
March 19, 2017

G's Reading List for March 19, 2017

Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]
by Dan Goodin @ Arstechnica.com

Chaining three different exploits, one in the Microsoft Edge browser, one in the Windows 10 kernel, and one in VMware Workstation, the contestants were able to escape the guest virtual machine and compromise the host the VM was running on. Impressive.
Link: https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
_____________________________________________

Malwarebytes teams up with Cybersecurity Factory
by Malwarebytes Labs
Malwarebytes is proud to support Cybersecurity Factory, a 10-week summer program for early-stage cybersecurity companies. This program, run in collaboration with Highland Capital Partners, provides teams with a $35,000 convertible note investment, office space, and dedicated security mentorship from industry leaders at leading companies throughout the United States...
Link: https://blog.malwarebytes.com/malwarebytes-news/2017/02/malwarebytes-teams-up-with-cybersecurity-factory/
_____________________________________________

WikiLeaks to Share CIA Hacking Data with Tech Companies
by Marissa Lang, San Francisco Chronicle
WikiLeaks will release the code showing how the CIA managed to break into phones, work around encrypted messaging apps and avoid detection by software designed to defend against cyberattacks.
_____________________________________________

Google Points to Another POS Vendor Breach
by Brian Krebs @ Krebs on Security

Another good thing about Google's site warnings.


April 27, 2014

Article Highlight: Q1-2014 SPAM study by Sophos shows interesting results

Every quarter Sophos studies spam and releases the results. This year's title is "The Dirty Dozen Spampionship: Who's who in the global spam-sending league?"

The study shows the amount of spam sent by country. It's important to note that this does not necessarily correlate to the bad actors' physical location. Most of these actors don't send spam directly from their own networks; they use resources on other networks, usually infected PCs (aka zombies), often in countries other than the one they reside in. So the ranking tells you where the infected machines are, not where the spammers are. A couple of tidbits I found interesting...

  • By volume the United States tops the list at 16.4% of total spam.  This is a huge lead as the next offending country, Spain, comes in at 5.0% of all spam volume followed by Russia (4.4%), Italy (4.3%), and China (4.1%).
  • Israel, which has spawned many information security start-up companies, is #3 on the list when ranked per capita. That's surprising to me.
  • I expected Russia, China, and India to be higher based on some of the data I've personally seen.

Link to article:
http://nakedsecurity.sophos.com/2014/04/17/the-dirty-dozen-spampionship-whos-who-in-the-global-spam-sending-league/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=000398c556-naked%252Bsecurity&utm_term=0_31623bb782-000398c556-454927713
(short link)
http://bit.ly/1iqTmgF



November 10, 2012

2008 Malware Challenge Revisited

My buddy Tyler Hudak has posted a malware challenge contest that we ran in 2008. We thought it would be a good idea to give those who haven't tried it an opportunity to do so.

Check out the challenge here at Security Shoggoth's blog:
http://secshoggoth.blogspot.com/2012/11/2008-malware-challenge.html#links

March 9, 2011

Malware targeting BlackBerrys



According to Trend Micro, a ZeuS banking trojan variant is targeting BlackBerry mobile devices. Previously, ZeuS variants had only been spotted targeting mobile devices running Symbian and Windows Mobile.

This story just bolsters the point that malware's growth will happen in the mobile device world. Fasten your seatbelts, we're in for a rough ride!

http://www.finextra.com/news/fullstory.aspx?newsitemid=22336

June 18, 2009

Various interesting news and posts


The Web's most dangerous keywords to search for
http://blogs.zdnet.com/security/?p=3457
I've long known that some 75% of all screensavers found on the Internet via Google search contain malware, but thought that some of these words were interesting: free games, work from home, iphone, barack obama. Something else interesting is the finding that when searching for lyrics keywords or phrases with the word 'free' in them, one in four result sites contains malicious code. Talk about blackhat SEO.

Building an Automated Behavioral Malware Analysis Environment using Open Source Software by Jim Clausing
http://www.sans.org/reading_room/whitepapers/tools/building_an_automated_behavioral_malware_analysis_environment_using_open_source_software_33129
Looks very promising. On my reading list.

Ex-DOD and Microsoft Exec Heading Up DHS Cyber Post
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133855
Earlier this month Secretary Napolitano of the U.S. Department of Homeland Security named Philip Reitinger as Director of the National Cyber Security Center in DHS, a relatively new office in the department. Previously Philip had held positions at the DOD Cyber Crime Center and had been a senior strategist in Microsoft's Trustworthy Computing group. Philip replaces Rod Beckstrom, who vacated the post earlier this year citing lack of funding and internal support. I wish Philip all the best and hope he's able to get what he needs to get things done there.

April 30, 2009

Microsoft to disable Autorun feature - YEAH


Microsoft plans to disable the AutoRun feature in Windows 7 and to release an update that does the same for older supported versions of Windows. CD and DVD media will still autorun, but Windows will no longer act on the autorun.inf file of USB sticks and other removable drives, which is the mechanism worms use to launch themselves the moment a drive is plugged in (USB ports themselves keep working; only the automatic launch goes away). This is great news! There is so much malware out there spreading by infecting USB drives that this had to be done.
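To make the risk concrete, here is an added example (not Microsoft's code, and not from the original post) that reads an autorun.inf the way AutoRun did and reports the directives that would launch code. Both autorun.inf samples are constructed for illustration; the RECYCLER path and the junk line imitate habits of USB worms of the period but do not come from any specific sample.

```python
"""Inspect an autorun.inf for directives that launch code.

Added example for this post, not Microsoft's code or the original post's.
BENIGN_INF and SUSPICIOUS_INF are constructed samples.
"""
import re

# Keys AutoRun acted on: 'open' and 'shellexecute' run on insertion,
# 'shell\<verb>\command' adds a context-menu verb, and 'shell=<verb>'
# makes that verb the default double-click action in Explorer.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)

# What a vendor-supplied autorun.inf for a photo frame typically contains.
BENIGN_INF = """\
[autorun]
icon=setup.exe,0
label=Vendor Photo Frame
"""

# Constructed worm-style file: every launch path points at a hidden binary,
# the icon is borrowed from Windows so the drive looks ordinary, and a junk
# line is present to throw off naive signature matching.
SUSPICIOUS_INF = """\
[AutoRun]
;x9k2 junk to break signature matching
open=RECYCLER\\hidden\\update.exe
shell\\open\\Command=RECYCLER\\hidden\\update.exe /q
shellexecute=RECYCLER\\hidden\\update.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section.

    Lines without '=' that are not a section header are skipped, because
    worms often pad the file with garbage that configparser would choke on.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries):
    """List (key, target) pairs that would execute something on insert or click."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def verdict(text):
    """Summarise an autorun.inf: which directives launch code, and whether
    any of them names an executable (the case AutoRun made dangerous)."""
    findings = launch_directives(parse_autorun(text))
    return {
        "launch_directives": findings,
        "executable_target": any(EXECUTABLE_RE.search(v) for _, v in findings),
    }


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(name, verdict(inf))
```

Pointing `verdict()` at the autorun.inf of a real removable drive (after mounting it on a machine where AutoRun is already off) tells you in one line whether the drive would have launched anything. An `icon=` or `label=` entry alone is normal vendor behaviour; any `open=`, `shellexecute=` or `shell\...\command=` pointing at a file on the drive itself is what the Microsoft change neutralises.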


Microsoft talks about this topic:




Kudos to Microsoft for taking this measure.

March 31, 2009

Will April 1st be Conficker's D-Day that Blows Up the Internet? NO!

NO!

Contrary to popular belief among non-security Internet users, the Internet will not turn into Armageddon on April 1st, 2009. It's not going to descend into anarchy where zombie computers spew their venom through the billions of miles of cable that make up the Internet; that's just not going to happen. At least that's the belief of most of us in the security industry. Could it be a hoax? Sure. Could there be a large influx of newly infected PCs? Sure. Maybe the already infected PCs start doing something different, like a DDoS attack or something else. Who knows? We don't; only the criminals behind the infections/attacks do.

I've heard from many of my non-technical friends and coworkers asking about this "new" worm that is set to "explode", as they put it, at midnight on April 1st. I've even seen people say to unplug their computers, effectively turning them off, on March 31st and then plug them back in on April 2nd. No, really, that's what they are saying. Take a look at an email I received earlier today that's making the rounds among non-technical users:
Subject: unplug computer Mar 31, replug April 2

Unplug your computers from the internet on March 31 and don't reconnect them until April 2. Then it won't have access to the web to "activate" the worm if you have it (that's how the article says this worm works). Hopefully by April 2 they will have a "fix" for it and you can get back on your machine.
Sigh.

While I appreciate all the awareness they are raising, acting like this is some huge tidal wave that will wash your home away is just ridiculous. If your Windows computer is fully patched, including the October 2008 update for the vulnerability Conficker exploits (MS08-067), and you have some sort of antivirus and firewall, then you are safe from this worm. One caveat: the later Conficker variants also spread by infecting removable drives through AutoRun and by guessing weak passwords on network shares, so a patched machine on a network of unpatched ones should still keep autorun off and use strong passwords.

No, the Internet is NOT going to explode tomorrow! See you online.

January 27, 2009

Malicious links on President Obama's website

First it was fake Barack Obama websites spreading malware; now the REAL BarackObama.com website is pushing the stuff. To be clear, it's not President Obama's people pushing it, it's registered users of their site. Attackers are using one of the site's features, called Community Blogs, to place malicious links on the site.

A recent attack that I looked at featured what appears to be an embedded video, but when you click it you are redirected through a couple of different sites, finally landing on one selling rogue/fraudulent security software and serving trojans.

Another unfortunate example of the dangers of Web 2.0. While this technique of using blogs to spread malware is not new (Google dev site, Twitter, 2005, German Wikipedia), I expect to see it grow in popularity because of how effective it's proving. Oh joy.

More...
http://news.softpedia.com/news/Barack-Obama-039-s-Website-Used-to-Push-Malware-102977.shtml
http://securitylabs.websense.com/content/Blogs/3284.aspx

January 19, 2009

Fake US Presidential Inauguration and Obama Websites

Fake Barack Obama blogs and websites are being used to infect computers with a worm called Waledac. According to several in the security community, including Jose Nazario at Arbor Networks, this worm appears to be from the same makers as the Storm worm.

An example is hxxp://www.bestbaracksite.com/
(WARNING: Malicious site).

Visitors to the site see graphics and blog entries that look real, and while they read the entries a drive-by install silently places malicious code on their system. All the links on the website point to a malicious EXE download as well. This site, by the way, is using "fast flux" DNS to avoid takedown and appears to be hosted on a botnet, as some of the IPs appear to belong to home DSL/cable modem customers.

With the US presidential inauguration tomorrow I expect to see a continued rise in this type of attack, and I recommend you check your web proxy logs for any domains containing the following words:

barack
obama
presidential
inauguration
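As an added example of that proxy-log check (my code for this page, not from the original post), the script below parses Squid native access.log lines, pulls the destination host out of each request, and flags hosts containing the four keywords. The log lines are constructed, the hostnames other than the one named in the post are hypothetical, and the IPs are from documentation ranges. It also handles the CONNECT case, where the proxy logs only host:port rather than a full URL, which trips up naive URL parsing.

```python
"""Flag proxy log entries whose destination host contains themed keywords.

Added example for this post; not code from the original. SAMPLE_LOG is
constructed in Squid native access.log layout, with hypothetical hosts.
"""
from urllib.parse import urlsplit

# Keywords recommended in the post above.
KEYWORDS = ("barack", "obama", "presidential", "inauguration")
# File types the fake sites pushed; a direct download of one is worth a look.
EXECUTABLE_EXTS = (".exe", ".scr", ".com")

# Squid native format: time elapsed client action/code size method URL ident
# hierarchy/from content-type. Hosts and clients are constructed.
SAMPLE_LOG = """\
1232323200.123    245 10.0.0.15 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1232323201.456    120 10.0.0.22 TCP_MISS/200 18833 GET http://www.bestbaracksite.com/ - DIRECT/198.51.100.7 text/html
1232323202.789     98 10.0.0.22 TCP_MISS/200 337920 GET http://www.bestbaracksite.com/news.exe - DIRECT/198.51.100.7 application/octet-stream
1232323203.001     60 10.0.0.31 TCP_MISS/200 2210 GET http://inauguration-day-video.example.net/watch.php?id=3 - DIRECT/203.0.113.9 text/html
1232323204.222     45 10.0.0.15 TCP_HIT/200 1022 GET http://mail.example.org/ - NONE/- text/html
1232323205.333     77 10.0.0.40 TCP_MISS/200 5120 CONNECT presidential-gala.example:443 - DIRECT/203.0.113.44 -
"""


def host_from_url(url):
    """Return the lowercase hostname from a proxy URL field.

    CONNECT requests are logged as host:port with no scheme; urlsplit would
    misread 'host' as the scheme, so split those on the last ':' instead.
    """
    if "://" in url:
        host = urlsplit(url).hostname or ""
    else:
        host = url.rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def parse_squid_line(line):
    """Parse one native-format line into a dict, or None for short/junk lines."""
    fields = line.split()
    if len(fields) < 7:
        return None
    url = fields[6]
    path = url.lower().split("?", 1)[0]
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "status": fields[3],
        "method": fields[5],
        "url": url,
        "host": host_from_url(url),
        "exe_download": path.endswith(EXECUTABLE_EXTS),
    }


def flag_hosts(log_text, keywords=KEYWORDS):
    """Return the parsed records whose host contains any keyword (substring match,
    so subdomains and hyphenated variants are caught too)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        matched = [k for k in keywords if k in rec["host"]]
        if matched:
            rec["matched"] = matched
            hits.append(rec)
    return hits


def summarize(hits):
    """Collapse hits to {host: set(clients)} so triage is one line per domain."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["client"])
    return by_host


if __name__ == "__main__":
    hits = flag_hosts(SAMPLE_LOG)
    for host, clients in summarize(hits).items():
        print(host, sorted(clients))
    print("executable downloads:", [h["url"] for h in hits if h["exe_download"]])
```

Run it over a real access.log by reading the file into `flag_hosts()`. Expect false positives: legitimate news coverage of the inauguration will match too, so the output is a triage list, not a block list. A flagged host that also shows up with `exe_download` set, or that many clients reached within minutes of each other, is where to start.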

December 27, 2008

New electronic Christmas gifts may have a special 'present'


As I celebrate this holiday season with my family and friends I'm finding myself busier than ever with security work - and it's not dealing with any infected PCs of my family and friends. You see, this year we have received more electronic devices that can plug into a computer than ever.

What's the big deal you ask? Concerns about malware-infected devices and their software.

Malware-infected devices aren't a new issue: we've had reports of new devices shipping infected with malware for the past couple of years. This year is no different: I know first hand of several instances where MP3 players or digital photo frames came out of the box with this additional 'special gift' that, when plugged into a computer, drops malicious code used to join botnets, steal website account credentials, or who knows what. Oh, and it's not just the devices themselves; the software that comes bundled with the hardware has had issues too. Stories: Best Buy sold infected digital picture frames (Jan 2008) and here, Vuescape frames have infected software (Aug 2008), Samsung ships infected picture frame software CD (Dec 2008).

So while the percentage of infected devices is still very low, I'm still taking the precaution of plugging these things into my security test lab of 'victim' machines and monitoring what they do. Even if you don't have a lab like mine you can still exercise caution when hooking these up to your system. You can run system monitoring tools such as Process Monitor or Process Explorer from the brilliant folks on the Microsoft Sysinternals team, or a packet sniffer like Wireshark. You might also run something that monitors network connections, such as Windows' built-in NETSTAT utility (sorry, I don't know a Mac equivalent), while you plug the device in or install the software, to see whether your machine visits a site on the Internet during the install and use of the device and its bundled software.
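To turn that NETSTAT suggestion into something repeatable, here is an added example (not from the original post) that diffs two `netstat -ano` snapshots, one taken before the device is plugged in and one after, and reports the new remote endpoints plus the PIDs behind them. The two snapshots are constructed in the layout Windows prints, using documentation IP ranges, so nothing in them reflects real traffic.

```python
"""Diff two netstat snapshots to spot connections a new device or its software opens.

Added example for this post; not code from the original. BEFORE and AFTER are
constructed in Windows `netstat -ano` layout with documentation IP ranges.
"""

BEFORE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED     1588
  TCP    192.168.1.10:49200     93.184.216.34:443      ESTABLISHED     2456
  UDP    0.0.0.0:500            *:*                                    1204
  UDP    192.168.1.10:137       *:*                                    4
"""

# Same machine a minute after plugging in the device and letting its
# installer run: PID 3312 is new, has one established connection and one
# half-open attempt (SYN_SENT still reveals where it wanted to go).
AFTER = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED     1588
  TCP    192.168.1.10:49200     93.184.216.34:443      ESTABLISHED     2456
  TCP    192.168.1.10:49311     203.0.113.5:80         ESTABLISHED     3312
  TCP    192.168.1.10:49312     198.51.100.23:8080     SYN_SENT        3312
  UDP    0.0.0.0:500            *:*                                    1204
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:61000     *:*                                    3312
"""

# Foreign addresses that mean "nobody in particular": listeners and unbound UDP.
UNSPECIFIED = {"0.0.0.0:0", "*:*", "[::]:0"}


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples for connection rows.

    Windows prints no State column for UDP, so UDP rows have one field less;
    header lines ('Proto ...', 'Active Connections') are skipped.
    """
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() not in ("TCP", "TCPV6", "UDP", "UDPV6"):
            continue
        if f[0].upper().startswith("TCP"):
            proto, local, foreign, state, pid = f[0], f[1], f[2], f[3], f[4]
        else:
            proto, local, foreign, state, pid = f[0], f[1], f[2], "", f[3]
        rows.append((proto.upper(), local, foreign, state, pid))
    return rows


def is_loopback(addr):
    return addr.startswith("127.") or addr.startswith("[::1]")


def remote_endpoints(text):
    """Set of (proto, foreign, pid) for rows that actually talk to another host."""
    out = set()
    for proto, _local, foreign, state, pid in parse_netstat(text):
        if foreign in UNSPECIFIED or is_loopback(foreign) or state == "LISTENING":
            continue
        out.add((proto, foreign, pid))
    return out


def new_connections(before_text, after_text):
    """Remote endpoints present in the second snapshot but not the first."""
    return remote_endpoints(after_text) - remote_endpoints(before_text)


def pids_to_check(before_text, after_text):
    """PIDs responsible for the new connections; look these up in Process Explorer."""
    return sorted({pid for _, _, pid in new_connections(before_text, after_text)})


if __name__ == "__main__":
    for proto, foreign, pid in sorted(new_connections(BEFORE, AFTER)):
        print(f"{proto} -> {foreign} (PID {pid})")
    print("PIDs to inspect:", pids_to_check(BEFORE, AFTER))
```

On the real machine, save `netstat -ano` to a file before plugging the device in and again after the install finishes, then feed both files to `new_connections()`. A single pair of snapshots misses anything short-lived, so either loop the capture every second or two while the installer runs, or use Process Monitor's network events or Wireshark as the post suggests; the PID list here is what you then match against Process Explorer to see which program opened the connection.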

I'm raising an eggnog toast to all of us receiving electronic gifts without the special additional 'gift'. Hope your holiday is a malware-free one.