Kategorie

Dramatický nárůst phishingových útoků na Facebooku, při kterých se snaží počítačoví piráti vylákat od svých obětí důležité informace – konkrétně potvrzovací SMS zprávy - zaregistrovali v posledních dnech bezpečnostní experti. Útočníkům jde prakticky vždy o peníze. Uživatelé zmiňované sociální sítě by tak měli být velmi ostražití.

Finally, Adobe is Killing FLASH — the software that helped make the Internet a better place with slick graphics, animation, games and applications and bring online video to the masses, but it has been hated for years by people and developers over its buggy nature. But the end of an era for Adobe Flash is near. Adobe announced Tuesday that the company would stop providing updates and stop

1. INTRODUCTION Day by day, Smart phones and tablets are becoming popular, and hence technology used in development to add new features or improve the security of such devices is advancing too fast. iPhone and iPod are the game changer products launched by Apple. Apple operating system (IOS) devices started growing popular in the mobile […]

The post IOS Forensics appeared first on InfoSec Resources.

Email has been used as a medium for remote communication even before the World Wide Web and other technological breakthroughs came into light. Though email security seems unglamorous and old hat on the surface, keeping email secure is perhaps more important now than it has ever been. An online survey of 400 white collar workers […]

The post The Ins and Outs of Email Security Awareness appeared first on InfoSec Resources.

When sharing small files over the Internet, you can always attach them to an email but, when the file is large, it may not be possible to send it via email. Most email servers have a limit on the email size, so you need a more robust mechanism for sharing files across the internet. Fortunately, […]

The post Ways to Stay Secure When using File Sharing appeared first on InfoSec Resources.

Passwords are an important safeguard for our data, yet so vulnerable: Verizon Enterprise recently reported that 63% of breaches are due to passwords that are weak, default, or stolen. That’s why it’s essential you use the strongest passwords possible – and different ones – for every single application or account you use. This article is […]

The post Best Tips for Creating Strong Passwords appeared first on InfoSec Resources.

InfoSec Institute now has a Metasploit training course available that goes in-depth on Metasploit tools and scripting. Leave class Metasploit certified.

The post Metasploit meterpreter scripting appeared first on InfoSec Resources.

Why Is Desktop Security Important? Desktop security can be thought of as the first line of defense on a company’s network. By having proper security policies in place, many malware and virus outbreaks can be stopped before they become too big a problem, or they can be avoided altogether. Desktop security within a corporate network […]

The post Managing Desktop Security appeared first on InfoSec Resources.

1. INTRODUCTION Windows phones hold a large market share, so it is essential that Examiners or Investigators are aware of techniques used to extract data from them. It is also crucial that Analysis techniques, Types of Artifacts that can be retrieved and the location of those artifacts are known to examiners or investigators. This document […]

The post Windows Phone Forensics appeared first on InfoSec Resources.

Your daily round-up of some of the other stories in the news

At Black Hat, two RIT professors are expected to deliver a talk about the professional skills gap in security and how academic programs are falling short.

The organization behind Firefox is crowdsourcing voice samples to help people outside the big companies build software and services. But is having your say a good idea?

Adding a slice of LIME to machine learning can take it from the 'what' to the why'

Security researchers have discovered a new, massive cyber espionage campaign that mainly targets people working in government, defence and academic organisations in various countries. The campaign is being conducted by an Iran-linked threat group, whose activities, attack methods, and targets have been released in a joint, detailed report published by researchers at Trend Micro and Israeli

Researchers have a devised a way to trick a web server into caching pages and exposing personal data to attackers.

Huge outsourcing project led to data on millions of Swedish citizens as well as criminal records, and the home addresses of military personnel being exposed

Full implementation of DMARC could stop bogus emails sent by scammers to taxpayers

We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry. It was the common C&C server that both programs used – cl.ezreal.space:20480 – that suggested a relationship between them.

Kaspersky Lab products detect the new malicious program as Backdoor.Win32.CowerSnail. MD5: 5460AC43725997798BAB3EB6474D391F

CowerSnail was compiled using Qt and linked with various libraries. This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. This, however, has an effect on the resulting file size: the user code ends up as a small proportion of a large 3 MB file.

First stage

First of all, CowerSnail escalates the process priority and the current thread’s priority.

Then it uses the StartServiceCtrlDispatcher API to launch the main C&C communication thread as a control manager service.

If the thread is successfully launched as a service, further communication with the C&C is carried out through that service; otherwise, CowerSnail operates without it. CowerSnail can also accept various variables as input, such as the C&C host. When these are absent, the required data is extracted from the file itself.

Invoking the main C&C communication method will look like this in the control service routine (the method is stated as ‘route’).

C&C server communication

Traffic analysis shows that the bot communicates with the C&C via the IRC protocol. This can be seen from the characteristic ‘CHANNEL’ command and the subsequent exchange of pings, which often occurs in IRC botnets made up of IoT devices.

The first two bytes are the ‘pk’ signature which occurs in each packet except the CHANNEL command. The DWORD that follows is the size of the remaining part of the packet:

The name of each field is encoded in Unicode and is preceded by field length. The RequestReturn/Request DWORD coming after the status bar shows the number of variables for the variable RequestReturn. In this example, there are three variables: ‘success’, ‘I’ and ‘result’. Each of these fields, in turn, can contain more nested variables. The screenshot below shows the response to the SysInfo request in which CowerSnail sends 14 (0xE) different strings containing information about the infected system. The type of variable is stated after its name, followed by its value.

The structures of the request packet and the response packet are slightly different. The server’s request includes the request name coded as Request->arg->type->”Ping/SysInfo/Install”, as well as extra parameters that are nested into the arg field.

Here are examples of several variable types:

0x00000005 – Integer variable

0x0000000A – String variable

After registering the infected host at the C&C server, which includes sending information about the infected system, CowerSnail exchanges pings with the server and waits for commands.

Commands

Unlike SambaCry, CowerSnail does not download cryptocurrency mining software by default, but instead provides a standard set of backdoor functions:

• Receive update (LocalUpdate)
• Execute any command (BatchCommand)
• Install CowerSnail as a service, using the Service Control Manager command line interface (Install)
• Uninstall CowerSnail from service list (Uninstall)
• Collect system information:
• Timestamp
• Installed OS type (e.g. Windows)
• OS name
• Host name
• Information about network interfaces
• ABI
• Core processor architecture
• Information about physical memory
  

Conclusion

SambaCry was designed for *nix-based systems. CowerSnail, meanwhile, was written using Qt, which most probably means the author didn’t want to go into the details of WinAPI, and preferred to transfer the *nix code “as is”. This fact, along with the same C&C being used by both programs, strongly suggests that CowerSnail was created by the same group that created SambaCry. After creating two separate Trojans, each designed for a specific platform and each with its own peculiarities, it is highly probable that this group will produce more malware in the future.

Více než pět let se šířil internetem zákeřný virus Stantinko, aniž si toho kdokoliv všiml. Zmapovat chování tohoto nezvaného návštěvníka se podařilo až nyní bezpečnostním expertům antivirové společnosti Eset.

Mike Mimoso and Tom Spring preview Black Hat, which starts tomorrow in Las Vegas.