Thursday, 29 March 2012

Quest InTrust 10.4.x ReportTree and SimpleTree Classes



D-Link DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability



Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution



TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow



boastMachine v3.1 <= CSRF Add Admin Vulnerability



Wednesday, 28 March 2012

Wireshark 1.6.6 and 1.4.12 Released


Wireshark today released versions 1.6.6 and 1.4.12, which include fixes for several vulnerabilities.
Highlights
Version 1.6.6 includes updates for the following protocols:
- ANSI A, BSSGP, DIAMETER, DTLS, GOOSE, GSM Management, GTP, HTTP, IAX2, IEEE 802.11, IPP, ISAKMP, ISO SSAP, MP2T, MPLS, MySQL, NTP, PacketBB, PGM, Radiotap, SSL, TCP, UDP, USB, WSP
The following new and updated capture file support is included in this update:
- Endace ERF, Pcap-NG, Tektronix K12
Version 1.4.12 includes updates for the following protocols:
- HTTP, ISAKMP, MySQL, PacketBB, PGM, TCP, UDP
The following new and updated capture file support is included in this update:
- Endace ERF, Pcap-NG
The updates are available here [1]; the release announcements are at [2] and [3].
[1] http://www.wireshark.org/download.html
[2] http://www.wireshark.org/lists/wireshark-announce/201203/msg00000.html
[3] http://www.wireshark.org/lists/wireshark-announce/201203/msg00001.html

New Endpoint Test Results from AV-TEST.org


This is one of these days that make me really proud to be a member of the McAfee family. I just received the very latest third-party test results from AV-TEST.org. AV-TEST has built a reputation for doing very thorough, “real world” tests of endpoint security products. They’ve been testing consumer endpoint products for a long time and just last year instituted a very good enterprise endpoint-testing program.
For the third quarter in a row, both McAfee’s consumer product, Total Protection 2012, and our enterprise product, VirusScan Enterprise 8.8, achieved certification. Not only did both of our flagship endpoint solutions achieve certification, but they both received better evaluations than any McAfee products in the history of AV-TEST’s reports.
AV-TEST evaluates endpoint products on three different metrics: core protection, repair and usability. They assign each product tested a score from 1 to 6 in each of the three metrics. While we tend to focus on the core protection metric, the repair and usability scores are important variables in the purchase decisions made by customers large and small.
Besides certifying both products, AV-TEST gave Total Protection 2012 a protection score of 5 out of 6 points, marking only the second time in two-plus years of testing that McAfee’s consumer product scored this well for core detection. On the enterprise side, VSE 8.8 got a protection score of 5.5, the highest protection score any McAfee product has ever received from AV-TEST.
For comparison, Total Protection 2012 outscored the comparable products from AVG, Trend Micro, and Microsoft among others. VSE 8.8 outscored the enterprise solutions offered by F-Secure, Sophos, Trend Micro and, of course, Microsoft.
From a total evaluation perspective, this quarter was also record setting. Both Total Protection 2012 and VSE 8.8 received a total score of 13 of 18 points, both of which are historical highs for McAfee products.
As McAfee’s Senior VP of Product Management for McAfee Labs, Rees Johnson, observed, “These latest results from AVTEST.org represent the third test cycle in a row for which both our Enterprise and Consumer products have been certified and each of the three results demonstrates material progress over the previous test cycle. This clearly demonstrates the progress being made within McAfee Labs across all technologies including the core detection engine, remediation, false-positive rates, and the Trusted Source functionality that can be found in Site Advisor and Site Advisor Enterprise and the results we can achieve when we attack an issue like this with focus and energy.”

Signed Malware: You Can Run, But You Can’t Hide


It’s been more than a year since McAfee became an Intel company, and the team and I have been privileged to be a part of designing and developing our DeepSAFE technology, as well as Deep Defender, the first available product that leverages this advancement. Recent threats in the news validate what we’ve been working on, and this blog serves as an update to our followers.

Signed Malware Prevalence

Digitally signed malware has received a lot of media attention recently. Indeed, more than 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures.
Unique Malicious Binaries Discovered With Valid Digital Signatures (cumulative starting Jan 2012)
Source: McAfee Labs Sample Database

Why Sign?

Attackers sign malware in an attempt to trick users and admins into trusting the file, but also in an effort to evade detection by security software and circumvent system policies. Much of this malware is signed with stolen certificates, while other binaries are self-signed or “test signed.” Test signing is sometimes used as part of a social engineering attack.
Which signature is real?
Answer: They’re both real and valid certificates, but one is test signed.

Test Signing

Test signing is particularly useful to attackers on 64-bit Windows, on which Microsoft enforces driver signing. By default such drivers will not load. However, Microsoft provides developers with the means of disabling this policy, and malware authors have learned to do the same. Rootkits on 64-bit Windows, such as Necurs (used by Banker), Advanced PC Shield 2012, and Cridex, use this approach to compromise the operating system. To combat this, Deep Defender Version 1.0.1 blocks test-signed drivers by default, while allowing ePO administrators to selectively exclude the systems of in-house kernel driver developers as necessary.
This is just one layer of protection, of course. Security is about “defense in depth,” from network to silicon. Real-time memory monitoring allows Deep Defender to identify the Necurs rootkit as it attempts to compromise the kernel.

Trying to Hide

Being able to observe transient events in memory allows DeepSAFE to get past obfuscated file views that challenge traditional antivirus solutions.
Case in point is the Mediyes Trojan referenced in the aforementioned press articles. A quick check of our sample database shows more than 7,000 unique binaries in this family. Yet memory rules written over a year ago to cover rootkit techniques are able to proactively identify the latest signed attack, even as a zero day.
After the attacks were known, the certificate was revoked.
Here DeepSAFE intercepts the malware attempting to modify the write-protection bit of the CR0 control register, as well as install kernel inline hooks on the ZwResumeThread function.
VirusTotal shows traditional file scanning was not very successful against this particular sample (just two out of 43 scanners detecting):

More to Come

For some time we’ve seen malicious payloads that attempt to steal digital certificates for nefarious purposes, and we are likely seeing the fruits of that labor. With so much malware online, we are sure to see this trend of signed malware continue and increase.
P.S. Deep Defender Version 1.0.1 is currently in beta and is expected to hit the market in Q2. If you’re interested in helping protect the world beyond the OS, we’re hiring.

Tuesday, 27 March 2012

Firefox 3.6 EOL


Ever since Mozilla started its controversial new versioning scheme, Firefox 3.6 has still been maintained as a stable and supported version of Firefox. Today, Mozilla announced that Firefox 3.6.28, to be released "over the next few weeks", will be the final version of Firefox 3.6. As of April 24th, no more security fixes will be published for Firefox 3.6.
Of course, the Firefox version number is at first glance just a number. One could consider the just-released Firefox "11" more like a Firefox 4.11.0 (or 5.11.0). However, plugins and extensions have never quite caught up with the new versioning scheme.
A Firefox add-on XPI file is a "zip" file that, once unpacked, reveals a number of components, including an "install.rdf" file, which, among other settings governing the install of the extension, lists the range of version numbers for which a certain extension will work. Developers usually do not include future major versions, as changes to the extension API and to the Firefox feature set will make it necessary to adapt the extension. This requires extension developers to consistently maintain and update extensions as Firefox releases new major versions.
In some ways, this may be a good thing, as it will remove unmaintained extensions. In other ways, developers of valuable extensions may get discouraged by this practice. As a user, you could edit the install.rdf file and modify the range of supported versions. I have done this in a couple of cases myself, and had decent success. However, there is a good chance that this will fail in some cases.
http://blog.mozilla.com/futurereleases/2012/03/23/upcoming-firefox-support-changes/
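The version-range check that install.rdf encodes, as an added example that is not part of the original diary: the script parses the `em:targetApplication` entry of a constructed install.rdf (the add-on id and version range are made up; the Firefox application GUID is the real one) and reports whether a given Firefox version falls inside the declared range, using a simplified form of Mozilla's version comparison in which `*` matches any later value and missing trailing parts count as zero.

```python
import re
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
# Application id that identifies Firefox inside a targetApplication entry
FIREFOX_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"

# Constructed install.rdf for a hypothetical extension pinned to Firefox 3.6.x
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-addon@example.invalid</em:id>
    <em:version>1.2</em:version>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>3.6</em:minVersion>
        <em:maxVersion>3.6.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""

def parse_version(version):
    """Split '3.6.28' into comparable parts; '*' matches any later value."""
    parts = []
    for piece in version.split("."):
        if piece == "*":
            parts.append(float("inf"))
        else:
            match = re.match(r"\d+", piece)
            parts.append(int(match.group()) if match else 0)
    return parts

def compare_versions(a, b):
    """Return -1, 0 or 1; missing trailing parts count as zero (3.6 == 3.6.0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)

def parse_install_rdf(text):
    """Extract the add-on id, its version and every targetApplication range."""
    root = ET.fromstring(text)
    desc = root.find(f"{{{RDF_NS}}}Description")
    manifest = {"id": desc.findtext(f"{{{EM_NS}}}id"),
                "version": desc.findtext(f"{{{EM_NS}}}version"),
                "targets": {}}
    for target in desc.iter(f"{{{EM_NS}}}targetApplication"):
        app_id = target.findtext(f".//{{{EM_NS}}}id")
        low = target.findtext(f".//{{{EM_NS}}}minVersion")
        high = target.findtext(f".//{{{EM_NS}}}maxVersion")
        manifest["targets"][app_id] = (low, high)
    return manifest

def firefox_supported(text, firefox_version):
    """True if the manifest declares a Firefox range containing firefox_version."""
    target = parse_install_rdf(text)["targets"].get(FIREFOX_ID)
    if target is None:
        return False
    low, high = target
    return (compare_versions(firefox_version, low) >= 0
            and compare_versions(firefox_version, high) <= 0)

if __name__ == "__main__":
    for candidate in ("3.6.28", "11.0"):
        print(candidate, firefox_supported(SAMPLE_INSTALL_RDF, candidate))
```

Widening `em:maxVersion` by hand, as the diary describes, only changes what this check returns; it does not make the extension's code compatible with the newer API.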

Think twice before installing Chrome extensions


Since November 2011, according to recent statistics, Google Chrome has become the most popular browser in Brazil (more than 45% of the market share).
The same is true for Facebook, which is now the most popular social network in Brazil, with a total of 42 million users, displacing Orkut.
These two facts are enough to motivate Brazil’s bad guys to turn their attention to both platforms. This month we saw a huge wave of attacks targeting Brazilian users of Facebook, based on the distribution of malicious extensions. Several themes are used in these attacks, including “Change the color of your profile” and “Discover who visited your profile”, and some bordering on social engineering, such as “Learn how to remove the virus from your Facebook profile”:
1) Click on Install app, 2) Click on Allow or Continue, 3) Click on Install now, After doing these steps, close the browser and open again
This last one caught our attention not because it asks the user to install a malicious extension, but because the malicious extension is hosted at Google's official Chrome Web Store. If the user clicks on “Install aplicativo”, he is redirected to the official store. The malicious extension presents itself as “Adobe Flash Player”:
At this time the malicious app has 923 users:
After installation, the malicious extension can gain complete control of the victim’s profile, by first downloading a script file:
The script file has instructions to send commands to the victim’s Facebook profile, such as spreading a malicious message, inviting more users to install the fake extension:
“Novidade: Veja se teu Face tá com vírus” means “New: check if your profile has a virus”
The script also has commands to use the profile of the victim to “Like” some pages. Why? You’ll discover at the end of this article…
Curtir: “Like” in Portuguese
Kaspersky was the first to detect this malicious extension – Trojan.JS.Agent.bxo – on 6 March, distributed in a previous and similar attack. There were a large number of infected users in Brazil and Portugal:
We reported this malicious extension to Google and they removed it quickly. But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat and mouse game.
Monetization
You’re probably asking yourself how the bad guys are turning this malicious scheme into money. Well, it’s easy: they have total control of the victim’s profile, so they created a service to sell “Likes” on Facebook, aimed especially at companies that want to promote their profiles, gaining more fans and visibility:
1000 likes earn R$ 50.00 (around U$ 27.00)
Of course, to sell the “Likes” they use the profile of the victims.
Be careful when using Facebook. And think twice before installing a Google Chrome extension.

Carberp: it’s not over yet


On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story.
Evidently, those arrested were just one of the criminal gangs using the Trojan. At the same time, those who actually developed Carberp are still at large, openly selling the Trojan on cybercriminal forums.
Here is a recent offer for the ‘multifunctional bankbot’, which appeared on 21 March:

A post advertising the sale of Carberp
There are still numerous ‘affiliate programs’ involved in the distribution of Carberp, particularly “traffbiz.ru”.
We detected a new Carberp distribution incident on 21 March. Infection was initiated at radio-moswar.ru, a website devoted to the MosWar online browser game.


The main page of radio-moswar.ru
A page on the site includes a script which quietly redirects visitors to a web page in a third-level domain.

The script redirecting users from radio-moswar.ru
The second-level domain belongs to Dyn, a company that offers free creation of *.dyndns.TLD third-level domains. Such services are popular among cybercriminals as they make it unnecessary to register new domains.


Screenshot of the dyndns.tv website
A series of redirects to different DynDns domains ultimately leads to a script of the traffbiz affiliate program. Officially, the program acts as an intermediary between webmasters and traffic buyers, but according to our information, it is mostly used by cybercriminals to distribute malware.

Screenshot of the traffbiz.ru website
A script generates the hit counter image that is demonstrated to users. The script also includes two iframes which quietly redirect users to two links.

The hit counter code on traffbiz.ru
One of the links leads to Java (CVE-2011-3544) and PDF (CVE-2010-0188) exploits that download Trojan-Spy.Win32.Carberp.epm to the victim machine and launch it.
The Trojan attempts to connect to the command server by sending requests to three domains:
****case-now.com
****ssunrise.com
****owfood-cord.com
Curiously, according to whois data, these domains were registered on 20 March.
The command server to which Carberp connects is operational. It sends the command to the bot to download configuration files specifying which information the bot should steal and how. During the attack, Carberp intercepts the content of Citibank and Raiffeisen Bank webpages on the computer, as well as pages that use software created by BSS, a company which develops and deploys automated remote banking systems.
The second link leads to the infamous BlackHole Exploit Pack, which downloads and launches two malicious programs: a version of Carberp (Trojan-Spy.Win32.Carberp.epl) and a password-stealing Trojan (Trojan-PSW.Win32.Agent.acne).
Carberp also connects to a server located in Germany which has a different IP address. The domain name ****ltd.info was registered on 21 March.
The command center is operational but is not sending any commands as yet. The Trojan receives a list of plugins from that server.
The second piece of malware installed by the BlackHole Exploit Pack is designed to steal sensitive user data, such as FTP passwords. In addition, the Trojan modifies the hosts file to redirect users from vkontakte.ru and narod.ru sites to malicious servers.
In short, those responsible for developing Carberp remain at large and the cybercriminal gangs using the Trojan remain active. In other words, victory is a long way off.

The mystery of Duqu: Part Ten


At the end of the last year the authors of Duqu and Stuxnet tried to eliminate all traces of their activity. They wiped all servers that they used since 2009 or even earlier. The cleanup happened on October 20.
There were virtually no traces of Duqu since then. But several days ago our colleagues in Symantec announced that they found a new "in-the-wild" driver that is very similar to known Duqu drivers. Previous modifications of Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012.
So, the authors of Duqu are back after a 4-month break.
Duqu is back
The newly discovered driver does not contain any new functionality compared to its previous versions. The code contains only minor modifications, and they were most likely done to evade detection from antivirus programs and detection tools such as the CrySyS Duqu Toolkit. Here’s a list of changes compared to older versions:
• The code was compiled with different optimization settings and/or inline attributes of functions.
• The size of the EXE stub that is injected with the PNF DLL was increased by 32 bytes.
• The LoadImageNotifyRoutine routine now compares the module name with “KERNEL32.DLL” using hash checksums instead of simple string comparison.
• The size of the encrypted configuration block was increased from 428 to 574 bytes. There are no new fields in the block, but the size of the registry value name (“FILTER”) field was increased. This makes the registry value name easily modifiable - probably for future use.
• The algorithm of the two subroutines that decrypt the encrypted config block, registry value and PNF DLL has been changed. This is the third known algorithm used in the Duqu encryption subroutines.
• The algorithm of the hash function for the APIs has changed. All the hash values were changed correspondingly.
Old hash function, used in previous versions of the Duqu driver:
New hash function:
The fact that the new driver was found in Iran confirms that most of Duqu incidents are related to this country.
Number of incidents
According to the information collected from our sources and from our colleagues in Symantec, there are at least 21 incidents related to Duqu.
During the investigation of several incidents we discovered more than one modification of Duqu per incident. We treat each such group of samples as a single case.
Several infected machines did not contain main Duqu modules, but at the same time they contained the files created by these modules, with names starting with “~DQ”, “~DF”, “~DO”. A number of incidents were discovered while analyzing the contents of captured C&C servers. These incidents were also included in our statistics.
Most of the victims of Duqu were located in Iran.
Geographical distribution of Duqu incidents
The scope of activities of companies that became victims of Duqu and information targeted by the Trojan indicates that the attackers were looking for any information related to production control systems used in different industries in Iran, and for information about trade relationships of particular organizations.
It is beyond any doubt that there were more Duqu incidents than we actually know, but we assume that there were no more than several dozens of them in total.
Known modifications of Duqu
The following table contains information about all the components of Duqu we know about. The files marked with green are known. The files marked with red are missing; they were not found on infected machines, however, we know the names and sizes of some of the missing files indirectly.
We have a total of 14 drivers, including one signed driver (cmi4432.sys); there are also 4 missing driver samples.
There are 7 different versions of the main Duqu module (PNF DLL) in our collection. These modules are set up to interact with five 1st tier C&C servers that have been shut down as a result of actions taken by Kaspersky Lab and Symantec. Several 2nd tier C&C servers were shut down, too.
Conclusions
The return of the Duqu Trojan in February 2012 after 4 months of silence indicates that our original assumptions were correct. When you invest as much money as was invested in Duqu and Stuxnet, it’s impossible to simply shut down the operation. Instead, you do what cybercriminals have learned to do through long experience – change the code to evade detection and carry on as usual. With a total of less than fifty victims around the world, Duqu remains one of the most mysterious Trojans ever spotted in the wild. Its focus on Iran indicates a persistent attacker with a strong, clear agenda. Its complexity and multiple layers of encryption and obfuscation indicate how important it is for the project to remain under the radar. It can be assumed that future developments will focus on this direction.

Sunday, 25 March 2012

Android.Faketoken

Android.Faketoken is a Trojan horse that opens a back door on the compromised device. 

Android Package File 
APK: santander.apk 
Version: 1.0 
Application Name: TokenGenerator 

Permissions 
When the Trojan is being installed, it requests permissions: 

  • Check the phone's current state.
  • Access information about networks.
  • Send SMS messages.
  • Monitor incoming SMS messages.
  • Open network connections.
  • Write to external storage devices.
  • Install or delete other packages. 
  • Read contact data.
  • Start once the device has finished booting.

Functionality 
The threat poses as an online banking token generator. When a user enters a key for an online banking transaction, the Trojan will return a randomly generated, fake token number. 

It then opens a back door on the compromised device, allowing an attacker to perform the following actions: 
  • Execute arbitrary commands
  • Filter SMS messages based on a predefined string and then send them to the C&C server (e.g. SMS messages from an online bank that contain authorization tokens)
  • Delete arbitrary SMS messages
  • Add a new C&C server
  • Send contact lists to the C&C server
  • Download and install arbitrary packages
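A manifest triage script for the permission pattern described above, as an added example that is not part of the original writeup: it reads a decoded AndroidManifest.xml (the manifest below is constructed; the writeup gives only plain-English permission descriptions, so the mapping to `android.permission.*` names and the package name are assumptions) and reports which of the listed back-door capabilities the requested permissions would enable, which is what an analyst would check before trusting a self-described "token generator".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the writeup's plain-English permission list to
# the android.permission.* names a manifest would actually declare
DESCRIBED_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "check the phone's current state",
    "android.permission.ACCESS_NETWORK_STATE": "access information about networks",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.RECEIVE_SMS": "monitor incoming SMS messages",
    "android.permission.INTERNET": "open network connections",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage devices",
    "android.permission.INSTALL_PACKAGES": "install other packages",
    "android.permission.DELETE_PACKAGES": "delete other packages",
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start once the device has finished booting",
}

# Permission sets that together enable each back-door capability the
# writeup lists; a genuine offline token generator needs none of them
CAPABILITY_PERMISSIONS = {
    "forward SMS to C&C": {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"},
    "send contacts to C&C": {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "download and install packages": {"android.permission.INSTALL_PACKAGES", "android.permission.INTERNET"},
    "persist across reboot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Constructed (decoded) manifest resembling the permissions described above
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tokengenerator" android:versionName="1.0">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="TokenGenerator"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared by <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission")}

def triage(manifest_xml):
    """Describe requested permissions and list the back-door capabilities they enable."""
    perms = requested_permissions(manifest_xml)
    label = ET.fromstring(manifest_xml).find("application").get(f"{{{ANDROID_NS}}}label")
    return {
        "label": label,
        "described": [DESCRIBED_PERMISSIONS[p] for p in sorted(perms) if p in DESCRIBED_PERMISSIONS],
        "unlisted": sorted(perms - set(DESCRIBED_PERMISSIONS)),
        "capabilities": sorted(c for c, need in CAPABILITY_PERMISSIONS.items() if need <= perms),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```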