Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

October 4, 2018

Patent Prior Art Archive – Malware Prior Art?

Filed under: Cybersecurity,Malware,Patents — Patrick Durusau @ 8:18 am

Coming together to create a prior art archive by Ian Wetherbee and Mike Lee.

From the post:

Patent quality is a two-way street. Patent applicants should submit detailed disclosures describing their inventions and actively participate in the examination process to define clear distinctions between their inventions and existing technology. Examiners reviewing patent applications should conduct thorough searches of existing technology, reject any attempts to patent existing technology, and develop a clear record of the differences between the patent claims and what came before. The more that the patent system supports and incentivizes these activities, the more reliable the rights that issue from patent offices will be, and the more those patents will promote innovation.

A healthy patent system requires that patent applicants and examiners be able to find and access the best documentation of state-of-the-art technology. This documentation is often found in sources other than patents. Non-patent literature can be particularly hard to find and access in the software field, where it may take the form of user manuals, technical specifications, or product marketing materials. Without access to this information, patent offices may issue patents covering existing technology, or not recognize trivial extensions of published research, removing the public’s right to use it and bringing the reliability of patent rights into question.

To address this problem, academia and industry have worked together to launch the Prior Art Archive, created through a collaboration between the MIT Media Lab, Cisco and the USPTO, and hosted by MIT. The Prior Art Archive is a new, open access system that allows anyone to upload those hard-to-find technical materials and make them easily searchable by everyone.

Believe it or not, Wetherbee and Lee write an entire post on Google and the Prior Art Archive, without ever giving the web address of the Prior Art Archive.

There, fixed that problem on the web. 😉 You know, it’s possible to be so self-centered as to be self-defeating.

The problems of malware prior art are orders of magnitude greater than patent prior art. The literature, posts, etc., alone are spread across ephemeral and often inaccessible forums, blogs, emails, chat groups, to say nothing of the self-defeating secrecy of security researchers themselves. (Not to mention information in languages other than English.)

A malware prior art archive would present numerous indexing, searching, machine translation, clustering and other problems. Perhaps not as lucrative as the results of the Patent Prior Art Archive but at least as interesting.

Thoughts? Suggestions?

PS: You can search the Prior Art Archive through Google Patents. Two other relevant Google resources: TDCommons (non-patented information) and Google Patents Public Datasets.

July 18, 2018

Self-Help Transparency – Smoke Loader

Filed under: Cybersecurity,Malware,Transparency — Patrick Durusau @ 8:18 pm

Dissecting Smoke Loader by Michał Praszmo.

From the post:

Smoke Loader (also known as Dofoil) is a relatively small, modular bot that is mainly used to drop various malware families.

Even though it’s designed to drop other malware, it has some pretty hefty malware-like capabilities on its own.

Despite being quite old, it’s still going strong, recently being dropped from RigEK and MalSpam campaigns.

In this article we’ll see how Smoke Loader unpacks itself and interacts with the C2 server.

You can go the Freedom of Information Act (FOIA) route to become an “informed citizen,” provided you don’t mind:

  • Indeterminate exchanges to clarify your request
  • Delays and fees by agencies
  • Exemptions
  • Review and editing of documents by those most interested in non-disclosure

If you had access to the agency’s files:

  • No need to clarify your request
  • No delays or fees by the agency
  • No exemptions from disclosure
  • No review and editing of requested documents to prevent disclosure

Not to mention that self-help transparency saves the agency staff time and other resources in answering your request.

The other advantage of self-help transparency is that it works with political PACs, foreign governments, corporations and a host of other groups and institutions with no FOIA traditions.

All of those are incentives for closely attending to this blog post on the Smoke Loader.

Enjoy!

January 30, 2018

Combating State of the Uniom Brain Damage – Malware Reversing – Burpsuite Keygen

Filed under: Cybersecurity,Hacking,Malware,Reverse Engineering — Patrick Durusau @ 5:43 pm

Malware Reversing – Burpsuite Keygen by @lkw.

From the post:

Some random new “user” called @the_heat_man posted some files on the forums multiple times (after being deleted by mods) claiming it was a keygen for burpsuite. Many members of these forums were suspicious of it being malware. I, along with @Leeky, @dtm, @Cry0l1t3 and @L0k1 (please let me know if I missed anyone) decided to reverse engineer it to see if it is. Surprisingly as well as containing a remote access trojan (RAT) it actually contains a working keygen. As such, for legal reasons I have not included a link to the original file.

The following is a writeup of the analysis of the RAT.

In the event you, a friend, or a family member are accidentally exposed to the State of the Uniom speech tonight, permanent brain damage can be avoided by repeated exposure to intellectually challenging material, for an extended time period.

With that in mind, I mention Malware Reversing – Burpsuite Keygen.

Especially challenging if you aren’t familiar with reverse engineering but the extra work of understanding each step will exercise your brain that much harder.

How serious can the brain damage be?

A few tweets from Potus and multiple sources report Democratic Senators and Representatives extolling the FBI as a bulwark of democracy.

Really? The same FBI that infiltrated civil rights groups, anti-war protesters, 9/11 defense, Black Panthers, SCLC, etc. That FBI? The same FBI that continues such activities to this very day?

A few tweets produce that level of brain dysfunction. Imagine the impact of 20 to 30 continuous minutes of exposure.

State of the Uniom is scheduled for 9 PM EST on 30 January 2018.

Readers are strongly advised to turn off all TVs and radios, to minimize the chances of accidental exposure to the State of the Uniom or repetition of the same. The New York Times will be streaming it live on its website. I have omitted that URL for your safety.

Safe activities include, reading a book, consensual sex, knitting, baking, board games and crossword puzzles, to name only a few. Best of luck to us all.

December 7, 2017

Malpedia

Filed under: Cybersecurity,Malware — Patrick Durusau @ 8:55 pm

Malpedia

From the webpage:

Malpedia is a free service offered by Fraunhofer FKIE.

The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.

Also, please be aware that not all content on Malpedia is publicly available.

More specifically, you will need an account to access all data (malware samples, non-public YARA rules, …).

In this regard, Malpedia is operated as an invite-only trust group.
…(emphasis in original)

You are probably already aware of Malpedia but I wasn’t.

Enjoy!

November 27, 2017

Why Study ARM Exploitation? 100 Billion Chips Shipped, 1 Trillion Projected in 20 Years.

Filed under: ARM,Cybersecurity,Malware — Patrick Durusau @ 10:07 pm

Getting Started With ARM Exploitation by Azeria.

From the post:

Since I published the tutorial series on ARM Assembly Basics, people keep asking me how to get started with exploitation on ARM. Since then, I added some tutorials on how to write ARM Shellcode, an introduction to Memory Corruptions, a detailed guide on how to set up your own ARM lab environment, and some small intro to debugging with GDB. Now it’s time we get to the meat of things and use all this knowledge to start exploiting some binaries.

This first part is aimed at those of you who have no experience with reverse engineering or exploiting ARM binaries. These challenges are relatively easy and are meant to introduce a few core concepts of binary exploitation.

Why Study ARM Exploitation?

Can you name another attack surface that large?

No?

Suggest you follow Azeria and her tutorials. Today.

October 28, 2017

Useless List of Dark Web Bargains – NRA Math/Social Science Problems

Filed under: Cybersecurity,Dark Web,Malware,Security — Patrick Durusau @ 3:00 pm

A hacker’s toolkit, shocking what you can buy on Dark Web for a few bucks by Mark Jones.

From the post:

Ransomware

  • Sophisticated license for widespread attacks $200
  • Unsophisticated license for targeted attacks $50

Spam

  • 500 SMS (Flooding) $20
  • 500 malicious email spam $400
  • 500 phone calls (Flooding) $20
  • 1 million email spam (legal) $200

What makes this listing useless? Hmmm, did you notice the lack of URLs?

With URLs, a teacher could create realistic math problems like:

How much money would Las Vegas shooting survivors and families of the deceased victims have to raise to “flood” known NRA phone numbers during normal business hours (US Eastern time zone) for thirty consecutive days? (give the total number of phone lines and their numbers as part of your answer)

or research problems (social science/technology),

Using the current NRA 501(c)(4) report, choose a minimum of three (3) directors of the NRA and specify what tools, Internet or Dark Web, you would use to find additional information about each director, along with the information you discovered with each tool for each director.

or advanced research problems (social science/technology),

Using any tool or method, identify a minimum of five (5) contributors to the NRA that are not identified on the NRA website or in any NRA publication. The purpose of this exercise is to discover NRA members who have not been publicly listed by the NRA itself. For each contributor, describe your process, including links and results.

Including links in posts, even lists, helps readers reuse and even re-purpose content.

It’s called the World Wide Web for a reason, hyperlinks.

October 25, 2017

Proton Sets A High Bar For Malware

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 9:14 pm

Malware hidden in vid app is so nasty, victims should wipe their Macs by Iain Thomson

Proton was distributed by legitimate servers and is so severe that only a clean install will rid your system of the malware.

From the post:


Proton is a remote-control trojan designed specifically for Mac systems. It opens a backdoor granting root-level command-line access to commandeer the computer, and can steal passwords, encryption and VPN keys, and crypto-currencies from infected systems. It can gain access to a victim’s iCloud account, even if two-factor authentication is used, and went on sale in March with a $50,000 price tag.

Impressive!

Imagine a Windows trojan that requires a clean system install to disinfect your system.

Well, “disinfecting” a Windows system is a relative term.

If you are running Windows 10, you have already granted root access to Microsoft plus whoever they trust to your system.

Perhaps “disinfect within the terms and limitations of your EULA with Microsoft” is the better way to put it.

A bit verbose don’t you think?

October 10, 2017

Wall Street Journal Misses Malvertising Story – Congressional Phishing Tip

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 2:32 pm

Warning: Millions of PornHub Users Hit With Malvertising Attack by Mohit Kumar.

From the post:

Researchers from cybersecurity firm Proofpoint have recently discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections.

Active for more than a year and still ongoing, the malware campaign is being conducted by a hacking group called KovCoreG, which is well known for distributing Kovter ad fraud malware that was used in 2015 malicious ad campaigns, and most recently earlier in 2017.

The KovCoreG hacking group initially took advantage of POrnHub—one of the world’s most visited adult websites—to distribute fake browser updates that worked on all three major Windows web browsers, including Chrome, Firefox, and Microsoft Edge/Internet Explorer.

According to the Proofpoint researchers, the infections in this campaign first appeared on POrnHub web pages via a legitimate advertising network called Traffic Junky, which tricked users into installing the Kovter malware onto their systems.

When you spend your time spreading government-directed character assassination rumors about Kaspersky Lab, you miss opportunities to warn your readers about malvertising infections from PornHub.

Just today, the Wall Street Journal (WSJ) left its readers in the dark about Kovter ad fraud malware from PornHub.

You can verify that claim by using site:wsj.com plus KovCoreG, Kovter, and PornHub to search wsj.com. As of 15:00 on October 9, 2017, I got zero “hits.”

The WSJ isn’t a computer security publication but an infection from one of the most popular websites in the world, especially one of interest to likely WSJ subscribers, Harvey Weinstein, Donald Trump, for example, should be front page, above the fold.

Yes?

PS: Congressional Phishing Tip: For phishing congressional staffers, members of congress, their allies and followers, take a hint from the line: “…POrnHub—one of the world’s most visited adult websites….” Does that suggest subject matter for phishing that has proven to be effective?

October 5, 2017

Software McCarthyism – Wall Street Journal and Kaspersky Lab

Filed under: Cybersecurity,Malware,NSA,Security — Patrick Durusau @ 8:42 pm

The Verge reports this instance of software McCarthyism by the Wall Street Journal against Kaspersky Lab saying:


According to the report, the hackers seem to have identified the files — which contained “details of how the U.S. penetrates foreign computer networks and defends against cyberattacks” — after an antivirus scan by Kaspersky antivirus software, which somehow alerted hackers to the sensitive files.
… (emphasis added)

Doesn’t “…somehow alerted hackers to the sensitive files…” sound a bit weak? Even allowing for restating the content of the original WSJ report?

The Wall Street Journal reports in Russian Hackers Stole NSA Data on U.S. Cyber Defense:

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

U.S. investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programmed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.

The facts reported by the Wall Street Journal support guilt by association style McCarthyism but in a software context.

Here are the only facts I can glean from the WSJ report and common knowledge of virus software:

  1. NSA contractor removed files from NSA and put them on his home computer
  2. Home computer was either a PC or Mac (only desktops supported by Kaspersky)
  3. Kaspersky anti-virus software was on the PC or Mac
  4. Kaspersky anti-virus software is either active or runs at specified times
  5. Kaspersky anti-virus software scanned the home computer one or more times
  6. Hackers stole NSA files from the home computer

That’s it, those are all the facts reported in the Wall Street Journal “story,” better labeled a slander against Kaspersky Lab.

The following claims are made with no evidence whatsoever:

  1. “after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab”
  2. “believe the contractor’s use of the software alerted Russian hackers to the presence of files”
  3. “whether Kaspersky technicians programed the software to look for specific parameters”
  4. “unclear is whether Kaspersky employees alerted the Russian government to the finding”
  5. “armed with the knowledge that Kaspersky’s software provided”

The only evidence in the possession of investigators is the co-locations of the NSA files and Kaspersky anti-virus software on the same computer.

All the other beliefs, suppositions, assumptions, etc., of investigators are attempts to further the government’s current witch hunt against Kaspersky Lab.

The contractor’s computer likely also had MS Office, the home of more than a few security weaknesses. To say nothing of phishing emails, web browsers, and the many other avenues for penetration.

As far as “discovering” the contractor to get the files in question, it could have been by chance and/or the contractor bragging to a waitress about his work. We’re not talking about the sharpest knife in the drawer on security matters.

Judging hacking claims based on co-location of software is guilt by association pure and simple. The Wall Street Journal should not dignify such government rumors by reporting them.

Printer Exploitation Toolkit: PRET [398 Days to Congressional MidTerm Elections]

Filed under: Cybersecurity,Malware,Politics,Security — Patrick Durusau @ 1:08 pm

Printer Exploitation Toolkit: PRET

From the post:

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. PRET connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers today. This allows PRET to do cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and a printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Billed in the post as:

The tool that made dumpster diving obsolete (emphasis in original)

I would not go that far, after all, there are primitives without networked printers, or so I have heard. For those cases, dumpster diving remains a needed skill.

Reading Exploiting Network Printers – A Survey of Security Flaws in Laser Printers and Multi-Function Devices (the master’s thesis) isn’t required, but it may help extend this work.

Abstract:

Over the last decades printers have evolved from mechanic devices with microchips to full blown computer systems. From a security point of view these machines remained unstudied for a long time. This work is a survey of weaknesses in the standards and various proprietary extensions of two popular printing languages: PostScript and PJL. Based on tests with twenty laser printer models from various vendors practical attacks were systematically performed and evaluated including denial of service, resetting the device to factory defaults, bypassing accounting systems, obtaining and manipulating print jobs, accessing the printers’ file system and memory as well as code execution through malicious firmware updates and software packages. A generic way to capture PostScript print jobs was discovered. Even weak attacker models like a web attacker are capable of performing the attacks using advanced cross-site printing techniques.

As of July of 2016, Appendix A.1 offers a complete list of printer CVEs. (CVE = Common Vulnerabilities and Exposures.)

The author encountered a mapping issue when attempting to use vFeed to map CVEs to CWEs (CWE = Common Weakness Enumeration).


Too many CWE identifiers, however, match a single CVE identifier. To keep things clear, we instead grouped vulnerabilities into nine categories of attack vectors as shown in Table 3.2. It is remarkable that half of the identified security flaws are web-related while only one twelfth are caused by actual printing languages like PostScript or PJL.
… (page 11 of master’s thesis)

I haven’t examined the mapping problem but welcome suggestions from those of you who do. Printer exploitation is a real growth area in cybersecurity.
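The PRET loop described above (translate a UNIX-like verb into printer language, send it, parse what comes back) is easy to see in miniature for PJL. The following Python is an added example written for this post, not PRET’s code: the UEL/CRLF/form-feed framing and the PJL commands (INFO, FSDIRLIST, FSQUERY) come from HP’s PJL reference, while the verb table, the function names and the sample FSDIRLIST reply are this example’s own constructions. The network half (query) is only meant for a printer you are authorized to test; demo_ls() runs the offline half against the constructed reply.

```python
import socket

# PJL framing, per HP's Printer Job Language Technical Reference Manual.
UEL = b"\x1b%-12345X"   # Universal Exit Language: tells the device to enter PJL
EOL = b"\r\n"           # PJL command lines are CRLF-terminated
FF = b"\x0c"            # a form feed marks the end of each PJL reply
RAW_PORT = 9100         # AppSocket/JetDirect raw port, the one PRET talks to


def translate(verb, arg="0:\\"):
    """Hypothetical verb table for this example: a few UNIX-style verbs and
    the PJL commands behind them. PRET has its own, larger command set."""
    table = {
        "id":   "INFO ID",                      # model string
        "env":  "INFO VARIABLES",               # environment variables
        "df":   "INFO FILESYS",                 # mounted volumes
        "ls":   'FSDIRLIST NAME="%s" ENTRY=1 COUNT=65535' % arg,
        "stat": 'FSQUERY NAME="%s"' % arg,      # TYPE and SIZE of one path
    }
    if verb not in table:
        raise ValueError("unknown verb: %r" % verb)
    return "@PJL " + table[verb]


def frame(command):
    """Wrap one command line in UEL so the device leaves whatever language it
    is in, executes the PJL, and is released again afterwards."""
    return UEL + command.encode("ascii") + EOL + UEL


def parse_response(raw):
    """Split a PJL reply into (echoed command, payload lines). The device
    echoes the command, sends zero or more data lines, then a form feed."""
    body = raw.split(FF, 1)[0]
    lines = body.decode("ascii", "replace").split("\r\n")
    return lines[0].strip(), [line for line in lines[1:] if line]


def parse_dirlist(payload):
    """Turn FSDIRLIST entries ('name TYPE=DIR' / 'name TYPE=FILE SIZE=n')
    into a dict of name -> size (None for directories)."""
    entries = {}
    for line in payload:
        parts = line.split()
        if len(parts) < 2 or not parts[1].startswith("TYPE="):
            continue
        size = None
        if parts[1] == "TYPE=FILE":
            for p in parts[2:]:
                if p.startswith("SIZE="):
                    size = int(p[5:])
        entries[parts[0]] = size
    return entries


def query(host, verb, arg="0:\\", timeout=5.0):
    """Send one translated command over the raw port and parse the reply.
    Only point this at a printer you are authorized to test."""
    with socket.create_connection((host, RAW_PORT), timeout=timeout) as s:
        s.sendall(frame(translate(verb, arg)))
        buf = b""
        while FF not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)


# Constructed reply in the shape a PJL-capable LaserJet returns for FSDIRLIST;
# not captured from a real device.
SAMPLE_DIRLIST_REPLY = (
    b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1\r\n'
    b'. TYPE=DIR\r\n'
    b'.. TYPE=DIR\r\n'
    b'PJL TYPE=DIR\r\n'
    b'webServer TYPE=DIR\r\n'
    b'PRTRUN.CFG TYPE=FILE SIZE=1024\r\n'
    b'\x0c'
)


def demo_ls():
    """The offline half of the loop: translate 'ls', then parse the reply."""
    command = translate("ls")
    echoed, payload = parse_response(SAMPLE_DIRLIST_REPLY)
    return command, echoed, parse_dirlist(payload)
```

The point to notice is how little the printer asks of the client: no authentication, a fixed escape sequence, and a line of text. That is why the thesis can reach the file system and memory of so many models, and why the same commands can be pushed from a browser by cross-site printing.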

I mentioned the 398 Days to Congressional MidTerm Elections in anticipation that some bright lasses and lads will arrange for printers to print not only at a local location but remote one as well.

Think of printers as truthful but not loyal campaign staffers.

Enjoy!

October 3, 2017

Who Does Cyber Security Benefit?

Filed under: Cybersecurity,Ethics,Malware,Security — Patrick Durusau @ 2:04 pm

Indoctrinating children to benefit the wealthy starts at a young age: ‘Hackathon’ challenges teens to improve cyber security.

Improving cyber security is taught as an ethical imperative, but without asking who that “imperative” benefits.

OxFam wrote earlier this year:

Eight men own the same wealth as the 3.6 billion people who make up the poorest half of humanity, according to a new report published by Oxfam today to mark the annual meeting of political and business leaders in Davos.

Oxfam’s report, ‘An economy for the 99 percent’, shows that the gap between rich and poor is far greater than had been feared. It details how big business and the super-rich are fuelling the inequality crisis by dodging taxes, driving down wages and using their power to influence politics. It calls for a fundamental change in the way we manage our economies so that they work for all people, and not just a fortunate few.

New and better data on the distribution of global wealth – particularly in India and China – indicates that the poorest half of the world has less wealth than had been previously thought. Had this new data been available last year, it would have shown that nine billionaires owned the same wealth as the poorest half of the planet, and not 62, as Oxfam calculated at the time.
… From: Just 8 men own same wealth as half the world

It’s easy to see that the cyber security of SWIFT, the “secure financial messaging system,” benefits the “[e]ight men [who] own the same wealth as the 3.6 billion people who make up the poorest half of humanity” far more than it benefits “the 3.6 billion people who make up the poorest half of humanity.”

Do you have any doubt about that claim in principle? The exact numbers of inequality don’t interest me as much as the understanding that information systems and their cyber security benefit some people more than others.

Once we establish the principle of differential in benefits from cyber security, then we can ask: Who does cyber security X benefit?

To continue with the SWIFT example, I would not volunteer to walk across the street to improve its cyber security. It is an accessory to a predatory financial system that exploits billions. You could be paid to improve its cyber security but tech people at large have no moral obligation to help SWIFT.

If anyone says you have an obligation to improve cyber security, ask who benefits?

Yes?

September 25, 2017

Awesome Windows Exploitation Resources (curated)

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 3:27 pm

Awesome Windows Exploitation Resources

Not all of these resources are recent but with vulnerability lifetimes of a decade or more, there is much to learn here. I count two hundred and fifty (250) resources as of today.

Including election day, November 6, 2018, there are only 408 days left until the 2018 mid-term Congressional elections. You have a lot of reading to do.

You can contribute materials for listing.

September 10, 2017

“Should We Talk About Security Holes? An Old View”

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 7:15 pm

Michael Sikorski, @mikesiko, tweeted a quote forwarded by @SteveBellovin in a discussion about open sharing and discussion of malware.

The quote was an image and didn’t reduce well for display. I located the source of the quote and quote the text below.

Rudimentary Treatise on the Construction of Door Locks: For Commercial and Domestic Purposes : with Mr. Smyth’s Letter on the Bramah Locks by J. Weale (by the book’s pagination, starting on page 2 and ending on page 4).


A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by shewing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock—let it have been made in whatever country, or by whatever maker—is not so inviolate as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear—milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased. So likewise in respect to bread, sugar, coffee, tea, wine, beer, spirits, vinegar, cheap silks, cheap woollens—all such articles are susceptible of debasement by admixture with cheaper substances—much more good than harm is effected by stating candidly and scientifically the various methods by which debasement has been, or can be produced.
The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle—the advantage of publicity. In respect to lock-making there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open for them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and the curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good.

More to follow but here’s a question to ponder:

Can you name one benefit that white hats gain by not sharing vulnerability information?

August 31, 2017

Monitoring Malware Sinkhole Traffic

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 5:01 pm

Consolidated Malware Sinkhole List by Lesley Carhart, Full Spectrum Cyber-Warrior Princess.

From the post:

A common practice of researchers studying a piece of malware is to seize control of its malicious command and control domains, then redirect traffic to them to benign research servers for analysis and victim notification. I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I’ve found no comprehensive public list of these sinkholes. There have been some previous efforts to compile a list, for instance by reverse engineering Emerging Threats Signatures (mikesxrs – I hope this answers your questions, a little late!). Some sinkholes are documented on the vendors’ sites, while others are clearly labeled in whois data, but undocumented. Still others are only detectable through behavior and hearsay.

Below, I share my personal list of publicly-noted sinkholes only. Please understand that with few exceptions I have not received any of this information from the vendors or organizations mentioned. It is possible there is some misattribution, and addresses in use do change over time. This is merely intended as a helpful aid for threat hunting, and there are no guarantees whatsoever.

An incomplete malware sinkhole list by her own admission but an interesting starting point for data collection/analysis.

When I read Carhart’s:

I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I had to wonder, at what level will you be monitoring traffic “…to these sinkholes?”

Sysadmins monitor their own networks, but traffic monitoring at higher levels is possible as well.

Monitoring sinkhole traffic above the network level would give a broader picture of possible “infections.”

Upon discovery, a system already infected by one type of malware may be found to be vulnerable to other malware with a similar attack vector.

It certainly narrows the hunt for vulnerable systems.
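At the sysadmin level, the hunt Carhart recommends is a join between your connection logs and the sinkhole list. The following Python is an added example written for this post, not Carhart’s list or code: the sinkhole table uses RFC 5737 documentation ranges as stand-ins (not real sinkhole addresses; load a maintained list in the same cidr -> label shape), and the Zeek-style conn.log records in SAMPLE_LOG are constructed. The caveats from her post are built in: a hit is returned as a lead keyed by internal host, not as a verdict, since addresses change hands and lists can misattribute them.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in table: RFC 5737 documentation ranges, NOT real sinkhole
# addresses. Replace with entries from a maintained list in the same shape.
SINKHOLES = {
    "192.0.2.0/24":    "example-sinkhole-A",
    "198.51.100.7/32": "example-sinkhole-B",
    "203.0.113.0/25":  "example-sinkhole-C",
}


def compile_sinkholes(table):
    """Parse the CIDR strings once; returns a list of (network, label)."""
    return [(ipaddress.ip_network(cidr, strict=False), label)
            for cidr, label in table.items()]


def match_sinkhole(ip, nets):
    """Label of the first sinkhole network containing ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # IPv6 literals with zones, hostnames, junk
        return None
    for net, label in nets:
        if addr in net:
            return label
    return None


def parse_conn_line(line):
    """Parse one Zeek-style conn.log record (tab-separated:
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto ...).
    Returns None for header/comment lines and malformed records."""
    if not line or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 7:
        return None
    return {"ts": f[0], "src": f[2], "dst": f[4], "dport": f[5], "proto": f[6]}


def hunt(lines, nets):
    """Map each internal source host to the sorted list of sinkhole labels it
    reached. Output is a triage queue, not a verdict: the same host may need
    a closer look for other malware sharing the attack vector."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        label = match_sinkhole(rec["dst"], nets)
        if label:
            hits[rec["src"]].add(label)
    return {src: sorted(labels) for src, labels in hits.items()}


# Constructed sample records; the header line and the garbage line exercise
# the parser's skip paths. 203.0.113.200 is outside the /25 and must not match.
SAMPLE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1503946800.1\tC1\t10.0.0.15\t51234\t192.0.2.44\t80\ttcp
1503946801.2\tC2\t10.0.0.15\t51235\t198.51.100.7\t443\ttcp
1503946802.3\tC3\t10.0.0.22\t40000\t172.16.5.5\t443\ttcp
1503946803.4\tC4\t10.0.0.31\t53011\t203.0.113.200\t80\ttcp
garbage line
1503946804.5\tC5\t10.0.0.31\t53012\t203.0.113.9\t8080\ttcp
"""


def demo():
    """Run the hunt over the constructed log with the constructed table."""
    return hunt(SAMPLE_LOG.splitlines(), compile_sinkholes(SINKHOLES))
```

Running demo() flags 10.0.0.15 (two different sinkholes, which by itself suggests more than one infection) and 10.0.0.31, and ignores 10.0.0.22. For a real deployment the table would be refreshed from the list, and the /32 versus /24 distinction matters: a whole range belonging to a sinkhole operator is a much weaker signal than a single documented sinkhole address.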

If you don’t already, follow Lesley Carhart, @hacks4pancakes, or visit her blog, tisiphone.net.

August 29, 2017

Inspiring Female Hackers – Kronos Malware

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 7:00 pm

Hasherezade authored a two part series:

Inside the Kronos malware – part 1

Inside the Kronos malware – part 2,

an in depth examination of the Kronos Malware.

It’s heavy sledding but is one example of current work being done by a female hacker. If it seems alien now, return to it after you learn some hacking skills to be properly impressed.

BTW, Hasherezade has a blog at: hasherezade’s 1001 nights

PS: There’s a lot of talk about white-hats and black-hats in the cybersecurity community.

My question would be: “What color hat are you paying me to wear? Otherwise, it’s really none of your concern.”

August 28, 2017

What Being a Female Hacker Is Really Like

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 3:55 pm

What Being a Female Hacker Is Really Like by Amanda Rousseau.

I never imagined citing a TeenVogue post on my blog but this one is a must read!

Amanda Rousseau is a white-hat malware expert and co-founder of the blog, VanitySec.

I won’t attempt to summarize her four (4) reasons why women should consider careers as hackers, thinking you need to read the post in full, not my highlights.

Looking forward to more hacker oriented posts in TeenVogue and off now to see what’s up at VanitySec. (Today’s top post: Fall Bags to Conceal Your RFID Reader. Try finding that at your tech feed.)

August 25, 2017

Air Gapping USB Sticks For Journalists (Or Not! For Others)

Filed under: Cybersecurity,Ethics,Malware,Security — Patrick Durusau @ 12:34 pm

CIRCLean – USB key sanitizer

Journalists are likely to get USB sticks from unknown and/or untrustworthy sources. CIRCLean copies potentially dangerous files on an untrustworthy USB stick, converts those files to a safe format and saves them to your trusted USB stick. (Think of it as not sticking a potentially infected USB into your computer.)

Written instructions based on those for CIRCLean, without illustrations:

  1. Unplug the device.
  2. Plug the untrusted USB stick into the top USB slot.
  3. Plug your own, trusted USB stick into the bottom USB slot.
  4. Note: make sure your USB stick is bigger than the untrusted one. The extracted documents are sometimes bigger than the original ones.
  5. Connect the power to the device.
  6. If your device has a diode, wait until the blinking stops.
  7. Otherwise, plug in a headset and listen to the music that is played during the conversion. When the music stops, the conversion is finished.
  8. Unplug the device and remove the USB keys.

Label all untrusted USB sticks. “Untrusted” means it has an origin other than you. Unicode U+2620 ‘skull and crossbones’ works, ☠, or a bit larger (image from http://graphemica.com/).

It’s really that easy!

On The Flip Side

Modifying the CIRCLean source to maintain its present capabilities but adding your malware to the “trusted” USB stick offers a number of exciting possibilities.

Security is all the rage in the banking industry, making a Raspberry Pi (with diode), an attractive case, and your USB malware great banking convention swag.

Listings of banking conferences are maintained by the American Bankers Association, the European Banking Association, and Asian Banking & Finance, to name just a few.

A low-cost alternative to a USB cleaning/malware installing Raspberry Pi would be to use infected USB sticks as swag. “Front Office Staff: After Hours” or some similar title. If that sounds sexist, it is, but traps use bait based on their target’s proclivities, not yours.

PS: Ethics/legality:

The ethics of spreading malware to infrastructures based on a “white, cisheteropatriarchal*” point of view, I leave for others to discuss.

The legality of spreading malware depends on who’s doing the spreading and who’s being harmed. Check with legal counsel.

* A phrase I stole from: Women’s Suffrage Leaders Left Out Black Women. A great read.

August 1, 2017

Why Learn OpenAI? In a word, Malware!

Filed under: Artificial Intelligence,Cybersecurity,Malware — Patrick Durusau @ 6:46 pm

OpenAI framework used to create undetectable malware by Anthony Spadafora.

Spadafora reports on Endgame’s malware generating software, Malware Env for OpenAI Gym.

From the Github page:

This is a malware manipulation environment for OpenAI’s gym. OpenAI Gym is a toolkit for developing and comparing reinforcement learning algorithms. This makes it possible to write agents that learn to manipulate PE files (e.g., malware) to achieve some objective (e.g., bypass AV) based on a reward provided by taking specific manipulation actions.
… (highlight in original)

Introducing OpenAI is a good starting place to learn more about OpenAI.

The value of the OpenAI philosophy:

We believe AI should be an extension of individual human wills and, in the spirit of liberty, as broadly and evenly distributed as possible. The outcome of this venture is uncertain and the work is difficult, but we believe the goal and the structure are right. We hope this is what matters most to the best in the field.

will vary depending upon your objectives.

From my perspective, it’s better for my AI to decide to reach out or stay its hand, as opposed to relying upon ethical behavior of another AI.

You?

June 19, 2017

Concealed Vulnerability Survives Reboots – Consumers Left in Dark

Filed under: Cybersecurity,Malware — Patrick Durusau @ 8:50 pm

New Vulnerability Could Give Mirai the Ability to Survive Device Reboots by Catalin Cimpanu

From the post:

Until now, all malware targeting IoT devices survived only until the user rebooted his equipment, which cleared the device’s memory and erased the malware from the user’s equipment.

Intense Internet scans for vulnerable targets meant that devices survived only minutes until they were reinfected again, which meant that users needed to secure devices with unique passwords or place behind firewalls to prevent exploitation.

New vulnerability allows for permanent Mirai infections

While researching the security of over 30 DVR brands, researchers from Pen Test Partners have discovered a new vulnerability that could allow the Mirai IoT worm and other IoT malware to survive between device reboots, permitting for the creation of a permanent IoT botnet.

“We’ve […] found a route to remotely fix Mirai vulnerable devices,” said Pen Test Partners researcher Ken Munro. “Problem is that this method can also be used to make Mirai persistent beyond a power off reboot.”

Understandably, Munro and his colleagues decided to refrain from publishing any details about this flaw, fearing that miscreants might weaponize it and create non-removable versions of Mirai, a malware known for launching some of the biggest DDoS attacks known today.

Do security researchers realize concealing vulnerabilities prevents market forces from deciding the fate of insecure systems?

Should security researchers marketing vulnerabilities to manufacturers be more important than the operation market forces on their products?

More important than your right to choose products based on the best and latest information?

Market forces are at work here, but they aren’t ones that will benefit consumers.

E-Cigarette Can Hack Your Computer (Is Nothing Sacred?)

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 8:29 pm

Kavita Iyer has the details on how an e-cigarette can be used to hack your computer at: Know How E-Cigarette Can Be Used By Hackers To Target Your Computer.

I’m guessing you aren’t so certain that expensive e-cigarette you “found” is harmless after all?

Malware in e-cigarettes seems like a stretch given the number of successful phishing emails every year.

But a recent non-smoker may be the security lapse you need.

June 7, 2017

Personal Malware Analysis Lab – Summer Project

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 7:30 pm

Set up your own malware analysis lab with VirtualBox, INetSim and Burp by Christophe Tafani-Dereeper.

Whether you are setting this up for yourself and/or a restless child, what a great summer project!

You can play as well so long as you don’t mind losing to nimble minded tweens and teens. 😉

It’s never too early to teach cybersecurity and penetration skills or to practice your own.

With a little imagination as far as prizes, this could be a great family activity.

It’s a long way from playing Yahtzee with your girlfriend, her little brother and her mother, but we have all come a long way since then.

June 1, 2015

Which Malware Lures Work Best?

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 6:04 pm

Which Malware Lures Work Best? Measurements from a Large Instant Messaging Worm by Tyler Moore and Richard Clayton.

Abstract:

Users are inveigled into visiting a malicious website in a phishing or malware-distribution scam through the use of a ‘lure’ – a superficially valid reason for their interest. We examine real world data from some ‘worms’ that spread over the social graph of Instant Messenger users. We find that over 14 million distinct users clicked on these lures over a two year period from Spring 2010. Furthermore, we present evidence that 95% of users who clicked on the lures became infected with malware. In one four week period spanning May–June 2010, near the worm’s peak, we estimate that at least 1.67 million users were infected. We measure the extent to which small variations in lure URLs and the short pieces of text that accompany these URLs affects the likelihood of users clicking on the malicious URL. We show that the hostnames containing recognizable brand names were more effective than the terse random strings employed by URL shortening systems; and that brief Portuguese phrases were more effective in luring in Brazilians than more generic ‘language independent’ text.

Slides

How better to learn what to teach users to avoid than by watching users choose malware?

Although since the highly trained professionals at the TSA miss 95% of test explosives and guns, I’m not sure that user training is the answer to malware URLs.

Perhaps detection and automated following of all links in messages/emails, from a computer setup to detect malware? Not sure how you would get a warning to users.

Still, I like the idea of seeing what users do rather than speculating about what they might do. The latter technique being a favorite of our national security apparatus. Mostly because it drives budgets.

January 12, 2015

Open-Source projects: Computer Security Group at the University of Göttingen, Germany.

Filed under: Cybersecurity,Machine Learning,Malware,Security — Patrick Durusau @ 8:03 pm

Open-Source projects: Computer Security Group at the University of Göttingen, Germany.

I mentioned Joern in March 2014 but these other projects may be of interest as well:

Joern: A Robust Tool for Static Code Analysis

Joern is a platform for robust analysis of C/C++ code. It generates code property graphs, a novel graph representation of code that exposes the code’s syntax, control-flow, data-flow and type information. Code property graphs are stored in a Neo4J graph database. This allows code to be mined using search queries formulated in the graph traversal language Gremlin. (Paper1, Paper2, Paper3)

Harry: A Tool for Measuring String Similarity

Harry is a tool for comparing strings and measuring their similarity. The tool supports several common distance and kernel functions for strings as well as some exotic similarity measures. The focus lies on implicit similarity measures, that is, comparison functions that do not give rise to an explicit vector space. Examples of such similarity measures are the Levenshtein and Jaro-Winkler distance.

Adagio: Structural Analysis and Detection of Android Malware

Adagio is a collection of Python modules for analyzing and detecting Android malware. These modules allow extracting labeled call graphs from Android APKs or DEX files and applying an explicit feature map that captures their structural relationships. Additional modules provide classes for designing binary or multiclass classification experiments and applying machine learning for detection of malicious structure. (Paper1, Paper2)

Salad: A Content Anomaly Detector based on n-Grams

Letter Salad, or Salad for short, is an efficient and flexible implementation of the anomaly detection method Anagram. The method uses n-grams (substrings of length n) maintained in a Bloom filter for efficiently detecting anomalies in large sets of string data. Salad extends the original method by supporting n-grams of bytes as well as n-grams of words and tokens. (Paper)
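The Anagram method Salad implements, as an added example in Python that is not the Salad code itself: byte n-grams from benign samples are recorded in a Bloom filter, and a new sample is scored by the fraction of its n-grams the filter has never seen. The filter size, the number of hash functions, the threshold and the HTTP request lines used for training are all constructed for the example.

```python
import hashlib


class BloomFilter:
    """Fixed-size bit array probed by k salted BLAKE2b hashes. It has no false
    negatives: an n-gram added during training is never reported as unseen."""

    def __init__(self, size_bits=1 << 16, hashes=4):
        self.size = size_bits
        self.k = hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        for i in range(self.k):
            # A different salt per probe gives k independent bit positions.
            digest = hashlib.blake2b(item, digest_size=8, salt=bytes([i])).digest()
            yield int.from_bytes(digest, "little") % self.size

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def ngrams(data, n):
    """All overlapping byte n-grams of data (empty if len(data) < n)."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]


class Anagram:
    """Train on benign samples; score = fraction of a sample's n-grams absent
    from the filter. Both steps are linear in the sample length and use constant
    memory no matter how many distinct n-grams training produced."""

    def __init__(self, n=3, size_bits=1 << 16):
        self.n = n
        self.bloom = BloomFilter(size_bits)

    def train(self, sample):
        for g in ngrams(sample, self.n):
            self.bloom.add(g)

    def score(self, sample):
        grams = ngrams(sample, self.n)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.bloom)
        return unseen / len(grams)

    def is_anomalous(self, sample, threshold=0.2):
        return self.score(sample) >= threshold


# Constructed training set: a few ordinary HTTP request lines.
BENIGN_REQUESTS = [
    b"GET /index.html HTTP/1.1",
    b"GET /search?q=malheur HTTP/1.1",
    b"GET /images/logo.png HTTP/1.1",
    b"POST /login HTTP/1.1",
]


def build_detector():
    det = Anagram(n=3)
    for req in BENIGN_REQUESTS:
        det.train(req)
    return det


if __name__ == "__main__":
    det = build_detector()
    # Constructed request whose query string is unlike anything in training.
    odd = b"GET /search?q=" + b"%ff%fe%fd%fc%fb%fa%f9%f8" * 4 + b" HTTP/1.1"
    for req in BENIGN_REQUESTS + [odd]:
        print(f"{det.score(req):.2f} anomalous={det.is_anomalous(req)} {req[:40]!r}")
```

Bloom-filter false positives can only make an unseen n-gram look seen, so they lower scores rather than raise them; size the bit array against the number of distinct n-grams in training (a few bits per n-gram) or the detector goes blind.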

Sally: A Tool for Embedding Strings in Vector Spaces

Sally is a small tool for mapping a set of strings to a set of vectors. This mapping is referred to as embedding and allows for applying techniques of machine learning and data mining for analysis of string data. Sally can be applied to several types of string data, such as text documents, DNA sequences or log files, where it can handle common formats such as directories, archives and text files. (Paper)
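Sally’s embedding step, as an added example that is not Sally’s own code: each string becomes a sparse, L2-normalised vector of token counts or byte n-gram counts, after which cosine similarity (and any other vector-space method) applies directly. The log lines, the use of BLAKE2b for feature hashing and the dimension of the dense fold are constructed assumptions for the example.

```python
import hashlib
import math
from collections import Counter


def word_tokens(text):
    """Whitespace tokens: the natural features for text and log lines."""
    return text.split()


def byte_ngrams(text, n=3):
    """Overlapping byte n-grams: features for data without token boundaries."""
    data = text.encode("utf-8")
    return [data[i:i + n] for i in range(len(data) - n + 1)]


def embed(text, mode="words", n=3):
    """Map a string to a sparse, L2-normalised vector {feature: weight}."""
    feats = word_tokens(text) if mode == "words" else byte_ngrams(text, n)
    counts = Counter(feats)
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {f: c / norm for f, c in counts.items()}


def cosine(u, v):
    """Dot product of two normalised sparse vectors, iterating the smaller one."""
    if len(u) > len(v):
        u, v = v, u
    return sum(w * v.get(f, 0.0) for f, w in u.items())


def to_dense(vec, dim=1024):
    """Feature hashing: fold the sparse vector into a fixed-length list for
    libraries that expect dense arrays. Hash collisions are accepted noise."""
    dense = [0.0] * dim
    for f, w in vec.items():
        key = f if isinstance(f, bytes) else f.encode("utf-8")
        slot = int.from_bytes(hashlib.blake2b(key, digest_size=4).digest(), "little") % dim
        dense[slot] += w
    return dense


def rank(query, corpus, mode="words"):
    """Corpus lines ordered by similarity to the query, most similar first."""
    q = embed(query, mode)
    return sorted(((cosine(q, embed(line, mode)), line) for line in corpus), reverse=True)


# Constructed log lines: two similar sshd events and one unrelated kernel line.
SAMPLE_LOGS = [
    "sshd[2201]: Accepted password for alice from 10.0.1.15 port 5222 ssh2",
    "sshd[2201]: Accepted password for bob from 10.0.1.9 port 5300 ssh2",
    "kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]

if __name__ == "__main__":
    for score, line in rank(SAMPLE_LOGS[0], SAMPLE_LOGS[1:]):
        print(f"{score:.2f}  {line}")
```

Token embeddings are exact and sparse; the byte n-gram mode trades that for robustness to variable fields (usernames, addresses) and to inputs with no whitespace at all.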

Malheur: Automatic Analysis of Malware Behavior

Malheur is a tool for the automatic analysis of program behavior recorded from malware. It has been designed to support the regular analysis of malware and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes using machine learning. (Paper)

Prisma: Protocol Inspection and State Machine Analysis

Prisma is an R package for processing and analyzing huge text corpora. In combination with the tool Sally the package provides testing-based token selection and replicate-aware, highly tuned non-negative matrix factorization and principal component analysis. Prisma allows for analyzing very big data sets even on desktop machines. (Paper)

Derrick: A Simple Network Stream Recorder

Derrick is a simple tool for recording data streams of TCP and UDP traffic. It shares similarities with other network recorders, such as tcpflow and wireshark, where it is more advanced than the first and clearly inferior to the latter. Derrick has been specifically designed to monitor application-layer communication. In contrast to other tools the application data is logged in a line-based ASCII format. Common UNIX tools, such as grep, sed & awk, can be directly applied.

There are days when malware is a relief from thinking about present and proposed government policies.

I first saw this in a tweet by Kirk Borne.

November 29, 2014

Cynomix Automatic Analysis, Clustering, and Indexing of Malware

Filed under: Cybersecurity,Malware,Security — Patrick Durusau @ 7:36 pm

https://www.youtube.com/watch?v=Wgc5msNUvfE&feature=youtu.be

From the description:

Malware analysts in the public and private sectors need to make sense of an ever-growing stream of malware on an ongoing basis yet the common modus operandi is to analyze each file individually, if at all.

In the current paradigm, it is difficult to quickly understand the attributes of a particular set of malware binaries and how they differ from or are similar to others in a large database, to re-use previous analyses performed on similar samples, and to collaborate with other analysts. Thus, work is carried out inefficiently and a valuable intelligence signal may be squandered.

In this webinar, you will learn about Cynomix, a web-based community malware triage tool that:

  • Creates a paradigm shift in scalable malware analysis by providing capabilities for automatic analysis, clustering, and indexing of malware
  • Uses novel machine learning and scalable search technologies
  • Provides several interactive views for exploring large data sets of malware binaries.

Visualization/analysis tool for malware. Creating a global database of malware data.

No anonymous submission of malware at present but “not keeping a lot of data” on submissions. No one asked what “not keeping a lot of data” meant exactly; what the speaker means by “a lot” and what the audience hears may differ. Currently, 35,000 instances of malware in the system. There have been as many as a million samples in the system.

Very good visualization techniques. Changes to data requests produced changes in the display of “similar” malware.

Take special note that networks/clusters change based on selection of facets. Imagine a topic map that could do the same with merging.

If you are interested in public (as opposed to secret) collecting of malware, this is an effort to support.

You can sign up for a limited beta here: http://www.cynomix.org/

I first saw this in a tweet by Rui SFDA.

PS: You do realize that contemporary governments, like other franchises, are responsible for your cyber-insecurity. Yes?

July 19, 2014

Government-Grade Stealth Malware…

Filed under: Cybersecurity,Malware,NSA,Security — Patrick Durusau @ 4:36 pm

Government-Grade Stealth Malware In Hands Of Criminals by Sara Peters.

From the post:

Malware originally developed for government espionage is now in use by criminals, who are bolting it onto their rootkits and ransomware.

The malware, dubbed Gyges, was first discovered in March by Sentinel Labs, which just released an intelligence report outlining their findings. From the report: “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.”

Sentinel was able to detect Gyges with on-device heuristic sensors, but many intrusion prevention systems would miss it. The report states that Gyges’ evasion techniques are “significantly more sophisticated” than the payloads attached. It includes anti-detection, anti-tampering, anti-debugging, and anti-reverse-engineering capabilities.

The figure I keep hearing quoted is that cybersecurity attackers are ten years ahead of cybersecurity defenders.

Is that what you hear?

Whatever the actual gap, what makes me curious is why the gap exists at all? I assume the attackers and defenders are on par as far as intelligence, programming skills, financial support, etc., so what is the difference that accounts for the gap?

I don’t have the answer or even a suspicion of a suggestion but suspect someone else does.

Pointers anyone?

November 22, 2013

BinaryPig: Scalable Static Binary Analysis Over Hadoop

Filed under: Cybersecurity,Malware,Pig,Security — Patrick Durusau @ 5:12 pm

BinaryPig: Scalable Static Binary Analysis Over Hadoop (Guest post at Cloudera: Telvis Calhoun, Zach Hanif, and Jason Trost of Endgame)

From the post:

Over the past three years, Endgame received 40 million samples of malware equating to roughly 19TB of binary data. In this, we’re not alone. McAfee reports that it currently receives roughly 100,000 malware samples per day and received roughly 10 million samples in the last quarter of 2012. Its total corpus is estimated to be about 100 million samples. VirusTotal receives between 300,000 and 600,000 unique files per day, and of those roughly one-third to half are positively identified as malware (as of April 9, 2013).

This huge volume of malware offers both challenges and opportunities for security research, especially applied machine learning. Endgame performs static analysis on malware in order to extract feature sets used for performing large-scale machine learning. Since malware research has traditionally been the domain of reverse engineers, most existing malware analysis tools were designed to process single binaries or multiple binaries on a single computer and are unprepared to confront terabytes of malware simultaneously. There is no easy way for security researchers to apply static analysis techniques at scale; companies and individuals that want to pursue this path are forced to create their own solutions.

Our early attempts to process this data did not scale well with the increasing flood of samples. As the size of our malware collection increased, the system became unwieldy and hard to manage, especially in the face of hardware failures. Over the past two years we refined this system into a dedicated framework based on Hadoop so that our large-scale studies are easier to perform and are more repeatable over an expanding dataset.

To address this problem, we created an open source framework, BinaryPig, built on Hadoop and Apache Pig (utilizing CDH, Cloudera’s distribution of Hadoop and related projects) and Python. It addresses many issues of scalable malware processing, including dealing with increasingly large data sizes, improving workflow development speed, and enabling parallel processing of binary files with most pre-existing tools. It is also modular and extensible, in the hope that it will aid security researchers and academics in handling ever-larger amounts of malware.

For more details about BinaryPig’s architecture and design, read our paper from Black Hat USA 2013 or check out our presentation slides. BinaryPig is an open source project under the Apache 2.0 License, and all code is available on Github.

You may have heard the rumor that storing more than seven (7) days of food marks you as a terrorist in the United States.

Be forewarned: Doing Massive Malware Analysis May Make You A Terrorist Suspect.

The “storing more than seven (7) days of food” rumor originated with Rand Paul R-Kentucky.

http://www.youtube.com/watch?feature=player_embedded&v=X2N1z9zJ20k

The Community Against Terrorism FBI flyer, assuming the pointers I found are accurate, says nothing about how many days of food you have on hand.

Rather it says:

Make bulk purchases of items to include:

  • Meals Ready to Eat
That’s an example of using small data analysis to disprove a rumor.

Unless you are an anthropologist, I would not rely on data from CSpan2.

February 7, 2013

Ads 182 Times More Dangerous Than Porn

Filed under: Malware,Marketing,Security — Patrick Durusau @ 5:44 am

Cisco Annual Security Report: Threats Step Out of the Shadows

From the post:

Despite popular assumptions that security risks increase as a person’s online activity becomes shadier, findings from Cisco’s 2013 Annual Security Report (ASR) reveal that the highest concentration of online security threats do not target pornography, pharmaceutical or gambling sites as much as they do legitimate destinations visited by mass audiences, such as major search engines, retail sites and social media outlets. In fact, Cisco found that online shopping sites are 21 times as likely, and search engines are 27 times as likely, to deliver malicious content than a counterfeit software site. Viewing online advertisements? Advertisements are 182 times as likely to deliver malicious content than pornography. (emphasis added)

Numbers like this make me wonder: Is anyone indexing ads?

Or better yet, creating a topic map that maps back to the creators/origins of ad content?

That has the potential to be a useful service, unlike porn blocking ones.

Legitimate brands would have an incentive to stop malware in their ads, origins of malware ads would be exposed (blocked?).

I first saw this at Quick Links by Greg Linden.

June 21, 2012

Mapping and Monitoring Cyber Threats

Filed under: Malware,Mapping,Security — Patrick Durusau @ 4:05 pm

Mapping and Monitoring Cyber Threats

From the post:

Threats to information security are part of everyday life for government agencies and companies both big and small. Monitoring network activity, setting up firewalls, and establishing various forms of authentication are irreplaceable components of IT security infrastructure, yet strategic defensive work increasingly requires the added context of real world events. The web and its multitude of channels covering emerging threat vectors and hacker news can help provide warning signs of potentially disruptive information security events.

However, the challenge that analysts typically face is an overwhelming volume of intelligence that requires brute force aggregation, organization, and assessment. What if significant portions of the first two tasks could be accomplished more efficiently allowing for greater resources allocated to the all important third step of analysis?

We’ll outline how Recorded Future can help security teams harness the open source intelligence available on various threat vectors and attacks, activity of known cyber organizations during particular periods of time, and explicit warnings as well as implicit risks for the future.

Interesting but I would add to the “threat” map known instances where recordable media can be used, email or web traffic traceable to hacker lists/websites, offices or departments with prior security issues and the like.

Security can become too narrowly focused on technological issues, ignoring that a large number of security breaches are the result of human lapses or social engineering. A bit broader mapping of security concerns can help keep the relative importance of threats in perspective.

April 4, 2012

Adobe Releases Malware Classifier Tool

Filed under: Classification,Classifier,Malware — Patrick Durusau @ 3:33 pm

Adobe Releases Malware Classifier Tool by Dennis Fisher.

From the post:

Adobe has published a free tool that can help administrators and security researchers classify suspicious files as malicious or benign, using specific machine-learning algorithms. The tool is a command-line utility that Adobe officials hope will make binary classification a little easier.

Adobe researcher Karthik Raman developed the new Malware Classifier tool to help with the company’s internal needs and then decided that it might be useful for external users, as well.

“To make life easier, I wrote a Python tool for quick malware triage for our team. I’ve since decided to make this tool, called “Adobe Malware Classifier,” available to other first responders (malware analysts, IT admins and security researchers of any stripe) as an open-source tool, since you might find it equally helpful,” Raman wrote in a blog post.

“Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.” The tool extracts seven key features from a binary, feeds them to one or all of the four classifiers, and presents its classification results.”

Adobe Malware Classifier (Sourceforge)
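A feature-extraction stage of the kind the tool’s description implies, as an added example that is not Adobe’s Malware Classifier code: parse the DOS, COFF and optional headers of a PE image, pull out header-level features (section count, image version, sizes of the export, resource and debug directories, the IAT RVA), and triage on them. The post does not list the tool’s seven features or its classifiers, so the feature set here and the transparent hand-written rule standing in for the trained models are assumptions, and the header-only PE images are constructed for the example.

```python
import struct

# Data directory indices from the PE/COFF specification.
DIR_EXPORT, DIR_RESOURCE, DIR_DEBUG, DIR_IAT = 0, 2, 6, 12


def pe_header_features(data):
    """Extract header-level features from a PE image held in memory.
    Raises ValueError on anything that is not a well-formed PE header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase/stack/heap fields shift them
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    major_image, minor_image = struct.unpack_from("<HH", data, opt + 44)
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)

    def directory(index):
        if index >= ndirs:          # directory not present in this header
            return 0, 0
        return struct.unpack_from("<II", data, opt + dirs_off + 8 * index)

    _, export_size = directory(DIR_EXPORT)
    _, resource_size = directory(DIR_RESOURCE)
    _, debug_size = directory(DIR_DEBUG)
    iat_rva, _ = directory(DIR_IAT)
    return {
        "machine": machine,
        "number_of_sections": nsections,
        "is_dll": bool(characteristics & 0x2000),   # IMAGE_FILE_DLL
        "image_version_major": major_image,
        "image_version_minor": minor_image,
        "export_size": export_size,
        "resource_size": resource_size,
        "debug_size": debug_size,
        "iat_rva": iat_rva,
    }


def triage(features):
    """Constructed stand-in for the trained classifiers (not Adobe's model):
    count header metadata that ordinary compiler output carries but stripped or
    packed binaries often lack, and map the count to 0, 1 or UNKNOWN."""
    oddities = 0
    oddities += features["debug_size"] == 0           # no debug directory
    oddities += features["image_version_major"] == 0  # no image version
    oddities += features["iat_rva"] == 0              # no import address table
    oddities += not 2 <= features["number_of_sections"] <= 8
    if oddities >= 3:
        return 1          # malicious
    if oddities == 0:
        return 0          # clean
    return "UNKNOWN"


def build_sample_pe(nsections=3, image_version=1, export_size=0,
                    resource_size=0, debug_size=0, iat_rva=0):
    """Construct a header-only PE32 image (no sections, no code) so the
    extractor can be exercised offline. It is not a runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<HH", opt, 44, image_version, 0)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    for index, (rva, size) in {
        DIR_EXPORT: (0x3000 if export_size else 0, export_size),
        DIR_RESOURCE: (0x4000 if resource_size else 0, resource_size),
        DIR_DEBUG: (0x5000 if debug_size else 0, debug_size),
        DIR_IAT: (iat_rva, 0x40 if iat_rva else 0),
    }.items():
        struct.pack_into("<II", opt, 96 + 8 * index, rva, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, sample in [
        ("typical build", build_sample_pe(4, 6, 0, 0x800, 0x1C, 0x2000)),
        ("stripped single section", build_sample_pe(1, 0)),
    ]:
        feats = pe_header_features(sample)
        print(name, triage(feats), feats)
```

The extractor is the reusable part: the same feature dict can be fed to a real learned model once one has labelled samples, which is what the tool’s description says it does with its four classifiers.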

Old hat that malware scanners have been using machine learning but new that you can now see it from the inside.

Lessons to be learned about machine learning algorithms for malware and other uses with software.

Kudos to Adobe!

November 18, 2011

Improved Call Graph Comparison Using Simulated Annealing

Filed under: Graphs,Malware,Simulated Annealing — Patrick Durusau @ 9:38 pm

Improved Call Graph Comparison Using Simulated Annealing by Orestis Kostakis, Joris Kinable, Hamed Mahmoudi, Kimmo Mustonen.

Abstract:

The amount of suspicious binary executables submitted to Anti-Virus (AV) companies is in the order of tens of thousands per day. Current hash-based signature methods are easy to deceive and are inefficient for identifying known malware that have undergone minor changes. Examining malware executables using their call graph view is a suitable approach for overcoming the weaknesses of hash-based signatures. Unfortunately, many operations on graphs are of high computational complexity. One of these is the Graph Edit Distance (GED) between pairs of graphs, which seems a natural choice for static comparison of malware. We demonstrate how Simulated Annealing can be used to approximate the graph edit distance of call graphs, while outperforming previous approaches both in execution time and solution quality. Additionally, we experiment with opcode mnemonic vectors to reduce the problem size and examine how Simulated Annealing is affected.

From the introduction:

To facilitate the recognition of highly similar executables or commonalities among multiple executables which have been subject to modification, a high-level structure, i.e. an abstraction, of the samples is required. One such abstraction is the call graph which is a graphical representation of a binary executable, where functions are modelled as vertices and calls between those functions as directed edges. Minor changes in the body of the code are not reflected in the structure of the graph.
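The call-graph edit distance approximated by simulated annealing, as an added example that is not the authors’ implementation: a call graph is a dict from caller to its callees, a candidate solution is a bijection between the two (padded) vertex sets, its cost counts vertex insert/delete operations plus every edge present on one side but not the other, and annealing proposes swapping the images of two vertices under a geometric cooling schedule while keeping the best mapping seen. The sample graphs (one with source names, one with disassembler-style labels), the cooling parameters and the brute-force check are constructed for the example.

```python
import itertools
import math
import random


def vertices(graph):
    """All function names: callers (keys) plus every callee."""
    names = set(graph)
    for callees in graph.values():
        names |= set(callees)
    return sorted(names)


def edges(graph):
    return {(caller, callee) for caller, callees in graph.items() for callee in callees}


def _setup(g1, g2):
    """Pad the smaller vertex list with dummies so every mapping is a bijection;
    an edge touching a dummy can never match, which models insert/delete."""
    v1, v2 = vertices(g1), vertices(g2)
    size_ops = abs(len(v1) - len(v2))
    n = max(len(v1), len(v2))
    v1 += [f"<pad1:{i}>" for i in range(n - len(v1))]
    v2 += [f"<pad2:{i}>" for i in range(n - len(v2))]
    return v1, v2, edges(g1), edges(g2), size_ops


def mapping_cost(e1, e2, size_ops, v1, v2, perm):
    """Edit distance induced by the bijection v1[i] -> v2[perm[i]]: vertex ops
    plus edges of either graph that have no counterpart under the mapping."""
    f = {v1[i]: v2[perm[i]] for i in range(len(v1))}
    matched = sum(1 for (a, b) in e1 if (f[a], f[b]) in e2)
    return size_ops + len(e1) + len(e2) - 2 * matched


def exact_ged(g1, g2):
    """Brute force over all bijections; feasible only for tiny graphs, used here
    to check what annealing finds."""
    v1, v2, e1, e2, size_ops = _setup(g1, g2)
    return min(mapping_cost(e1, e2, size_ops, v1, v2, p)
               for p in itertools.permutations(range(len(v1))))


def anneal_ged(g1, g2, iters=4000, t_start=2.0, t_end=0.02, seed=0):
    """Simulated annealing: swap the images of two vertices, always accept an
    improvement, accept a worse move with probability exp(-delta / T), cool T
    geometrically from t_start to t_end, and return the best cost and mapping."""
    rng = random.Random(seed)
    v1, v2, e1, e2, size_ops = _setup(g1, g2)
    n = len(v1)
    perm = list(range(n))
    rng.shuffle(perm)
    cur = best = mapping_cost(e1, e2, size_ops, v1, v2, perm)
    best_perm = perm[:]
    for k in range(iters):
        t = t_start * (t_end / t_start) ** (k / iters)
        i, j = rng.sample(range(n), 2)
        perm[i], perm[j] = perm[j], perm[i]
        new = mapping_cost(e1, e2, size_ops, v1, v2, perm)
        if new <= cur or rng.random() < math.exp((cur - new) / t):
            cur = new
            if cur < best:
                best, best_perm = cur, perm[:]
        else:
            perm[i], perm[j] = perm[j], perm[i]   # undo the rejected swap
    mapping = {v1[i]: v2[best_perm[i]] for i in range(n) if not v1[i].startswith("<pad")}
    return best, mapping


# Constructed sample: a small program's call graph with source names ...
SAMPLE_A = {"main": {"parse_args", "run"}, "parse_args": {"read_file"},
            "run": {"read_file", "write_file"}, "write_file": set()}
# ... the same structure under disassembler-style labels (a "renamed" variant) ...
SAMPLE_B = {"sub_401000": {"sub_401200", "sub_401080"}, "sub_401200": {"sub_401300"},
            "sub_401080": {"sub_401300", "sub_401400"}, "sub_401400": set()}
# ... and a variant with one extra call edge, so the distance should be 1.
SAMPLE_C = {**SAMPLE_B, "sub_401400": {"sub_401300"}}

if __name__ == "__main__":
    for other in (SAMPLE_B, SAMPLE_C):
        cost, mapping = anneal_ged(SAMPLE_A, other)
        print(f"annealed={cost} exact={exact_ged(SAMPLE_A, other)} mapping={mapping}")
```

The cost function is the whole model: vertex labels are ignored, so renaming every function (as stripping symbols does) costs nothing, while adding or removing calls costs one per edge. Real call graphs have thousands of vertices, where the brute-force check is impossible and the annealed approximation is the only number available.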

Can you say subject identity? 😉

How you judge subject identity depends on the circumstances and requirements of any given situation.

Very recent and I suspect important work on the detection of malware.
