malicious code
CALL FOR PAPERS
DIMVA 2011
Eighth International Conference on
Detection of Intrusions and Malware & Vulnerability Assessment
Organized by GI SIG SIDAR
In Cooperation with
IEEE Computer Society Task Force on Information Assurance
ABSTRACT
Nowadays most malware applications are either packed or protected.
These techniques are applied especially to evade signature-based detectors
and also to complicate the job of reverse engineers or security analysts.
The time one must spend on unpacking or decrypting malware layers is often
very long and in fact remains the most complicated task in the overall
process of malware analysis. In this report the author proposes MmmBop as a
relatively new concept of using dynamic binary instrumentation techniques
WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================
ATTENTION ! Security Center has detected
malware on your computer !
Affected Software:
Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
When MP servers running software versions 5.3.235.0 and earlier
receive invalid input for the STPL or FTPL parameters, they return
an HTML error template page. The returned HTML page contains the
originally submitted URL.
When this reflected XSS vulnerability is exploited, malicious code
or a script is embedded within the URL and associated with either
the STPL or FTPL parameter. The malicious code is usually in the
form of a script embedded in the URL of a link, or the code may be
stored on the vulnerable server or a malicious website. An
unsuspecting user is enticed to follow a malicious link to a
Eric's talk seems to be a good start on risk analysis of gadgets generically.
The design of Vista gadgets seems particularly troubling since it seemed to
have several design flaws which were the subject of the paper.
> Given what an incredible attack vector they are (it's pretty much an open
> invitation to get malware onto PCs), I'm amazed there haven't been any
> serious exploits yet. I guess the relatively low uptake of Vista (compared
> to the XP installed base) has meant that they're not a significant target
> for the malware industry just yet, since it's still more profitable to do a
> drive-by iframe exploit and hit all OSes than to mount a Vista-only attack.
NOTE: Resending this was blocked last time.
Profit-driven malware has gotten very good at using Social Engineering
(backed up with Exploits) to spread itself. Zlob and its Codecs are one
particular example that has worked very well on Windows, even by
simply getting the user to install the software willingly. The
Storm/Zhelatin/Russian Business Network group however are by far the
best at this. They have shown time and time again the power of simple Social
Engineering in order to infect victims' machines. Zlob may have been
the first for-profit malware to make the jump, but if it proves
Topics of interest include, but are not limited to the following:
# WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
# Data Recovery, Forensics and Incident Response
# Analysis of viruses, worms and malicious code
# Side Channel Analysis of Hardware Devices
# Applications of cryptographic techniques
# HSDPA / CDMA Security / WIMAX Security
# Apple / OS X security vulnerabilities
# Next generation attacks and exploits
legal and ethical codes guiding our defensive responses.
------------------------------------------------------------------------
Topics of interest include but are not limited to:
* Infection vectors for malware (worms, viruses, etc.)
* Botnets, command and control channels
* Spyware
* Operational experience
* Forensics
* Click fraud
CALL FOR PARTICIPATION
> > "recipes.
> >
> > I have been taking the updated SANS@Home 610 course. I have a GREM, but
> > Lenny and the other guys have added an additional component to the
> > Reverse Engineering Malware Course. So I had to take it.
> >
> > The course focuses on analysing and reversing malware, but IDA and Olly
> > work on binaries of all types and the bad combination of a bottle of
> > good riesling and 9 coffees after midnight is not a good
Vuln : TEHTRI-SA-2010-018
Tool : LuckySploit Exploit Pack
Title: Remote execution in LuckySploit
LuckySploit is a tool used by attackers to penetrate companies or
personal computers by abusing client-side vulnerabilities. This malware
exploitation kit is full of anti-Microsoft technologies.
By auditing this Malware, TEHTRI-Security has found a pre-auth remote
exploit in the file /mod/to.php
Hello Readers,
Here we are with Issue 21, October 2011 of ClubHack Magazine. This time too we are continuing the Malware theme.
This issue covers the following articles:
0x00 Tech Gyan - Low Profile Botnets
0x01 Tool Gyan - Demystifying the Android Malware
0x02 Mom's Guide - MALDROID
0x03 Legal Gyan - Law relating to Child Pornography in India
0x04 Matriux Vibhag - WEBSECURIFY
10. About TELUS Security Labs
TELUS Security Labs, formerly Assurent Secure Technologies, is the leading provider of security research. Our research services include:
* Vulnerability Research
* Malware Research
* Signature Development
* Shellcode Exploit Development
* Application Protocols
* Product Security Testing
* Security Content Development (parsers, reports, alerts)
The DeepSec In Depth Security Conference is happy to announce the planned
schedule for this year's event from November 11th to 14th in Vienna, Austria.
The schedule (which can be found at https://deepsec.net/schedule) covers a
range of topics including botnet analysis, web application security, malware
detection/analysis, legal and administrative issues, secure coding and code
review, hardware and firmware attacks, attacking/hardening databases, social
engineering, dealing with rich Internet applications (RIAs) and, of course,
the Digital Armageddon (coming soon to a server near you).
- CFP closes May 15, 2011
- Registration is open, only 170 tickets left
+ Accepted Talks
- Sticky Fingers & KBC Custom Shop by Alexandre Gazet of Sogeti/ESEC & Metasm
- Designing a minimal operating system to emulate 32/64bits x86 code snippets, shellcode or malware in Bochs by Elias Bachaalany of Hex-Ray
- Practical C++ decompilation by Igor Skochinsky of Hex-Ray
- RFID Hacking by Milosch Meriac of Bitmanufaktur & OpenPCD
- AndBug -- A Scriptable Debugger for Android's Dalvik Virtual Machine by Scott Dunlop of IOActive
- Memory Eye by Yoann Guillot of Sogeti/ESEC & Metasm
of them ad-based on real sites, or defaced sites such as forums that
remain with the same content only now infect people). Then there is also
spam directing people to these sites.
Now, a criminal gang (could be the mob, could be one guy) targets the Mac.
So much so that they serve different malware by OS type.
As a security researcher looking at code, bits and bytes, you are simply
not usually following what's going on in operational security where things
are bleak.
interesting.
http://www.argeniss.com/research/Data0.pdf
Abstract:
This paper is about Data0, a fictitious (or not) simple PoC of new malware
that, after it is deployed on a computer in an internal network, will
automatically hack database servers and steal their data. Several
techniques used by Data0 will be detailed. Data0 will be targeting
Microsoft SQL Server and Oracle Database Server, two of
> If it was possible to execute system() commands directly through the
> browser
It's possible to use this vulnerability for phishing and for spreading
malware. And after it is run on the user's computer, the malware can run system
commands :-). So attacks will be done directly through the browser.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
Dear All,
I'm really proud to announce that the first stage of the Dissect.pe
project is in beta now!
The idea of the project is to provide a free interface for malware
analysis, similar to other existing projects, but with advances that
will be announced when we start freely dissecting samples.
For now, the system has malware classification and is open for
partnership with industry vendors and other projects for feed exchange.
initially registered application (i.e. legitimate SUPERAntiSpyware or
Super Ad Blocker process) will be "unregistered" and all requests will
fail.
Consequences of this "driver hijack" are not directly obvious -
malware scanner seems not to be affected, despite the application
making driver calls which all fail - some parts of malware detection
engine are obviously placed in user mode.
Nevertheless, the application must be affected somehow (because all
calls fail), but the specific details were not discovered.
# HSDPA / CDMA Security / WIMAX Security
# Network Protocol and Analysis
# Smart Card and Physical Security
# Virus and Worms
# WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
# Analysis of malicious code
# Applications of cryptographic techniques
# Analysis of attacks against networks and machines
# File system security
# Side Channel Analysis of Hardware Devices
# Cloud Security
* Secure coding
* Audit
* Honeynets
* Perimeter Security
* Web security
* Malware Development
* Computer Forensic
* Fuzzing
* AI applications related with security
* Database hacking
* Privacy issues
XSS - http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a
web application to send malicious code, generally in the form of a
browser-side script, to a different end user. Flaws that allow these attacks to
succeed are quite widespread and occur anywhere a web application uses
input from a user in the output it generates without validating or
encoding it.
From: pgut001 [mailto:pgut001@cs.auckland.ac.nz]
Sent: Monday, September 17, 2007 2:48 AM
To: Thierry@Zoller.lu
Cc: bugtraq@securityfocus.com; Roger A. Grimes; tmb@65535.com;
vuln-dev@securityfocus.com; webappsec@securityfocus.com
Subject: Re: Re[2]: [Full-disclosure] Next generation malware: Windows
Vista's gadget API
Thierry Zoller <Thierry@Zoller.lu> writes:
>PG> No, this is an entirely new level of attack,
Reflected XSS
Licenses.html (BoxSerial parameter)
Affected software versions: WebAdmin version 3.30 and 4.30 (previous versions may also be vulnerable)
Impact: Successful attacks could disclose sensitive information about the user, session, and application to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code.
Fixed in: Pending - The vendor has logged the issue and anticipates a patch to be available in Autumn 2011.
Remediation guidelines: Restrict access to internal network segments and monitor vendor notifications for application updates that may address and fix the issues identified. Remove the hardware dongle from the affected system when not needed.
TZ> Multiple engines are susceptible to this evasion. We are working internally
TZ> and with third-party OEM vendors to create a fix for this evasion. For our
TZ> own engine, we have placed a fix on our long-term development roadmap, but
TZ> this is a low priority for us because this engine runs in a desktop
TZ> environment where malicious code in these archives will be detected upon
TZ> extraction or execution. If and when an update addressing this issue is
TZ> delivered for our engine, we will credit you."
TZ> Ignoring that the end-point argument doesn't hold true for the network
TZ> device, isn't this incredible?