June 09 2015


ISSA elections: Write-in candidate position statement

Dear ISSA members, 

I am writing this open letter to ask your support for me in the upcoming elections for the position of vice-president. 

You will not find my name on the slate, you will need to specifically write it in. I originally chose not to be on the election slate due to my highest respect for the role of Andrea Hoy, who was supposed to run for the position. Since then, as you know, President Winkler resigned, and Andrea succeeded in the presidential role. 

While I do believe that both remaining candidates are excellent professionals and outstanding members of the association, I think that, in this moment of change and transformation, the association needs a vice president with previous board and association experience. I have discussed my position with Andrea and other board members before this attempt to be elected as a write-in candidate, something that, I might add, has never happened in the history of ISSA.

I have served on the board of ISSA for almost 7 years, during which I worked to create our International Conference. I also served for 3 years on the board of the IEEE Computer Society. This experience helped me understand the current needs of professional associations, and their need to change into something different to keep serving the members, the profession and society at large.

If elected, I will help Andrea (whose expertise and strong leadership I respect) steer the association in its renovation, with a focus on our strategic alliance with other associations (such as ISC2, ISACA, and IEEE). I will also be the first officer in a long time to come from the European Union, and I will devote effort to strengthening and growing the association there.

My career path (I hold a Ph.D. in Computer Engineering from the Politecnico di Milano university, and I am currently an assistant professor there) also makes me extremely conscious of the need for ISSA to connect with the universities, bring young professionals into our fold, mentor them and help them enter the cybersecurity career.

My technical background (I am a member of the review board of the Black Hat conference, and over ten years ago I founded one of Italy's leading penetration testing businesses) also makes me aware of the fact that ISSA needs to connect back to the more technical members of the profession, helping to bridge the everlasting gap between management and technology in computer security.

I look forward to the opportunity of serving ISSA in a different role, if the members so choose. Rest assured that, whatever the results of the election, I will work as a volunteer to address the issues I outlined. 

Thanks for the time you devoted to reading this post. If you find my notes worthy of your consideration, please help me further by forwarding a link to this message to your peers and ISSA Chapter members (always respecting the ISSA electioneering rules).

Stefano Zanero
Fellow, ISSA

January 30 2015


A few notes on the recent wave of Cryptolocker attacks

A wave of cryptolocker samples hit recently, with the following interesting characteristic: besides the usual English version, there were French, Italian, German and Dutch versions.

At least the Italian one featured a very convincing translation of the emails that try to social engineer users into installing the malware, thus arguably obtaining a high success rate.

The propagation vector is an email attachment: a .cab file containing a .scr executable. According to intelligence, it is a Dalexis dropper that eventually installs CTB-locker.

The malware encrypts all files with the following extensions: wm,kwm,txt,cer,crt,der,pem,doc,cpp,c,php,js,cs,pas,bas,pl,py,docx,rtf,docm,xls,xlsx,safe,groups,xlk,xlsb,xlsm,mdb,mdf,dbf,sql,md,dd,dds,jpe,jpg,jpeg,cr2,raw,rw2,rwl,dwg,dxf,dxg,psd,3fr,accdb,ai,arw,bay,blend,cdr,crw,dcr,dng,eps,erf,indd,kdc,mef,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,p12,p7b,p7c,pdd,pdf,pef,pfx,ppt,pptm,pptx,pst,ptx,r3d,raf,srf,srw,wb2,vsd,wpd,wps,7z,zip,rar,dbx,gdb,bsdr,bsdu,bdcr,bdcu,bpdr,bpdu,ims,bds,bdd,bdp,gsf,gsd,iss,arp,rik,gdb,fdb,abu,config,rgx

At the moment I am not aware of any way to extract the key or reverse the process. The only resolution available is to restore data from backups. A worthwhile attempt is to carve the drive in the hope of recovering earlier versions of the files.
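The extension list above is also what a defender can key on: a document whose extension implies plaintext but whose bytes look random has very likely been encrypted. The following script is an added example (not from the post, not the malware's code) that walks a directory, restricts itself to the plaintext subset of the targeted extensions (my own selection, an assumption) and flags files whose leading bytes exceed an entropy threshold; the sample files it creates are constructed.

```python
import math
import os
import tempfile
from collections import Counter

# Extensions targeted by this wave, copied from the list in the post above.
TARGETED_EXTENSIONS = set((
    "wm,kwm,txt,cer,crt,der,pem,doc,cpp,c,php,js,cs,pas,bas,pl,py,docx,rtf,docm,xls,xlsx,"
    "safe,groups,xlk,xlsb,xlsm,mdb,mdf,dbf,sql,md,dd,dds,jpe,jpg,jpeg,cr2,raw,rw2,rwl,dwg,"
    "dxf,dxg,psd,3fr,accdb,ai,arw,bay,blend,cdr,crw,dcr,dng,eps,erf,indd,kdc,mef,mrw,nef,"
    "nrw,odb,odm,odp,ods,odt,orf,p12,p7b,p7c,pdd,pdf,pef,pfx,ppt,pptm,pptx,pst,ptx,r3d,raf,"
    "srf,srw,wb2,vsd,wpd,wps,7z,zip,rar,dbx,gdb,bsdr,bsdu,bdcr,bdcu,bpdr,bpdu,ims,bds,bdd,"
    "bdp,gsf,gsd,iss,arp,rik,gdb,fdb,abu,config,rgx"
).split(","))
# Assumption (my choice): targeted extensions whose normal content is low-entropy text.
# Compressed formats (jpg, zip, docx, pdf...) are left out: high entropy is normal there.
PLAINTEXT_EXTENSIONS = TARGETED_EXTENSIONS & {
    "txt", "c", "cpp", "cs", "php", "js", "pas", "bas", "pl", "py", "sql", "md", "config", "rtf", "pem"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_suspicious(root: str, threshold: float = 7.0, sample: int = 65536) -> list:
    """Paths under root with a plaintext extension whose first `sample` bytes look encrypted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in PLAINTEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if shannon_entropy(fh.read(sample)) >= threshold:
                    hits.append(path)
    return sorted(hits)

def demo() -> list:
    """Constructed sample: a normal text file and one overwritten with random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "invoice.txt"), "w") as fh:
            fh.write("Fattura n. 1234 del 30/01/2015\n" * 200)
        with open(os.path.join(tmp, "contract.txt"), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for an encrypted document
        return [os.path.basename(p) for p in find_suspicious(tmp)]
```

Run it periodically against a file share and alert on any hit; a burst of hits across many directories is the signature of an encryption run in progress.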

A couple of virustotal sample analyses:

Runtime info for the latter:

Another runtime analysis of a similar sample:

The following connections are observed with this specific dropper:
"" TCP 443
"" TCP 443
"" TCP 443

The in-memory strings contain the following URLs, common to Dalexis:


A semi-useful IOC is the following string, which seems to appear in many samples: "proftur.pdb"

Also, intelligence says that samples connect to the Tor hidden service dpaqjri6tinnqleh via web2tor proxies, e.g.:

Unconfirmed intelligence reports the use of 587/tcp to send spam, possibly as a means of propagation.

A few hashes of samples:
Tags: cryptolocker

October 04 2014

How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.
Compromise needed on smartphone encryption - The Washington Post
Tags: idiocy

September 30 2014


Quick summary on ShellShocker

This post contains no original research but just a few links and info on the ShellShocker bug. I put it together to have a handy reference for friends & co., feel free to share.

A summary, along with test cases and info:

Attacks going on in the wild:

- Multiple reports of IP addresses scanning for the vulnerability with a consistent user agent: User-Agent: () { :;}; /bin/ping -c 1 

Request: "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0"
Host: -
UA: "() { :;}; /bin/ping -c 1"

Originally this came from Robert Graham at Errata Security (read here), but he has not been scanning for days, so if you still see it, that's not good.
Also, Robert's scanner is polite:
Request: "GET / HTTP/1.0 "
Host: "() { :; }; ping -c 11"
UA:  "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

The pattern above is being used in active exploitation (see also here); that specific attack drops a bot that one source has linked to earlier router infections (although this version is built for x86).
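The two request patterns quoted above differ only in where the bash function prelude sits (User-Agent vs. Host) and in whether the scanner announces itself. The following triage helper is an added example, not part of the post or of any scanner: it parses a raw request head, flags every field carrying the `() {` prelude and separates Errata's self-identifying research scan from everything else. The sample requests are constructed from the patterns in the post; the ping target is a documentation address.

```python
import re
from typing import Dict, Optional

# Bash's function-definition prelude, the marker of every Shellshock probe quoted above.
PRELUDE = re.compile(r"\(\)\s*\{")
# Robert Graham's scanner announces itself in its User-Agent; treat it as research noise.
ERRATA_SCAN_MARK = "blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html"

def parse_request(raw: str) -> Dict[str, str]:
    """Turn the head of a raw HTTP/1.x request into {'request': line, header: value}."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    fields = {"request": lines[0].strip()}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def classify(fields: Dict[str, str]) -> Optional[str]:
    """None for a clean request, 'research-scan' for the Errata scanner,
    otherwise 'shellshock:<fields>' naming every field carrying the prelude."""
    tainted = sorted(k for k, v in fields.items() if PRELUDE.search(v))
    if not tainted:
        return None
    if ERRATA_SCAN_MARK in fields.get("user-agent", ""):
        return "research-scan"
    return "shellshock:" + ",".join(tainted)

# Constructed sample requests modelled on the two patterns quoted in the post.
SAMPLES = {
    "ping_probe": """GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
Host: -
User-Agent: () { :;}; /bin/ping -c 1 198.51.100.7
""",
    "errata_scan": """GET / HTTP/1.0
Host: () { :; }; ping -c 11
User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
""",
    "benign": """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
""",
}

def triage() -> Dict[str, Optional[str]]:
    return {name: classify(parse_request(raw)) for name, raw in SAMPLES.items()}
```

Because the prelude check runs over every field, it also catches probes placed in Referer, Cookie or custom headers, which the quoted patterns do not use.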

November 02 2013


The BadBIOS story and my comments

As I usually do when there's a developing story, here are some reflections and comments on the BadBIOS story.

If you don't know what I'm talking about, just do yourself a favor and start from here, which is as good a summary as any. You can also read a different summary, complete with many of Dragos's tweets, here.

First things first: Dragos Ruiu is a friend, a trusted peer, and if he comes public with something so wild and difficult to believe, I completely trust he has seen something. Like all humans, Dragos might be wrong, he might be overestimating stuff, or whatever, but I don't doubt for a minute that he has (what he thinks is) proof of what he says.

I completely agree with the analysis Robert Graham has done here and share most of his observations. What has been described is all technically possible, but the combination of everything in such an evil and nasty set of malware (more on this in a minute) would be completely unheard of. If anybody shrugs and says he's seen stuff like this before, please waterboard him until he says where.

I would like to share these useful observations on what a BIOS can and cannot do. However, I would respectfully disagree with the conclusion that what Dragos is seeing cannot be there. We know that malware and rootkits can be composed of multiple components, and the BIOS component might be responsible for only a few of the reported behaviors. We simply have to wait for more details and samples to be provided.

It should be noted that Igor Skochinsky, a well respected malware reverser, analyzed some of the samples provided and believes them to be malware-free.

In conclusion: I completely respect and trust Dragos. I do believe he saw something complex that behaved mysteriously. I think we are still missing a lot of technical details, and I look forward to the release of malware samples, at least within the usual trusted communities for malware analysis.
Tags: BadBIOS
August 07 2013


A quick summary on the "0-day against Tor" brouhaha

It was recently announced that "the FBI" had apparently used a "0-day" exploit against people using Tor, with subsequent explosions of comments from the usual privacy advocates.

While I'm all for privacy advocacy, at times we shouldn't let our preconceived notions get the better of us. So let's look at the available data here.

On Aug. 4th the Tor people were advised of something gone awry. Hidden services from an organization called "Freedom Hosting" were unreachable, and apparently, someone had exploited the software used on them to deploy this malicious Javascript in the web pages it delivered to users. An advisory was released shortly thereafter. 

Now, Freedom Hosting services included TorMail (a very secure anonymous email operation); hacking and fraud forums such as HackBB; money laundering operations; the Hidden Wiki (sort of a Dark Net wikipedia...); and virtually all of the most popular child pornography websites on the planet. A Freedom Hosting account cost a one-time fee of $5 and offered unlimited space and bandwidth, an onion domain, PHP and MySQL support, FTP access, and even backups (!). A large number of hidden websites were hosted by Freedom Hosting, so it's easy to see how the "attack against Tor users" generalization was born.

By analyzing the code (see the excellent writeups here and here) we can observe a number of things.

First of all, this was an attack exploiting a known vulnerability in an older version of the Firefox JavaScript engine. Specifically, this older version was present in some of the Tor Browser Bundle (TBB) versions. TBB includes Firefox plus some privacy patches.

For the sake of documentation, I will note that this was fixed in Firefox 17.0.7 ESR, and in TBB 2.3.25-10 (plus several of the alphas and the betas). Fixes were available for TBB since June 26th.

So whoever was affected after June 26th was affected because they had not patched their software; this was no zero-day by the time the attack came to light.
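The patched-or-not question above is just a version comparison against the two fixed builds the post names (Firefox 17.0.7 ESR and TBB 2.3.25-10). The helper below is an added example, not from the post or the Tor Project, that parses both version formats and answers True (predates the fix), False (includes it) or None (unknown); alpha and beta bundles return None because the post only says that "several" of them were fixed, and so does any Firefox not on the 17 ESR branch, which the post does not discuss.

```python
import re
from typing import Optional, Tuple

# Fixed builds as stated in the post: Firefox 17.0.7 ESR and TBB 2.3.25-10.
FIXED_FIREFOX_ESR = (17, 0, 7)
FIXED_TBB = (2, 3, 25, 10)

def parse_firefox_esr(version: str) -> Optional[Tuple[int, ...]]:
    """'17.0.6esr' -> (17, 0, 6); None if not on the 17 ESR branch (out of scope here)."""
    core = version.lower().replace("esr", "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        return None
    parts = tuple(int(p) for p in core.split("."))
    return parts if parts[0] == 17 else None

def parse_tbb(version: str) -> Optional[Tuple[int, ...]]:
    """'2.3.25-10' -> (2, 3, 25, 10); a release without '-N' gets build 0.
    Pre-release labels ('3.0-alpha-2') return None: no assumption is made about them."""
    core, _, build = version.strip().partition("-")
    if not re.fullmatch(r"\d+(\.\d+)*", core) or (build and not build.isdigit()):
        return None
    return tuple(int(p) for p in core.split(".")) + (int(build) if build else 0,)

def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the build predates the fix, False if it includes it, None if unknown."""
    if product == "firefox-esr":
        parsed, fixed = parse_firefox_esr(version), FIXED_FIREFOX_ESR
    elif product == "tbb":
        parsed, fixed = parse_tbb(version), FIXED_TBB
    else:
        return None
    if parsed is None:
        return None
    return parsed < fixed
```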

Additionally, the exploit was targeted to Windows users, while the Firefox vulnerability is cross-platform.

What the payload does is connect to and send an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (by calling SendARP on the address returned in gethostbyname()->h_addr_list). After that it cleans up its state and appears to crash deliberately.

So, what happened is that by compromising one or more hidden services, the unknown attacker collected at that IP address a list of the vulnerable users who accessed those services.

The payload does not open a backdoor or install other stuff, so this is very unlikely to be a black hat operation. It looks much more like a tracking mechanism, so it's not a bad guess that this is law enforcement or three-letter-agency activity. It actually sounds suspiciously like CIPAV, the FBI malware we know about from 2007.

The fact that is in the Northern Virginia area, served by Verizon Business, only confirms this suspicion. Be aware that the suggestion that this IP is allocated to SAIC and previously in use by NSA turned out not to be correct.

Around the same time, a man named Eric Marques was arrested and is awaiting extradition at the FBI's request for facilitating the exchange of child porn. There is no direct link so far, but it is easy to believe that Marques is the founder of Freedom Hosting and that the two operations are related. However, we may wish to be cautious in saying this is what happened.

Interestingly, a couple of years back Anonymous took Freedom Hosting down for a few hours (Operation Darknet), under the lead of Sabu, then an important member of Anonymous and later disclosed as an FBI informant. Since he turned informant in August 2011 and the operation against Freedom Hosting dates from October, there has been speculation that it was the first FBI-led operation against the network. But this is really a wild shot in the dark.

We also shouldn't believe that child porn is such a large component of Tor traffic. The curious reader may wish to check some statistics on what is actually hosted on the Dark Net.

What is pretty funny, or sad, are the suggestions given to Tor users to avoid falling into a similar trap in the future. Besides the obvious "keep up-to-date your software", another suggestion from fairy-crypto-lands is "disable Javascript" (try on your own and let me know how many websites you are able to browse after that) - and also, while you are at it, "css, svg, XML"... Other suggestions included "randomizing your MAC address" (I can see Windows users out there doing just that!), and "install various firewalls" (which in this case would have surely helped, right?).

Another suggestion was to use Tails, a live distribution of Linux with Tor and privacy software preinstalled. Which is precisely the best way to keep software up-to-date, right?

I think the Tor community should face, and have users face, the sad reality. It is impossible to safely use Tor to browse common websites without risking an attack of this kind (because it is basically impossible to use ordinary websites with Javascript-and-everything-else-disabled). This was terribly effective and used a month-old vulnerability. Just go figure what would happen with a zero-day. Also, while using Tails per se is a good suggestion (because in this way you compartmentalize privacy browsing from data and systems used in non-private browsing) this wouldn't really help in this scenario (except for the fact that this specific payload was Windows based, but there's no reason for that except the fact that a vast majority of the interesting subjects were using Windows).

If you have a real need to go anonymous, you need to implement good opsec, as my friend Grugq is demonstrating here (slides here).
