Bob Dylan was right. The times are changing, especially in the web security war. It turns out that the hacker group behind the Coreflood Trojan have stolen at least 463,582 usernames and passwords while flying under the radar. How did they accomplish this? Instant messaging worm? Emailing malware out, via a botnet, to everyone and their dog? According to SecureWorks Director of Malware Research Joe Stewart, it all started with a drive-by attack:
According to Stewart, it was by not targeting things like instant messaging or e-mail, which get a lot of attention from security vendors. Instead, the hackers relied on drive-by attacks, and would pick a hosting provider and do a mass hack of every single Web page on that particular server. Then they would wait for users—particularly domain administrators with high-level rights.
So basically, the attackers plan is to put an infected website up, let one user access it and get infected, and then wait for the domain administrator to log into that workstation. After the administrator has logged in, and the malware has privileges, it propagates like an update to all other systems on the network.
Also, the group “did not rely on zero-day attacks, just standard exploits that one can get from various underground forums“.
According to Stewart:
“Their trick is not in getting that initial infection—their trick is being patient and waiting for the right person to log into that workstation and then (taking) over that whole network,” he said.
Ah, the old Keyser Soze trick – The greatest trick the devil ever pulled was convincing the world he did not exist. And like that… he is gone.
Here is the list:
SVASE Guerrilla PR – Not security related but for those trying to heighten their PR presence it is certainly a good read.
A few days ago I was at a SVASE meeting and the topic was on guerrilla PR. This was my first SVASE meeting, so I didn’t really know what to expect. I felt like I was the only bootstrap startup, as everyone I talked to were funded by angels or VCs.
Free AV Scanners – Harlan was kind enough to point out a collection of free AV tools. Check it out.
Many times during an examination, you may want to do a little data reduction, by scanning your image for the presence of malware. While this should not be considered a 100% guarantee that there is no malware if there are no hits, this may lead you to something and narrow your search a bit. Again, this is just a tool, something that as a forensic analyst you can use.
Social Engineering Schemes Increase: Great Case Study From An Actual Event – I do love a good case study.
Just today I have already read in my daily news items 5 articles about social engineering! One in particular, “CUNA Mutual Warns on Costly HELOC Scam,” provides not only a great example of a current social engineering scam, but it would also make a great case study for social engineering training and within your awareness communications and activities. Here’s a quick overview…
The Worst IT Security Breaches of 2007 – They’re probably still fresh in your head but here is a link in case you need to reference them for a future presentation.
Every year sees a fresh crop of security breaches. Most go unreported, unless they involve consumers’ personal data, at which point companies are required to give timely public notice of security breaches. The following list of 2007’s worst security breaches consists mainly of such reportable incidents. The incidents are sorted in descending order of severity based on how many individuals were potentially affected.
Tips from an RHCE: Visualizing audit logs with mkbar – Log visualization on-the-cheep.
The 2.6 Linux kernel comes with a very flexible and powerful auditing subsystem called auditd. auditd is composed of two parts. The main work is done in kernel-space (kernel/audit.c, kernel/auditsc.c). In user-land, auditd is listening for generated audit events. auditd is able to log file-watches as well as syscalls. All LSM-based subsystems–for example, SELinux–are logging via auditd as well. All events are written to /var/log/audit/audit.log.
Steve Grubb wrote a small script called mkbar. It converts these lines into gnuplot-compatible data. Gnuplot is a 2D/3D plotting program which is able to produce nice-looking graphics. If you would like to get a graphic showing which SELinux file types are generating an AVC message (and in what proportions), just call aureport and pipe its output through mkbar…
Great Malware Visualizations – Wow…that IS really cool 🙂
Wow, these are tre’ cool. They are from Alex Dragulescu done for messagelabs‘ latest marketing. found via the always excellent infosthetics blog. Hit infosthetics for more information on the visualization technique.
Top IT Security Threats of 2008 – Hmmm…do you agree or disagree?
The SANS (SysAdmin, Audit, Networking and Security) Institute has released its list of the top 10 cybersecurity threats for 2008. The list includes new developments of evergreen security risks: new exploitations of browser vulnerabilities; worms with advanced P2P (peer-to-peer) technologies; and insider attacks by rogue employees, consultants or contractors.
malware unpacking tutorial videos – Good catch Michael. I agree with you…reverse engineering is cool but it’s not something that I think I could wrap my head around.
I’m not a big software de-engineering guy or reverser and I don’t see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin over at Offensive Security.
The growth of malware – This is somewhat alarming…
It’s worth noting that these numbers are also increasing because of variants — i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it’s not like there’s over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.
NERC CIP Rules Out – Logs In! – You should check this out too.
NERC security rules [PDF], that were updated and became mandatory last week, might well become “a new PCI DSS” and trigger “a golden age” of security in the energy industry: the rules are mandatory, they are specific (more specific than a lot of other regulatory security guidance) and there is an enforcement body (NERC) that can make life miserable for those not complying.
Visa reports high compliance numbers – Good to see that compliance levels are high…repeat….compliance levels are high.
Visa Inc. announced today that as of the end of 2007, more than three-fourths of the largest U.S. merchants [Level 1] and nearly two-thirds of medium-sized merchants [Level 2] have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa’s U.S. transaction volume.
Bridging Security and Visualization – Cool post, and associated video, from Raffy.
OnSecrity just released another video of the conversation we recorded last year during RSA. I am talking about security visualization in light of the book I am working on. This video cast is the sequel to the first one that I posted a few days ago.
Top Ten Web Hacks of 2007 (Official) – Incredible. I’m having a hard time wrapping my head around the number of web hacks in 2007. Kind of makes you sick, doesn’t it?
The polls are closed, votes are in, and we have ten winners making up the Top Ten Web Hacks of 2007! The competition was fierce. The information security community put 80 of the newest and most innovative Web hacking techniques to the test. The voting process saw even some attempts at ballot stuffing, but to no avail, and very few techniques received zero votes. The winners though stood head and shoulders above the rest. Thanks to everyone who helped building the list of links, took the time to vote, and especially the researchers whose work we all rely upon. Congratulations!
Metasploit Framework GUI – Hot new MSF3 GUI.
I’m behind on my posting, but I’m going to do a quick post on the shiny new MSF3.1 GUI.
I’m not usually a GUI kinda guy but I do like the GUI specifically the browser option where you can just drag and drop files…way cool.
here is the post from the framework list talking about getting it up and running on linux and windows
I think its technically still in beta and not officially released but its working well and I would expect a release soon.
From the SANS Information Security Reading Room: