
malicious code

Malware detection evasion in antivirus software

Abstract:

Some Windows antivirus software fails to detect, block and/or
disinfect/move/delete malware if the malware EXE file has only
execution permission and no read, write or other permissions.
The worst cases are NOD32 and Avast antivirus, which allow the
malware to run unimpeded. Avast has fixed the flaw while NOD32
is still vulnerable as of this writing.



[TZO-17-2009] Trendmicro multiple bypass/evasions

-----------------
InterScan Web Security Suite product lines and
InterScan Web Protect for ISA
        Impact: Detection is evaded but files are quarantined by default,
        residual risk of an administrator deblocking a file as there is
        no detection of malicious code.

InterScan Messaging Security Appliance
        Impact: Detection is evaded but files are quarantined by default,
        residual risk of an administrator deblocking a file as there is
        no detection of malicious code.

RE: [Full-disclosure] Remote Desktop Command Fixation Attacks

> systems to prevent pretty much anything from being installed or modified.
> So every time you opened up a brand new session of ie and tried to access
> an external site you were prompted for your username/password. Somehow I
> doubt there's any malware around that is designed to survive in that type
> of an environment.

(This is far enough afield that I'm not cc'ing pdp or Thor or anyone else,
just the lists).

Multiple Vulnerabilities in iAntiVirus

   The scan function and the online scanner OnGuard don't
   scan .sit and .dmg archives.

   Impact:
   It's possible to download malware from the internet or
   to copy it from a USB stick without interruption from
   iAntiVirus.
   Malware in .sit archives is recognized by OnGuard during
   manual decompression, but malware in .dmg disk images is
   only recognized during a manual scan of the mounted image.

Re: [botnets] re MAC trojan (fwd)

[My apologies if this has already been covered - I started this email a
few hours ago, and haven't had a chance to finish it until now.]


I think the point Gadi (and Alex of Sunbelt Software, in his original
blog entry) is trying to make is that professional malware authors have
begun to take notice of Apple.  As a piece of malware goes, this trojan
is nothing remarkable in itself, other than the fact that it's aimed at
Mac users.

As Gadi mentioned, there are a number of known issues that Apple has

RE: mac trojan in-the-wild

pull off, we can safely say the "future" you state below is here now.

Now, what is interesting is that any exploit requiring social
engineering to work has so far been less of a problem than the vast
majority of "remote buffer overflow" exploits like the Blaster and SQL
worms.  Social engineering-required malware still works, and works well,
but not with the same success of remote buffer overflow malware. There
is very little we in the security space can point to as a success...but
the overall decrease in remote buffer overflows is one.  Unfortunately,
the social engineering malware is getting better day-by-day. We can no
longer count on mispellings (sic) and bad grammar to be malware

RE: mac trojan in-the-wild

> pull off, we can safely say the "future" you state below is here now.
>
> Now, what is interesting is that any exploit requiring social
> engineering to work has so far been less of a problem than the vast
> majority of "remote buffer overflow" exploits like the Blaster and SQL
> worms.  Social engineering-required malware still works, and works well,
> but not with the same success of remote buffer overflow malware. There
> is very little we in the security space can point to as a success...but
> the overall decrease in remote buffer overflows is one.

RE: mac trojan in-the-wild

>
> Now, what is interesting is that any exploit requiring social
> engineering to work has so far been less of a problem than the vast
> majority of "remote buffer overflow" exploits like the Blaster and SQL
> worms.  Social engineering-required malware still works, and works
> well, but not with the same success of remote buffer overflow malware.
> There is very little we in the security space can point to as a
> success...but the overall decrease in remote buffer overflows is one.

Re[2]: Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

TZ>> Multiple engines are susceptible to this evasion. We are working internally
TZ>> and with third-party OEM vendors to create a fix for this evasion. For our
TZ>> own engine, we have placed a fix on our long-term development roadmap, but
TZ>> this is a low priority for us because this engine runs in a desktop
TZ>> environment where malicious code in these archives will be detected upon
TZ>> extraction or execution. If and when an update addressing this issue is
TZ>> delivered for our engine, we will credit you."

TZ>> Ignoring that the end-point argument doesn't hold true for the network
TZ>> device, isn't this incredible?

VMWare poor guest isolation design

I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.

VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.


Re: mac trojan in-the-wild

'OS X is the new Windows 98.'

It's sensationalist and of no use, especially when posted to lists that
are supposedly populated with security experts. Everyone here is aware
of the consequences of malware and the manipulation of end users to
spread it. Of course it's interesting that a criminal group has taken
to spreading this, but hyping up the consequences of it does nobody any
good and is just spreading FUD. To me it seems like the original
poster is trying to get a quote in some tech/security/computer
magazine.

New web malwares attacking big hosting providers

Dear all,
I want to share this phenomenon with you.
Web malware has been heavily attacking big hosting providers over the last few days.
In particular, as far as I know, attacks were mounted against GoDaddy (USA) and Aruba (Italy). All index files were infected. If you are a customer of the above providers and your website was infected, it's enough to remove the malware script.

There are a couple of malware strains attacking Aruba at the moment. I just did some reverse engineering of the last one I found.
Twitter.com is being used to support the script execution.

Cheers,
Angelo Rosiello

CFP for ekoparty 2011 is now OPEN! [Buenos Aires, Argentina]

- Attack and Defense Techniques
- Reverse Engineering
- Application Security, Testing, Fuzzing
- Code Auditing
- Virtualization Security
- Malicious Code
- Databases Security
- Viruses, Worms, and Trojans
- e-crime, Phishing and Botnets
- Malware, Crimeware
- Banking Security

Microsot DID DISCLOSE potential Backdoor

Wopla, Spamthru, Storm, Grum, Onewordsub: these are the top as reported by Secure
Works. (http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets)
Guess what, eight out of eleven are all encrypted. Not that big of a deal until you decipher
what Microsoft stated in their original quotes in correlation to some facts.

From the article: Microsoft security experts analyze samples of malicious code to capture
a snapshot of what is happening on the botnet network, which can then be used by law
enforcers, Cranton said. "They can actually get into the software code and say, 'Here's
information on how it's being controlled.'"

Perhaps Microsoft could clarify how exactly they are doing what they do, more

HP notebooks remote code execution vulnerability (multiple series)

///////////////

The architecture of the vulnerable HP Info Center software gives an attacker a few different
attack vector combinations:

- remote automated download and execute (e.g. malware installation)
- remote registry arbitrary key access (e.g. attack preparation, remote system info gathering)
- remote registry data modification (e.g. sensitive data manipulation, malware installation, DoS attacks)
- system disk data area manipulation and user documents alteration (e.g. system files manipulation,
        sensitive user documents access, entire system crash DoS attacks)


[HITB-Announce] Reminder: HITB2012AMS Call For Papers Closing Soon

    Smartphone / Mobile Security
    Smart Card and Physical Security
    Network Protocols, Analysis and Attacks
    Applications of Cryptographic Techniques
    Side Channel Analysis of Hardware Devices
    Analysis of Malicious Code / Viruses / Malware
    Data Recovery, Forensics and Incident Response
    Hardware based attacks and reverse engineering
    Windows / Linux / OS X / *NIX Security Vulnerabilities
    Next Generation Exploit and Exploit Mitigation Techniques
    NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

Latest round of web hacking incidents for 2007 & Project news

Classifications:

    * Attack Method: Unknown
    * Country: France
    * Country: Libya
    * Outcome: Planting of Malware
    * Vertical: Government

To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list

RE: Microsot DID DISCLOSE potential Backdoor

> deal until you decipher
> what Microsoft stated in their original quotes in correlation to some
> facts.
>
> From the article: Microsoft security experts analyze samples of
> malicious code to capture a snapshot of what is happening on the botnet
> network, which can then be used by law enforcers, Cranton said. "They
> can actually get into the software code and say, 'Here's information on
> how it's being controlled.'"

[TZO-30-2009] Kaspersky and the silent patch that wasn't (PDF evasion, forced full disclosure)

those markers is parsed and interpreted. Furthermore, PDF files are read from
the bottom to the top.

Neither Adobe Acrobat nor FoxitReader cares much about the data that
comes prior to the magic byte; the Kaspersky engine does. Not only does
it care, it fails to detect the malware inside the PDF file.

I will spare you the details: a PDF file is basically a container that
starts with %PDF and ends with %%EOF.

What follows are the details of this evasion; note this one is generic

Re: IM upgrade automated social engineering attack

WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================

ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0

RE: Latest round of web hacking incidents for 2007 & Project news

Classifications:

    * Attack Method: Unknown
    * Country: France
    * Country: Libya
    * Outcome: Planting of Malware
    * Vertical: Government

To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list

Re: Latest round of web hacking incidents for 2007 & Project news

> Classifications:
>
>     * Attack Method: Unknown
>     * Country: France
>     * Country: Libya
>     * Outcome: Planting of Malware
>     * Vertical: Government
>
> To iframe or not to iframe, this is the question. As malware becomes more
> popular, the number of incidents, mostly insignificant, in which malware was
> planted on a hacked site is rising and WHID is not the right place to list

[HITB-Announce] HITB2011AMS -- Call For Papers now Open

# Smart Card and Physical Security
# Network Protocols, Analysis and Attacks
# Applications of Cryptographic Techniques
# Side Channel Analysis of Hardware Devices
# Data Recovery, Forensics and Incident Response
# Analysis of Malicious Code / Viruses / Malware
# Windows / Linux / OS X / *NIX Security Vulnerabilities
# Next Generation Exploit and Exploit Mitigation Techniques
# WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

Each non-resident speaker will receive accommodation for 3 nights / 4

CFP for ekoparty 0x10 is now open! [ Buenos Aires, Argentina ]

- Attack and Defense Techniques
- Reverse Engineering
- Application Security, Testing, Fuzzing
- Code Auditing
- Virtualization Security
- Malicious Code
- Databases Security
- Viruses, Worms, and Trojans
- e-crime, Phishing and Botnets
- Malware, Crimeware
- Banking Security

Black Hat November News: CFPS Now Open, Webinar 5 and Japan on-line.

Grossman, the co-discoverer of the widely publicized vulnerability.  For the
uninitiated, it's a set of techniques discovered by Jeremiah Grossman and
Robert Hansen that allows an attacker to transparently capture a user's
clicks, forcing the user to do all manner of unpleasant things ranging from
adjusting security settings to unwittingly visiting websites with malicious
code.

The vectors for this attack include all the major browsers and Flash. In
co-operation with Adobe, the discoverers delayed public discussion to allow
a patch to be created. In the intervening time, other researchers have made
partial disclosures, but this is your chance to join co-discoverer Jeremiah

RE: XSS vulnerability in Cisco MeetingPlace

When MP servers running software versions 5.3.235.0 and earlier
receive invalid input for the STPL or FTPL parameters, they return
an HTML error template page.  The returned HTML page contains the
original inputted URL.

When this reflected XSS vulnerability is exploited, malicious code
or a script is embedded within the URL and associated with either
the STPL or FTPL parameter. The malicious code is usually in the
form of a script embedded in the URL of a link or the code may be
stored on the vulnerable server or malicious website.  An 
unsuspecting user is enticed to follow a malicious link to a 

Re: IM upgrade automated social engineering attack

>
> WINDOWS REQUIRES IMMEDIATE ATTENTION
> =============================
>
> ATTENTION ! Security Center has detected
> malware on your computer !
>
> Affected Software:
>
> Microsoft Windows NT Workstation
> Microsoft Windows NT Server 4.0

Web Hacking Incidents Database Update for Feb 20th

* In the US a small financial firm in Montana lost the information of all
its 226,000 customers
(http://www.webappsec.org/projects/whid/byid_id_2008-08.shtml)

But the incident I want to focus on this week is one I just added from late
last year: In India a large newspaper site was broken into and malware was
planted on it
(http://www.webappsec.org/projects/whid/byid_id_2007-85.shtml). Why is it
important? Based on a recent report by WebSense, 51% of the sites hosting
malware are legitimate sites that have been broken into. This is a major
shift in web based threats. For end users, it is not sufficient anymore to

Re: Next generation malware: Windows Vista's gadget API

Eric's talk seems to be a good start on risk analysis of gadgets generically.   
The design of Vista gadgets seems particularly troubling since it seemed to 
have several design flaws which were the subject of the paper.

> Given what an incredible attack vector they are (it's pretty much an open
> invitation to get malware onto PCs), I'm amazed there haven't been any
> serious exploits yet.  I guess the relatively low uptake of Vista (compared
> to the XP installed base) has meant that they're not a significant target
> for the malware industry just yet, since it's still more profitable to do a
> drive-by iframe exploit and hit all OSes than to mount a Vista-only attack.


PAPER: Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs

ABSTRACT

Nowadays most malware applications are either packed or protected.
These techniques are applied especially to evade signature-based detectors
and also to complicate the job of reverse engineers or security analysts.
The time one must spend on unpacking or decrypting malware layers is often
very long and in fact remains the most complicated task in the overall
process of malware analysis. In this report the author proposes MmmBop as a
relatively new concept of using dynamic binary instrumentation techniques

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.