06 Feb Encrypted Java Archive Trojan bankers from Brazil Dmitry Bestuzhev
06 Feb Largest Website in Sweden Spreading Malicious Code David Jacoby
05 Aug Campus Party, the biggest Technology Camp in the world! Roberto Martinez
27 Apr CeCOS VII Michael
04 Apr Virus calendar wallpapers for 2013 David
15 Mar Highlights from BlackHat Europe 2013 in Amsterdam Stefano Ortolani
This week has been one of the most hectic weeks in a very long time; I've been working day and night to finish everything for the Kaspersky Security Analyst Summit. I was not in the mood for new work because of the very late and hectic nights. I am on my way out the door to drop off the kids and wife at her parents' place and suddenly the phone rings. It's Magnus Lindkvist, who was the Security Evangelist at Microsoft in Sweden. It is always nice to talk to Magnus, but this time he had a different tone in his voice; he was not really up for any chit-chat, and just asked me if I was close to a computer. The mood for something exciting suddenly came back to me! I was in the game again! :)
As a security researcher, I always have at least one computer running 24/7. He tells me that the largest website in Sweden, Aftonbladet, is spreading malware. I quickly boot up my virtual machine, launch Chrome and open the website. Nothing happens... what did I miss? Was Magnus joking? Then on the other side of the phone I hear Magnus say: "You need to use Internet Explorer".
Campus Party is considered the world's most important event in the areas of Innovation, Creativity, Science and Digital Entertainment. This time it was the 4th Mexican edition and took place July 31st to August 4th in Mexico City. Even though the event took place around the same time as DefCon and Black Hat, it had the participation of recognized computer security professionals from Latin America, and the attendance was about 8,000 people with more than 500 conferences and workshops.
The first edition took place in Spain in 1997 and the event has since amassed more than 287,000 attendees from around the world. Currently annual events take place in countries like Mexico, Ecuador, Colombia, Peru, Brazil, Germany, England and the USA.
The Counter eCrime Operations Summit VII (CeCOS VII) engages questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the electronic-crime threat every day.
The annual event, organized by the Anti-Phishing Working Group (APWG), is this time held in Buenos Aires, Argentina.
Some of you may remember the virus wallpaper calendars that we published in previous years, listing a selection of significant events in the history of the IT security industry.
Well, we're posting new versions for 2013.
April's wallpaper is here.
But be sure to check our calendar page each month as we'll be adding new wallpapers as we go through the year.
We hope they'll be an interesting background for your desktop, as well as highlighting key security events from the past.
Every year as Europe wakes up from the cold winter to the warm days of spring, BlackHat traditionally descends on Amsterdam. This year’s conference is taking place on March 14-15 at the NH Grand Hotel Krasnapolsky, right on Dam Square, the heart of Amsterdam. As spring doesn’t necessarily equal warm days here in Europe right now, the 500 or so BlackHat participants hit the conference rooms to attend quite a few interesting talks. Here’s a summary of the best talks at BlackHat Europe 2013.
The title of this blog reminds me of the old zombie horror movies from the '80s, but what I'm going to write here is more like a comedy. Some of you have probably read my blog post about the time when I tricked them into accessing websites under my control, which led to me collecting a lot of information about the callers.
After that blog post I didn’t receive any calls... until today. I was sitting in my home office, drinking my daily smoothie and writing my paper for the Virus Bulletin magazine, and suddenly I hear the phone ringing. I don’t care about that anymore, because I hear that my wife answers the phone, but after a few minutes she enters my room and tells me that "they" are calling again.
As always, I booted up my VMware image with a totally FRESH installation of Windows XP and started talking to the scammers. For those of you who are not familiar with the scam, please read my other blog post, which can be found below, because I won’t cover it in this post. http://www.securelist.com/en/blog/208193750/Trying_to_unmask_the_fake_Microsoft_support_scammers
This time the scammers were using some different methods trying to convince me that my computer was infected with some malware. They even gave it the name "Frozen Trojan", and went to Google and tried to look it up for me. But they only ended up on results talking about the bird flu and other biological viruses, which I thought was quite entertaining.
The Industrial Control Systems Joint Working Group Fall Meeting 2012 is being held in Denver, Colorado this year, organized by the DHS ICS-CERT. Yesterday, Billy Rios from Spear Point Security kicked off the meeting with a discussion that included mention of vendors' defensive postures and the exploit brokers out there. A couple of other talks included speakers from Raytheon and the DHS. For someone that savors the technical meat at Infiltrate, Defcon and Project Basecamp, it seemed that I was surrounded by vegans. For example, when one speaker was asked about whether or not their product thwarts common pass-the-hash techniques that can be used to enable APT-related post-exploitation lateral movement from corporate to SCADA networks within ICS environments, the speaker explained that their product uses pass-the-hash and other mathematical techniques that he couldn't discuss to defend networks. Huh. Also, a generational air gap seems to be in place here too, with most of the speakers at least twice the age of speakers leaning into fresh offensive (and some defensive) security topics at Blackhat, Infiltrate, etc. Cultural differences abound.
A talk later in the day about 13 ways to evade firewalls could be boiled down to a few thoughts: XSS problems are enabled by SSL proxies, sneakernet exacerbates USB security issues, and misconfigured firewalls are an issue within ICS environments. These are all decade-old discussions, but may have some insight for top-level folks that have no exposure to 10-year-old security issues. The unfortunate thing is that these sorts of vulnerabilities continue to be present within critical infrastructure environments.
The second day seems to be starting off with much more interesting talks. SCADAHacker Joel Langill's talk on "Utilizing TCP/IP Addressing Scheme for Network Isolation" demonstrated the usefulness of subnet masking and the misunderstandings of implementing VLANs when enforcing network security policies. Joel runs a fantastic site, sharing links to information that provide complementary data to some of the ICS cyber-security consulting services that he performs.
Dr Nabil Adam from the DHS Science & Technology Directorate demonstrated the powerful modeling framework CEMSA that they have developed, providing ways to model and understand credible consequences of multiple interacting critical infrastructure disruptions. These consequences and disruptions, evaluated here based on concrete data around US-located industrial operations like chlorine gas plants and online network backbones, are the shocking stuff that folks have speculated on for years as "cyber Pearl Harbors". The difference is that this intelligence and data analysis is the real deal in its precision and comprehension of planned attack, cascading, and coincidental disruptive events. It goes beyond ICS environments, to help policy and decision makers understand and prioritize disruptive impacts. It is currently available to "anyone interested" from US-based government agencies.
I got the impression that lately the amount of phishing attacks via social media was not as great as we have seen in the past. But just as I logged in to Twitter today I noticed that I had received two direct messages, and they both had a very similar message.
Two days ago I received the first message, and when I tried to verify if it was a link spreading malware, or a phishing site, the URL was already inactive. Now when I received another one I wanted to look at it quickly, and at the time of writing the phishing site is still active.
Virus Bulletin 2012 is now over, and the final chapter from this year’s conference needs to be written. Almost all of the participants have packed their bags and gone home. This event was three action-packed days containing everything from discussions about cyber war and interesting meetings with fellow researchers to presentations about Indian phone scammers. I am now sitting here and writing the last blog post about the Virus Bulletin 2012 conference in Dallas.
This is my second Virus Bulletin, and just like last time it gave me not just the opportunity to network with fellow researchers, but this time I also presented my own research. Vicente Diaz wrote about the second day at VB, and he included some pictures from my presentation on Malware against Linux and the Attackers Automated Tools - check out the pictures here. During my presentation I also had a 30 minute live demo where four people from the audience helped me identify vulnerabilities and exploit them using the same techniques as the bad guys used. The demonstration also contained automated scripts for backdooring and bypassing security mechanisms within the Linux operating system.