Monday, May 11, 2015
Dynamoo's Blog: Malware spam: "Payment details and copy of purchas...
Dynamoo's Blog: Malware spam: "Payment details and copy of purchas...: I haven't really had time to analyse this, so I am using the analysis of an anonymous source (thank you).. From : Kristina Prest...
PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
Flaw could
allow attackers to compromise user accounts, WhiteHat Security's Robert
Hansen -- aka "RSnake" -- says in new finding on 'Magic Hash'
vulnerability.
that affects any website that uses two specific types of operators for
comparing hashes in PHP.
The issue mostly affects authentication, but it could also effect
"forgot password" flows, nonces, binary checking, cookies, and
passwords, among other things, Hansen, aka RSnake, told Dark Reading.
"It totally depends on the website, and how it's constructed." More...
PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
allow attackers to compromise user accounts, WhiteHat Security's Robert
Hansen -- aka "RSnake" -- says in new finding on 'Magic Hash'
vulnerability.
A
weakness in the manner in which PHP handles hashed strings in certain
situations gives attackers an opportunity to try and compromise
authentication systems, passwords, and other functions involving hash
comparisons in PHP, a researcher from WhiteHat Security says.
Robert Hansen, vice president of WhiteHat, describes the issue as oneweakness in the manner in which PHP handles hashed strings in certain
situations gives attackers an opportunity to try and compromise
authentication systems, passwords, and other functions involving hash
comparisons in PHP, a researcher from WhiteHat Security says.
that affects any website that uses two specific types of operators for
comparing hashes in PHP.
The issue mostly affects authentication, but it could also effect
"forgot password" flows, nonces, binary checking, cookies, and
passwords, among other things, Hansen, aka RSnake, told Dark Reading.
"It totally depends on the website, and how it's constructed." More...
PHP Hash Comparison Weakness A Threat To Websites, Researcher Says
Friday, May 8, 2015
Windows 10 Microsoft Passport (aka Microsoft Next Generation Credential) In Detail » Active Directory Security
At the Microsoft Ignite conference this week, there are several
sessions covering Windows 10 features. One of biggest changes in Windows
10 is the new credential management method and the related “Next
Generation Credential”, now named Microsoft Passport.
There hasn’t been much information on how the new credential system
works, so I challenged myself to gather as much information and
understand it as best as possible before the Microsoft Ignite conference
ends this week. This post covers my understanding of this (still beta)
technology.
Note that the information in this post is subject to change
(& my misunderstanding). As I gain clarification, I will update this
post.
Traditional Windows Credential Management
Up until Windows 10, when a user logs on, the user’s credentials are verified, hashed, and loaded into LSASS (Local Security Authority Subsystem Service),
a process in protected memory. The user credential data is stored in
LSASS for authenticating the user to network resources without having to
prompt the user for their password. The issue is that up until Windows
8.1, the user’s clear-text password (reversible encryption) is no longer
placed in LSASS, though the user’s NTLM password hash, among others,
are still stored in LSASS. When using Kerberos, the user’s Kerberos
tickets are stored in LSASS. More....
Windows 10 Microsoft Passport (aka Microsoft Next Generation Credential) In Detail » Active Directory Security
Know your Windows Processes or Die Trying | System Forensics
I have been talking with quite a few people lately tasked with
“security” inside their organizations and couldn’t help but notice their
lack of understanding when it came to Windows process information.
I figured if the people I have talked with don’t understand then
there are probably a lot more people that don’t understand. I’m guessing
quite a few people that consider themselves “experts” as well.
I decided to write this post in an effort to help the individuals
that may not have the knowledge, free time, training budgets, etc. to
explore Windows processes. For about $50 – $75 (few books) and some free
time you can learn pretty much everything needed to know about Windows
processes.
My goal isn’t to dive very deep into each of the processes. I figured
a bulleted “cheat sheet” vs. wordy descriptions will be best for my
intended audience.
The people that want to dive deeper can buy themselves a copy of
Windows Internals, 6th Edition Part I and II, fire up Process
Explorer/Process Hacker, start reading the great documentation by the
Volatility team (references below).
Know your Windows Processes or Die Trying | System Forensics
“security” inside their organizations and couldn’t help but notice their
lack of understanding when it came to Windows process information.
I figured if the people I have talked with don’t understand then
there are probably a lot more people that don’t understand. I’m guessing
quite a few people that consider themselves “experts” as well.
I decided to write this post in an effort to help the individuals
that may not have the knowledge, free time, training budgets, etc. to
explore Windows processes. For about $50 – $75 (few books) and some free
time you can learn pretty much everything needed to know about Windows
processes.
My goal isn’t to dive very deep into each of the processes. I figured
a bulleted “cheat sheet” vs. wordy descriptions will be best for my
intended audience.
The people that want to dive deeper can buy themselves a copy of
Windows Internals, 6th Edition Part I and II, fire up Process
Explorer/Process Hacker, start reading the great documentation by the
Volatility team (references below).
Know your Windows Processes or Die Trying | System Forensics
Wednesday, May 6, 2015
TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ
TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ
TeslaCrypt and Alpha Crypt are
file-encrypting ransomware programs that target all version of Windows
including Windows XP, Windows Vista, Windows 7, and Windows 8.
TeslaCrypt was first released around the end of February 2015 and Alpha
Crypt was released at the end of April 2015. When you are first infected
with TeslaCrypt or Alpha Crypt they will scan your computer for data
files and encrypt them using AES encryption so they are no longer able
to be opened. Once the infection has encrypted the data files on all of
your computer drive letters it will display an application that contains
instructions on how to get your files back. These instructions include a
link to a Decryption Service site,
which will inform you of the current ransom amount, the amount of files
encrypted, and instructions on how to make your payment. The ransom
cost starts at around $500 USD and is payable via bitcoins. The bitcoin
address that you submit payment to will be different for every victim.
When TeslaCrypt or Alpha Crypt are first installed on your computer they will create a random named executable in the %AppData% folder. This executable will be launched and begin to scan all the drive letters on your computer for data files to encrypt. If a a supported data file is detected it will encrypt it and then append a new extension to the filename based on the particular variant you are infected with. For TeslaCrypt, the extension .ECC will be appended and for Alpha Crypt the extension .EZZ will be appended to filenames.
What is TeslaCrypt and AlphaCrypt?
TeslaCrypt and Alpha Crypt are
file-encrypting ransomware programs that target all version of Windows
including Windows XP, Windows Vista, Windows 7, and Windows 8.
TeslaCrypt was first released around the end of February 2015 and Alpha
Crypt was released at the end of April 2015. When you are first infected
with TeslaCrypt or Alpha Crypt they will scan your computer for data
files and encrypt them using AES encryption so they are no longer able
to be opened. Once the infection has encrypted the data files on all of
your computer drive letters it will display an application that contains
instructions on how to get your files back. These instructions include a
link to a Decryption Service site,
which will inform you of the current ransom amount, the amount of files
encrypted, and instructions on how to make your payment. The ransom
cost starts at around $500 USD and is payable via bitcoins. The bitcoin
address that you submit payment to will be different for every victim.When TeslaCrypt or Alpha Crypt are first installed on your computer they will create a random named executable in the %AppData% folder. This executable will be launched and begin to scan all the drive letters on your computer for data files to encrypt. If a a supported data file is detected it will encrypt it and then append a new extension to the filename based on the particular variant you are infected with. For TeslaCrypt, the extension .ECC will be appended and for Alpha Crypt the extension .EZZ will be appended to filenames.
Haifei's random thoughts: Integrating Outdated Flash is a Bad Idea, Even Wor...
Haifei's random thoughts: Integrating Outdated Flash is a Bad Idea, Even Wor...: Shining the Light on the Security of Customized Browsers Used in China When I traveled in China last time, I was quite surprised that the...
Andromeda/Gamarue bot loves JSON too (new versions details) | eternal-todo.com
Andromeda/Gamarue bot loves JSON too (new versions details) | eternal-todo.com
After my last post about Andromeda different updates related to version 2.07 and 2.08 appeared. Mostly, Fortinet was talking about the version 2.7 features and the new anti-analysis tricks of version 2.08. After that, Kimberly was also mentioning version 2.09 in his blog
but I have not seen too many details about the latest versions of
Andromeda. This is a summary of the interesting details about the newer
versions.
After my last post about Andromeda different updates related to version 2.07 and 2.08 appeared. Mostly, Fortinet was talking about the version 2.7 features and the new anti-analysis tricks of version 2.08. After that, Kimberly was also mentioning version 2.09 in his blog
but I have not seen too many details about the latest versions of
Andromeda. This is a summary of the interesting details about the newer
versions.
Tuesday, May 5, 2015
CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: Analyzing the ZeuS bot Part 2
CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know: Analyzing the ZeuS bot Part 2
Okay start up REMnux and sign in as root.
Okay start up REMnux and sign in as root.
We start with the command like in the previous tutorial:
type: volatility -f ‘zeus.vmem’ imageinfo
Thursday, April 30, 2015
Anti-Botnet Advisory Centre: Inform
Anti-Botnet Advisory Centre: Inform
To prevent the re-infection of your computer please note these important rules:
1Check your computer for infection. Please use our EU-Cleaner to remove all
malware.
2Install current Service Packs and Security Updates for your system. Activate automatic updates. Microsoft Instructions: Protect.
3Check your Internet browser and the
embedded plugins (e.g. Java, Flash, Shockwave, Quicktime) regularly to
make sure they are up to date. Browser- and Plugincheck
4Install a virus scanner, e.g. one that is mentioned here and update it
regularly.
5Use a firewall e.g. built-in Windows firewall or a router. More Information
about Firewalls..
hfiref0x/UACME · GitHub
hfiref0x/UACME · GitHub
UACMe
- Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
- More info http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
Wednesday, April 29, 2015
Blaze's Security Blog: Thoughts on Absolute Computrace
Blaze's Security Blog: Thoughts on Absolute Computrace: Introduction Not too long ago my friend and colleague from Sweden, Jimmy, contacted me in regards to a strange issue. In the firewall, he...
TorrentLocker changes it's name to Crypt0L0cker and bypasses U.S. computers - News
TorrentLocker changes it's name to Crypt0L0cker and bypasses U.S. computers - News
A new ransomware called Crypt0L0cker (the OHs have been replaced with
ZEROs) has been released that appears to be a new version of TorrentLocker.
This ransomware was first sighted at the end of April in European and
Asian countries and in Australia. Unlike TorrentLocker, for some reason
this variant is Geo-Locked so that it will not install on US based
computers. This ransomware is currently being distributed through emails
that pretend to be traffic violations or other government notices. At
this point it is unknown what encryption method is used and if its
possible to recover encrypted files. The ransom amount is currently set
for 2.2 Bitcoins.
A new ransomware called Crypt0L0cker (the OHs have been replaced with
ZEROs) has been released that appears to be a new version of TorrentLocker.
This ransomware was first sighted at the end of April in European and
Asian countries and in Australia. Unlike TorrentLocker, for some reason
this variant is Geo-Locked so that it will not install on US based
computers. This ransomware is currently being distributed through emails
that pretend to be traffic violations or other government notices. At
this point it is unknown what encryption method is used and if its
possible to recover encrypted files. The ransom amount is currently set
for 2.2 Bitcoins.
Monday, April 27, 2015
Without a Trace: Fileless Malware Spotted in the Wild | Security Intelligence Blog | Trend Micro
Without a Trace: Fileless Malware Spotted in the Wild | Security Intelligence Blog | Trend Micro
With additional analysis from David Agni
Improvements in security file scanners are causing malware authors to
deviate from the traditional malware installation routine. It’s no
longer enough for malware to rely on dropping copies of themselves to a
location specified in the malware code and using persistence tactics
like setting up an autostart feature to ensure that they continue to
run. Security file scanners can easily block and detect these threats.
A tactic we have spotted would be using fileless malware. Unlike most
malware, fileless malware hides itself in locations that are difficult
to scan or detect. Fileless malware exists only in memory and is written
directly to RAM instead of being installed in target computer’s hard
drive. POWELIKS
is an example of fileless malware that is able to hide its malicious
code in the Windows Registry. These use a conventional malware file to
add the entries with its malicious code in the registry.
With additional analysis from David Agni
Improvements in security file scanners are causing malware authors to
deviate from the traditional malware installation routine. It’s no
longer enough for malware to rely on dropping copies of themselves to a
location specified in the malware code and using persistence tactics
like setting up an autostart feature to ensure that they continue to
run. Security file scanners can easily block and detect these threats.
A tactic we have spotted would be using fileless malware. Unlike most
malware, fileless malware hides itself in locations that are difficult
to scan or detect. Fileless malware exists only in memory and is written
directly to RAM instead of being installed in target computer’s hard
drive. POWELIKS
is an example of fileless malware that is able to hide its malicious
code in the Windows Registry. These use a conventional malware file to
add the entries with its malicious code in the registry.
Simple and easy ways to keep your computer safe and secure on the Internet
Simple and easy ways to keep your computer safe and secure on the Internet
This tutorial was created to provide tips and techniques for smart and
safe computing. When using these techniques you will not only protect
yourself and your data from hackers and viruses, but also keep your
computer running more smoothly and reliably. The advice in this tutorial
applies to all computer users and all operating systems, but we have
tried to point out specific steps for various operating systems as it
becomes necessary. By Lawrence Abrams
This tutorial was created to provide tips and techniques for smart and
safe computing. When using these techniques you will not only protect
yourself and your data from hackers and viruses, but also keep your
computer running more smoothly and reliably. The advice in this tutorial
applies to all computer users and all operating systems, but we have
tried to point out specific steps for various operating systems as it
becomes necessary. By Lawrence Abrams
Subscribe to:
Posts (Atom)