Feed aggregator

Peristent XSS Vulnerability Plagues WordPress Plugin

Threatpost for B2B - Tue, 04/07/2015 - 14:37
A persistent cross-site scripting (XSS) vulnerability exists in some versions of a popular WordPress caching engine plugin.

White House Executive Order Declares Cyber National Emergency

Threatpost for B2B - Tue, 04/07/2015 - 13:03
New Obama Administration Executive Order declares a cyber-national emergency and research advocates worry that sanctions could chill security research work.

FBI Warns of Phony Sites Offering Government Services

Threatpost for B2B - Tue, 04/07/2015 - 11:53
The FBI has warned consumers about a rash of phony websites posing as government services.

Vulnerability Forces Mozilla to Disable Opportunistic Encryption in Firefox

Threatpost for B2B - Tue, 04/07/2015 - 10:27
Less than a week after introducing the new opportunistic encryption feature in Firefox, Mozilla has had to disable it because of a security vulnerability in the browser’s implementation of the HTTP Alternative Services specification. The bug puts a kink in the new feature, which was designed to allow clients to connect securely to a server […]

Blockchain technology abuse: time to think about fixes

Secure List feed for B2B - Tue, 04/07/2015 - 06:57

Kaspersky Lab and INTERPOL recently presented research on how blockchain-based cryptocurrencies could be abused through the pollution of public decentralized databases with arbitrary data.  During our presentation at the BlackHat Asia conference in Singapore, we demonstrated the proof-of-concept using the Bitcoin network, but it's important to understand that any cryptocurrency that relies on blockchain technology can be abused in this way.

Blockchain-based cryptocurrencies could be abused through the pollution of p2p databases with arbitrary data

Tweet

Some believe that security researchers, especially those from the anti-malware industry, generally only publish threat reports after the discovery of a threat in the wild.  However, this is not always true.  Our current research focuses on potential future threats that could be prevented before cryptocurrencies are fully adopted and standardized. While we generally support the idea of blockchain-based innovations, we think that, as part of the security community, it is our duty to help developers make such technologies fit-for-purpose and sustainable.

Blockchainware, short for blockchain-based software, stores some of its executable code in the decentralized databases of cryptocurrency transactions. It is based on the idea of establishing a connection to the P2P networks of cryptocurrency enthusiasts, fetching information from transaction records and running it as code. Depending on the payload fetched from the network, it can be either benign or malicious.

The proof-of-concept code we demonstrated was a benign piece of software

Tweet

To ensure the accurate interpretation of our research, we would like to point out that in the anti-malware industry, there is a clear definition of what constitutes malware, and there are extremely strict policies in place that forbid any attempts to create or distribute malware. The proof-of-concept code we demonstrated was a benign piece of software that opened the Notepad application after getting a confirmation from the user.

So, what exactly did we demonstrate at BlackHat Asia?   See for yourself at:  https://www.youtube.com/watch?v=FNsqXHbeMco

As we pointed out during our presentation, possible solutions can be introduced at different layers. From the perspective of a company developing endpoint security solutions, we don't believe it's too much trouble to blacklist applications that load unpredictable external payload from a P2P network.

We believe that the value of solution development lies in its neutrality and decentralized decision-making

Tweet

However, from the perspective of the cryptocurrency network, it's still an open question. We are not the experts in this field, and are therefore not best placed to propose effective solutions.  We also don't want to promote any specific solution as we believe that the value of solution development (as in the case of Bitcoin) lies in its neutrality and decentralized decision-making.

That's why we suggest this is a project for the cryptocurrency community.

We don't promote any specific solution. We suggest this is a project for the cryptocurrency community

Tweet

As a starting point for opening a discussion in the community, we suggest looking for an opportunity to implement a network consensus/negotiation algorithm that will sustain the clean state of the blockchain.

I would like to credit my co-speaker, Christian Karam (@ck4r4m), Cyber Threat Researcher from Interpol for coming up with idea for this research and going all the way to the stage at Blackhat and beyond.

Don't Feel Left Out: Ransomware for IT Security Enthusiasts!

Secure List feed for B2B - Tue, 04/07/2015 - 05:45

Macros are so hot right now

It's getting dark outside and our favorite mail client beeps with excitement for a new missive in our inbox, something interesting perhaps? A rapid glimpse at the contents of the message should indicate that a malicious campaign will play the starring role in what follows. An included attachment reveals itself as a malicious document with password-protected embedded macros. Moreover, a quick analysis of the file shows that it's dropping an executable payload to the system, which further piques our interest in this devious sample:

After opening the file, and only once the victim has been lured into enabling macros,  a seemingly innocuous Word document is shown.

File metadata betrays the developer's rush in crafting this file, using the Russian language letters "фыв" to fill the tags section:

"фыв" corresponds to the "asd" letter combination on Latin keyboards so often used as mindless filler.

Delving into the code

The second stage malicious script containing the instructions is downloaded from a public entry hosted on Pastebin in base64 encoding mode.

The full instruction set is 101 lines long and at the time of writing it counts with more than 5k reads. So this seems like a reliable indicator of the number of potential infections by this malware.

It is important to mention that upon discovery of the initial malicious document, Virustotal showed a null detection rate (however, the executable payload itself was detected by Kaspersky as Trojan-Ransom.Win32.Foreign.mdst)

The decoded script looks like this:

The decoded base64 payload downloaded from Pastebin fetches a file that includes several tokens to be used by the beckoning VBS script. Each token represents a section of the code that needs to be called in a specific order to achieve infection. The sections are named using a generic convention such as 'text20', 'text21', 'stext1', etc. Using the 'Tort' function implemented in the VBS script module, the instructions are deobfuscated and then outputted for execution.

The payload Trojan-Ransom.Win32.Foreign.mdst connects to an onion-based domain via the Tor2Web service

Tweet

In the case of the ' ' section, we can find a PowerShell script being called using the '-noexit' option, which according to Microsoft's Technet documentation is commonly used when running scripts via the command prompt (cmd.exe) so as to avoid exiting after execution. It's worth mentioning the second parameter, which sets the execution policy to bypass mode. Interestingly, by using a simple command line option this malicious creation is able to bypass the PowerShell execution policy configured in the system.

The file set for execution by PowerShell is also set by the original VBS script. A simple yet annoying obfuscation is in charge of getting the final string to be passed as a parameter.

As per the instructions above, the 'currentFile' variable will be replaced by the value of Chr(34) or a quotation mark, and the value of the variables PH2, FL2 and another static text value. Both PH2 and FL2 variables are set at the beginning of the execution of the script, FL2 being the random text used to name several files inside a temporary location set by PH2.

Even though the mechanism is not very complex, we can see that the malware writers took any measures available to slow down analysis and hide the real purpose of their code, even if by virtue of being a script it should be human readable.

We already reported the abusive Pastebin URL.

Payload

The payload is a binary PE file (self-extracting archive or SFX) named "file.exe". Upon execution, "file.exe" is copied to "C:\Windows\System32\WinSrv32.exe" and deleted from its original calling location. Persistence in the infected system is obtained via a registry key written in the following branch "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".

This payload connects to an onion-based domain via the Tor2Web service.

The mention of a hostname refers to the front-facing side of the um6fsdil5ecma5kf.onion domain that serves as a C2 of the payload malware.

Detection names for malware 239d4f67692a5883574e3c496d88979c logmein_coupon.doc Trojan-Downloader.MsWord.Agent.hz 41d605b3981f330bd893b2dfd6e1d890 file.exe Trojan-Ransom.Win32.Foreign.mdst

Post-Cryptanalysis, TrueCrypt Alternatives Step Forward

Threatpost for B2B - Mon, 04/06/2015 - 14:11
CipherShed and VeraCrypt developers stand ready to step in for TrueCrypt now that the cryptanalysis phase of the audit is complete and no backdoors were discovered.

Linux Australia Hit With Server Breach

Threatpost for B2B - Mon, 04/06/2015 - 12:14
Linux Australia, a consortium in charge of organizing Linux conferences across the continent, acknowledged over the weekend it was breached by attackers last month.

Snapchat Publishes First Transparency Report

Threatpost for B2B - Mon, 04/06/2015 - 10:58
Snapchat has released its first transparency report, covering a four-month period from November through February, and the data shows that the company didn’t receive any National Security Letters and got fewer than 400 total requests for data from the United States government. Snapchat, a California company that runs a popular chat and media-sharing service, said in the report […]

SWF Files Injecting Malicious iFrames on WordPress, Joomla Sites

Threatpost for B2B - Fri, 04/03/2015 - 12:36
Researchers have seen an uptick in Adobe Flash .SWF files being used to trigger malicious iFrames across websites.

VMware Fixes Java Information Disclosure Vulnerability

Threatpost for B2B - Fri, 04/03/2015 - 11:03
VMware has issued an update to a number of its products fixing an information disclosure bug in Oracle's Java runtime environment.

Dyre Banking Malware A Million-Dollar Threat

Threatpost for B2B - Fri, 04/03/2015 - 10:12
IBM warns banks and corporate officers of a change to the dangerous Dyre banking Trojan that involves the phone scam used to bypass fraud detection, and a DDoS attack that distracts security teams away from big-money transfers.

Threatpost News Wrap, April 2, 2015

Threatpost for B2B - Fri, 04/03/2015 - 09:00
Dennis Fisher and Mike Mimoso talk about Google's decision to drop Chinese CA CNNIC from Chrome's trust store, the scope of the malvertising threat and Verizon's super cookie use.

Audit Concludes No Backdoors in TrueCrypt

Threatpost for B2B - Thu, 04/02/2015 - 13:50
Auditors performing a cryptanalysis of TrueCrypt found four vulnerabilities, but zero backdoors in the popular open source encryption software.

Google Report Lauds Android Security Enhancements

Threatpost for B2B - Thu, 04/02/2015 - 13:22
Google's first Android Security Report puts some hard data behind the effectiveness of the security enhancements it has put into the OS.
Syndicate content