Archive for February, 2010
Building your OWN Malware Lab (Part 1)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on February 27, 2010
Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs have invested a great deal of money in analyzing and reversing viruses, but in our case we can perform the analysis using some useful tools on our own PC.
Let's start with www.virustotal.com. If I feel that I have a suspicious file, the first thing I will do is upload it to VirusTotal. VirusTotal gives the user the ability to analyze any file with more than 40 antivirus products using the latest signature definitions, which gives a clear idea not only of whether your file is safe but also of which AV products are effective. The file can be uploaded directly from the site over SSL or sent by email. You can also download the uploader and install it on your PC, which lets you send files directly from your system using the context menu.

Today it is very important when reversing malware to know the virus's behavior. The user should run the program and detect the changes it makes to the system, but this can harm the main system. For this we need Sandboxie. Sandboxie runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer. After installing Sandboxie you have a wide choice of tools for detecting and monitoring changes on the system: you can use Process Monitor from Sysinternals, API Monitor, or the free analysis tools from iDefense Labs.
CWSandbox is another very nice tool for performing malware analysis; it fulfils the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox traces and monitors all relevant system calls and generates an automated report that describes:
• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, and which network connections were opened and what information was sent over them.
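The file-activity part of such a report comes down to comparing the system before and after the sample runs. The Python below is an added example (not code from the post, nor from Sandboxie, CWSandbox or any other tool named here): it snapshots a directory with SHA-256 digests, runs a constructed stand-in for a sample inside a temporary directory, and classifies each path as created, modified or deleted. The directory and file names are made up for the demonstration.

```python
"""Snapshot-and-diff file activity report, in the spirit of the sandbox
reports described above. Added example; the 'sample' is simulated."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 digest."""
    state: Dict[str, str] = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[str(path.relative_to(root))] = digest
    return state


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as created, modified or deleted between two snapshots."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def format_report(changes: Dict[str, List[str]]) -> str:
    """Render the classification as one 'kind  path' line per change."""
    lines = []
    for kind in ("created", "modified", "deleted"):
        for p in changes[kind]:
            lines.append(f"{kind:<8} {p}")
    return "\n".join(lines)


def demo() -> Dict[str, List[str]]:
    """Constructed run: a temp directory stands in for the sandboxed system."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "config.ini").write_text("keep=1")
        (Path(root) / "notes.txt").write_text("hello")
        before = snapshot(root)
        # Simulated sample behaviour: drop a file, edit one, remove one.
        (Path(root) / "dropped.dll").write_bytes(b"MZ...")
        (Path(root) / "config.ini").write_text("keep=0")
        (Path(root) / "notes.txt").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(format_report(demo()))
```

The same before/after idea applies to registry keys and running processes; only the snapshot function changes.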

Malware can be very hard to remove, and sometimes the best approach to cleaning an infected machine is to restore a clean copy of the operating system. That brings us to the end of this post in the new Building Your Own Malware Lab series.
Make sure you subscribe to my RSS feed!
Block New & Emerging Threats with SECURITY DATABASE
Posted by Mourad Ben Lakhoua in Pentesting, Vulnerabilities on February 23, 2010
Ensuring the security of a modern computer network with a large number of systems and devices takes a great deal of effort, and keeping track of all the new gaps becomes more and more difficult. Here I want to present a very good infosec source.
Security-Database.com is an online computer security portal that provides free, comprehensive information about product vulnerabilities and tools for penetration testing, based on open international standards.
Most importantly, the creator of Security-Database manages to provide visitors with the latest vulnerability alerts, keyed by CVE identifier with a brief description of each vulnerability, including report references where the vendor offers them.
That's not all: all these alerts are cross-referenced to several international information security standards, including OVAL ID, CWE ID, CAPEC ID and SAINTexploitID.
I really like the fact that this website helps auditors find everything they need to perform auditing tasks by listing the best security tools with a short description and a link to the product. It also gives visitors the possibility to participate in the portal by submitting new security tools, so they feel that they play a big role in the portal's success.
At the top of the page, visitors can find several tabs for searching for the desired vulnerability. Under the alerts you can choose a vendor and it will bring you all vulnerabilities related to that vendor. You can filter what you are searching for by year, month, day, severity or category.
As you can see, the information obtained from Security-Database.com is vital for any system administrator looking to prevent and manage threats to the information system. All the warnings are recorded in the database and are available at any time.
Zeus Trojan Infected 2.5 Thousand Corporate Machines around the Globe
Posted by Mourad Ben Lakhoua in News on February 18, 2010
Over the past year and a half, more than 75 thousand machines worldwide have been infected by the Zeus Trojan, according to the company NetWitness; all these infected computers were used to steal banking account, social networking and email passwords.
Among the victims are some major companies such as Merck, Cardinal Health, Paramount Pictures and Juniper Networks. NetWitness reported that the cybercriminals might be an Eastern European group operating through a server located in Germany, spreading emails containing malicious software or redirecting victims to a malicious website.
The observed activity does not stop there: on 26 January researchers found 76 gigabytes of data stolen by this Trojan, containing information on 68 thousand corporate logins as well as online banking credentials and Facebook, Yahoo and Hotmail accounts.
According to NetWitness, the attackers are still actively exploiting all available vulnerabilities to spread their dangerous malware around the globe and to control all these machines remotely, using different channels such as the peer-to-peer Waledac botnet.
ZeuS consists of two main parts:
1. Command and control (panel) – a set of scripts, including the admin area, that is installed on the server.
2. Bot – Win32 victim side (Trojan).
The main features of Zeus are:
1- Invisible in the Windows process list.
2- Bypasses most firewalls.
3- Works on Windows restricted accounts.
4- The main bot is encrypted.
5- Disables the Windows Firewall, which gives it access to incoming messages/commands.
6- All settings, including configuration, logs and commands, pass over an encrypted HTTP form (HTTPS).
7- A separate configuration file is available that allows the operators to find the bots when they lose access to the main server.
8- A configuration backup file is available in case the config is lost.
9- Works with any kind of browser because the program runs through wininet.dll (Internet Explorer, Mozilla Firefox, AOL...).
10- Intercepts all machine activity through an included keylogger.
11- Simple transparent URL redirection to fake web sites (GET/POST requests, etc.).
12- Grabs all SSL/TLS certificates imported by the victim and sends them to the server.
13- POP3 and FTP protocol grabber.
14- Searches all hard disk files and downloads a specific file as desired by the attacker.
15- Takes screenshots in real time.
As you can see, it is very easy for criminals to gain access to anyone's sensitive information, so it is important to keep your AV and system definitions up to date to ensure you have the best protection against new threats.
Fake Antivirus with a Live Technical Support
Posted by Mourad Ben Lakhoua in News on February 16, 2010
A new case has been observed by Symantec of a fake antivirus product being sold to victims with real-time technical support.
After the fake antivirus software is installed, popup windows open to alert the victim that malware has been detected, with an unusual yellow button on the screen that leads to online support. After clicking on Support Online, the victim gets the opportunity to talk to a real person playing the role of a support service employee, and the conversation takes place over instant messaging.
This tactic convinces the victim that the service is legitimate and makes them purchase the software, called Live PC Care, for $30 to $100, while the software does not offer any kind of protection and gives the customer a false sense of security.
According to Symantec, 43 million copies of fake antivirus software were installed during the period from July 1, 2008 to June 30, 2009.
Adobe Apologized for a 16-Month-Old Bug
Posted by Mourad Ben Lakhoua in News, Software Security, Vulnerabilities, Vulnerabilities & attacks, Web Security on February 9, 2010
Adobe has officially apologized for a 16-month-old Flash Player vulnerability that is still not fixed.
According to Adobe the bug has been eliminated in the Flash Player 10.1 beta, but there is not yet a stable version of this release.
The bug was officially reported on the 22nd of September 2008, and all Flash Player plug-ins since version 9 are affected. Many attackers have used this gap to inject malicious code on victims' machines.
Adobe experts currently provide a special web page to check for this vulnerability. The exploit really does work; you can test it by following this link, but before clicking you should make sure that you have another page open in the same browser.
Adobe product manager Emmy Huang promised that the vulnerability will be fixed in the next Flash Player 10.1 release, without giving any indication of the final version's date.
You can install Adobe Flash Player 10.1 from here.
Cybercriminals Ran a Phishing Attack on .gov and .mil
Posted by Mourad Ben Lakhoua in Cybercrime, News on February 8, 2010
Criminals are conducting spam attacks on email addresses in the .gov and .mil domains. According to a blog post by Brian Krebs, the fake messages include a link that leads to the Zeus Trojan, which is used to steal banking passwords.
The reason such attacks succeed is that the phishing message looks quite legitimate: recipients are invited to download a report on the 2020 Project, which really exists and was recently published by the National Intelligence Council of the United States.
At the same time, investigating the email headers shows that the real sender is nobody@sh16.ruskyhost.ru, a Russian email address.
Only 16 out of 39 antivirus products detected the malicious software as a dangerous Trojan, because the cybercriminals keep upgrading their bot network to evade different AV products (F-Secure detected the Trojan as Suspicious:W32/Riskware!Online).
F-Secure: Innovating to Protect the Irreplaceable in 2010
Posted by Mourad Ben Lakhoua in Anti-Viruses on February 4, 2010
In addition to an array of threats, F-Secure's Labs predict that there will be more attacks on social networks such as Facebook, Twitter, Myspace, LinkedIn, etc. The 350 million people on Facebook, for instance, obviously represent a concentration of people, data and trust far too tempting for cyber-criminals to ignore. And these networks invite users to blur the lines between business and pleasure, creating new risks for PCs both at work and at home.
Meanwhile, hackers are looking to exploit new technologies—such as real-time and location-based search—and scammers are figuring out even craftier ways to exploit the information we reveal in our Tweets, updates and profiles.
F-Secure is dedicated to creating products that protect your irreplaceable data, content and time, so you don’t have to worry about all of these endlessly evolving threats on the web.
We want to thank Mourad for this chance to lay out some of the security solutions we’re offering for 2010.
F-Secure Internet Security 2010 includes comprehensive anti-virus, anti-spyware and firewall along with several breakthrough technologies. DeepGuard 2.0 uses “in-the-cloud” computing to provide instant protection against new threats. Browsing Protection reveals dangerous and corrupted sites while Exploit Shield blocks suspected malicious activity. The Exploit Shield technology in Internet Security 2010 would have helped Google block the recent Aurora attacks . Internet Security is available for Windows XP, Windows Vista and Windows 7 operating systems.
Anti-Virus 2010 is based on same technologies as F-Secure Internet Security. It offers enhanced protection against viruses, spyware, infected e-mail attachments, and other malware. F-Secure Anti-Virus is also available on Windows XP, Windows Vista and Windows 7 operating systems.
Data that exists inside only one internet-connected PC is always at risk—especially as new threats like ransomware emerge. F-Secure Online Backup creates unlimited online copies of the important files on your computer. F-Secure Online Backup gives you safe and easy access to your backed-up pictures, documents and other digital content anywhere over the Internet. It's available on Windows XP, Windows Vista, Windows 7 and Mac OS X operating systems.
In addition to our premium personal and business tools, F-Secure will update many of the free technologies we’ve created to protect users and minimize the spread of threats.
Health Check is a free browser-based solution that can be used to check that your computer has an up-to-date internet security product and that your applications don't contain any known vulnerabilities. It will also assist the customer in solving any problems it might find. F-Secure Health Check works on Windows XP and Vista machines with Microsoft Internet Explorer 6/7 or Mozilla Firefox 3.0.
Online Scanner is a free browser based solution that can be used to scan your computer for malware. Online Scanner works on Windows XP and Vista machines with Microsoft Internet Explorer 6/7 or Mozilla Firefox 3.0.
The links posted on social networks create the greatest threat to users' safety. Our newest free tool, Browsing Protection, is a way to check if a website is dangerous so you can protect your identity as you visit new sites. It's available through any web-connected browser.
In just a few years, more people will access the web from mobile devices than from conventional PCs. F-Secure is dedicated to securing smartphones as they become more connected, smarter and contain more crucial business and financial data.
Our newest mobile product protects against the most immediate threat to your phone—theft or loss. With Anti-Theft for Mobile, you can remotely lock the phone and protect the information it contains with a single SMS message. Even if a thief changes the SIM card, the Theft Control feature locks the phone and informs you of the new number. As an ultimate safety measure, you can erase all the data on the phone with Remote Wipe.
Mobile Security includes anti-virus, anti-spyware and a firewall along with anti-theft. It operates seamlessly, with automatic updates that keep the phone constantly protected. F-Secure released its first mobile security product ten years ago this February.
For information about our business solutions, please check out our site. We also invite you to follow our regular updates @FSecure on Twitter and Facebook.