Monthly Archives: September 2015

Shifu <3 Great Britain




I noticed since several days a shift in malware distribution in the UK.
Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.

First time I encountered that threat : 2014-10-08

Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path
2014-10-08
At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.

So two days ago in UK traffic :

2015-09-22 - An Angler EK dropping  0598ee3e06c681d7f9e05d83bb7ea422
via malvertising on GBR traffic
I saw that banking trojan again. (note : contacted,  Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,

Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422 
2015-09-22


Apache Config



Data folder of the Apache installation



Customers of 4 financial institutions are targeted by the injects stored in the config.xml

config.xml
The same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:

Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83
2015-09-22

Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu ..and fast confirmed it looking at the sample. (Edit reaction to twitter : He also told me that Shifu is based on Shiz)

So here we are: Shifu <3 GBR

Shifu <3 GBR
2015-09-24
Side note : Here are some of the DGA in case main domain stop working.

Files : ShifuPackage_2015-09-24.zip Password : malware

Contains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).

Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.

Read More:
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee

Post publication Reading:
3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign  2015-09-30 - Trenmicro

Hack Naked TV – September 23, 2015

This week on Hack Naked TV Beau talks iOS malware, Kaspersky vulnerabilities in their AV engine and more. Links to all stories are below.Android Screen Lock Bypass - http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/

iOS malware - https://isc.sans.edu/forums/diary/Detecting+XCodeGhost+Activity/20171/

Zerodium Million Dollar Bug Bounty - https://threatpost.com/zerodium-hosts-million-dollar-ios-9-bug-bounty/114736/

Kaspersky Vulns - http://googleprojectzero.blogspot.co.uk/2015/09/kaspersky-mo-unpackers-mo-problems.html

 

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

SWAMP, the Software Assurance Marketplace

SWAMP-Logo-Final-Med

I recently took a fresh look at the “SWAMP”, the Software Assurance Marketplace- it is a great idea and a valuable resource.  The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment- and it is available to software developers, software tool developers, and researchers- for free.

From their website:

“Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today’s applications need to be built more securely at the code level, and that code needs to be tested regularly.

The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of  open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development life cycle and keeps all user activities completely confidential.”

The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby and Python- with JavaScript and PHP in development.  SWAMP will support eight languages by the end of the year.  There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating- including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft.

The Marketplace team includes some serious academic centers for technology, the Morgridge Institute and the Department of Computer Sciences at U of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at U of Illinois Urbana-Champaign.  In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real-world, it is not an academic exercise- this is immensely practical and useful stuff.

There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive).

We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth.  Stay tuned for more on that.

 

Jack

Security Weekly #435 – Interview with Josh Pyorre and Exploding Chips

This week interview Josh Pyorre from OpenDNS on honeypots and malware. Josh  is a security analyst with OpenDNS. Josh has presented at Defcon, multiple Bsides across the USA and Source Boston.In this interview, we find Josh's secret weapon against attackers and why he goes second in ass-grabby-grabby.For links to Josh's blog and Twitter, visit our wiki:http://wiki.securityweekly.com/wiki/index.php/Episode435#Interview:_Josh_Pyorre_-_6:05PM-6:55PMToday in the news we discuss an Apple iOS directory traversal vulnerability in AirDrop. Also in Security News is the Facebook 'Dislike' button. Not to be confused with with a downvote, more along the line of sympathy or empathy. Do you ever wish you could remotely detonate resistors? Well now you can (kind of).For a full list of stories, visit our wiki:http://wiki.securityweekly.com/wiki/index.php/Episode435#Stories_of_the_Week_-_7:00PM-8:00PM

Highlights from five years of StopBadware work

The Cambridge-based StopBadware team is signing off this week after more than five years of community building and collaboration with some of the best people in the security business. As we turn full operations over to Dr. Tyler Moore and his excellent team at the University of Tulsa, take a look at some of the highlights of our work these past five-plus years. 

 

Security Weekly #434 – Interview with Micah Hoffman

This week Jack joins Paul in studio, Joff, Carlos, John, and Michael are on via Skype. Jack mixes up some fabulous cocktails and we are off.

 

Paul and the crew interview Micah Hoffman. Micah Hoffman has been working in the information technology field since 1998 supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations.

 

In the news, we talk about John McAfee for President, responsible disclosure, and 10 things to do before your laptop is stolen.

 

Show Notes:http://wiki.securityweekly.com/wiki/index.php/Episode434

 

Security Weekly Web Site: http://securityweekly.com

 

Hack Naked Gear: http://shop.securityweekly.com

Hack Naked TV – September 11, 2015

Brought to you by Black Hills Information Security and Cybrary!

 

Today, Beau talks more about the Ashley Madison password dump, responsible disclosure to FireEye, and shiny new Android Ransomware. Also as promised on last week's episode, a quick demo of Powershell Empire. 

 

 

http://tinyurl.com/HNTV-AM-PASSWORD-CRACKING

http://tinyurl.com/HNTV-FIREEYE-VULNS

http://tinyurl.com/HNTV-ANDRIOD-RANSOM

http://tinyurl.com/HNTV-EMPIRE

 

 

Hack Naked TV Web Site: http://hacknaked.tv

Security Weekly Web Site: http://securityweekly.com

Hack Naked TV – September 8, 2015

Brought to you by Black Hills Information Security and Cybrary!

 

This week Aaron talks about the OPM breach, Windows 10 data collection being back-ported, HP no longer sponsoring Pwn2Own, and vulnerabilities in FireEye's products being sold.

 

Hack Naked TV Web Site: http://hacknaked.tv

 

 

Security Weekly Web Site: http://securityweekly.com

 

Twitter: @securityweekly

Security Weekly #433 – Outside The Echo Chamber

This week Larry and Jack join Paul in studio, Carlos is on via Skype without a shirt and none other than Google-Image-Search-John-Strand joins us...from his car none the less! 

 

Jack recently gave a talk at B-Sides Cleveland and was approached by a listener on how exactly you should talk to high-level execs about security, the DBIR and more. Then, well, tangents...

 

We talk about a recent article describing how to crack the passwords resulting from the Ashley Madison breach. Paul's prediction of UPnP being used for evil is in the news, this time the bad guys will turn all of your routers into a botnet, a bigger, better, faster botnet.

 

Show Notes:http://wiki.securityweekly.com/wiki/index.php/Episode433

 

Security Weekly Web Site: http://securityweekly.com

 

Hack Naked Gear: http://shop.securityweekly.com

 

 

Follow us on Twitter: @securityweekly

Hack Naked TV – September 1, 2015

Brought to you by Black Hills Information Security and Cybrary!

This week Aaron talks about the Ubiquity email scam, the resignation of the Ashley Madison CEO, the NSA’s bulk collection extension, NSA backdooring encryption and MORE!

 Show Notes: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_September_1_2015

Hack Naked TV Web Site: http://hacknaked.tv

Security Weekly Web Site: http://securityweekly.com

Hack Naked TV – Favorite Hacking Tools

This week on Hack Naked TV, Beau talks about his top 5 favorite pentest and hacking tools as seen at BlackHat/DefCon/B-Sides.

 

tinyurl.com/HNTV-EMPIRE

tinyurl.com/HNTV-SSTI

tinyurl.com/HNTV-BLEKEY

tinyurl.com/HNTV-NETRIPPER

tinyurl.com/HNTV-CRACKLORD

 

Also, be on the lookout for Chrome pausing all flash-based ads on September 1, 2015. You can read the full article at tinyurl.com/HNTV-FLASH-KILLER.