as well as senior leaders from al Qaeda, usually those who head up a section in the organization, such as the military, security, or administration branches. It is a small body, probably now comprised of only a handful of members, although it once numbered around 10 when al Qaeda was safely ensconced in Afghanistan. It is from within this body that a new emir would be chosen if Zawahiri and his new deputy were to be killed or captured or otherwise deemed unfit to lead.


Leah Farrall is the author of the All Things Counter Terrorism Blog and is a former senior Counter Terrorism Intelligence Analyst with the Australian Federal Police (AFP). During her time with the AFP, Leah served as the organization’s al Qaeda subject matter specialist and worked on a range of international and domestic counter terrorism investigations.

As indicated by Will @ Jihadica, there will be no new Bin Laden...but only new leaders of AQ.

Google Chrome Pwned by VUPEN: Sandbox/ASLR/DEP Bypass


We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox.

The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).

The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level. Note: The Calculator is used here as an example, it can be replaced by any other payload.

While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.

This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services.


Possible Mitigation

@scarybeasts Chris Evans (Information Security Engineer at Google Inc.)
@fjserna @VUPEN Yeah, looks like a Flash bug. Defend as per normal (Plug-ins -> Block).

N.Korea’s Highly Trained Hacker Brigades

Via Chosunilbo (HT Infowar Monitor) -

North Korea’s 1,000 or so hackers are as good as their CIA counterparts, experts believe. Due to difficulties in expanding its conventional weapons arsenal following the economic hardships during the 1990s, North Korea apparently bolstered electronic warfare capabilities.

The regime opened Mirim University, now renamed Pyongyang Automation University, in the mid-1980s to train hackers in electronic warfare tactics. A defector who graduated from Mirim University said classes were taught by 25 Russian professors from the Frunze Military Academy. They trained 100-110 hackers every year.

The Amrokgang College of Military Engineering, the National Defense University, the Air Force Academy and the Naval Academy also train electronic warfare specialists.

Jang Se-yul, who served in a North Korean hacker brigade, said on Tuesday there are around two brigades, or 1,200 soldiers in total, directly supervised by the department that handles electronic warfare. “Each squad also operates a unit specializing in cyber warfare.” The two electronic warfare brigades are stationed in Sangwon and Nampo in South Pyongan Province.

North Korea’s General Bureau of Reconnaissance, which oversees all espionage operations against South Korea, also specializes in electronic warfare. A source said overall conditions for North Korea’s electronic warfare units’ hacking operation have improved because of the expanding Internet infrastructure in China. “In the past, they had to operate in faraway locations like Canada or Australia, but now they can operate effectively in areas close to the Chinese border.” They apparently operate from Dandong and Dalian.

Sunday, May 8, 2011

At 9/11 Memorial, Name Placements Reflect Bonds Between Victims, Thanks To Algorithm

Via fastcodesign.com -

On that terrible morning, when American Airlines Flight 11 hit the North Tower of the World Trade Center, Victor Wald, 50, was working in his 84th floor office at the small brokerage firm, Avalon Partners. Like his colleagues, he raced for the exits, and scrambled down the stairs. But, having suffered from rheumatic fever as a child, he collapsed in exhaustion on the 53rd floor, as frantic workers from the building's upper floors hastily passed him by. Harry Ramos, 46, the head trader at the small investment bank, May Davis Group, who worked on the 87th floor, saw him on the stairs, and stopped.

They had never met, had no friends or relatives in common. But Ramos saw Wald and said, "I won't leave you." Ramos managed to coax Wald down to the 36th floor, where they sat together as the building collapsed.

When the National September 11 Memorial opens this fall, on the tenth anniversary of that world-changing day, the two friends’ names will be inscribed next to each other on the granite wall surrounding the Memorial Garden’s fountains.

Their adjacency is the product of a masterful bit of programming undertaken by the New York media design firm Local Projects, which took 1,800 requests from families of the 3,500 9/11 victims, and created an algorithm that let them be grouped by affinity: firefighters with firefighters, cops with cops, all the members of each of the flights, first responders, or just pals.

Thursday, May 5, 2011

IncognitoRAT - Java Botnet Found in the Wild

Via McAfee Labs -

Most of today’s malware works on Windows and its apps, because it can affect a lot of people around the world. However, other platforms are becoming more popular every day and attracting bad guys who are starting to create malicious code for other systems.

A further threat is cross-platform malware that can execute on Windows and Mac using Java; this type of malware can run in a multiplatform Java Virtual Machine. IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms.

The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs. The victim’s machine has to have the Java Runtime Environment installed and must be online. As soon as the file is executed, it starts downloading a ZIP file with a pack of Java-based libraries to perform several remote activities:


According to public information, this malicious code is available for Windows, Mac OS X, and iPhone/iPad (the last only to control infected computers). However, we’ve seen only the PC version in a downloader/dropper in the wild. McAfee products detect this malware in our latest DATs as JV/IncognitoRAT.

Whitepaper: A Criminal Perspective on Exploit Packs



Criminals refer to it as a “BEP”. As the name intones the entire computer exploit process begins with a web browser. The web browser’s ubiquitous use in daily life has given rise to the Browser Exploit Pack as the infection vehicle darling of the Underground.

There are multiple Internet channels available for pushing malware to a victim such as email, P2P file sharing, instant messenger, and social media. A live exploit pack only requires a victim “drive by” – a trivial website visit – a soft push after exploring layer 7 for vulnerabilities.

We installed and configured over 40 exploit packs in order to better understand the different families' value in criminal use scenarios. In this paper we chronicle the exploit pack genesis and historical evolution. We discuss the spectrum of technical acumen required to successfully install and use different exploit pack families. Finally we detail the monetization and code protection mechanisms currently in place as well as the overall effectiveness of these different exploit pack families.

For optimal exploration we created dedicated networks for exploit pack installation. The client machine acting as a drive-by victim was running Windows XP SP2 and we excluded all further patches. To further give these exploit packs every chance of exploitation success we installed old versions of Internet Explorer, Firefox, Opera, Adobe Reader, Flash, Java Virtual Machine, Windows Media Player and other applications. Generally the application version was matched to a release in late 2004 or early 2005 since that was the approximate time frame that the first exploit packs were released.

Photo of the Day - War Dog

(Photo Credit: U.S. Navy & FP Mag)

Dogs usually jump in tandem with their trainers, but when properly outfitted with flotation vests they can make short jumps into water on their own. A U.S. Navy SEAL, Mike Forsythe, and his dog, Cara -- pictured above -- recently broke the world record for "highest man/dog parachute deployment" by jumping from 30,100 feet.


FP: War Dog - Photo Essay

Dogs have been fighting alongside U.S. soldiers for more than 100 years, seeing combat in the Civil War and World War I. But their service was informal; only in 1942 were canines officially inducted into the U.S. Army. Today, they're a central part of U.S. efforts in Iraq and Afghanistan -- as of early 2010 the U.S. Army had 2,800 active-duty dogs deployed (the largest canine contingent in the world). And these numbers will continue to grow as these dogs become an ever-more-vital military asset.

So it should come as no surprise that among the 79 commandos involved in Operation Neptune Spear that resulted in Osama bin Laden's killing, there was one dog -- the elite of the four-legged variety. And though the dog in question remains an enigma -- another mysterious detail of the still-unfolding narrative of that historic mission -- there should be little reason to speculate about why there was a dog involved: Man's best friend is a pretty fearsome warrior.

Wednesday, May 4, 2011

Intel's FINFET Transistors Increase Speed by Building Upward

Via NYTimes.com -

Intel plans to announce Wednesday that by building a key portion of a microprocessor’s transistor above the chip’s surface, it has found a way to make smaller, faster and lower-power computer chips.

Intel intends to break with the basic design of the so-called planar transistor that has remained a constant in the chip industry since 1959 when Robert Noyce, Intel’s co-founder, and Jack Kilby of Texas Instruments independently invented the first integrated circuits.

Since the advent of the microchip, the transistor, which is the electronic switch that is the basic building block of the information age, has been manufactured in just two dimensions.

But now, when the space between the billions of the tiny electronic switches on the flat surface of a computer chip is measured in the width of just dozens of atoms, designers are increasingly turning to the third dimension to find more room.

The company has already begun making its microprocessors using this new 3-D transistor design called a FINFET (for fin field-effect transistor), which is based around a remarkably small pillar, or fin, of silicon that rises above the surface of the chip. Intel, based in Santa Clara, Calif., plans to enter general production based on the new technology some time later this year.

Although the company will not give technical details about its new process in its Wednesday announcement, it said that it expected to be able to make chips that run as much as 37 percent faster in low-voltage applications and it would be able to cut power consumption as much as 50 percent.

Tuesday, May 3, 2011

Advanced Persistent Tweets: Zero-Day in 140 Characters

Via Krebs on Security -

The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from businesses and the U.S. government often are described as being ultra-sophisticated, almost ninja-like in stealth and anonymity. But according to expert analysis of several recent zero-day attacks – including the much publicized break-in at security giant RSA — the Chinese developers of those attack tools left clues aplenty about their identities and locations, with one apparent contender even Tweeting about having newly discovered a vulnerability days in advance of its use in the wild.

Read more: Advanced Persistent Tweets: Zero-Day in 140 Characters

Bin Laden's Death and the Implications for Jihadism

Via STRATFOR (Security Weekly) -

U.S. President Barack Obama appeared in a hastily arranged televised address the night of May 1, 2011, to inform the world that U.S. counterterrorism forces had located and killed Osama bin Laden. The operation, which reportedly happened in the early hours of May 2 local time, targeted a compound in Abbottabad, a city located some 31 miles north of Islamabad, Pakistan’s capital. The nighttime raid resulted in a brief firefight that left bin Laden and several others dead. A U.S. helicopter reportedly was damaged in the raid and later destroyed by U.S. forces. Obama reported that no U.S. personnel were lost in the operation. After a brief search of the compound, the U.S. forces left with bin Laden’s body and presumably anything else that appeared to have intelligence value. From Obama’s carefully scripted speech, it would appear that the U.S. conducted the operation unilaterally with no Pakistani assistance — or even knowledge.

As evidenced by the spontaneous celebrations that erupted in Washington, New York and across the United States, the killing of bin Laden has struck a chord with many Americans. This was true not only of those who lost family members as a result of the attack, but of those who were vicariously terrorized and still vividly recall the deep sense of fear they felt the morning of Sept. 11, 2001, as they watched aircraft strike the World Trade Center Towers and saw those towers collapse on live television, and then heard reports of the Pentagon being struck by a third aircraft and of a fourth aircraft prevented from being used in another attack when it crashed in rural Pennsylvania. As that fear turned to anger, a deep-seated thirst for vengeance led the United States to invade Afghanistan in October 2001 and to declare a “global war on terrorism.”

Because of this sense of fulfilled vengeance, the death of bin Laden will certainly be one of those events that people will remember, like the 9/11 attacks themselves. In spite of the sense of justice and closure the killing of bin Laden brings, however, his death will likely have very little practical impact on the jihadist movement. More important will be the reaction of the Pakistani government to the operation and the impact it has on U.S.-Pakistani relations.


Read more: Bin Laden's Death and the Implications for Jihadism | STRATFOR

Monday, May 2, 2011

STRATFOR Dispatch: Strategic Implications of Osama bin Laden's Death


Analyst Reva Bhalla discusses the strategic implications of Osama bin Laden’s death on U.S. foreign policy.

CIA Director Panetta’s Statement on Bin Laden Death


This morning, CIA Director Leon E. Panetta sent the following message to Agency employees:
Today, we have rid the world of the most infamous terrorist of our time. A US strike team stormed a compound in Abottabad, Pakistan and killed Usama Bin Ladin. Thankfully, no Americans were lost, and every effort was taken to avoid civilian casualties.

Nothing will ever compensate for the pain and suffering inflicted by this mass murderer and his henchmen. But just as evil never rests, neither does good. May the fact that Usama Bin Ladin no longer inhabits the earth be a source of comfort for the thousands of families, here in America and around the globe, who mourn the victims of al-Qa’ida’s barbarity.

Within our Agency family, our thoughts turn to those who died fighting to make this day possible. Our brothers and sisters who gave their lives in the war against al-Qa’ida—from Mike Spann to our heroes at Khowst—are with us, in memory and spirit, at this joyful moment. In all that we do, they are our constant inspiration.

My deepest thanks and congratulations go out to the officers of our CounterTerrorism Center and Office of South Asia Analysis for their outstanding expertise, amazing creativity, and excellent tradecraft. I also extend my profound appreciation and absolute respect to the strike team, whose great skill and courage brought our nation this historic triumph.

The raid was the culmination of intense and tireless effort on the part of many dedicated Agency officers over many years. Our men and women designed highly complex, innovative, and forward-leaning clandestine operations that led us to Bin Ladin. One operation would yield intelligence that was carefully analyzed and then used to drive further operations. Along with our partners at NGA, NSA, and ODNI, we applied the full range of our capabilities, collecting intelligence through both human and technical means and subjecting it to the most rigorous analysis by our government’s leading experts on Bin Ladin and his organization.

Persistent hard work produced the results that the American people expect of their intelligence service: We gave President Obama and his team accurate, relevant, timely intelligence—providing the information and insight they needed at key points as this mission developed. I offered my personal thanks to the President for his willingness to make the courageous decision to proceed with the operation.

Though Bin Ladin is dead, al-Qa’ida is not. The terrorists almost certainly will attempt to avenge him, and we must—and will—remain vigilant and resolute. But we have struck a heavy blow against the enemy. The only leader they have ever known, whose hateful vision gave rise to their atrocities, is no more. The supposedly uncatchable one has been caught and killed. And we will not rest until every last one of them has been delivered to justice.

Remember how you felt in the anxious hours after the attacks of September 11th, and how our Agency vowed to run to ground a vicious foe. Whether you were here at the time or were inspired to serve at CIA in the months and years that followed, take heart in knowing that our Agency is doing its essential job for the American people, and for all humanity. A promise has been kept. And a war will be won.

God bless the United States of America.

Leon E. Panetta

Crimekit for MacOSX Launched

Via CSIS Security Group Blog -

The first advanced DIY (Do-It-Yourself) crimeware kit aimed at the Mac OS X platform has just been announced on a few closed underground forums. Detailed information about this crimeware kit is not being leaked publicly and the authors of the kit are obviously trying to stay below the radar allowing only vetted users of the forums to see most of the content.

The Danish IT-security company CSIS Security Group has just yesterday observed a new advanced Form grabber designed for the Mac OS X operating system being advertised on several closed underground forums. In the same way as several other DIY crimeware kits designed for PCs, this tool consists of a builder, an admin panel and supports encryption.

The kit is being sold under the name Weyland-Yutani BOT and it is the first of its kind to hit the Mac OS platform. Apparently, a dedicated iPad and Linux release are under preparation as well.

The Weyland-Yutani BOT supports web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinjects templates are identical to the ones used in Zeus and Spyeye.

CSIS eCrime Unit is in possession of videos documenting both the admin panel and its functionality as well as the builder itself. Both video clips prove this kit to be fully operational already. This v1.0 of the BOT has a license price for the complete kit equal to 1,000 WMZ/LR.


In other OSX malware news....
"Apple computer owners are being subjected to a number of specialised malware attacks that insist Mac users download a malware version of the popular MacDefender antivirus application, infecting their computers as a result."

Sunday, May 1, 2011

TDL4 Rootkit is Coming Back Stronger than Before

Via Prevx Blog -

After some months since the last blog post about the TDL rootkit, we have to come back and write again about this nasty threat that is targeting both 32 bit and 64 bit versions of the Windows operating system, successfully bypassing all the security countermeasures implemented in the 64 bit version of Windows that should prevent the loading of unsigned drivers and every kind of patch to the Windows kernel.


Here is the behavior exploited by TDL4 until last April, a design flaw that allowed it to effectively overwrite the kdcom.dll module with its own module used to load the rootkit driver and disable kernel debugging. Then, after the rootkit driver has been loaded, the rootkit prevents Windows from actually booting in WinPE mode.


This trick allowed the TDL4 rootkit to successfully infect x64 versions of Windows. Until this April, when Microsoft silently released the KB2506014 patch which is described by the company itself as follows: "Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement. While this is not an issue that would require a security update, this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection".


TDL4 authors didn't wait too long and just released an update to its TDL4 rootkit code, making a number of important changes that are able to bypass the patch issued by Microsoft and a number of TDL rootkit scanners available online. Looks like this new TDL4 dropper is still in development stage because there are some bugs in the dropper code.

This new release of the TDL4 rootkit implements specific code to disable the driver signing security routine. As written before, since the last Microsoft patch Winload.exe has been checking the digital signature of the kernel and its related modules. If the integrity check doesn't succeed - i.e. with the rootkit's patched kdcom.dll - the security routine returns the status error C0000428, which is STATUS_INVALID_IMAGE_HASH. If the routine returns this error, winload.exe stops the system bootup and shows a security error.

To bypass this security check, the rootkit now intercepts these digital signature check routines and patches them so that instead of returning the NTSTATUS error C0000428, they'll return the NTSTATUS value 0000C428, which is a non-existent error code. Winload doesn't recognize such an error and goes ahead with the system bootup, effectively loading an unsigned tampered module. To intercept the kdcom.dll load, the TDL4 rootkit has been updated to the new kdcom resource directory size value 0x110, neutralizing the Microsoft patch.
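Why swapping C0000428 for 0000C428 is enough is clearer once the status word is decoded. The following is an added example, not Prevx's code: it splits an NTSTATUS into the fields Microsoft documents (severity in the top two bits, then the customer and reserved bits, a 12-bit facility and a 16-bit code) and contrasts the lax success test with a strict one. The post does not say exactly how winload judges the return value; the assumption here is a sign-bit style NT_SUCCESS test, under which the patched value reads as a success-class status with a meaningless code, which matches the described behaviour.

```python
"""Decode an NTSTATUS the way a caller would judge it, and show why a
success-class value with a bogus code slips past a lax check."""

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_IMAGE_HASH = 0xC0000428   # what the signature check should return
PATCHED_STATUS = 0x0000C428              # what the patched routine returns

SEVERITY_NAMES = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}


def decode_ntstatus(status: int) -> dict:
    """Split a 32-bit NTSTATUS into its documented fields:
    bits 31-30 severity, bit 29 customer, bit 28 reserved,
    bits 27-16 facility, bits 15-0 code."""
    status &= 0xFFFFFFFF
    return {
        "severity": SEVERITY_NAMES[status >> 30],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0x0FFF,
        "code": status & 0xFFFF,
    }


def nt_success(status: int) -> bool:
    """Equivalent of the NT_SUCCESS() macro: true when the sign bit is clear,
    i.e. severity SUCCESS or INFORMATIONAL. Any unknown value with the top
    bits clear passes, which is exactly what the patched status exploits."""
    return (status & 0xFFFFFFFF) < 0x80000000


def strict_success(status: int) -> bool:
    """Hardened check: accept only the exact STATUS_SUCCESS value, so a
    never-defined status such as 0x0000C428 is treated as a failure."""
    return (status & 0xFFFFFFFF) == STATUS_SUCCESS


def describe(status: int) -> str:
    f = decode_ntstatus(status)
    return (f"0x{status & 0xFFFFFFFF:08X}: severity={f['severity']} facility=0x{f['facility']:03X} "
            f"code=0x{f['code']:04X} NT_SUCCESS={nt_success(status)} strict={strict_success(status)}")


if __name__ == "__main__":
    for s in (STATUS_SUCCESS, STATUS_INVALID_IMAGE_HASH, PATCHED_STATUS):
        print(describe(s))
```

The general lesson for any code that gates a security decision on a status word: compare against the one value that means "verified", not against "not an error", because an attacker who can patch the callee controls which of the 2^31 non-error values it returns.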


To avoid being detected by some specific online public TDL4 rootkit scanners, the TDL4 team updated their miniport disk driver hook, changing how the rootkit devices are linked to the rootkit driver and the real hooked miniport driver. As we already know, TDL4 rootkit steals the driver object of the last miniport driver and hijacks the disk driver's DR0 device, attaching it to its own filtering device. By walking the rootkit driver's chain of devices, it was trivial to get a pointer to the real hooked miniport driver object. This geometric structure helped many tools in spotting the presence of the TDL rootkit active in the system. Current TDL4 release removes every reference to the hooked miniport driver object, bypassing many antirootkit TDL4 detection routines.

The team behind the TDL4 rootkit is still alive and is working quietly to keep its creature up to date and always able to bypass all known security restrictions. Even if the rootkit development cycle drastically changed and slowed down since the TDL3 period - mostly because of a major change in the development team - whoever is handling the rootkit development is still trying to keep the malware alive and effective against security software. Sadly the first x64 compatible Windows kernel mode rootkit has not yet disappeared; it is coming back stronger than before.