Archive for the ‘Celframe Security’ Category
Flaws in Shamoon Malware Reinforce Theory It’s Not A Wiper Variant
Last Updated on Thursday, 23 August 2012 10:15 Written by Celframe Security Team Friday, 16 November 2012 12:35
Some clumsy coding discovered during an analysis of the Shamoon malware has led researchers to conclude that it is probably not related to the Wiper malware that hit some Iranian networks recently and likely isn’t the work of serious programmers.
The main error sits in the main executable, the dropper, which on some systems is launched as a service and creates a scheduled task. The scheduling logic is broken because the date August 15, 2012 is hard-coded into the malware and the comparison against it is wrong: if the current year is 2013 or later but the month is earlier than August, the malware treats the current date as falling before the August 2012 checkpoint.
“This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems,” wrote Kaspersky Lab researcher Dmitry Tarakanov in a Securelist post. “Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine.”
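To make the flaw concrete, here is an added example in C. It is not Shamoon's code and not taken from the Kaspersky analysis: the buggy function is an assumed shape of the bug (each date field tested on its own, the results ANDed) chosen because it reproduces the symptom described above, and it is placed next to a correct lexicographic comparison and run over a few constructed dates.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hard-coded checkpoint named in the analysis: 15 August 2012. */
enum { CHK_YEAR = 2012, CHK_MONTH = 8, CHK_DAY = 15 };

/* Assumed shape of the bug (illustrative, not the malware's real code):
 * each field is tested against the checkpoint on its own and the three
 * results are ANDed. Any date whose month is below 8 or whose day is
 * below 15 fails, no matter how far past 2012 the year is. */
bool checkpoint_reached_buggy(int year, int month, int day)
{
    return year >= CHK_YEAR && month >= CHK_MONTH && day >= CHK_DAY;
}

/* Correct test: compare the most significant field first and only fall
 * through to the next one on a tie (lexicographic order on Y, M, D). */
bool checkpoint_reached(int year, int month, int day)
{
    if (year != CHK_YEAR)
        return year > CHK_YEAR;
    if (month != CHK_MONTH)
        return month > CHK_MONTH;
    return day >= CHK_DAY;
}

/* Equivalent one-liner: fold the date into a sortable YYYYMMDD integer. */
bool checkpoint_reached_key(int year, int month, int day)
{
    long key = (long)year * 10000 + month * 100 + day;
    long chk = (long)CHK_YEAR * 10000 + CHK_MONTH * 100 + CHK_DAY;
    return key >= chk;
}

int main(void)
{
    /* Constructed sample dates, including the March-2013 case described
     * in the analysis and a September-2012 case the assumed bug also misses. */
    const struct { int y, m, d; } samples[] = {
        { 2012, 8, 14 }, { 2012, 8, 15 }, { 2012, 9, 1 },
        { 2013, 3, 10 }, { 2013, 8, 20 }, { 2011, 12, 31 },
    };
    size_t n = sizeof samples / sizeof samples[0];

    printf("%-12s %-6s %-8s\n", "date", "buggy", "correct");
    for (size_t i = 0; i < n; i++) {
        int y = samples[i].y, m = samples[i].m, d = samples[i].d;
        bool b = checkpoint_reached_buggy(y, m, d);
        bool c = checkpoint_reached(y, m, d);
        printf("%04d-%02d-%02d   %-6s %-8s%s\n", y, m, d,
               b ? "yes" : "no", c ? "yes" : "no",
               b != c ? "  <-- mismatch" : "");
    }
    return 0;
}
```

The practical lesson is that a calendar date is one ordered value, not three independent ones: either compare the fields lexicographically or collapse them into a single sortable key before comparing. Any checkpoint logic that tests the fields independently will misfire on every date whose lower-order fields happen to be smaller than the checkpoint's.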
“Wiper” was the name researchers gave to malware that was discovered earlier this summer on some networks in Iran erasing data from infected machines. Like that malware, Shamoon steals data from infected computers before overwriting the master boot record, rendering compromised machines unbootable. But upon further analysis, researchers realized the two pieces of malware differed.
In an earlier post by another Kaspersky Lab expert, Shamoon was considered an imitation of the earlier malware tied to energy-sector systems. “It is more likely that this is a copycat, the work of script kiddies inspired by the story. Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”
Tarakanov outlined the evidence for that conclusion by examining how the program runs on a typical 32-bit Windows system. For instance, the dropper accepts command-line arguments that amount to a list of IP addresses of machines to infect. When it is run without such arguments, it installs itself as a local service named TrkSvr, with the display name Distributed Link Tracking Server, and then goes out of its way to make sure the service runs whenever the operating system loads, wiring it into the dependencies of the Workstation service's configuration instead of simply relying on the service's own startup type.
“There is an easier way to force the OS to run a service at startup – just set up the appropriate option of a particular service,” Tarakanov wrote. “Moreover, ‘TrkSvr’ gets created by malware with that option adjusted to start automatically. Why the author followed this method, with dependencies, is difficult to understand.”
Black Hat: 5 Security Lessons From an Ex-FBI Official
Last Updated on Thursday, 23 August 2012 10:14 Written by Celframe Security Team Thursday, 15 November 2012 01:24
LAS VEGAS—There is a lot private sector companies can learn from the Federal Bureau of Investigation when it comes to beefing up their security defenses, a former official told attendees at the Black Hat security conference.
The private sector has to stop focusing solely on protecting the network perimeter and accept that adversaries are already inside, said Shawn Henry, a former executive assistant director of the FBI and now president of CrowdStrike Services, a division of the security startup CrowdStrike. The private sector bears the responsibility for defending its networks from criminals, lone-wolf attackers, nation states and corporate espionage, Henry said, calling it a matter of “life and death” if companies fail to step up.
The FBI had to change its approach and tactics after 9/11, because it was clear terrorists were already inside the country. The best way to catch them once they were in was to work with other intelligence agencies to gather and share better intelligence, Henry said. The private sector has to shift the “paradigm” and approach security as a strategic exercise, collecting and analyzing intelligence and acting on it before the attackers can cause damage.
In his keynote speech on the first day of Black Hat in Las Vegas, Henry laid out five lessons the FBI and other intelligence agencies learned when dealing with hostage situations in the real world.
The actual tactics used to launch the attacks may be different, but the theory is the same, he said.
Assume you’ve been breached.
Companies are accepting that they can’t keep intruders out, so they are shifting their focus to minimizing the amount of time the adversary spends in the network. The goal is to spot intrusions quickly and respond quickly, Henry said.
“I can’t tell you how many times FBI agents are deployed onsite, saying they found data that was breached, because we found all of this company data outside of the network,” Henry said. “We sit down with the CISO or COO, and they said it couldn’t have happened.”
Of course, after some analysis, the same “couldn’t have happened” official realizes the perimeter had been breached months before. In some cases, the breach may have happened years ago, and the organization just didn’t notice, Henry said.
Look for the Adversary.
Once the organization has accepted that someone has breached the network, the logical next step is to look for them, Henry said. IT administrators and security teams have to be constantly looking for traces of malicious, unexplained activity. He did not advocate hacking back at the adversaries, noting that it is illegal. However, he did encourage leaving behind fake files and information as decoys to mislead adversaries looking for particular kinds of data. If the company is engaged in sensitive negotiations over a merger, that is what the thief is most likely after, so leaving fake merger data out for them to find is a way to foil their attempts, Henry said.
Not Everything Has to be on the Network.
Organizations are putting a lot of information on the network, without thinking about what really has to be there, Henry said. If the super-sensitive data is not on the network, adversaries can’t steal it. The FBI doesn’t put certain information, such as transcripts from court-ordered intercepts and documents detailing sensitive investigative techniques, on the network, Henry said.
“I don’t understand why more companies aren’t compartmentalizing their data,” Henry said.
Change How You Measure Success.
For a while, the FBI focused on how many arrests and indictments it made, Henry said. That wasn’t a good metric because it gave no insight into whether the bureau was going after the big threats or changing the landscape. The private sector should also change its metrics and, instead of worrying about keeping intruders out, focus on response speed, Henry said.
“How long after the adversary gets access to my network will I be able to identify and mitigate the threat?” Henry said.
Share Information.
Information-sharing is the latest buzzword in security circles, and in a good way. Businesses should share with each other and with the government the security threats they are seeing, Henry said. Granular intelligence gives security teams what they need to figure out where attacks are coming from, what the motivations are, and what form the attacks may take, Henry said.
“We need to understand who the adversary is, because if we understand who they are, we can take proactive measures,” Henry said.
Fake Flash Player, Laden with Malware, Making Rounds
Last Updated on Thursday, 23 August 2012 10:14 Written by Celframe Security Team Wednesday, 14 November 2012 04:55
Scammers have already begun to take advantage of Adobe’s recent decision to pull Flash Player for Android from the Google Play store. Last week’s removal has prompted scammers to promote fake versions of the software to unsuspecting smartphone owners. While researching the scamware, security firm GFI Labs uncovered a separate fake Flash Player that is not only bogus but an SMS Trojan bundled with adware.
According to a post on the company’s blog, the app, named ‘adobeflashinstaller.apk’, comes bundled with adware from the mobile ad network AirPush. Once installed, the app walks users through a series of steps to root their phone before downloading another .APK file. That file, hosted on an XDA-Developers forum post, is a modified (hacked) build of Adobe’s Flash Player app. While the app isn’t necessarily malicious, it is not authorized by Adobe, and an unofficial build running on a rooted device could request or be granted permissions without the user’s knowledge further down the line.
Meanwhile, the app’s adware installs advertisements on the phone. If the user tries to delete them, the adware simply adds more. The adware also changes the user’s home page, pushes pop-up ads to the phone’s status bar every fifteen minutes, and even reads the user’s phonebook contacts and sends them to advertisers.
Adobe pulled Flash Player for Android from Google Play on August 15, having announced earlier that it was shifting its focus to AIR, a runtime that lets apps built with Flash run natively on devices. Adobe added that the current version of Flash Player may exhibit “unpredictable behavior” as the next version of Android, Jelly Bean, is rolled out more widely.