http://www.win7heads.com/ en Mon, 20 May 2013 22:04:44 GMT vBulletin 60 http://www.win7heads.com/images/misc/rss.png http://www.win7heads.com/ http://www.win7heads.com/security-news/172526-microsoft-security-advisory-2846338-tue-may-14th.html Tue, 14 May 2013 22:01:54 GMT ""Microsoft today also release security advisory 2846338 indicating that they have update their Malware Protection Engine (used in a varierty of their anti malware products) to fix a vulnerability in said engine where an attacker would be able to execute random code in the context of LocalSytem. Micorosft claims the vulnerability was publicly disclosed as a DoS""

More... ]]> Security News Win7Sec http://www.win7heads.com/security-news/172526-microsoft-security-advisory-2846338-tue-may-14th.html http://www.win7heads.com/security-news/172389-extracting-digital-signatures-signed-malware-sat-may-11th.html Sat, 11 May 2013 20:41:10 GMT ""Sometimes attackers digitally sign their malicious software. Examining properties of the signature helps malware analysts understand the context of the incident. Moreover, analysts could use the signature as an indicator of compromise. Here are some tips and tools for determining whether a suspicious Windows executable has been signed and for extracting the embedded signature in a Linux environment. We'll look at Pyew, Disitool and get a bit of help from OpenSSL.
Microsoft's Windows Authenticode Portable Executable Signature Format document explains that the signatures can be embedded "in a Windows PE file, in a location specified by the Certificate Table entry in Optional Header Data Directories." The location of the signature is stored within the PE header's OptionalHeader structure's Security field.
One way to determine whether the file contains an embedded signature is to use Pyew, which is a command-line hex editor/disassembler for malware analysis. After loading the sample into Pyew, you can look at the size of the IMAGE_DIRECTORY_ENTRY_SECURITY field. A non-zero value indicates that the file probably includes an embedded signature.To do this, load the PE file into Pyew and enter the command "pyew.pe.OPTIONAL_HEADER.DATA_DIRECTORY". Then look at the size of IMAGE_DIRECTORY_ENTRY_SECURITY as shown below:

In the Pyew output above, we see that the size of IMAGE_DIRECTORY_ENTRY_SECURITY is non-zero. This indicates that kiwi.exe probably includes an embedded signature.
Disitool provides another way of determining whether a PE file includes a signature. This tool, created by Didier Stevens, can delete, copy, extract and add signatures. If you attempt to extract a signature from a non-signed file, Disitool will tell you "source file not signed."
In the example below, we see that the file has been signed. The author of this malicious file seems to have used a stolen certificate to sign the specimen. Disitool's "extract" command pulled out the signature, so we can examine it.

Disitool saves the extracted certificate in the binary DER format. You can look at the strings embedded in the DER file to examine its contents. Even better, you can use the following OpenSSL command to convert the DER file into a more informative text file:
openssl pkcs7 -inform DER -print_certs -text -in INPUT_FILE > OUT_FILE
Knowing how to spot signed files and extract signature details can be helpful for malware and forensic analysts. On Windows, you can gather some of these details by right-clicking on the PE file and looking at its properties, as well as with the help of Microsoft's Sign Tool and Sigcheck tools. On Linux, you can accomplish this with the help of Pyew, Disitool and OpenSSL, which are installed on REMnux for your convenience""

More... ]]> Security News Win7Sec http://www.win7heads.com/security-news/172389-extracting-digital-signatures-signed-malware-sat-may-11th.html http://www.win7heads.com/security-news/172366-microsoft-adobe-patch-tuesday-pre-release-fri-may-10th.html Fri, 10 May 2013 19:12:07 GMT ""Both Adobe and Microsoft released pre-anouncements for next week's patch Tuesday.
Microsoft is working on having a patch available for the Internet Explorer 8 0-day vulnerability. [1] There are two critical Internet Explorer patches, one specifically for Internet Explorer 8, and the other one for all current versions. The later (refered to as "Bulletin 1" by Microsoft) is likely the usual roll up patch.
There are the only two critical bulletins next week. The rest covers "the usual" (Office, Windows, Lynx and Windows Essentials) and is rated important.
Adobe announced only one bulletin for Acrobat and PDF Reader. There is no patch scheduled for Cold Fusion at this point.
[1] http://blogs.technet.com/b/msrc/arch...n-release.aspx
[2] http://technet.microsoft.com/en-us/s...letin/ms13-may
[3] http://www.adobe.com/support/securit...apsb13-15.html""

More... ]]> Security News Win7Sec http://www.win7heads.com/security-news/172366-microsoft-adobe-patch-tuesday-pre-release-fri-may-10th.html http://www.win7heads.com/security-news/171882-apache-binary-backdoor-adds-malicious-redirect-blackhole-tue-apr-30th.html Tue, 30 Apr 2013 17:00:16 GMT ""On 26 APR, Sucuri's Daniel Cid posted Apache Binary Backdoors on Cpanel-based servers. This coincided closely with a technical study of the Linux/Cdorked.A malware provided by ESET.
Sucuri stated that "on cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one."
ESET's analysis of this malware revealed that it is a "sophisticated and stealthy backdoor meant to drive traffic to malicious websites."
Speculation regarding how the initial entry occured to allow injection in the first place is varied, but SSH bruteforce is on the list.
See ESET's guidance regarding shared memory, and as always, validate the intergrity of httpd packages.
Review both articles, and if you're utilizing a shared webserver provided by a colo/ISP, be sure your confidence in their ability to manage and administer that server on your behalf is high""

More... ]]> Security News Win7Sec http://www.win7heads.com/security-news/171882-apache-binary-backdoor-adds-malicious-redirect-blackhole-tue-apr-30th.html http://www.win7heads.com/security-news/171840-report-fake-tech-support-calls-submission-form-reminder-mon-apr-29th.html Mon, 29 Apr 2013 21:23:54 GMT ""Previously we detailed this project in Feature of the Week: Report Fake Tech Support Calls and some initial statistic reports at Feature of the Week: Report Fake Tech Support Call Statistics.
We have steadily been receiving first and second hand information emails about fake tech support calls and sms spam. I wanted to highlight our data collection project again at https://isc.sans.edu/reportfakecall.html where you, or anyone that reports these to you, can submit as much information as you are comfortable sending us to help better understand how common "Fake Tech Support" calls are, and what they are trying to achieve.
The emphasis today is on SMS (texting) type messages! The first question on the form "Was the call automated or did a person call you?" has choices for automated, personal or SMS. Follow on questions for SMS can include message language, URL if any and the phone number. Fill in any or all of the information, nothing is required but anything is helpful.
I can't wait to get my first call and go round-and-round trying to find the start button on my linux system :D but I have received numerous SMS spam and submitted to the form.""

More... ]]> Security News Win7Sec http://www.win7heads.com/security-news/171840-report-fake-tech-support-calls-submission-form-reminder-mon-apr-29th.html http://www.win7heads.com/security-news/171477-chargen-based-ddos-chargen-still-thing-sun-apr-21st.html Sun, 21 Apr 2013 17:23:31 GMT ""In the recent few days there was another denial of service attack launched at financial organizations. (Yeah, I know, DDoS on a bank, that's *totally* never happens). What is newsworthy isn't that it happened, it was the means used to execute the attack. Specifically, the organizations were flooded with UDP port 19 traffic which is the chargen protocol. I am not sure I've ever seen a legitimate use of this protocol or encountered a machine that had it on intentionally before.
For review, chargen is basically a character generation protocol that listens on port 19 with TCP or UDP. If you connect to TCP, it continues to stream random characters until you close the connection. With UDP, it will respond with an up to 512 byte response depending on the request. In this particular case, it was another amplification attack using UDP. What makes chargen under UDP so desirable is that you can spoof sources without having to worry about establishing a fake connection and that it responds with packets much larger than the request. In short, if your networks are exposing a service that responds to UDP with packets much larger than the request (DNS in particular is popular these days), take due care that you are doing rate-limiting if those protocols are Internet-accessible.
It's not a common attack using chargen and there is some evidence that in a few of the cases in the past few years the attack was used as a smoke screen to hide other attack traffic.
In this case, many of the devices used were commodity multifunction copiers and the like. Which leads to two questions:
1) Why are these Internet accessible?
2) Why did the vendor enable this protocol by default? (or possible some malicious individual enabled it)
So your takeaways are two-fold:
- Check to make sure you don't have Internet-accessible devices that don't need to be (and if they need to be, you are regulating UDP requests).
- Make sure you are doing some form of BCP 38 where you filter outbound traffic to ensure that no packets leave your network that don't have internal addresses. Amplification attacks rely on spoofed packets and if every provider implemented this filtering, we would see these attacks greatly diminish overnight.
And don't forget old and dead protocols, sometimes they're still around. :)
--
John Bambenek""

More... ]]> Security News Win7Sec http://www.win7heads.com/security-news/171477-chargen-based-ddos-chargen-still-thing-sun-apr-21st.html