The 5th Hacker Halted USA is now taking place in Miami under the slogan - Unravel the Enigma of Insecurity after hurricane Sandy passed Florida last weekend.

Day 1 is the keynote day, so luckily no splitted presentation-streams. After a nice conference opening by Eric Lopez (Conference Director), Jay Bavisi gave a good introduction about the challenges of the post-PC era. He described the evolution of the hardware landscape from classic PCs to small, mobile and smart devices and how the requirements for it-security change. Further this brings problems to forensics, more privacy risks and new social engineering attacks as well as other threats.

HELSINKI, Finland -- The annual T2'12 security conference kicked off here today with several high-quality presentations discussing security weaknesses in Huawei's Versatile Routing Platform (VRT) and the expanding attack surface in pin pad payment terminals.

The Industrial Control Systems Joint Working Group Fall Meeting 2012 is being held in Denver, Colorado this year, organized by the DHS ICS-CERT. Yesterday, Billy Rios from Spear Point Security kicked off the meeting with a discussion that included mention of vendors' defensive postures and the exploit brokers out there. A couple other talks included speakers from Raytheon and the DHS. For someone that savors the technical meat at Infiltrate, Defcon and Project Basecamp, it seemed that was I was surrounded by vegans. For example, when one speaker was asked about whether or not their product thwarts common pass-the-hash techniques that can be used to enable APT related post-exploitation lateral movement from corporate to SCADA networks within ICS environments, the speaker explained that their product uses pass-the-hash and other mathematical techniques that he couldn't discuss to defend networks. Huh. Also, a generational air gap seems to be in place here too, with most of the speakers at least twice the age of speakers leaning into fresh offensive (and some defensive) security topics at Blackhat, Infiltrate, etc. Cultural differences abound.

A talk later in the day about 13 ways to evade firewalls could be boiled into a few thoughts - XSS problems are enabled by SSL proxies, sneakernet exacerbates Usb security issues, and misconfigured firewalls are an issue within ICS environments. These are all a decade old discussions, but may have some insight for top level folks that have no exposure to 10 year old security issues. The unfortunate thing is that these sorts of vulnerabilities continue to be present within critical infrastructure environments.

The second day seems to be starting off with much more interesting talks. SCADAHacker Joel Langill's talk on "Utilizing TCP/IP Addressing Scheme for Network Isolation" demonstrated the usefulness of subnet masking and the misunderstandings of implementing VLANs when enforcing network security policies. Joel runs a fantastic site, sharing links to information that provide complementary data to some of the ICS cyber-security consulting services that he performs.

Dr Nabil Adam from the DHS Science & Technology Directorate demonstrated the powerful modeling framework CEMSA that they have developed, providing ways to model and understand credible consequences of multiple interacting critical infrastructure disruptions. These consequences and disruptions evaluated here based on concrete data around US located industrial operations like chlorine gas plants and online network backbones are the shocking stuff that folks have speculated on for years as "cyber pearl harbors". The difference is that this intelligence and data analysis is the real deal in its precision and comprehension of planned attack, cascading, and coincidental disruptive events. It goes beyond ICS environments, to help policy and decision makers understand and prioritize disruptive impacts. Currently available to "anyone interested" from US based government agencies.

Phishing is not exactly a ground-breaking technique. Quite the opposite, it seems like it has been around forever. This is an indicator of its effectiveness: we might think that it is unlikely that people would give away their banking credentials just because they are asked for them, but still there is a percentage who continue to become victims of one of the simplest fraud methods.

However both user awareness and anti-phishing tools are making harder for fraudsters to succeed in their attempts to get our money. We see this changing in the decrease in the percentage of spam. That is not the only reason: users are switching to new platforms such as social networks for direct communication.

Today I want to show you an example of the creativeness in avoiding spam and phishing filters.

I got the impression that lately the amount of phishing attacks via social media was not as great as we have seen in the past. But just as I logged in to Twitter today I noticed that I had received two direct messages, and they both had a very similar message.

Two days ago I received the first message, and when I tried to verify if it was a link spreading malware, or a phishing site, the URL was already inactive. Now when I received another one I wanted to look at it quickly, and at the time of writing the phishing site is still active.

You can read our Full Technical Paper on SPE / miniFlame here.

In May 2012, a Kaspersky Lab investigation detected a new nation-state cyber-espionage malware, which we named "Flame". Our research also identified some distinguishing features of Flame’s modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform. This confirmed there was some form of collaboration between the groups that developed the Flame and Tilded (Stuxnet/Duqu) platforms.

A more in-depth research conducted in June 2012 resulted in the discovery of another nation state-sponsored and previously unknown malware which we named «Gauss». Gauss used a modular structure resembling that of Flame, a similar code base and system for communicating with command-and-control (C&C) servers, as well as numerous other similarities to Flame.

In partnership with Symantec, ITU-IMPACT and CERT-Bund/BSI, we also published our analysis of the Flame Command and Control servers. The analysis showed that the code can understand several communication protocols to talk to different «clients» or malware:

• OldProtocol
• OldProtocolE
• SignupProtocol
• RedProtocol (mentioned but not implemented)

Right after the Venezuelan presidential elections cybercriminals launched a new credential stealing malware joined by a social engineering campaign saying that supposedly the last election was a fraud. The name of the malicious file is “listas-fraude-electoral.pdf.exe” which is translates to “Fraud elections lists” and it spread via a fake Globovision Venezuelan news TV station.

The mentioned malware is quite simple and it sets out to disable the UAC system, which allows the criminals to run administrative commands under restricted users accounts.

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Today, cybercriminals are quick to exploit vulnerabilities in Adobe Reader, Flash and Java to infect users’ computers. There is a simple reason for this popularity: exploits of vulnerabilities found in these products can infect computers regardless of which operating systems and browsers are used on the attacked machines. We assumed that the threats posed to users were unaffected by their choice of browser and undertook a little research to test this assumption.

Picture courtesy of the PCMAG website

In information security, talk about botnets equals talk about malicious actions that materialize through criminal action. In essence, we think there is always a hostile attitude on the part of those who administer them. Please correct me colleagues, refute this if I'm wrong, but I think conceptually you agree with me.

BoteAR (developed in Argentina) adopts the concept of "social networks" although it seems, as yet, not fully materialized. It offers a conventional and manageable botnet via HTTP but uses the model of crimeware-as-a-service. Moreover, the author seems to adopt (maybe unknowingly) the business model of affiliate systems originating in Eastern Europe which are used to spread malware i.e. infect and get revenue for each node you infect.

So far nothing unusual, unfortunately we witness this kind of tactic every day. The striking thing about BoteAR though is that it tries to shield itself under a wrapper of security in an attempt to "fraternize" with its community.

It can happen to anyone…and when it does it usually catches everybody – the victim and his relatives – completely unprepared. I’m talking about kidnapping.

Twice in my life I’ve been involved in helping the police track down and arrest gangs of kidnappers. The first case didn’t directly affect me or my family, but the second time a close friend of mine was kidnapped. And it turns out that our work in tackling cybercrime can also be useful to catch criminals who seem to have little connection with high-tech wrong-doing. The Internet is not just a tool for cybercrime – it is also often used to communicate with the families and friends of kidnap victims, especially to demand a ransom. When this happens, our work can be vital: evidence collected on the Internet as well, as the errors made by criminals, can help to track them down, identifying their location via their IP address.

Many things have been told already about the latest Skype malware spread via instant messages. However I just wanted to add something not mentioned yet. The first thing is about when the attack was launched first. According to Google Short URL service it first surfaced on Oct 6th :

Today's Microsoft updates include a few fixes for remote code execution, and several fixes for escalation of privilege and denial of service flaws. The priority for both general folks and corporate customers running Windows and Office will be to roll out MS12-064 effecting Microsoft Office immediately. Vulnerability CVE-2012-2528 and CVE-2012-0182 is patched by this bulletin, and -2528 predictably will be attacked with more malformed rtf formatted documents. These sorts of files have been delivered with a .doc extension, previously exploiting CVE-2012-0158. This 0158 vulnerability has been heavily exploited with spearphish in a large variety of serious targeted attacks this summer. Accordingly, expect to see more of this new vulnerability exploited with spearphish from the APT. Note that another vulnerability in Word is being patched within the same Bulletin, but is comparably difficult to reliably exploit.

Microsoft is also releasing a bulletin for a vulnerability in Microsoft Works. This code exposes a heap overflow but is a much lower priority because of the level of difficulty in building a reliable exploit.

Another major problem, but not anywhere near as serious, is within Microsoft Sharepoint, InfoPath, and the Microsoft Office WebApps service. A person could craft malicious content and send it to a user, sending just enough data to elevate their privileges to admin on the system.

Depending on your environment, you may look into the other handful of patches immediately. Microsoft presents October's MS SQL, Kerberos, and Kernel Bulletins here.

I'm sending greetings from Canada, where I'm attending the 6th annual SecTor Security Education Conference in the very impressive city of Toronto.

With almost 70 talks and nearly 50 exhibitors there are a lot of opportunities to learn about new techniques and meet interesting people from all over the world. In addition there is a “LockPick Village”, a robotics-showcase and a capture the flag competition located in the expo area.

Last but not least, Kaspersky Lab is exhibiting in the expo area.

Virus Bulletin 2012 is now over, the final chapter from this year’s conference needs to be written. Almost all of the participants have packed their bags and gone home. This event was three action packed days containing everything from discussions about cyber war, interesting meetings with fellow researchers and presentations about Indian Phone Scammers. I am now sitting here and writing the last blog post about the Virus Bulletin 2012 conference in Dallas.

This is my second Virus Bulletin, and just like last time it gave me not just the opportunity to network with fellow researchers, but this time I also presented my own research. Vicente Diaz wrote about the second day at VB, and he included some pictures from my presentation on Malware against Linux and the Attackers Automated Tools - check out the pictures here. During my presentation I also had a 30 minute live demo where four people from the audience helped me identify vulnerabilities and exploit them using the same techniques as the bad guys used. The demonstration also contained automated scripts for backdooring and bypassing security mechanisms within the Linux operating system.

Introduction

This is the description of an attack happening in Brazil since 2011 using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS servers, which affected 6 hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems.

We will show how cybercriminals exploited an under-the-radar vulnerability which affected thousands of outdated DSL modems across the country. This enabled the attack to reach network devices belonging to millions of individual and business users, spreading malware and engineering malicious redirects over the course of several months. The scenario was fuelled by the widespread neglect of ISPs, blunders from hardware manufacturers, under-educated users and official apathy.

If you think the task of cleaning up victims of the DNS Changer malware was a big challenge, imagine what it would be like to deal with 4.5 million modems compromised in this attack v all of them in sunny, beautiful Brazil.