(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Virii’ Category

New Email Exploit “Scan upon download” 03.08.10


The email reads:

Dear Sirs,
We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment. We are enclosing the file with the prepared contract.

The email has a ZIP archive attached, a 202 kB file; once extracted, an executable named Contract.exe appears.

After being clicked on and run, the following files are created:



A new process is created:


You’ve just been p0wned. Of course, the hook here is the social engineering. First off, the admonishment in the subject line:

“scan upon download”

Nice touch, really. As not many vendors can see this yet, I am sure this will work pretty well for the mass clickers out there.

My virus scanner said it was ok! CLICK CLICK CLICK!

Second, the whole contract angle. Now, if you are not a sir, and you know nothing of any contracts you might be receiving, why would you click on this? Mostly I think it is because people are generally curious and want to know things that they “shouldn’t” have access to. So they will click on the zip or the “contract” to get the dirt.

Human nature…

The trojan that has just been installed is named Suspicious:W32/Malware!Gemini by F-Secure or Mal/TibsPk-D by Sophos and is able to create malicious executable files on the infected system for you, the end user, to handily execute later on! YAY!

So far this was seen in the wild today at 1220 EST and only has been picked up by a scant few virus scanners. I expect there to be many more self p0wnings in the next few hours.

Here’s the hint, people… If you don’t have business dealings with contracts, DON’T CLICK, and for heaven’s sake DO NOT CLICK ON AN EXE!
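Telling users not to click is necessary but not sufficient; the check belongs at the mail gateway, before the ZIP reaches a mailbox. The following is an added example for this post, not code from the original page: it builds a constructed ZIP in memory that mimics the attachment described above (a fake Contract.exe carrying the “MZ” header every Windows PE starts with, plus a double-extension variant) and flags members by extension, by magic bytes, and by the double-extension trick. The executable-extension list is an assumed representative subset, not an exhaustive one, and the real 202 kB archive is not reproduced.

```python
"""Mail-gateway style check for executables hidden in ZIP attachments.

Added example, not code from the original post. Builds a constructed ZIP with
a fake 'Contract.exe' and checks each member three ways.
"""
import io
import zipfile

# Assumption: a representative subset of extensions Windows runs on double-click.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".dll", ".cpl"}


def build_sample_zip():
    """Constructed sample mimicking the post's attachment plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # A real PE begins with the 'MZ' DOS stub; the rest is padding here.
        zf.writestr("Contract.exe", b"MZ" + b"\x90" * 200)
        zf.writestr("readme.txt", b"Please find the contract attached.\n")
        # Double-extension trick: looks like a PDF when extensions are hidden.
        zf.writestr("Contract.pdf                        .exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def build_benign_zip():
    """Constructed sample with nothing executable in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("contract.txt", b"Clause 1: ...\n")
    return buf.getvalue()


def _final_extension(name):
    """Extension after the last dot, ignoring trailing whitespace tricks."""
    name = name.rstrip().lower()
    dot = name.rfind(".")
    return name[dot:].strip() if dot >= 0 else ""


def inspect_zip(data):
    """Return [(member name, [reasons])] for members that should be blocked.

    Reasons: 'exec-extension', 'pe-magic', 'double-extension'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            stem = info.filename.rsplit("/", 1)[-1]
            if _final_extension(stem) in EXEC_EXTENSIONS:
                reasons.append("exec-extension")
            # First two bytes only: cheap, and catches a PE renamed to .pdf.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("pe-magic")
            # More than one dot, or runs of spaces padding out the real extension.
            if len(stem.lower().split(".")) > 2 or "  " in stem:
                reasons.append("double-extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def should_block(data):
    """Gateway decision: quarantine the message if any member is flagged."""
    return bool(inspect_zip(data))
```

The magic-byte check is the one that matters: renaming Contract.exe to Contract.pdf defeats the extension list, but not the “MZ” header, and a nested ZIP inside the ZIP should be unpacked and run through the same function.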


Written by Krypt3ia

2010/03/09 at 19:16

Malware Stego With Proper English


Hackers could evade most existing antivirus protection by hiding malicious code within ordinary text, according to security researchers.

One of the most common ways of hijacking other people’s computers is to use “code-injection” attacks, in which malicious computer code is delivered to and then run on victims’ machines. Current security measures work on the assumption that the code used has a different structure to plain text such as English prose.

Now a team of researchers has highlighted a potential future theatre in the virus-security arms race by working out how to hide malware within English-language sentences.

Though this is a hard exploit to pull off because of all the groundwork that needs to go into it, it is a novel approach for, say, a nation-state actor such as China to try, huh? Of course, they would have to work a bit harder at using English properly and not go for the pidgin English that they are known for now in coding sites and malware at times. Imagine just getting infected from a grammatically correct HTTP page on the internet, eh?

This exploit would be classic steganography, though. Let’s see if this exploit shows up somewhere in the future….

“English Shell Code”
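The reason prose can be executable at all is that a large part of the one-byte x86 opcode map falls in printable ASCII: the capital letters are inc/dec/push/pop, the lower-case range holds push-immediate, imul, pushad/popad and the conditional jumps, and space, punctuation and digits land on and/sub/xor/cmp. The following is an added example, not code from the paper or from the original post: a teaching decoder that knows only that printable-ASCII subset of 32-bit x86 and reports where a sentence stops being valid code. The sample strings are constructed here; the operand-size prefix is recorded but its effect on immediate width is ignored, so this is not a general disassembler.

```python
"""Decode English text as 32-bit x86 machine code (printable-ASCII subset only).

Added example, not code from the paper or the page. Shows which bytes of a
sentence a CPU would accept as instructions and where decoding breaks down.
"""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
PREFIXES = {0x26: "es", 0x2E: "cs", 0x36: "ss", 0x3E: "ds",
            0x64: "fs", 0x65: "gs", 0x66: "opsize", 0x67: "adsize"}

# opcode -> (mnemonic, operand form); forms: '', 'modrm', 'imm8', 'imm32',
# 'rel8', 'modrm+imm8', 'modrm+imm32'. Only opcodes in 0x20-0x7E are listed.
TABLE = {}
for base, mn in {0x20: "and", 0x28: "sub", 0x30: "xor", 0x38: "cmp"}.items():
    TABLE[base + 0] = (mn + " r/m8, r8", "modrm")
    TABLE[base + 1] = (mn + " r/m32, r32", "modrm")
    TABLE[base + 2] = (mn + " r8, r/m8", "modrm")
    TABLE[base + 3] = (mn + " r32, r/m32", "modrm")
    TABLE[base + 4] = (mn + " al, imm8", "imm8")
    TABLE[base + 5] = (mn + " eax, imm32", "imm32")
TABLE.update({0x27: ("daa", ""), 0x2F: ("das", ""), 0x37: ("aaa", ""), 0x3F: ("aas", "")})
for i, r in enumerate(REGS):
    TABLE[0x40 + i] = ("inc " + r, "")     # '@'..'G'
    TABLE[0x48 + i] = ("dec " + r, "")     # 'H'..'O'
    TABLE[0x50 + i] = ("push " + r, "")    # 'P'..'W'
    TABLE[0x58 + i] = ("pop " + r, "")     # 'X'..'_'
TABLE.update({0x60: ("pushad", ""), 0x61: ("popad", ""), 0x62: ("bound", "modrm"),
              0x63: ("arpl", "modrm"), 0x68: ("push imm32", "imm32"),
              0x69: ("imul r32, r/m32, imm32", "modrm+imm32"),
              0x6A: ("push imm8", "imm8"), 0x6B: ("imul r32, r/m32, imm8", "modrm+imm8")})
for i, mn in enumerate(JCC):
    TABLE[0x70 + i] = (mn + " rel8", "rel8")   # 'p'..DEL


def modrm_length(code, pos):
    """Bytes used by the ModRM at code[pos], incl. SIB/displacement; None if cut off."""
    if pos >= len(code):
        return None
    mod, rm = code[pos] >> 6, code[pos] & 7
    n = 1
    if mod == 3:
        return n
    if rm == 4:                                    # SIB byte follows
        if pos + 1 >= len(code):
            return None
        n += 1
        if mod == 0 and (code[pos + 1] & 7) == 5:  # no base: disp32
            n += 4
    if mod == 1:
        n += 1
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4
    return n if pos + n <= len(code) else None


def decode(text):
    """Return [(offset, raw bytes, mnemonic)]; stops at the first undecodable byte."""
    code = text.encode("ascii")
    out, pos = [], 0
    while pos < len(code):
        start, prefixes = pos, []
        while pos < len(code) and code[pos] in PREFIXES:
            prefixes.append(PREFIXES[code[pos]])
            pos += 1
        if pos >= len(code):
            out.append((start, code[start:], "truncated (prefix only)"))
            break
        op = code[pos]
        if op not in TABLE:
            out.append((start, code[start:pos + 1], "not-encodable 0x%02x %r" % (op, chr(op))))
            break
        mn, form = TABLE[op]
        pos += 1
        if form.startswith("modrm"):
            n = modrm_length(code, pos)
            if n is None:
                out.append((start, code[start:], "truncated " + mn))
                break
            pos += n
        need = 1 if (form.endswith("imm8") or form == "rel8") else 4 if form.endswith("imm32") else 0
        if pos + need > len(code):
            out.append((start, code[start:], "truncated " + mn))
            break
        operand = code[pos:pos + need]
        pos += need
        if form == "rel8":
            disp = operand[0] - 256 if operand[0] > 127 else operand[0]
            mn = "%s %+d" % (mn[:-5], disp)
        elif need:
            mn = "%s 0x%s" % (mn.rsplit(" ", 1)[0], operand[::-1].hex())  # little-endian
        out.append((start, code[start:pos], " ".join(prefixes + [mn])))
    return out


def fully_decodable(text):
    """True when every byte of the text is consumed as a complete instruction."""
    return all(not m.startswith(("truncated", "not-encodable")) for _, _, m in decode(text))
```

Two things the decoder makes visible: a word such as “PUSH” is four harmless one-byte instructions, and “h” swallows the next four letters as a push immediate, which is the kind of instruction an encoder uses to step over letters it cannot execute. The real engineering in the paper is choosing words so that the side effects (here, a stack that grows with every push) stay harmless and control eventually reaches a decoder loop.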

Written by Krypt3ia

2009/11/28 at 12:48

Fringe Science Or Reality?


Swine Flu May Be Human Error; WHO Investigates Claim

By Jason Gale and Simeon Bennett

May 13 (Bloomberg) — The World Health Organization is investigating a claim by an Australian researcher that the swine flu virus circling the globe may have been created as a result of human error.

Adrian Gibbs, 75, who collaborated on research that led to the development of Roche Holding AG’s Tamiflu drug, said in an interview that he intends to publish a report suggesting the new strain may have accidentally evolved in eggs scientists use to grow viruses and drugmakers use to make vaccines. Gibbs said he came to his conclusion as part of an effort to trace the virus’s origins by analyzing its genetic blueprint.

“One of the simplest explanations is that it’s a laboratory escape,” Gibbs said in an interview with Bloomberg Television today. “But there are lots of others.”

The World Health Organization received the study last weekend and is reviewing it, Keiji Fukuda, the agency’s assistant director-general of health security and environment, said in an interview May 11. Gibbs, who has studied germ evolution for four decades, is one of the first scientists to analyze the genetic makeup of the virus that was identified three weeks ago in Mexico and threatens to touch off the first flu pandemic since 1968.

A virus that resulted from lab experimentation or vaccine production may indicate a greater need for security, Fukuda said. By pinpointing the source of the virus, scientists also may better understand the microbe’s potential for spreading and causing illness, Gibbs said.

Possible Mistake

“The sooner we get to grips with where it’s come from, the safer things might become,” Gibbs said by phone from Canberra yesterday. “It could be a mistake” that occurred at a vaccine production facility or the virus could have jumped from a pig to another mammal or a bird before reaching humans, he said.

Gibbs and two colleagues analyzed the publicly available sequences of hundreds of amino acids coded by each of the flu virus’s eight genes. He said he aims to submit his three-page paper today for publication in a medical journal.

“You really want a very sober assessment” of the science behind the claim, Fukuda said May 11 at the WHO’s Geneva headquarters.

The U.S. Centers for Disease Control and Prevention in Atlanta has received the report and has decided there is no evidence to support Gibbs’s conclusion, said Nancy Cox, director of the agency’s influenza division. She said since researchers don’t have samples of swine flu viruses from South America and Africa, where the new strain may have evolved, those regions can’t be ruled out as natural sources for the new flu.

“This is how science progresses,” he said. “Somebody comes up with a wild idea, and then they all pounce on it and kick you to death, and then you start off on another silly idea.”

Well, this has not really made it to the mainstream news, but Bloomberg is close. Now, this story does answer some possible questions on the oddness of this disease. After all, it has traits of three different bugs within its code, not just one particular type.

What’s even more interesting is that this theory and paper by Gibbs has been accepted for review by WHO! So, we will see what they say as to the potential validity of this theory. Personally, I think it highly possible that this would be the way something like this would escape the labs out there where folks have been tinkering with the DNA of viruses.

“Don’t fear the reaper….”

Remember “The Stand” ? Yeah….

Anyway, I am looking to procure the actual paper by Gibbs. So once I locate that I will post it. Until then, think about this… Could this indeed have been an accidental release of a bug as a byproduct of Tamiflu?

Maybe something more directed? Oh, there I go all Fringe on it….

Written by Krypt3ia

2009/05/21 at 10:58

Conficker Object Lesson: Due Diligence Is Key


In my view, the Conficker worm provides a microcosm of the complexity of IT security and the pressing need for security best practices. Here are a few examples:

  1. Conficker reinforces the link between IT security and operations. Organizations with strong asset, configuration, and patch management processes were probably able to patch vulnerable systems before Conficker first appeared in November 2008.
  2. Conficker demonstrates the need for device authentication and port blocking. Conficker uses USB flash drives as a means for propagation. This should serve as a wake-up call to security professionals that USB drives can act as a modern-day “sneakernet” for spreading malicious code or stealing confidential data. Addressing these threats means limiting USB access to authorized drives (through means like the IEEE 1667 standard) while filtering all traffic that flows to or from USB drives.
  3. Conficker contains a password-cracking program that can break simple passwords like “1234” or “password.” This demonstrates the need for strong password enforcement, password management, and even multifactor authentication.
  4. Finally, Conficker is an extremely aggressive worm that looks for open file shares on the network to create yet another propagation method. Detecting this activity demands network traffic analysis and an understanding of normal versus anomalous behavior.

The rest HERE
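Item 4 in the excerpt says catching the share-hunting behaviour needs traffic analysis and a baseline of normal. One cheap baseline is fan-out: a workstation normally talks to a handful of file servers, while a host sweeping a subnet opens TCP/445 connections to dozens of distinct addresses within a minute. The following is an added example for this post, not code from the quoted article: a sliding-window fan-out detector run over constructed flow records (the timestamp/src/dst/port/flag format is assumed for the example, not any product's output), with one constructed host that behaves like a scanner.

```python
"""Flag hosts that fan out to many SMB/NetBIOS peers in a short window.

Added example, not from the quoted article. Flow lines are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_flows():
    """Constructed sample: two normal clients and one host sweeping a /24 on 445."""
    t0 = datetime(2009, 3, 31, 10, 0, 0)
    lines = []
    # Normal clients: a few connections to the two file servers.
    for i, dst in enumerate(["10.0.9.10", "10.0.9.11", "10.0.9.10"]):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append("%s 10.0.5.23 %s 445 SYN" % (ts, dst))
    lines.append("%s 10.0.5.41 10.0.9.10 445 SYN" % (t0 + timedelta(seconds=9)).isoformat())
    # Scanner: one SYN per second to consecutive addresses.
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append("%s 10.0.5.77 10.0.9.%d 445 SYN" % (ts, i + 1))
    # Same host also tries NetBIOS session service on 139.
    lines.append("%s 10.0.5.77 10.0.9.50 139 SYN" % (t0 + timedelta(seconds=41)).isoformat())
    return lines


def parse(line):
    """'<iso timestamp> <src> <dst> <port> <flag>' -> tuple (assumed format)."""
    ts, src, dst, port, flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flag


def fanout_alerts(lines, window=timedelta(seconds=60), threshold=20, ports=(445, 139)):
    """Return {src: peak distinct destinations} for sources at/over threshold.

    Only SYNs to the SMB/NetBIOS ports count; the peak is taken over every
    sliding window of the given length, so a slow scan can still trip it.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port, flag = parse(line)
        if flag == "SYN" and port in ports:
            events[src].append((ts, dst))
    alerts = {}
    for src, ev in events.items():
        ev.sort()
        peak, start = 0, 0
        for end in range(len(ev)):
            while ev[end][0] - ev[start][0] > window:
                start += 1
            distinct = len({d for _, d in ev[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts
```

The threshold is the part that needs a real baseline: measure the per-host peak over a normal week first, then set it above the busiest legitimate client (print servers and backup hosts usually need an allow-list).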

This guy hit it right on the head! The poor security practices of many a company out there will be their undoing should Conficker actually do anything of merit. Why is it so many places do so little to really secure their environments? Why, when they are told how to secure and why they need to, do they do nothing or just a half-assed job at “Due Diligence”? Well, let’s see what tomorrow brings. Well, nothing likely tomorrow, but give it a few days….

Written by Krypt3ia

2009/04/01 at 00:19

Digital DNA


“Today the majority of malware cannot be detected by signature-based security solutions and other traditional security methods. While these solutions play a role in a company’s defense-in-depth security strategy, malware now is more sophisticated and can easily go around these solutions,” said Greg Hoglund, CEO and founder of HBGary. “Our Digital DNA technology detects malware that is polymorphic, using advanced techniques or currently unknown that these solutions can’t find.”

HBGary Digital DNA: How it Works

Digital DNA is a patent-pending technology to detect advanced computer security threats within computer memory without relying on information provided by the computer’s operating system. All software modules residing in memory are identified and ranked by level of severity. The Digital DNA sequence appears as a series of trait codes which, when concatenated together, describe the behaviors of each software module. For an example of a Digital DNA sequence, please use this link. Observed behavioral traits are then matched against HBGary’s new Global Threat Genome database to classify digital objects as good, bad or neutral. The database currently contains more than 2500 codified behavior traits.

Full Article HERE

I recently had a discussion about the DNA traits that could be programmed digitally into malware/viruses. I am interested to see an RNA version too that would mutate on connection to other malware/viruses so they could trade and create new variants on their own.

With the advent of Conficker, I think this is getting closer to a reality. It is conceivable to create code that could mesh in a random mutation and thus generate new and interesting modus operandi.

On the other end of this, I am sure that the methodology presented by HBGary will be all the rage in future attempts to detect and thwart all those pesky nasties.

Written by Krypt3ia

2009/03/26 at 01:16

Conficker C Variant: SRI Analysis



We present an analysis of Conficker Variant C, which emerged on the Internet at roughly 6 p.m. (PST) on 4 March 2009. This variant incorporates significant new functionality, including a new domain generation algorithm and a new peer-to-peer file sharing service. Absent from our discussion has been any reference to the well-known attack propagation vectors (RPC buffer overflow, USB, and NetBIOS scans) that have allowed C’s predecessors to saturate so much of the Internet. Although not present in C, these attack propagation services are but one peer upload away from any C infected host, and may appear at any time. C is, in fact, a robust and secure distribution utility for distributing malicious content and binaries to millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker’s authors are maintaining their current foothold on a large number of Internet-connected hosts. Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.

Full report HERE
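The domain generation algorithm mentioned in the abstract cuts both ways: the bot derives its rendezvous names from the calendar date so that it needs no hard-coded server, but anyone who has reverse-engineered the algorithm can compute tomorrow’s list just as well and have the names registered or sinkholed first. The following is an added example for this post, and it is not Conficker’s algorithm (SRI’s report documents the real one); it is a deliberately simple stand-in with the same shape, used to show both the bot side and the defender side. The seed constant, the SHA-256 derivation and the TLD pool are assumptions made for the example.

```python
"""Toy date-seeded DGA with the defender's pre-computation against it.

Added example; NOT Conficker's algorithm. Seed, hash and TLD pool are assumed.
"""
import hashlib
from datetime import date, timedelta

SEED = b"example-seed"                         # assumption: constant baked into the bot
TLDS = ["com", "net", "org", "info", "biz"]    # assumption: illustrative TLD pool
SINKHOLE = "192.0.2.1"                         # RFC 5737 documentation address


def daily_domains(day_iso, count=50, seed=SEED):
    """Deterministic list of rendezvous names for an ISO date string (toy DGA)."""
    day = date.fromisoformat(day_iso)
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        length = 6 + digest[0] % 5                      # 6..10 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append("%s.%s" % (label, TLDS[digest[-1] % len(TLDS)]))
    return names


def bot_rendezvous(day_iso, resolver):
    """Bot side: walk the day's list in order; the first name that resolves wins.

    `resolver(name)` returns an IP string or None (a dict's .get works here).
    """
    for name in daily_domains(day_iso):
        ip = resolver(name)
        if ip:
            return name, ip
    return None


def sinkhole_table(first_day_iso, days_ahead=3):
    """Defender side: every name the bots will try over the next N days -> sinkhole IP."""
    first = date.fromisoformat(first_day_iso)
    table = {}
    for d in range(days_ahead):
        for name in daily_domains((first + timedelta(days=d)).isoformat()):
            table[name] = SINKHOLE
    return table


def is_dga_query(name, table):
    """Detection: a DNS query for a pre-computed name identifies an infected client."""
    return name in table
```

Because the bot's own walk order is known, the defender does not even need all fifty names: registering the first one the bot will try is enough to capture every infected host for that day. That is why the real Conficker C response went to generating tens of thousands of names per day across many TLDs, to make the pre-registration step expensive rather than impossible.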

So, what does it all mean? What is the master plan for Conficker? The Cabal has not yet been able to find out who wrote it (but my guess is that they are Ukrainian) to track them down. Everything just looms over us as April 1 approaches and its activation day comes.

What’s missing here is the actual commands that the code is supposed to enact on April 1 though. I am sure they have decoded the bug and know, so why not let us all know? Perhaps the game is afoot and they plan on stopping a mass attack. Who knows…

What I find really interesting about the Conficker updates is that they seem to have thought this out very well. With the random DNS calls, the random sleep times, and other methods to obfuscate its presence, this bug would seem to have the ability to propagate itself, attack the internet, and possibly pass data to the herders at an incredible rate, all the while unable to be stopped by common IDS/firewalls, etc.

April 1 will be interesting to say the least…

Written by Krypt3ia

2009/03/24 at 11:24